As NFV and SDN usher in a new era of software telcos, there are just so many pieces which have to be put into place to enable solutions from disparate vendors to interoperate smoothly. Moreover, carriers are always looking for one throat to choke, and NFV opens up the carrier network in so many new ways that determining who is responsible for an issue becomes more difficult.
Security has always been a major focus for operators. Indeed, back when their networks were proprietary and thought to be bulletproof, it turned out that a simple whistle distributed in a box of Captain Crunch cereal could give hackers access.
NFV allows network software to run on standard virtualized servers, and that software will increasingly come from smaller players. While this is not inherently a less secure way of building networks, it goes without saying that loosely connecting systems from various vendors on commodity servers will open up new areas of attack for hackers and fraudsters.
To that end, Alcatel-Lucent has been focusing on shoring up NFV security so that the networks of the future powering software telcos are as secure as possible. David Amzallag, Vice President, Virtual Telecommunications and CloudBand CTO, has an in-depth post on what his company has been doing in the space.
Interesting points from the piece include that the ETSI NFV security group started with just six members and now has well over a hundred when passive members are counted as well. This tells me the interest in security is great, as vendors and carriers realize they have to get it right up front to eliminate headaches later.
Here is more:
Our vision emphasizes the necessity of building the trust chain for NFV components in three major steps. The first step is securing the platform—reinforcing deliberately disconnected islands of compute, storage, and networking infrastructure as well as the management system. The second step is the deployment of virtual security appliances, such as firewalls that transform the islands into controlled network zones, and virtual DNS servers that help to mitigate denial-of-service attacks. In the third step, virtualized functions in support of applications are placed in the zones established previously. The security of that deployment is assured by a combination of native application security controls and virtual security appliances, and then it is further enhanced by NFV platform capabilities. Once deployed, the security services provided by the applications can, in turn, be used to improve platform security further. For instance, the IMS virtualized Home Subscriber Server (HSS) can be used to provide an extra authentication factor for access to platform software. With these three steps in place, a centralized management and orchestration system can ensure a consistent, horizontal implementation of security through systematic application of security policies that will be enforced through the policy management mechanism of an NFV orchestrator, as in the CloudBand Management System.
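To make the ordering of that trust chain concrete, here is an added toy policy check of the kind an orchestrator could run before placing a VNF; it is illustrative code written for this post, not Alcatel-Lucent or CloudBand code, and the `Zone`, `place_vnf` and `platform_auth_factors` names are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical model of one controlled network zone built by the three steps
# in the quote: (1) attested platform, (2) security appliances, (3) VNFs.
@dataclass
class Zone:
    name: str
    platform_attested: bool = False                 # step 1: platform secured
    appliances: set = field(default_factory=set)    # step 2: firewall, dns ...
    vnfs: list = field(default_factory=list)        # step 3: application VNFs

# Appliances the quote names as turning an island into a controlled zone.
REQUIRED_APPLIANCES = {"firewall", "dns"}


def place_vnf(zone: Zone, vnf: str):
    """Allow placing an application VNF only once steps 1 and 2 are complete.

    Returns (allowed, reason) so the caller can log the policy decision.
    """
    if not zone.platform_attested:
        return False, f"{zone.name}: platform not secured (step 1 incomplete)"
    missing = REQUIRED_APPLIANCES - zone.appliances
    if missing:
        return False, f"{zone.name}: missing appliances {sorted(missing)}"
    zone.vnfs.append(vnf)
    return True, f"{zone.name}: placed {vnf}"


def platform_auth_factors(zones):
    """The feedback loop from the quote: once a virtualized HSS is running in
    any zone, access to platform software gains it as an extra auth factor."""
    factors = ["platform-password"]
    if any("hss" in zone.vnfs for zone in zones):
        factors.append("hss-subscriber-auth")
    return factors


if __name__ == "__main__":
    core = Zone("core")                 # constructed sample zone
    print(place_vnf(core, "ims-cscf"))  # refused: step 1 not done
    core.platform_attested = True
    core.appliances |= {"firewall", "dns"}
    print(place_vnf(core, "ims-cscf"))  # allowed
    print(place_vnf(core, "hss"))
    print(platform_auth_factors([core]))
```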
Another important point is that a well-orchestrated network of virtualized routers can actually be more resilient in the face of DDoS attacks than legacy systems. The idea is highly intuitive; in fact, DDoS mitigation looks like an NFV killer app, as the added flexibility and instant scalability make software telco networks much harder to take down.
Another point Amzallag makes is that OpenStack needs to have its security beefed up, something the company is working on. For more details, I refer you to the article, which also references a corresponding white paper (registration may be required) with more information, specifically addressing these security issues which accompany virtualization:
- Reliance on additional software (that is, hypervisors and modules for management and orchestration) and hence a longer chain of trust
- Reduced isolation of network functions
- Fate-sharing due to resource pooling and multi-tenancy
- Effective key escrow for hosted network functions
To learn even more, be at Software Telco Congress, August 12-14 in Las Vegas.