Security in the age of network virtualisation
Many enterprise CIOs are learning how Software Defined Networking (SDN) and Network Function Virtualisation (NFV) can bring about business transformation as well as IT efficiencies says Craig D'Abreo.
Craig D’Abreo, VP security operations, Masergy
Recent research from Ovum indicates that over half of IT departments are starting to work on SDN strategy and technology evaluations, or are in the early planning and analysis phase.
An emerging network architecture, SDN enables enterprises to modernise their global networks to be more flexible with dynamic bandwidth allocation, improved performance for business critical applications and greater flexibility to support necessary changes to network infrastructure. NFV enables the quick deployment of new, specific network capabilities, such as firewalls, switches or applications, via the cloud or software implementations.
Both similar tools, the common benefits of SDN and NFV architectures is that they provide a single platform that can manage and control dozens of disparate systems, across global IT networks in some cases. Quite simply, it makes it easier to manage key elements of a network by controlling access and policies from one central location – for example, from a security perspective, you know that if your head office in London is secure, then, with the same network rules and policies in place, your remote office in Poland is equally secure.
However, the move to virtualisation, whether it is certain network functions only, through to a full SDN architecture, brings about new security challenges. In the past, network infrastructure devices were considered secure due to the security policies being embedded directly into the device – which could be patched should a vulnerability come to light. With virtualisation, if a virtualised router or switch is deployed that's not secure, you're leaving your network vulnerable to attackers – and if this vulnerability goes unnoticed as you continue to add virtual switches, routers, or even firewalls, then you're simply adding more points of access to a hacker.
Securing the virtual network
It's very important that version control is monitored closely and rigorous Quality Assurance (QA) testing is carried out before pushing virtual devices or images out across a network.
When going down the network virtualisation route, we tell our customers that there are three key aspects to securing virtual images. Number one is quality assurance of the code – and rigorous testing is vital. Second, you have to keep the images that are deployed in the field under the same version control. The final piece is all about documentation and audits. Keeping records and regularly auditing software for vulnerabilities and other issues is vital in staying on top of security.
In addition to those tenets, the other important thing to remember is that security is a process. It isn't something you simply implement once and say, “We've got security and we're done.” Security requires ongoing attention.
Having a unified virtualised network platform that's centrally managed allows for security policies to be kept up-to-date and enforced in a uniform fashion across global networks. Working with the network team, if properly deployed, network elements can be managed in a central way that goes beyond simple rule sets, providing much more intelligence around image management, patch management, and threat analysis.
My advice for deploying SDN or NFV securely is a simple four letter acronym; “DAVE”. That is:
· Documentation – the importance of having clear and concise written records throughout lifecycle
· Auditing of code and process
· Version control
· Education of user and operators.
It's important to approach the new generation of hybrid networks with the understanding that security is a constant loop. Cyber-criminals are continually developing new tactics and tools to breach corporate networks, so network security must always be an ongoing process. If enterprise CIOs approach SDN and NFV with an understanding of how to securely implement these new architectures, they gain the advantage of safeguarding against sophisticated and targeted attacks.
Contributed by Craig D'Abreo, VP security operations, Masergy