Carriers and network service providers have unprecedented opportunities to provide more flexible and effective security services to their customers with the advent of NFV and SDN.
With software-defined networking, network service providers can far more easily adopt zero-trust models for networking across shared infrastructures. One of the primary reasons people deploy SDN technologies is to achieve network microsegmentation of infrastructure, which implements fine-grained restrictions on which network entities -- physical or virtual machines, containers or network segments -- can talk to other entities.
Network microsegmentation is foundational to zero-trust architectures. In a microsegmented model, the network knows which systems are allowed to talk to which other systems, in which ways and under what circumstances. Network microsegmentation lets sanctioned traffic pass, lets each network node see only the peers it needs to talk to or listen to, and hides the rest.
True zero-trust security has to layer on various other protections, including traffic inspection and mutual authentication of the systems communicating with each other. This is the "trust, but verify" approach: trust the network, but verify the communications and the partner.
In an SDN environment, some of this processing can be done using data plane devices as distributed policy enforcement points. Network functions virtualization (NFV) offers further help to the service provider implementing zero-trust models by making it easier to package security processing as virtual network functions (VNFs) and download them as needed to compute nodes proximate to the traffic being processed, immediately before or after it in the path.
Network microsegmentation enables new security services
SDN also makes it easier to implement dynamic security services with greater client control, thanks to the inherent programmability of SDN products. For example, SDN can simplify implementing client portal-based control of segmentation in a zero-trust environment, leading to a more responsive and flexible service.
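To make the microsegmentation model above concrete, here is an added example (not code from the article or any SDN product) of a default-deny policy enforcement point of the kind a data plane device would apply: it maps endpoints to segments, allows only sanctioned segment-to-segment paths, can require mutual authentication on a path before it opens, and accepts rule changes of the sort a client portal would push through the controller. The segment addresses, rules and port numbers are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src_seg: str
    dst_seg: str
    proto: str
    dport: int
    require_mtls: bool = False  # "verify the partner" before the path opens

# Constructed segment map (hypothetical addresses, not taken from the article).
SEGMENTS = {
    "web": ip_network("10.1.0.0/24"),
    "app": ip_network("10.2.0.0/24"),
    "db": ip_network("10.3.0.0/24"),
}

def segment_of(addr):
    # Map an address to its segment; an unknown address belongs to no segment.
    ip = ip_address(addr)
    return next((name for name, net in SEGMENTS.items() if ip in net), None)

class EnforcementPoint:
    # Default-deny policy of the kind a data plane device enforces for the controller.
    def __init__(self, rules):
        self.rules = set(rules)

    def add_rule(self, rule):  # a portal-driven change pushed down by the controller
        self.rules.add(rule)

    def decide(self, src, dst, proto, dport, mtls_ok=False):
        s, d = segment_of(src), segment_of(dst)
        if s is None or d is None:
            return "deny: unsegmented endpoint"
        for r in self.rules:
            if (r.src_seg, r.dst_seg, r.proto, r.dport) == (s, d, proto, dport):
                if r.require_mtls and not mtls_ok:
                    return "deny: mutual authentication required"
                return "allow"
        return "deny: no sanctioned path"

    def visible_from(self, seg):
        # What a node in `seg` may see at all; every other segment stays hidden.
        return sorted({r.dst_seg for r in self.rules if r.src_seg == seg})

POLICY = EnforcementPoint([
    Rule("web", "app", "tcp", 8443),
    Rule("app", "db", "tcp", 5432, require_mtls=True),
])
```

Anything not matched by a rule is denied, so the web segment can reach the application tier but never the database directly, and the application tier reaches the database only once mutual authentication has succeeded.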
SDN can ease traffic profiling and monitoring, again by making it possible to distribute the work across data plane devices. NFV offers even more leverage. Broader and deeper monitoring is necessary to build an accurate picture of "normal" traffic, which is the baseline of behavior necessary to perform network behavioral threat analysis. This is a key new security service providers could and should be offering.
NFV makes it possible to consolidate the functions of many special-purpose appliances traditionally placed on the customer side of the network into a single, universal customer-premises equipment (uCPE) box. This is more than a traditional multifunction device like a router or a unified threat management security appliance because NFV allows new functionality to be downloaded on demand, to supplement or replace older functions without touching the hardware.
So, NFV offers a no-Capex, no-truck-roll approach to adding and upgrading security functionality via as-needed downloads of VNFs to a uCPE box.
In addition, the ability to distribute the work to the edge can be especially helpful with security analytics and other processor-intensive tasks. For example, NFV-based analytics can push preliminary analysis of network usage data to the CPE devices. The service provider core is then left to aggregate the preprocessed usage data from all wide area network locations and to perform the deeper analysis of the aggregate, looking for anomalous behavior in the WAN as a whole.
Between them, NFV and SDN give network service providers unprecedented opportunities to design detailed network microsegmentation in order to develop, deploy and provide more flexible and effective security services to their customers.