In the first of this three-part series, “Security and the Virtual Network: Part I,” we discussed how network function virtualization (NFV) and software-defined networks (SDN) are changing the typical enterprise infrastructure.
A new white paper from the Cloud Security Alliance has some great information on the security challenges and increased risks that come with implementing virtual networks.
What Are the Risks?
First, SDN by its very nature has to be centralized around an overall controller that keeps track of the virtual network deployments and operations. This goes against the nature of some cloud computing environments, which are more distributed. Understanding this difference is critical to any successful SDN deployment.
Second, NFV infrastructure may not be compatible with your existing virtual machine hypervisors and cloud servers. Some of these existing cloud-based systems may use their own security apparatus that won’t function in another virtual network.
Third, the typical SDN deployment has its own hardware and management systems that may be unfamiliar to network administrators who are steeped in running traditional networks. This will require training and an understanding of the new default security settings. Professionals also need to learn new ways to configure the systems properly and ensure that the integrity of network operations is maintained.
Pros and Cons of a Virtual Network
The added complexity of NFV can hide potentially dire consequences. For example, as the Cloud Security Alliance paper stated, “a successful intruder could manipulate underlying network routes to bypass NFV security devices.” It goes on to describe how a malicious user could construct multiple security policies that could hide malware inside normal network traffic.
Another potentially troublesome situation could arise if two or more cloud-based networks were connected in such a way that the SDN controller wasn’t aware of the connecting components and couldn’t manage this traffic.
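Both situations above (a route that goes around an NFV security device, and a connection the SDN controller is not aware of) can be audited by comparing the topology the controller intends with the links actually observed in the data plane. The Python below is an added example, not code from the white paper or this series; the node names, link sets and function names are hypothetical, and the sample data is constructed.

```python
from collections import deque

# Constructed sample data (hypothetical node names). Links are directed.
CONTROLLER_LINKS = {("edge", "fw1"), ("fw1", "core"), ("core", "app")}
# Links actually seen in the data plane, e.g. from flow or LLDP collection.
OBSERVED_LINKS = CONTROLLER_LINKS | {("edge", "core"), ("partner-cloud", "app")}
SECURITY_VNFS = {"fw1"}  # virtual firewall that traffic must traverse


def unmanaged_links(observed, known):
    """Links present in the data plane that the controller does not track."""
    return sorted(observed - known)


def bypass_path(links, src, dst, inspectors):
    """Return a src->dst path that avoids every security VNF, or None.

    Breadth-first search over the link graph with the inspector nodes
    removed: any path that still exists is a route around inspection.
    """
    adj = {}
    for a, b in links:
        adj.setdefault(a, []).append(b)
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(adj.get(node, [])):
            if nxt not in parent and nxt not in inspectors:
                parent[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    print("unmanaged:", unmanaged_links(OBSERVED_LINKS, CONTROLLER_LINKS))
    print("intended bypass:", bypass_path(CONTROLLER_LINKS, "edge", "app", SECURITY_VNFS))
    print("observed bypass:", bypass_path(OBSERVED_LINKS, "edge", "app", SECURITY_VNFS))
```

On the constructed data, the intended topology has no uninspected route from `edge` to `app`, while the observed topology does, and both extra links are reported as unmanaged.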
But not all is gloom and doom when it comes to maintaining a virtual network infrastructure. There are some big benefits that can improve your enterprise security profile, too. For instance, with properly planned NFV, you can build in security functions as part of your network fabric, such as intrusion prevention devices, virtual load balancers and firewalls. As your network expands and changes, the protection changes to match it appropriately.
Because you can quickly provision these resources, you can construct a network with dynamic, more flexible threat responses. “The NFV control plane can quickly provision different types of virtual security appliances, while the SDN controller can steer, intercept or mirror the desired traffic for security inspection, thereby creating a security service chain,” the white paper explained.
Be sure to read our final post in this series, in which we recommend improvements and certain security frameworks for protecting a virtual network.