
Virtualizing Security to Protect SDN and NFV Networks from Inherent Vulnerabilities


Telecommunications operators and similar communications service providers are excited about the opportunities that Software Defined Networks (SDN) and Network Functions Virtualization (NFV) promise to provide. SDN and NFV technologies and their ability to improve network versatility, reduce operational costs and create new business opportunities are attracting significant interest from service providers of all sizes and in all regions around the world. Although the operational use of SDN and NFV is still in its early stages, most service providers are currently formulating their strategies for deploying these technologies, and many are conducting proof-of-concept (PoC) evaluations in their test environments.

#1: THE TRANSITION TO NEW OPEN NETWORKS AND THE SECURITY VULNERABILITIES

Traditional telecoms networks are closed infrastructures protected by readily-available and mature security solutions. Today, the control plane is separated from the data plane on nearly all telecoms networks. This separation helps protect the network from cyber-attacks and other security vulnerabilities and allows security solutions to work effectively.

The migration to SDN and NFV technologies offers service providers numerous benefits, including openness, remote programmability, agility and other advantages of IT-like networks. However, the similarity to IT networks that makes SDN and NFV networks advantageous for service providers also exposes them to a full range of cyber-attacks and security vulnerabilities. Unlike traditional network infrastructure, which is hardware-based and has hardened security policies, SDN and NFV networks are open and software-based, which is the source of most of the security vulnerabilities.

Gal Ofel,
Head, Software Solution Product Line Mgt,
Telco Systems

The SDN and NFV infrastructure planes must be protected from advanced persistent threats (APTs) and cyber-attacks, such as flooding and denial of service (DoS) and threats to hypervisor/vSwitch appliances on the control plane, as well as malware, remote access threats and specific attacks on the virtual machines (VMs) on the application plane.

SDN and NFV infrastructures will also allow enterprise customers to self-provision new services, which will give external access to the control plane for the first time. This exposes service providers and their network infrastructure to additional security vulnerabilities that did not exist before.


The open architecture of software defined networks enables this remote access. For this, service providers are using open source platforms and software like OpenStack, OVS (Open vSwitch), KVM and others, instead of the proprietary technologies used on existing networks, which are inherently more secure due to their obscurity. In an SDN and NFV network, each host runs a virtualized network, which must be individually monitored and protected.

#2: VIRTUALIZING SECURITY FOR SDN AND NFV PROTECTION

On open networks, including those enabled by SDN and NFV technologies, these and other cyber-security threats can easily bypass existing security solutions that commonly use log file data from security appliances on the core network to analyze security events. APTs can hide undetected in a network and on endpoints for months, stealthily capturing and reporting on data passing through the network, which leaves the network open to penetration by undetected attackers.

Making the network smarter by using virtualization through open source capabilities may make service provider networks more vulnerable. However, it is this feature of virtualization that can deliver the necessary security to protect against the inherent vulnerabilities of SDN and NFV networks. By running a security solution as a virtualized network function deployed at the network edge, which is the closest location to all endpoints, security efforts can have complete visibility of the entire network and can be applied to the entire infrastructure. Remediation too becomes faster, since the network is centrally monitored and any malfunctioning component can easily be isolated before the attack spreads across the infrastructure.

SDN and NFV technologies will change the entire telecom industry in the coming years. As these technologies are deployed on service provider networks, they will deliver on the promise of cost savings and new business opportunities. Operators and service providers who are accustomed to a closed and protected environment must now consider how to protect the open SDN and NFV infrastructure that punches holes in the traditional separation between the control plane and the data plane. The solution lies in applying security solutions as virtualized network functions to overcome these vulnerabilities and ensure that the promises of SDN and NFV are securely fulfilled.

About The Author:
Gal Ofel is the Head of Software Solution Product Line Management at Telco Systems. Gal is responsible for the company’s SDN and Distributed NFV software products and ecosystem.
