NFV: Security Issue or Security Opportunity?

PALO ALTO, Calif. -- Carrier Network Virtualization -- Service providers are jacked up about the benefits of NFV, which include flexibility, agility and reduced costs, but there are also new security risks to consider.

Bryan Larish, a director of technology at Verizon, discussed the risks and rewards of security in NFV infrastructure (NFVi) at the Carrier Network Virtualization conference on Wednesday in Palo Alto, Calif.

Larish asked at the beginning of his presentation if security was an issue or opportunity in NFVi.

"I think it's both," he said at the end. "There are security issues. There are new things you need to be aware of and if you're not paying attention to them you're gong to have major security problems.

"From our perspective, we actually see NFV as an opportunity to improve security and to do things we couldn't do in our legacy network. The new capabilities that you can implement, which just weren't available before, present a huge opportunity."

Larish said that in his opinion, security issues were the result of complex systems that "we don't understand, therefore they're hard to secure." To get a handle on security in NFVi, Verizon Communications Inc. (NYSE: VZ) came up with three pillars to help remove and understand security complexities.

"The first pillar is the hardening the NFV infrastructure," he said. "The second one is, now that I have this fancy new NFV infrastructure how can I use it to implement new capabilities that just weren't feasible or practical with my legacy infrastructure? The third piece is with all of my VNFs coming and implementing new functionality, how do I make sure those are secure?"

The first pillar of hardening the infrastructure is a relatively easy fix for security. The good news, according to Larish, is that most of the infrastructure and components are primarily Linux-based IT systems with well-known mechanisms to harden them.

"I'm assuming everyone is pretty much using OpenStack as your VIM, and there are well known ways to harden Linux operating systems," he said. In a similar vein, most commodity x86 servers have a trusted platform modules in them.

"So to me that's the good news. There are well known ways to harden significant portions of your NFV infrastructure," Larish said. "Now the important piece here is you have to actually do it. You can't just deploy this stuff and assume it's going to be there by default. You have to go through and implement the different pieces of guidance to harden your infrastructure."

But Larish said "it's not all rainbows and roses" because NFV does introduce new aspects that require specific consideration when it comes to hardening guidance, including:

• More interfaces that previously were not accessible via the network
• More modular solutions require explicit resource coordination
• Consolidated functionality (such as OpenStack) make certain elements a bigger attack target
• Mobility of network functions requires tracking mechanisms for effective monitoring
• The dynamic nature of the environments, such as virtual machines located on different servers across a network, require careful change management

For the second pillar, the SDN/NFV infrastructure provides a way to have more control over how network elements behave or work. One example was reducing unknown configurations and flows in a network.

"From a security perspective, that's great because that makes it harder to snoop traffic on my network and probably makes it harder to do things like cache poisoning attacks," Larish said.

Service providers could also take a page out of Netflix's playbook by deploying "chaos monkeys" in their NFVi. Netflix's chaos monkey are programs that were purpose built to "kill" certain pieces of equipment on Netflix's networks so its developers learn how to write programs that will work in those disabled environments.

By using chaos monkeys in NFVi, carriers could knock out VNFs. virtual switches and links so that developers and vendors learn to design services that power through failures.

Other examples cited by Larish included fine-grained, on-demand deployment of different security VNFs instead of funneling all of the traffic through a bottleneck so it can be examined by a large firewall.

"In a VNF environment, maybe I can take a more targeted approach." Larish said. "Now I have a scalpel instead of an axe. Instead of chopping away at things, I can be more targeted and hopefully much more effective from a capabilities perspective."

For the last pillar, making sure VNFs are secure, Larish said while Verizon hasn't explored the possibilities in depth to date, one example would be security testing in a virtual environment, which would speed up the process considerably.

"The security process is painful," he said. "With the NFV infrastructure, all of the testing can be automated with the push of a button. Now if you're the engineering team, or operations team, you're no longer waiting for the security team to do their testing so you can continue your project.

"Overall, I think we're really positive on the issue of NFV security and I'm looking forward to working with our partners to take advantage of all of the things that are available."

— Mike Robuck, Editor, Telco Transformation