SDN and NFV to Go Mainstream in 2015: But What Are the Security Implications?

4Q 2014 | IN-3446

With the recent evolution of data centers, software-defined networking (SDN) and network functions virtualization (NFV) provide complementary approaches that offer a new way to design, deploy, and manage the network and its services. However, these approaches require a new focus on security: virtualization technology is the target of many new potential threats and exploits, and presents new vulnerabilities that must be managed.

Race to Virtualization Set to Intensify


Data centers have evolved from owned physical entities to potentially outsourced, virtualized, and geographically distributed infrastructures. Virtualization relies on an encapsulating software layer, the hypervisor or virtual machine monitor (VMM), that sits beneath each guest operating system and presents the same inputs, outputs, and behavior the guest would expect from a physical machine. Today, the data center has reached a tipping point. Over the years, complexity has crept into the network in an attempt to accommodate the growth of applications; now a solution is needed to tackle the scalability problems of large-scale cloud deployments.

Software-defined networking (SDN) and network functions virtualization (NFV) are complementary approaches that offer a new way to design, deploy, and manage the network and its services. NFV decouples network functions such as network address translation (NAT), firewalling, intrusion detection, the Domain Name System (DNS), and caching from proprietary hardware appliances, so that these functions can run as software on standard servers. Beyond reducing dependency on dedicated hardware appliances, virtualizing network functions also reduces the complexity of introducing new services across the entire network. The goal of SDN is to separate the control plane from the data forwarding plane in the network architecture, so that forwarding behavior is programmed centrally rather than configured device by device, bringing more flexibility to the deployment and management of networks.

Virtualization Requires a New Security Mindset


While virtualization offers a significant number of benefits to enterprises, it also comes with a set of challenges. Virtualization technology is the focus of many new potential threats and exploits, and presents new vulnerabilities that must be managed: the hypervisor becomes a single component whose compromise exposes every guest on the host, and traffic between virtual machines on the same host never crosses a physical appliance, so it is invisible to controls deployed at the physical network edge. In addition, there is a vast number of configuration options that security and system administrators need to understand, and an added layer of complexity that operations teams have to manage. Virtualization platforms also connect to the network infrastructure and to storage networks, and require careful planning with regard to access controls, user permissions, and traditional security controls.

The majority of organizations are still using the same tools for their virtualized environments, i.e., antivirus and firewalls, that they used for their in-house physical machine setups. This shows that virtualization security is still being treated as an afterthought, as businesses make do with the security policies, processes, and tools they would use in a physical environment. Rules written against fixed IP addresses and host names assume workloads that stay put; virtual machines are cloned, migrated, and rebuilt, and their addresses are reused. This approach leaves organizations open to the risk of cyberattack, because they fail to realize that a new security mindset is required.

“Virtualization-Aware” Security Solutions Will Be Required


Ideally, security is something that must be built in at the design stage of the data center, and security controls should be developed for each modular component of the data center: servers, storage, data, and network. It is important for data center operators to develop and enforce policies that are context-, identity-, and application-aware, and that can be applied consistently across physical, virtual, and cloud environments, so that a workload keeps the same policy wherever it runs. It is necessary to monitor everything continuously at the network level in order to see all assets, physical and virtual, that reside on the LAN, as well as all interconnections between them. The inventory must also cover assets that are offline: a powered-down virtual machine image still holds credentials and unpatched software, and it will return to the network in exactly that state when it is next started.
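The identity-aware policy described above, and the failure of the reused physical-world firewall rules described earlier, can be shown concretely. The following is an added example written for this page, not code from the original Insight or from any vendor: a policy is written once against workload identity tags, compiled into the concrete source/destination/port rules a firewall or SDN controller would enforce, and then recompiled after a virtual machine migrates. The workload names, tag names, and IP addresses are constructed for illustration.

```python
"""Identity-aware segmentation policy compiled to concrete flow rules.

Added example, not code from the original Insight: it shows why a
policy stated in terms of workload identity keeps working when a VM
migrates and its old IP address is reused, while a static IP-based
rule set both breaks the legitimate flow and lets the new holder of
the address through. The inventory, tag names and addresses below
are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    tags: frozenset  # identity and context labels, e.g. {"role=web", "env=virtual"}


@dataclass(frozen=True)
class Rule:
    src_ip: str
    dst_ip: str
    port: int


# The policy is written once, against identity, and is the same for
# physical, virtual and cloud placements of the workloads.
POLICY = [
    # (source tag, destination tag, allowed TCP port)
    ("role=lb", "role=web", 443),
    ("role=web", "role=db", 5432),
]


def compile_policy(inventory, policy):
    """Expand identity-based policy into the src/dst/port rules a
    firewall or SDN controller would actually enforce."""
    rules = set()
    for src_tag, dst_tag, port in policy:
        for src in inventory:
            if src_tag not in src.tags:
                continue
            for dst in inventory:
                if dst is not src and dst_tag in dst.tags:
                    rules.add(Rule(src.ip, dst.ip, port))
    return rules


def allowed(rules, src_ip, dst_ip, port):
    """Data-plane decision: default deny unless a compiled rule matches."""
    return Rule(src_ip, dst_ip, port) in rules


def replace(inventory, name, new_workload):
    """Return the inventory with the named workload swapped out."""
    return [w for w in inventory if w.name != name] + [new_workload]


def scenario():
    """Migrate the web tier and compare stale vs. recompiled rule sets.

    Returns a dict of boolean decisions so the outcome can be checked."""
    inventory = [
        Workload("lb01", "10.0.0.10", frozenset({"role=lb", "env=physical"})),
        Workload("web01", "10.0.1.20", frozenset({"role=web", "env=virtual"})),
        Workload("db01", "10.0.2.30", frozenset({"role=db", "env=physical"})),
    ]
    stale = compile_policy(inventory, POLICY)

    # web01 is redeployed into a cloud zone with a new address, and an
    # unrelated CI agent later receives the address web01 used to have.
    moved = replace(inventory, "web01",
                    Workload("web01", "10.1.1.20", frozenset({"role=web", "env=cloud"})))
    moved.append(Workload("ci01", "10.0.1.20", frozenset({"role=ci", "env=virtual"})))
    fresh = compile_policy(moved, POLICY)

    return {
        # Stale IP rules: the moved web tier is cut off from its database ...
        "stale_web_to_db": allowed(stale, "10.1.1.20", "10.0.2.30", 5432),
        # ... while whatever now owns the old address inherits its access.
        "stale_ci_to_db": allowed(stale, "10.0.1.20", "10.0.2.30", 5432),
        # Recompiled from identity: access follows the workload, not the IP.
        "fresh_web_to_db": allowed(fresh, "10.1.1.20", "10.0.2.30", 5432),
        "fresh_ci_to_db": allowed(fresh, "10.0.1.20", "10.0.2.30", 5432),
    }


if __name__ == "__main__":
    for check, decision in scenario().items():
        print(f"{check}: {'ALLOW' if decision else 'DENY'}")
```

The point of the example is the recompilation step: the inventory is the source of truth, and the enforced rules are derived from it whenever a workload is created, moved, or retired. A rule set that is hand-maintained against addresses drifts from that inventory the first time a VM is rebuilt, producing both an outage (the legitimate flow is denied) and an exposure (the reused address is still trusted).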

Next-generation data centers require security technologies that are virtualization-aware, with enforcement at the network and virtual-switch level rather than only on individual servers, so that traffic between virtual machines on the same host is inspected too. These include: next-generation firewalls, next-generation intrusion prevention systems, next-generation unified threat management, virtual security appliances, identity and access management solutions, application layer security, and third-party solutions such as reporting and analytics, security information and event management (SIEM), and vulnerability management.

To defend corporate systems and data assets in today's data centers, organizations need a strategy that encompasses all the components of their IT environment, from the network to the perimeter, data, applications, servers, and endpoints. This is not possible with a single solution; it requires multiple technologies to be deployed. These technologies are most effective when applied as layers, so that if one defensive layer is breached, the other layers continue to provide protection. Although virtualization can bring substantial benefits to businesses, failing to implement robust protective tools puts the virtualized servers themselves at risk and makes it harder for firms to realize any of those advantages.