March 22, 2016 By David Strom 2 min read

In the first of this three-part series, “Security and the Virtual Network: Part I,” we discussed how network function virtualization (NFV) and software-defined networks (SDN) are changing the typical enterprise infrastructure.

In a new white paper from Cloud Security Alliance, there is some great information on some security challenges and increased risks of implementing virtual networks.

What Are the Risks?

First, SDN by its very nature has to be centralized around an overall controller that keeps track of the virtual network deployments and operations. This goes against the nature of some cloud computing environments, which are more distributed. Understanding this difference is critical to any successful SDN deployment.

Second, NFV infrastructure may not be compatible with your existing virtual machine hypervisors and cloud servers. Some of these existing cloud-based systems may use their own security apparatus that won’t function in another virtual network.

Third, the typical SDN deployment has its own hardware and management systems that may be unfamiliar to network administrators who are steeped in running traditional networks. This will require training and understanding the new default security settings. Professionals also need to learn new ways to configure the systems properly and ensure that the integrity of network operations is maintained.

Pros and Cons of a Virtual Network

The added complexity of NFV can hide potentially dire consequences. For example, as the Cloud Security Alliance paper stated, “a successful intruder could manipulate underlying network routes to bypass NFV security devices.” It goes on to describe how a malicious user could construct multiple security policies that could hide malware inside normal network traffic.

Another potentially troublesome situation could arise if two or more cloud-based networks were connected in such a way that the SDN controller wasn’t aware of the connecting components and couldn’t manage this traffic.

But not all is gloom and doom when it comes to maintaining a virtual network infrastructure. There are some big benefits that can improve your enterprise security profile, too. For instance, with properly planned NFV, you can build in security functions as part of your network fabric, such as intrusion prevention devices, virtual load balancers and firewalls. As your network expands and changes, the protection changes to match it appropriately.

You can construct a network with dynamic threat responses and a more flexible response because you can quickly provision these resources. “The NFV control plane can quickly provision different types of virtual security appliances, while the SDN controller can steer, intercept or mirror the desired traffic for security inspection, thereby creating a security service chain,” the white paper explained.

Be sure to read our final post in this series, in which we recommend improvements and certain security frameworks for protecting a virtual network.

More from Network

New cybersecurity sheets from CISA and NSA: An overview

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) have recently released new CSI (Cybersecurity Information) sheets aimed at providing information and guidelines to organizations on how to effectively secure their cloud environments.This new release includes a total of five CSI sheets, covering various aspects of cloud security such as threat mitigation, identity and access management, network security and more. Here's our overview of the new CSI sheets, what they address and the key takeaways from each.Implementing…

Databases beware: Abusing Microsoft SQL Server with SQLRecon

20 min read - Over the course of my career, I’ve had the privileged opportunity to peek behind the veil of some of the largest organizations in the world. In my experience, most industry verticals rely on enterprise Windows networks. In fact, I can count on one hand the number of times I have seen a decentralized zero-trust network, enterprise Linux, macOS network, or Active Directory alternative (FreeIPA). As I navigate my way through these large and often complex enterprise networks, it is common…

Easy configuration fixes can protect your server from attack

4 min read - In March 2023, data on more than 56,000 people — including Social Security numbers and other personal information — was stolen in the D.C. Health Benefit Exchange Authority breach. The online health insurance marketplace hack exposed the personal details of Congress members, their families, staff and tens of thousands of other Washington-area residents. It appears the D.C. breach was due to “human error”, according to a recent report. Apparently, a computer server was misconfigured to allow access to data without proper…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today