In mid-October, ETSI declared that security in the NFV environment represents both a major challenge and an enormous opportunity. As a result, savvy companies are implementing new safeguards through NFV that are desperately needed to deal with growing security threats, in order to take advantage of that opportunity.
Network functions virtualization (NFV) provides a unified orchestration platform that can address many of the network security issues that stem from the telecommunications industry's wave of mergers and acquisitions. Many service providers have complex IT infrastructures that were formed from the integration of many different networks and computing platforms. This integration makes certain aspects of security credentials, such as user names and passwords, difficult to manage because the environment is complex and disjointed.
A unified NFV orchestration platform could potentially bring the promise of being able to manage and control dozens of systems, allowing security policies to be kept up-to-date and enforced in a uniform fashion across global networks. If properly deployed, all of the network elements could be managed in a central way that goes beyond simple rule sets and ACLs, providing much more intelligence around image management, patch management and threat analysis.
While NFV provides important new security benefits, the separation of the software function from the physical hardware can cause potential vulnerabilities as well. The hardware needs to enable a secure platform to ensure the basic software components aren't compromised.
Network operators need to take responsibility for implementing NFV correctly to mitigate risk. For example, it's critical that the platform boots securely, in ways that make it difficult to exploit.
Based on real-world deployment models, securing NFVs hinges on three key aspects:
Ensuring quality assurance is performed on all code
Consistent version control and a common code base
Proper documentation and audits implemented on a regular basis
Following such practices can significantly reduce risk and tip the scales decidedly to the opportunity side of the security equation.
Beyond the perimeter
In the past, the focus of network security was having a robust perimeter. While perimeter security and signature-based solutions remain an important part of a holistic security strategy, they are inadequate safeguards by themselves in an era of polymorphic attacks and Advanced Persistent Threats (APTs).
These new threats puncture the existing defenses, and then move around the network for a period of time, carefully hiding themselves as they seek out sensitive data.
With internal threats on the rise, security teams can no longer simply monitor firewall logs. What matters now is the actual behavior of the packets around the network. Consequently, as much data as possible must be captured and monitored, permitting intelligent analysis that can identify anomalies in network activities in real time and issue alerts if necessary.
It's important to approach the new generation of hybrid networks with the understanding that security is a constant loop. Cyber criminals are continually developing new tactics, so network security must always be an ongoing process. If communications service providers approach NFV with a deep understanding of how to securely implement this new network architecture, they can gain critical new safeguards against APTs and ever more sophisticated assaults. (Listen to Tackling the NFV Security Challenge to learn more.)
— Ray Watson, VP of global technology, Masergy, special to The New IP