
Service Providers Need an Intelligent Approach to NFV Security

By Special Guest
Dilip Pillaipakam, VP of service provider strategy and products at Infoblox
June 15, 2017

By replacing dedicated network appliances, such as routers and firewalls, with software running on commercial, off-the-shelf servers, Network Functions Virtualization (NFV) is transforming the way communication service providers (CSPs) deliver network services.

And the benefits that NFV offers are becoming increasingly clear to CSPs in the Middle East. As well as cutting operating costs and reducing the need for truck rolls to deploy new hardware, it allows operators to introduce new services faster.

But with more network functionality than ever before being implemented in software, NFV brings some security considerations of its own, particularly when an organization moves its Domain Name System (DNS) infrastructure onto an NFV platform.

Planning such a transition requires extra thought about the protection that will be in place. Many operators still rely on open source or commodity software, for example, to protect their virtualized environments, which can carry risks they are not aware of.

A more intelligent approach

Firewalls, intrusion detection tools and other traditional security solutions tend not to be designed with DNS protection in mind, especially in an NFV environment. Some aspects of NFV, such as centralization and virtual machine (VM)-level security, can offer improved protection.

However, the increased flexibility and higher level of configuration available can potentially result in network functions being misconfigured, which can open up new attack vectors.

And even if these configuration issues don’t actually lead to security being compromised, the cascading effect they can create can impair the overall functionality of a network by giving the appearance of security issues where there are none.

But, of course, genuine malicious actions do exist.

Network resources can be quickly overwhelmed by a DNS-based DDoS attack which, by generating more resolution requests than the DNS system can handle, will prevent legitimate requests from being resolved and effectively shut down the network.

Attackers can also poison DNS answers, replacing a valid IP address with one that redirects the requestor to a malicious site. In other cases, individual VMs are used for DNS tunnelling, in which data is encoded (and often encrypted) inside DNS queries and responses and exfiltrated through a channel that traditional security software does not normally inspect.

Furthermore, VMs, in common with physical hardware, are susceptible to infection by malware. If a machine isn’t quarantined sufficiently quickly after becoming infected, the infection can rapidly spread, disrupting the functionality of other machines throughout the network from within.

Built in, not bolted on

Such examples serve to illustrate why DNS-based security needs additional attention, and why monitoring the virtualized environment requires a different set of tools from those used in traditional network security.

Rather than being bolted on, DNS security needs to be built into the NFV architecture. The integration of DNS-specific protection will help minimize any gaps in coverage that may be overlooked by add-on solutions, and exploited by attackers.

Response must also be fast enough to limit the impact of any attack that does get through. For example, the virtual environment must be able to add resources rapidly by spinning up new VMs without manual operator intervention. Automatically adding capacity in this way, while at the same time mitigating the attack, keeps the service available and reduces the risk of lost productivity and revenue.

NFV-based security ought to be capable of detecting previously unknown threats such as zero-day vulnerabilities by continuously analyzing network behavior while simultaneously defending against established threats.

Virtualized infrastructure should be able to track provisioned VMs, analyze their IP addresses, and monitor all DNS traffic to detect suspicious behavior as it occurs. It should also be able to quarantine infected VMs when necessary to prevent the infection from spreading.
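To make the kind of per-VM DNS monitoring described above concrete, here is an added example (not Infoblox code and not part of the original article) that runs two simple detectors over a constructed DNS query log: a per-client query-rate check for the flood scenario, and a subdomain-length/entropy check for the tunnelling scenario, then lists the VMs that a quarantine step would act on. The log format, the IP addresses, the zone names and the thresholds are all assumptions made for this illustration; the "last two labels are the zone" rule is a deliberate simplification.

```python
"""Toy DNS-traffic monitor for an NFV environment (added example, not vendor code).

Assumed log format, one query per line:  <epoch-seconds> <client-ip> <qname> <qtype>
All IPs, names and thresholds below are constructed for the illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed sample: ordinary lookups from three VMs, plus four TXT queries
# from 10.0.1.9 whose leftmost label carries base64-looking payload (tunnel).
SAMPLE_LOG = """
1497500000 10.0.1.5 www.example.com A
1497500001 10.0.1.5 mail.example.com MX
1497500002 10.0.1.7 ntp.example.org A
1497500002 10.0.1.9 www.example.com A
1497500002 10.0.1.9 dGhpcyBpcyBzZWNyZXQ.a3.evil-tunnel.test TXT
1497500003 10.0.1.9 ZmlsZSBjb250ZW50cw.a4.evil-tunnel.test TXT
1497500003 10.0.1.9 c3RvbGVuIGNyZWRz.a5.evil-tunnel.test TXT
1497500004 10.0.1.9 bW9yZSBkYXRhIGhlcmU.a6.evil-tunnel.test TXT
"""
# Constructed flood: one VM fires 120 distinct queries within a single second.
FLOOD_LINES = "\n".join(f"1497500005 10.0.1.12 r{i}.example.com A" for i in range(120))


def parse_log(text):
    """Parse the assumed log format into (ts, src, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, qname, qtype = line.split()
        records.append((int(ts), src, qname.lower().rstrip("."), qtype))
    return records


def shannon_entropy(s):
    """Bits of entropy per character; base64-like labels score well above hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def find_query_floods(records, per_second_threshold=50):
    """Clients exceeding the per-second query threshold -> their peak 1-second count."""
    per_second = Counter((src, ts) for ts, src, _, _ in records)
    flooders = {}
    for (src, ts), n in per_second.items():
        if n > per_second_threshold:
            flooders[src] = max(n, flooders.get(src, 0))
    return flooders


def find_tunnel_suspects(records, min_unique=4, min_label_len=12, min_entropy=3.0):
    """(client, zone) pairs whose many unique, long, high-entropy leftmost labels
    look like data encoded into subdomains. Zone = last two labels (simplification)."""
    first_labels = defaultdict(set)
    for _, src, qname, _ in records:
        labels = qname.split(".")
        if len(labels) < 3:          # nothing below the zone apex to hide data in
            continue
        zone = ".".join(labels[-2:])
        first_labels[(src, zone)].add(labels[0])
    suspects = {}
    for key, uniq in first_labels.items():
        if len(uniq) < min_unique:
            continue
        avg_len = sum(len(l) for l in uniq) / len(uniq)
        avg_ent = sum(shannon_entropy(l) for l in uniq) / len(uniq)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            suspects[key] = (f"{len(uniq)} unique labels, mean length {avg_len:.1f}, "
                             f"mean entropy {avg_ent:.2f} bits/char")
    return suspects


def quarantine_candidates(records):
    """Sorted client IPs that either detector flagged: the VMs to isolate."""
    flagged = set(find_query_floods(records))
    flagged.update(src for src, _ in find_tunnel_suspects(records))
    return sorted(flagged)


RECORDS = parse_log(SAMPLE_LOG + "\n" + FLOOD_LINES)

if __name__ == "__main__":
    for src, n in find_query_floods(RECORDS).items():
        print(f"flood:   {src} sent {n} queries in one second")
    for (src, zone), why in find_tunnel_suspects(RECORDS).items():
        print(f"tunnel?: {src} -> {zone}: {why}")
    print("quarantine:", quarantine_candidates(RECORDS))
```

Note that the flooding VM generates 120 unique subdomains but is not flagged as a tunnel, because its labels are short and low-entropy; the two detectors deliberately look at different features, which is why the quarantine step combines them rather than relying on either alone.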

And importantly, while threats such as DDoS attacks may come from outside the firewall, malware on existing VMs can be just as dangerous. For this reason, any DNS-based security for NFV should include internal analysis and resource tracking as well as external.

Lastly, we’ve seen how issues around configuration can cause security and performance problems, illustrating the need for network discovery and automation tools which are able to determine correctly – and incorrectly – configured network functions, and identify potential issues.

NFV is emerging as the next stage in creating highly dynamic, automated networks. But, as technology continues to evolve, so network planning must evolve with it, managing the risks while reaping the rewards. Security must be addressed at the implementation stage rather than seen as an afterthought. Only then can service providers enjoy a flexible and transparent network that will meet their current and future needs, while continuing to protect their most valuable resources.

Edited by Alicia Young
