As we develop more powerful cloud architectures and virtualize more of our infrastructure, we need a better understanding of the changing security implications, best practices and threat models of a virtual network.
A white paper from Cloud Security Alliance included some great new information on how network function virtualization (NFV) and software-defined networking (SDN) have evolved and can be used in the modern enterprise. This post is the first in a three-part series on the topic in which we will look more closely at the security challenges of both technologies and provide recommendations on what you should do to make your virtual networks more secure.
Security and the SDN
Last year, we wrote about how software and virtualization can help define a more protected perimeter, particularly for health care organizations that want to segregate a virtual network for clinical trials and files containing more sensitive data, for example.
The concept behind SDN is relatively simple to explain: You can make changes to your network infrastructure (routers, firewalls and virtual LAN segments) on the fly, for example to respond to an outage or a security incident. You can insert additional network paths or firewalls on demand when they are needed, just as a virtual machine (VM) lets you bring up an instance of a Windows server when needed.
A VM decouples the physical hardware from the actions of a computer, such as running an operating system or saving files to a hard drive. Similarly, using NFV means you decouple a piece of networking gear from the physical device (a firewall, router or switch) itself.
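To make the "insert a firewall on demand" idea concrete, here is a small added example (not code from the original post or from any real SDN controller) that models the core data structure of a software-defined switch: a flow table of prioritized match/action rules, managed by code rather than by logging into hardware. It includes a baseline policy for a segregated segment (the clinical-trial example above), then shows an incident-response step that quarantines a single host by installing higher-priority drop rules. The subnet values, the `FlowRule`/`FlowTable` classes and the `quarantine_host` helper are all constructed for illustration; the priority-wins lookup and default-deny behaviour mirror how OpenFlow-style flow tables are generally described, but this is not any vendor's API.

```python
"""
Toy model of an SDN flow table (illustrative, not a real controller API).

Rules are matched highest-priority-first, like an OpenFlow table; traffic that
matches nothing is dropped (default deny). An incident responder can change
the network's behaviour by installing rules, with no physical device touched.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional

ANY = ip_network("0.0.0.0/0")  # wildcard match


@dataclass
class FlowRule:
    priority: int              # higher number wins when several rules match
    src: IPv4Network           # source prefix to match (ANY = wildcard)
    dst: IPv4Network           # destination prefix to match
    dst_port: Optional[int]    # None = any destination port
    action: str                # "allow" or "drop"
    reason: str = ""           # operator note, useful when auditing the table

    def matches(self, src_ip, dst_ip, port) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and (self.dst_port is None or self.dst_port == port))


@dataclass
class FlowTable:
    rules: List[FlowRule] = field(default_factory=list)

    def install(self, rule: FlowRule) -> None:
        """Add a rule and keep the table ordered by priority (stable sort)."""
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority, reverse=True)

    def lookup(self, src_ip: str, dst_ip: str, port: int) -> str:
        """Return the action for a flow: first matching rule in priority order."""
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        for rule in self.rules:
            if rule.matches(src, dst, port):
                return rule.action
        return "drop"  # default deny: unmatched traffic never reaches the segment


def baseline_table() -> FlowTable:
    """Constructed policy: only corporate HTTPS may enter the clinical segment."""
    corp = ip_network("10.10.0.0/24")      # constructed: general corporate LAN
    clinical = ip_network("10.20.0.0/24")  # constructed: segregated clinical-trial data
    table = FlowTable()
    table.install(FlowRule(100, corp, clinical, 443, "allow", "corp -> clinical HTTPS only"))
    table.install(FlowRule(100, clinical, clinical, None, "allow", "intra-segment traffic"))
    table.install(FlowRule(50, ANY, clinical, None, "drop", "everything else stays out"))
    return table


def quarantine_host(table: FlowTable, host_ip: str) -> None:
    """Incident response: isolate one host in both directions.

    The priority (1000) is deliberately above every baseline rule, so an
    existing 'allow' can no longer win the lookup for this host.
    """
    host = ip_network(f"{host_ip}/32")
    table.install(FlowRule(1000, host, ANY, None, "drop", f"quarantine {host_ip} (egress)"))
    table.install(FlowRule(1000, ANY, host, None, "drop", f"quarantine {host_ip} (ingress)"))


if __name__ == "__main__":
    table = baseline_table()
    print("before:", table.lookup("10.10.0.5", "10.20.0.7", 443))   # allow
    quarantine_host(table, "10.10.0.5")                              # respond to an alert
    print("after: ", table.lookup("10.10.0.5", "10.20.0.7", 443))   # drop
    print("peer:  ", table.lookup("10.10.0.6", "10.20.0.7", 443))   # allow (unaffected)
    for r in table.rules:
        print(f"  prio={r.priority:4d} {r.action:5s} {r.reason}")
```

The point a practitioner should take from this is the ordering: the quarantine only works because its priority is higher than every allow rule already in the table, and because unmatched traffic falls through to drop. A controller that appended rules at equal or lower priority, or defaulted to allow, would leave the quarantined host reachable, which is exactly the kind of gap between SDN implementations that the CSA paper warns about.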
But this simple explanation hides a great deal of complexity in terms of deployment, not to mention the difficulty of migrating from existing infrastructures to the virtual networks.
Too Many Choices for Virtual Networks
However, as more network-centric appliances proliferate, virtualizing them makes sense because network traffic patterns and operational requirements change. Many IT departments currently make use of virtual LANs. VLANs perform some of these functions but still rely on physical network gear. SDN makes it easier to add tens or even thousands of VMs and to automate the provisioning of, and changes to, your network infrastructure so you can become more flexible in your operations.
The good news is that SDN is a rapidly evolving marketplace. The bad news is that, like many IT-related innovations, there are several conflicting standards and vendor alignments competing in this space. Anyone who contemplates SDN will have to choose one of the top commercial camps based on the product offering and related standards and how it will integrate with existing security protocols.
“The pace of development and NFV/SDN evolution present an incredible challenge because they are outpacing the ability to fully understand security issues and provide effective controls,” the CSA paper stated. “Furthermore, the lack of consistent standards among SDN implementations can create further gaps in security.”
Be sure to read our next post in this series on the security challenges and increased risks of network function virtualization.