

With new NFV infrastructure comes new NFV security

Service providers are rapidly adopting NFV infrastructure, but addressing NFV security in the process is essential, with network and security teams working together.

Network functions virtualization, or NFV, brings significant opportunities to improve network security, but with it come new challenges to secure these virtual networks. Service providers must consider how adopting dynamic NFV infrastructure will affect their overall security frameworks. Service provider plans need to build in NFV security when rolling out various NFV applications and virtual network functions, or VNFs.

As they migrate to NFV infrastructure, providers must maintain high reliability and security in their networks, because virtualization and its associated data center resources have different security challenges than traditional black box telecommunications equipment.

Service providers must now be concerned with securing their large flows of east-west traffic, as well as numerous API-to-API communications sessions. Running multiple applications on common data resources -- a key benefit of NFV -- blurs resource boundaries and complicates the process of applying specific security policies. The dynamic workload capability of NFV makes simply inserting security difficult; instead, it must be built into NFV platforms and applications. NFV adds complexity, as traditional network security is challenged by asymmetries created by multiple, redundant network paths and devices.

Some security threats to the virtual telecom network include:

The open, multivendor nature of NFV infrastructure means greater exposure for sensitive customer data. Service providers should plan for broader use of encryption -- especially for open API-to-API communications. Due to constantly shifting traffic and workloads in NFV, lawful interception -- a requirement for most providers -- is also more challenging in a virtual environment.

NFV security benefits for telecom

The benefits NFV brings to the telecom infrastructure as a whole can be applied to network security. NFV provides significant advantages in terms of agility, scalability and cost-effective use of data center resources. NFV can provide more control and flexibility to network operators, which enables security capabilities that are simply not possible or cost-effective in a traditional environment. For example, service providers can roll out tap-as-a-service capabilities, allowing them to see real-time traffic flows on more parts of the network than previously possible. Centralized control via SDN enables operators to have a real-time, global network view, which is useful for detecting network anomalies.

Implementing NFV security

Because NFV represents a new way of building networks, network security design must adapt to the virtual, open and dynamic networks of the future. New NFV deployments should, if possible, integrate security in each layer of infrastructure. Providers adopting OpenStack as the NFV infrastructure platform will need to harden and secure commercial OpenStack distributions to meet their requirements. At the management and orchestration layer, service providers need to include security management and automation capabilities. And at the application layer, VNFs will need a templated security policy to ensure rapid distribution of new services.

Service providers can leverage SDN in conjunction with NFV to centralize and automate network security. NFV can quickly provision different types of virtual security appliances, while the SDN controller can identify and route suspicious traffic for security inspection.


For secure virtualized networks, providers can work with a broad variety of suppliers, including traditional network equipment providers, such as Cisco, Ericsson and Nokia; IT players, like Hewlett Packard Enterprise, Oracle and IBM; semiconductor suppliers, such as Intel and NXP Semiconductors; and a multitude of network security specialists, including Palo Alto Networks, F5, Fortinet and Check Point Software Technologies. Integrating this wealth of IT and network security into providers' existing physical and virtual networks will be a significant challenge, and it may require system-integration resources.

Recommendations for service providers

NFV is rapidly transforming the traditional telecom network into a mix of physical and virtual assets. NFV brings both significant security challenges and opportunities to take a new approach to network security. The trusted security perimeter is rapidly eroding, and service providers must secure traffic inside the network, as well as outside. With careful planning and deployment, NFV can improve network security by providing automation, fine-grained controls and cost-effective scalability. 

NFV security is becoming a policy and an organizational issue for leading service providers. IT, security and network teams must work closely together to plan, manage and operate virtual and physical networks. Providers should plan for security across the application lifecycle, as new VNFs are rapidly deployed in the network. They should develop a template for enabling security services for new applications. Service providers should leverage off-the-shelf security software, but need to customize and integrate network security to meet their specific requirements.


This was last published in September 2016
