This is the third and final post in a series on new virtual networks and their related technologies. In the first post, “Security and the Virtual Network: Part I,” we discussed how network function virtualization (NFV) and software-defined networks (SDNs) are changing the traditional enterprise infrastructure. Part two explored some security challenges and implementation risks involved with the technology.
In this post, we recommend improvements and certain security frameworks for protecting your virtual network, based on a white paper from the Cloud Security Alliance.
Acclimating to New Technologies
One of the simplest models of NFV is to have a series of virtual machines (VMs), each of which is running a particular security appliance; one could be a firewall, another an intrusion prevention or data loss prevention device, and a third could be running an endpoint protection tool. This is called network function chaining. It isn’t much of a stretch from a typical physical security deployment, but it can get an IT department familiar with basic VM concepts and management frameworks.
The next step up in complexity is to integrate the NFV components into a single management console that is purpose-built for virtualization so that elements of a network firewall are taken into consideration as part of the overall anti-malware protection. The idea here is to force IT staff to manage a single entity rather than having specialized teams that only see a particular domain such as the firewall or the desktop.
While this sounds simple, IT staff have to carefully manage the transition from a physical-only network. “Because deploying a virtual router is much easier than a physical network device, controls should be put in place at the orchestration layer to avoid VNF [virtual network function] sprawl, unintended topology and network flow path changes,” the report stated.
Creating a Secure Virtual Network
A further step is handling the entire virtual infrastructure as a single entity. You want to be able to manage not just the VM hypervisors, but also the entire domain for your network security functions. Part of this includes providing better NFV access control security so that privileged accounts can be limited and controlled properly.
Another aspect is to have “end-to-end trust management in place in the orchestration and management domain,” as the report suggested, so that security roles can be specified properly.
Similarly, operators will have to keep track of the state of the various VMs. “Virtual network components can change their state from hibernation, sleep, resumption, abort, restore, power-on and power-off dynamically. An outdated or a poorly configured or tampered device that suddenly respawns in a network can easily compromise security,” cautioned the report.
The dynamic nature of virtual networks means IT staff have to take time to document their topology and data flows carefully and keep up with any changes to their structure. The report recommended that topology validation be enforced at the orchestration layer and as part of the NFV itself. The authors also suggested putting continuous network monitoring tools in place to help with any forensic analysis and defensive measures.
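To make the orchestration-layer controls above concrete, here is an added example of the kind of validation check an orchestrator could run against its inventory. It is illustrative code written for this post, not from the Cloud Security Alliance report or any NFV product. It models three of the controls the report calls for: a limit on VNF sprawl (more powered-on instances of a role than the declared topology allows, or a role nobody declared), validation of the observed flow path against the declared service chain, and detection of a VNF that respawns from a dormant state carrying a configuration whose hash no longer matches the approved one. The lifecycle state names come from the report's quote; the role names, configurations, instance ids and the assumption that the orchestrator reports each instance's previous state are all constructed for the example.

```python
"""Orchestration-layer sprawl, flow-path and respawn validator (illustrative).

Not code from the CSA report or the original post; all roles, configs, ids and
the previous_state field are constructed assumptions for the example.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Lifecycle states quoted in the report; anything else is treated as unknown.
KNOWN_STATES = {"hibernation", "sleep", "resumption", "abort", "restore",
                "power-on", "power-off"}
# Assumed split: returning from a DORMANT state into an ACTIVE one is a respawn.
DORMANT_STATES = {"hibernation", "sleep", "abort", "power-off"}
ACTIVE_STATES = {"power-on", "resumption", "restore"}


@dataclass(frozen=True)
class DeclaredTopology:
    chain: Tuple[str, ...]           # ordered roles traffic must traverse
    max_instances: Dict[str, int]    # role -> max concurrently powered-on VMs
    approved_config: Dict[str, str]  # role -> sha256 hex of the approved config


@dataclass
class VnfInstance:
    vnf_id: str
    role: str
    state: str
    config: str                      # rendered configuration as reported
    previous_state: Optional[str] = None  # assumed to be tracked by orchestrator


def config_hash(config: str) -> str:
    return hashlib.sha256(config.encode("utf-8")).hexdigest()


def validate(topology: DeclaredTopology, instances: List[VnfInstance],
             observed_chain: List[str]) -> List[str]:
    """Return findings; an empty list means the live network matches the declaration."""
    findings: List[str] = []

    # 1. Sprawl: count powered-on instances per role against declared limits.
    running: Dict[str, int] = {}
    for inst in instances:
        if inst.state not in KNOWN_STATES:
            findings.append(f"{inst.vnf_id}: unknown state '{inst.state}'")
        if inst.state == "power-on":
            running[inst.role] = running.get(inst.role, 0) + 1
    for role, count in running.items():
        limit = topology.max_instances.get(role)
        if limit is None:
            findings.append(f"sprawl: role '{role}' not in declared topology ({count} running)")
        elif count > limit:
            findings.append(f"sprawl: {count} '{role}' instances running, limit {limit}")

    # 2. Flow path: the observed service chain must match the declared one exactly.
    if tuple(observed_chain) != topology.chain:
        findings.append(f"topology: observed chain {list(observed_chain)} "
                        f"!= declared {list(topology.chain)}")

    # 3. Respawn with drift: a VNF back from a dormant state must still carry the
    #    approved configuration; otherwise treat it as outdated or tampered.
    for inst in instances:
        if inst.state in ACTIVE_STATES and inst.previous_state in DORMANT_STATES:
            expected = topology.approved_config.get(inst.role)
            if expected is not None and config_hash(inst.config) != expected:
                findings.append(f"{inst.vnf_id}: respawned from "
                                f"{inst.previous_state} with unapproved config")
    return findings


# --- constructed sample data (not from any real deployment) -------------------
FIREWALL_CFG = "policy: deny-all\nallow: tcp/443 from dmz\n"
IPS_CFG = "ruleset: v12\nmode: inline\n"
DLP_CFG = "patterns: card-numbers\naction: block\n"

TOPOLOGY = DeclaredTopology(
    chain=("firewall", "ips", "dlp"),
    max_instances={"firewall": 2, "ips": 2, "dlp": 1},
    approved_config={"firewall": config_hash(FIREWALL_CFG),
                     "ips": config_hash(IPS_CFG),
                     "dlp": config_hash(DLP_CFG)},
)


def healthy_instances() -> List[VnfInstance]:
    return [VnfInstance("fw-01", "firewall", "power-on", FIREWALL_CFG),
            VnfInstance("ips-01", "ips", "power-on", IPS_CFG),
            VnfInstance("dlp-01", "dlp", "power-on", DLP_CFG)]


def drifted_instances() -> List[VnfInstance]:
    return healthy_instances()[:2] + [
        # DLP VM resumed from hibernation with an older "log only" ruleset.
        VnfInstance("dlp-01", "dlp", "resumption",
                    "patterns: card-numbers\naction: log\n",
                    previous_state="hibernation"),
        # Two extra firewall VMs cloned by a test team, plus an undeclared router.
        VnfInstance("fw-02", "firewall", "power-on", FIREWALL_CFG),
        VnfInstance("fw-03", "firewall", "power-on", FIREWALL_CFG),
        VnfInstance("rtr-99", "router", "power-on", "static routes\n"),
    ]


def demo_clean() -> List[str]:
    return validate(TOPOLOGY, healthy_instances(), ["firewall", "ips", "dlp"])


def demo_drift() -> List[str]:
    # Observed flow path skips the IPS: an unintended flow-path change.
    return validate(TOPOLOGY, drifted_instances(), ["firewall", "dlp"])
```

Running `demo_drift()` yields four findings: firewall sprawl over the declared limit, an undeclared router role, a flow path that bypasses the IPS, and the DLP instance that came back from hibernation with a configuration hash the orchestrator never approved. Feeding the findings to the continuous monitoring tooling the report recommends gives forensic work a record of when the live network first diverged from its documented topology.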