By: Jesse Cryderman
Network virtualization is the hottest innovation to occur in the telecom space since wireless itself; perhaps even more so because it alters our communication framework on such a fundamental level. Some who have been in the telecom space much longer might disagree, but I contend that we are in the process of completely changing the fabric of networking itself, and it is revolutionary.
Virtualization is changing the way vendors and service providers envision their respective future. And it’s moving faster every day. But how does network virtualization differ from software defined networking (SDN) and network functions virtualization? And, more importantly, how does it impact network security?
There are three key concepts that need to be defined in order to effectively address security concerns: network functions virtualization (NFV), software defined networking (SDN) and network virtualization.
Network Functions Virtualization (NFV): Just as the name suggests, the goal of NFV is to abstract physical networking components into software applications that can be run on off-the-shelf x86 servers via virtualization technology. This reduces equipment costs and power consumption, enables quicker delivery of services and offers the ability to scale up or down. These benefits and more are why NFV has been interesting to service providers, as it allows them to launch revenue-generating network services quicker, and also enable network functions to be delivered without hardware dependencies.
Software Defined Networking (SDN): How is NFV different from SDN? The SDN architecture comprises a centralized controller (by separating the control plane from the management plane), along with the ability to support programmable flows, orchestrated by management systems. An SDN architecture may include NFV to virtualize elements in the network. Network functions virtualization fits in an SDN architecture, but is not required. As described by the European Telecommunications Standards Institute (ETSI) in their NFV whitepaper, “Network Functions Virtualization is highly complementary to Software Defined Networking (SDN), but not dependent on it (or vice versa).”
Network virtualization: The challenge with NFV is that even though network functions are virtualized, you still need to configure a number of network devices, albeit virtual machines. Network virtualization provides an abstraction of the virtual network from physical appliances via a high-speed physical switch fabric so that no physical rewiring is needed. The virtual network is a “container” of network services provisioned by software, very similar to a VM operational model (CPU, memory, I/O etc.). This virtual network also facilitates the mobility and adjacency of virtual servers in the network. Note that network virtualization is sometimes associated with SDN because a network controller who understands how the networking devices are connected and how to configure them is present. In addition, network virtualization may be complementary to NFV if network services are delivered on virtualized servers.
SDN on its own--that is the separation of control versus data plane, does not inherently provide operational simplification. Similarly, while NFV has a number of benefits because of the virtualization elements, operational simplification may not be achieved because of the need to touch multiple virtualized devices. Network virtualization in contrast, even without SDN and NFV, delivers significant operational efficiencies.
Network virtualization delivers a number of benefits, but there are also numerous impacts on security that must be considered. In fact, the risks are greater in the virtualized environment, as the number of attacks and virtual services is increasing, there are less physical protections in place, and the platform is still evolving and not as robust or defined like good old fashioned telecom iron.
Pipeline had a chance to speak with Adam Boone, CMO, Certes Networks, to gain some insight into these security challenges. Certes protects data traffic for banks, hospitals, governments, universities, retail businesses and more. The company introduced its first virtualized security product in 2012; with it, IT organizations can either employ this as a specific piece of hardware or a software-only version—a virtualized version that can exist in the cloud or NFV applications.
"Virtualization is another dimension that is introducing new security requirements into the enterprise," said Boone. "You can no longer be certain where application functions are taking place; now various elements are being pushed into the cloud. Organizations must evaluate every aspect of the data and its protection the exact same way as they would in non-virutalized environments."
How and where is your data moving? Which external companies are allowed access to IT systems through federation? Who has control of your encryption and the keys for your encryption? Do mobile applications that run on employee devices in a BYOD environment pose a risk for data exposure? Service providers must double down on data protection in a virtual environment.
Additionally, traditional security policies don't match the traffic flows of a virtualized environment. Since network virtualization facilitates movement of virtual servers, it is paramount that a network security solution has the capability to set dynamic policies. These policies should be updated seamlessly when virtual workloads move around.