At the recent Mobile World Congress, I heard many operators express an interest in analytics. They could see its potential to enrich customers’ user experience and offer new services. Many seemed to grasp that the basis for innovative services, customized to user interests and preferences, can be built by correlating data on service connectivity, application types, service context and performance metrics, among other sources. Such data can also be used to identify malicious attacks on a network or on individual users, giving operators the chance to initiate counter action, preventing damage and mitigating the impact.
Analytics can be introduced alongside NFV network transformation projects, as NFV technology makes it easy for operators to add network probes that capture network data and traffic characteristics. Open NFV architectures simplify the gathering of metadata for use with analytical algorithms. In addition, NFV allows VNF-based security services such as virtual firewalls, virtual intrusion detection systems or software encryption to be introduced easily.
Does this mean that NFV-centric networks are more secure than legacy networks? Yes, to some extent. However, as new software-based means are introduced to secure networks and communication, attackers will focus further down the stack and will try to identify and exploit vulnerabilities at lower network layers. It also needs to be considered that NFV technology originated in data centers and initially was applied only within those security perimeters.
In many NFV deployments, software components are distributed across many data centers. They might also be hosted on untrusted sites or even sites with public access, which is especially true for the vCPE use case, where VNFs are hosted on the customer premises. The public networks connecting those sites present an attack surface that does not exist in networks fully contained within a data center.
Although OpenStack comes with various means for securing interfaces, operators face major challenges when distributing OpenStack-based virtual infrastructure management over many sites. A presentation by Peter Willis titled “How NFV is different from Cloud: Using Openstack for Distributed NFV”, given at the SDN and OpenFlow Conference in Düsseldorf in October 2015, provides an overview of the enhancements that are needed.
As higher network layers are secured by specialized VNFs and by analytics, there is a high likelihood that attacks will focus on vulnerabilities in lower network layers, trying to compromise operating systems and hypervisors. Hence, NFV deployments need to focus on securing the connectivity network. Encryption at the transmission layer, security-hardened Open vSwitch (OVS) instances, multi-factor authentication, tamper-resistant design and bootkit prevention are essential controls for securing NFV-based network elements operated outside a data center.
It is good to see that standards bodies and industry forums are already taking action. DPDK Release 2.2 offers encryption of the data plane as an experimental feature. OpenStack has also recently kicked off various projects that focus on improving security in NFV through additional controls, such as stronger authentication and secure storage of user credentials.
Of course, security doesn’t come for free and additional protective controls add some cost. There will be different grades of hardware-based protection responding to the security assurance required by a customer. Suppliers will respond to this by offering a solution portfolio with additional security controls as outlined above.
So, while it’s true that NFV-based services that require high security assurance call for additional protective controls and that distributed NFV networks will need to balance cost against security requirements, a wide range of technologies is available to support operators in this choice. ADVA Optical Networking is providing the most comprehensive set of edge NFV devices to meet any of those needs.
To learn more, come visit us at booth 22 at ONS. You can also access the slides from my presentation, Making NFV-Based Business Services Secure.