March 29, 2016 By David Strom

This is the third and final post in a series on new virtual networks and their related technologies. In the first post, “Security and the Virtual Network: Part I,” we discussed how network function virtualization (NFV) and software-defined networks (SDNs) are changing the traditional enterprise infrastructure. Part two explored some security challenges and implementation risks involved with the technology.

In this post, we recommend improvements and certain security frameworks for protecting your virtual network based on a white paper from Cloud Security Alliance.

Acclimating to New Technologies

One of the simplest models of NFV is to have a series of virtual machines (VMs), each of which is running a particular security appliance; one could be a firewall, another an intrusion prevention or data loss prevention device, and a third could be running an endpoint protection tool. This is called network function chaining. It isn’t much of a stretch from a typical physical security deployment, but it can get an IT department familiar with basic VM concepts and management frameworks.

The next step up in complexity is to integrate the NFV components into a single management console that is purpose-built for virtualization so that elements of a network firewall are taken into consideration as part of the overall anti-malware protection. The idea here is to force IT staff to manage a single entity rather than having specialized teams that only see a particular domain such as the firewall or the desktop.

While this sounds simple, an IT staff has to carefully manage the transition from the physical-only network. “Because deploying a virtual router is much easier than a physical network device, controls should be put in place at the orchestration layer to avoid VNF [virtual network function] sprawl, unintended topology and network flow path changes,” the report stated.

Creating a Secure Virtual Network

A further step is handling the entire virtual infrastructure as a single entity. You want to be able to manage not just the VM hypervisors, but also the entire domain for your network security functions. Part of this includes providing better NFV access control security so that privileged accounts can be limited and controlled properly.

Another aspect is to have “end-to-end trust management in place in the orchestration and management domain,” as the report suggested. This is so security roles can be properly specified.

Similarly, operators will have to keep track of the state of the various VMs. “Virtual network components can change their state from hibernation, sleep, resumption, abort, restore, power-on and power-off dynamically. An outdated or a poorly configured or tempered device that suddenly respawns in a network can easily compromise security,” cautioned the report.

The dynamic nature of virtual networks means IT staff have to take the time to document their topology and data flows carefully and keep up with any changes to their structure. The report recommended that topology validation be enforced at the orchestration layer and as part of the NFV itself. The authors also suggested putting continuous network monitoring tools in place to help with any forensic analysis and defensive measures.
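The sketch below is an added example, not code from the report or from any orchestration product. It shows one way an orchestration-layer check could compare an observed snapshot against an approved baseline to catch VNF sprawl, unintended flow-path changes and a stale device re-entering the network. All VNF names, state labels, version numbers and the snapshot are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed baseline: approved VNFs mapped to their minimum acceptable
# config version, plus the approved flow edges of the service chain.
APPROVED_VNFS = {"fw-1": 7, "ips-1": 4, "dlp-1": 2}
APPROVED_FLOWS = {("edge", "fw-1"), ("fw-1", "ips-1"),
                  ("ips-1", "dlp-1"), ("dlp-1", "core")}
# Hypothetical state labels for a VNF that has just re-entered the network.
REENTRY_STATES = {"resumed", "restored", "powered-on"}

@dataclass(frozen=True)
class Vnf:
    name: str
    state: str
    config_version: int

def validate(vnfs, flows):
    """Return a sorted list of (kind, detail) findings for one snapshot."""
    findings, seen, flows = [], set(), set(flows)
    for v in vnfs:
        seen.add(v.name)
        if v.name not in APPROVED_VNFS:
            findings.append(("sprawl", v.name))          # unapproved VNF
        elif (v.state in REENTRY_STATES
              and v.config_version < APPROVED_VNFS[v.name]):
            findings.append(("stale-reentry", v.name))   # outdated respawn
    for name in APPROVED_VNFS.keys() - seen:
        findings.append(("missing", name))               # chain hop absent
    for src, dst in flows - APPROVED_FLOWS:
        findings.append(("unapproved-flow", f"{src}->{dst}"))
    for src, dst in APPROVED_FLOWS - flows:
        findings.append(("broken-chain", f"{src}->{dst}"))
    return sorted(findings)

# Constructed snapshot: an ad hoc virtual router was added and the IPS
# was restored from an older configuration.
OBSERVED_VNFS = [Vnf("fw-1", "running", 7), Vnf("ips-1", "restored", 3),
                 Vnf("dlp-1", "running", 2), Vnf("vrouter-tmp", "running", 1)]
OBSERVED_FLOWS = [("edge", "fw-1"), ("fw-1", "ips-1"), ("ips-1", "dlp-1"),
                  ("dlp-1", "core"), ("fw-1", "vrouter-tmp"),
                  ("vrouter-tmp", "core")]

if __name__ == "__main__":
    for kind, detail in validate(OBSERVED_VNFS, OBSERVED_FLOWS):
        print(f"{kind}: {detail}")
```

The same findings list can feed the continuous monitoring the report calls for, since each entry records what changed relative to the documented topology.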
