This is the third and final post in a series on new virtual networks and their related technologies. In the first post, “Security and the Virtual Network: Part I,” we discussed how network function virtualization (NFV) and software-defined networks (SDNs) are changing the traditional enterprise infrastructure. Part two explored some security challenges and implementation risks involved with the technology.

In this post, we recommend improvements and certain security frameworks for protecting your virtual network based on a white paper from Cloud Security Alliance.

Acclimating to New Technologies

One of the simplest models of NFV is to have a series of virtual machines (VMs), each of which is running a particular security appliance; one could be a firewall, another an intrusion prevention or data loss prevention device, and a third could be running an endpoint protection tool. This is called network function chaining. It isn’t much of a stretch from a typical physical security deployment, but it can get an IT department familiar with basic VM concepts and management frameworks.

The next step up in complexity is to integrate the NFV components into a single management console that is purpose-built for virtualization so that elements of a network firewall are taken into consideration as part of the overall anti-malware protection. The idea here is to force IT staff to manage a single entity rather than having specialized teams that only see a particular domain such as the firewall or the desktop.

While this sounds simple, an IT staff has to carefully manage the transition from the physical-only network. “Because deploying a virtual router is much easier than a physical network device, controls should be put in place at the orchestration layer to avoid VNF [virtual network function] sprawl, unintended topology and network flow path changes,” the report stated.

Creating a Secure Virtual Network

A further step is handling the entire virtual infrastructure as a single entity. You want to be able to manage not just the VM hypervisors, but also the entire domain for your network security functions. Part of this includes providing better NFV access control security so that privileged accounts can be limited and controlled properly.

Another aspect is to have “end-to-end trust management in place in the orchestration and management domain,” as the report suggested. This is so security roles can be properly specified.

Similarly, operators will have to keep track of the state of the various VMs. “Virtual network components can change their state from hibernation, sleep, resumption, abort, restore, power-on and power-off dynamically. An outdated or a poorly configured or tampered device that suddenly respawns in a network can easily compromise security,” cautioned the report.

Virtual networks’ dynamic nature means IT staff have to take time to document their topology and data flows carefully and keep up with any changes to that structure. The report recommended that topology validation be enforced both at the orchestration layer and as part of the NFV itself. The authors also suggested putting continuous network monitoring tools in place to support forensic analysis and defensive measures.
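As an added illustration (not code from the article or the CSA white paper), here is a small orchestration-layer validation check in Python that covers both the respawn concern and the topology validation recommendation above: it compares the VNF inventory, image versions, configuration hashes and flow path the orchestrator expects with what is observed on the network, and flags VNF sprawl, missing chain elements, outdated or drifted instances, and flow-path changes. All instance names, image tags and hashes are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vnf:
    name: str
    image: str         # image tag the instance is running
    config_hash: str   # hash of the instance's effective configuration

# Approved state as the orchestration layer declares it (constructed sample data)
APPROVED = {
    "fw-01":  Vnf("fw-01",  "fw:2.4",  "a1f3"),
    "ips-01": Vnf("ips-01", "ips:7.1", "9c0d"),
    "dlp-01": Vnf("dlp-01", "dlp:3.0", "44e2"),
}
APPROVED_PATH = ["fw-01", "ips-01", "dlp-01"]   # service chain order, ingress to egress

def validate(observed: dict, observed_path: list) -> list:
    """Compare the observed VNF inventory and flow path with the approved state.
    Returns (severity, message) findings; an empty list means no drift."""
    findings = []
    # VNF sprawl: instances that orchestration never approved
    for name in observed:
        if name not in APPROVED:
            findings.append(("high", f"unapproved VNF {name} on network (sprawl)"))
    # Chain elements that disappeared (e.g. a VM left in hibernation)
    for name in APPROVED:
        if name not in observed:
            findings.append(("high", f"approved VNF {name} missing"))
    # Respawned instances that drifted from the approved image or configuration
    for name in sorted(APPROVED.keys() & observed.keys()):
        base, inst = APPROVED[name], observed[name]
        if inst.image != base.image:
            findings.append(("medium", f"{name} runs {inst.image}, approved {base.image}"))
        if inst.config_hash != base.config_hash:
            findings.append(("high", f"{name} config drift (possible tampering)"))
    # Traffic must traverse the chain in the declared order, with no bypass
    if observed_path != APPROVED_PATH:
        findings.append(("high", f"flow path {observed_path} differs from approved chain"))
    return findings

def sample_run() -> list:
    """Constructed scenario: old firewall respawned, rogue router, IPS bypassed."""
    observed = {
        "fw-01":  Vnf("fw-01",  "fw:2.1",  "a1f3"),   # outdated image respawned
        "ips-01": Vnf("ips-01", "ips:7.1", "9c0d"),
        "dlp-01": Vnf("dlp-01", "dlp:3.0", "44e2"),
        "rtr-99": Vnf("rtr-99", "rtr:1.0", "0000"),   # never approved by orchestration
    }
    return validate(observed, ["fw-01", "dlp-01"])
```

In a real deployment the observed inventory would come from the hypervisor or SDN controller API and the approved state from the orchestrator's source of truth; the comparison logic stays the same.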
