March 15, 2016 By David Strom 2 min read

As we develop more powerful cloud architectures and virtualize more of our infrastructure, we need a better understanding of the changing security implications, best practices and threat models of a virtual network.

A white paper from the Cloud Security Alliance (CSA) included some great new information on how network function virtualization (NFV) and software-defined networking (SDN) have evolved and can be used in the modern enterprise. This post is the first in a three-part series on the topic in which we will look more closely at the security challenges of both technologies and provide recommendations on what you should do to make your virtual networks more secure.

Security and the SDN

Last year, we wrote about how software and virtualization can help define a more protected perimeter, particularly for health care organizations that want to segregate a virtual network for clinical trials and files containing more sensitive data, for example.

The concept behind SDN is relatively simple to explain: You can make changes to your network infrastructure (routers, firewalls and virtual LAN segments) on the fly, for example to respond to an outage or a security incident. You can insert additional network paths or firewalls on demand when they are needed, just as a virtual machine (VM) allows you to bring up an instance of a Windows server when needed.

A VM decouples the actions of a computer, such as running an operating system or saving files to a hard drive, from the physical hardware. Similarly, using NFV means you decouple a network function (a firewall, router or switch) from the physical device that traditionally provided it.

But this simple explanation hides a great deal of complexity in terms of deployment, not to mention the difficulty of migrating from existing infrastructures to the virtual networks.

Too Many Choices for Virtual Networks

However, as more network-centric appliances proliferate, virtualizing them makes sense because network traffic patterns and operational requirements change. Many IT departments currently make use of virtual LANs, which perform some of these functions but still rely on physical network gear. SDN makes it easier to add tens or thousands of VMs and to automate the provisioning of, and changes to, your network infrastructure so you can become more flexible in your operations.

The good news is that SDN is a rapidly evolving marketplace. The bad news is that, like many IT-related innovations, there are several conflicting standards and vendor alignments competing in this space. Anyone who contemplates SDN will have to choose one of the top commercial camps based on the product offering and related standards and how it will integrate with existing security protocols.

“The pace of development and NFV/SDN evolution present an incredible challenge because they are outpacing the ability to fully understand security issues and provide effective controls,” the CSA paper stated. “Furthermore, the lack of consistent standards among SDN implementations can create further gaps in security.”

Be sure to read our next post in this series on the security challenges and increased risks of network function virtualization.
