NFV presents the potential to help service providers enhance their security. But badly implemented NFV can present new vulnerabilities for attackers to exploit.
On the positive side, network functions virtualization (NFV) can help network operators orchestrate their security policies. Containerization potentially isolates workloads and therefore enhances security. With tens of thousands of containers running on a network, attackers will find it difficult to track targets, Heavy Reading analyst Caroline Chappell said during a panel about NFV and security at NFV Everywhere in Dallas this week. (See Taming the NFV 'Orchestration Zoo'.)
NFV & Security
Led by Caroline Chappell, Heavy Reading (far left), panelists discussed NFV security at the NFV Everywhere conference.
But NFV also presents security vulnerabilities. OpenStack is a single point of failure, and network operators need to make sure people and processes don't exceed their APIs, Chappell said.
Security experts and non-experts are split about the magnitude of the NFV threat -- and the experts are, surprisingly, more confident. "Security experts are remarkably sanguine about NFV. They see NFV as more an opportunity than a threat," Chappell said. "They're even saying there are security risks worth taking to achieve a trade-off." Experts are more inclined to pursue risk management rather than absolute security. "People who are not security experts tend to be more afraid of the technology," she said.
Security is a process, not a state, said panelist Nick Barcet, Red Hat Inc. (NYSE: RHT) director of OpenStack product management. Because NFV defines everything in software, it allows network operators to clearly define processes to maintain security. But like any software, NFV presents potential vulnerabilities. Network operators need to assess security and react quickly on threats, fixes and intrusion detection. (See Red Hat's Approach to OpenStack Adoption.)
NFV can, in some cases, create gaps: for example, by requiring multiple passwords. Passwords are potential vulnerabilities, and need to be augmented with other security techniques, Barcet said.
Open source can help mitigate security risks, if it's implemented correctly, said Ray Watson, VP global technology, Masergy Communications Inc. Network operators need to take responsibility for monitoring and code auditing. "That's the promise of open source. Everyone can -- and more important, should -- do their own monitoring for those kinds of vulnerabilities," he said. (See Masergy's Bold NFV Play Is Customer Driven.)
Open source permits "unlimited innovation," said Don Clarke, chief technologist, CableLabs. "Open source has got an open feed of some of the greatest and most passionate innovators in the world." (See CableLabs' Clarke Updates Cable Virtualization.)
Open source also provides many eyes on code to find vulnerabilities. "You're going to get audited by everybody," Clarke said. And when vulnerabilities are found, they're patched quickly. "There's going to be an open source guy who's determined to fix it tonight, even if he's going to be up all night, because he wants to be the guy who fixed it."
But open source also has risks. Feature creep can introduce code bloat with added vulnerabilities. And network operators can become overly confident that somebody else did the check. "Some of the world's most horrendous disasters are because somebody thought somebody else had the job, but they didn't," Clarke said.
NFV and open source are fundamental building blocks of New IP networks, permitting the agility network operators need to derive business value from their assets. But NFV and open source also present new security challenges, which network operators need to be prepared to meet.
— Mitch Wagner, West Coast Bureau Chief, Light Reading.