Time to Get Serious About NFV and Security

Ulrich Kohn
Padlock inside a cloud

We're all familiar with the tantalizing benefits of network functions virtualization (NFV) - flexibility, scalability and cost-efficiency, to name just a few.  But there are certain issues that still need a lot of scrutiny. Of these issues, network security and data protection are paramount. Operators and suppliers know that these two areas need to be addressed if a truly successful NFV infrastructure is to be widely adopted.

Network security and data protection are especially important for enterprises that are unsure whether they want to move mission-critical data and vital network functions into the cloud. Without the necessary assurances, enterprises will be unwilling to adopt NFV-based services. What’s important to consider here is that, far from being a weakness, NFV can actually provide additional security and protection.

For example, virtualized firewalls or virtualized intrusion detection systems enable security features to be added in a fast and efficient way, ensuring service providers can respond rapidly to any challenges.

However, the introduction of NFV entails more than just adding new security solutions to a service provider’s portfolio; this transition also impacts on the risk profile of service providers and their customers alike:

  • Dedicated hardware appliances are frequently implemented via proprietary technologies, which create some level of “security by obscurity.” Replacing this hardware with standard general-purpose servers, standard storage and standard network components increases the attack surface and calls for additional security controls.
  • Similarly, there are key ramifications in moving from supplier-specific network management and network control toward open-source software, as detailed information about the applied protocols, as well as the supporting tools for those protocols, are publicly available.
  • NFV allows software appliances to use any available resource in a network. So an enterprise’s virtualized firewall may be instantiated anywhere in the network, extending the security perimeter into the network of the service provider. Consequently, precautions must be taken to make certain that the traffic between the enterprise side and the server location of the provider is fully protected.

It’s easy to see how transitioning toward NFV-centric networks significantly alters and increases the risk profile.

Additional controls are required, namely authentication (as a means to create a trusting relationship between different elements of an NFV network) and encryption (to secure the user and control traffic being exchanged by those entities). This is especially true for demarcation equipment at the edge of a provider network, which is operated on the customer premise. Those network elements play a vital role in not only protecting the service provider and enterprise networks but also in creating a trusting relationship between both parties.

Although encryption may be done at different network layers, it’s encryption at lower layers that provides the significant advantage of simultaneously securing traffic from multiple clients. This reduces complexity, saves overheads and improves performance. Advanced Ethernet encryption is the most efficient way to address security challenges and deliver full-site security as it fits in seamlessly and doesn’t interfere with existing Ethernet solutions.

In greenfield scenarios, the IEEE 802.1AE™ standard for hop-by-hop “MACsec” security provides a set of protocols for confidentially protecting data and maintaining integrity across Ethernet local area networks. It also mitigates attacks by identifying and excluding communications from unauthorized sources. Extensions of this standard allow end-to-end encryption of Ethernet private lines, which can be effectively applied with existing Ethernet networks.

Authentication is crucial for secure communication as it confirms the identity of a communication partner, helping prevent rogue devices from accessing private data or compromising a network. To this end, demarcation technology needs to be designed to provide security-hardened authentication functions. Tamper-resistant storage of credentials, such as encryption keys and other passwords, is among the key features required for implementing such functionality.

These security strategies are just some of the transport considerations that service providers need to explore as they look to make the shift from dedicated hardware to standard, general-purpose devices and software appliances. Others include operations, administration and maintenance capabilities beyond Layer 2 of the demarcation device - an essential component for service assurance. Programmability is also vital as it’s the key to maximizing efficiency. Then there's the critical consideration of creating a balanced mix of centralized/decentralized VNF hosting.

Service providers need to take a sophisticated, comprehensive approach to adapting their transport network for NFV implementation in order to fully exploit the benefits of NFV-based networks for applications such as virtualizing customer premise equipment, virtualizing radio area networks or any other NFV use case. A strategy that realizes the potential vulnerabilities of NFV as well as its amazing potential will lead to a smooth and safe path toward a secure service-centric network.

Ulrich Kohn

Related articles