March 15, 2016 By David Strom 2 min read

As we develop more powerful cloud architectures and virtualize more of our infrastructure, we need a better understanding of the changing security implications, best practices and threat models of a virtual network.

A white paper from the Cloud Security Alliance (CSA) included some great new information on how network function virtualization (NFV) and software-defined networking (SDN) have evolved and can be used in the modern enterprise. This post is the first in a three-part series on the topic, in which we will look more closely at the security challenges of both technologies and provide recommendations on what you should do to make your virtual networks more secure.

Security and the SDN

Last year, we wrote about how software and virtualization can help define a more protected perimeter, particularly for health care organizations that want to segregate a virtual network for clinical trials and files containing more sensitive data, for example.

The concept behind SDN is relatively simple to explain: You can make changes to your network infrastructure (routers, firewalls and virtual LAN segments) on the fly, for example to respond to an outage or security incident. You can insert additional network paths or firewalls on demand when they are needed, just as a virtual machine (VM) allows you to bring up an instance of a Windows server when needed.

A VM decouples the physical hardware from the actions of a computer, such as running an operating system or saving files to a hard drive. Similarly, using NFV means you decouple a piece of networking gear from the physical device (a firewall, router or switch) itself.

But this simple explanation hides a great deal of complexity in terms of deployment, not to mention the difficulty of migrating from existing infrastructures to the virtual networks.

Too Many Choices for Virtual Networks

As network-centric appliances proliferate, virtualizing them makes sense because network traffic patterns and operational requirements change. Many IT departments currently make use of virtual LANs, which perform some of these activities but still rely on physical network gear. SDN makes it easier to add tens or thousands of VMs and to automate the provisioning of, and changes to, your network infrastructure so you can become more flexible in your operations.

The good news is that SDN is a rapidly evolving marketplace. The bad news is that, like many IT-related innovations, there are several conflicting standards and vendor alignments competing in this space. Anyone who contemplates SDN will have to choose one of the top commercial camps based on the product offering and related standards and how it will integrate with existing security protocols.

“The pace of development and NFV/SDN evolution present an incredible challenge because they are outpacing the ability to fully understand security issues and provide effective controls,” the CSA paper stated. “Furthermore, the lack of consistent standards among SDN implementations can create further gaps in security.”

Be sure to read our next post in this series on the security challenges and increased risks of network function virtualization.
