Partnerships Lead to Secure SDN and NFV
Challenges of SDN and NFV
Despite offering technologies that support fast reconfiguration and service requirement changes for cloud data centers, Software-Defined Networking (SDN) and Network Functions Virtualization (NFV) possess a number of characteristics that expose network security to serious challenges. These concerns include complex service orchestration and resource scheduling as well as data forwarding between Virtual Machines (VMs) without involving dynamic changes to the network hardware equipment. This has rendered traditional architectures ineffective for meeting security requirements.
Against this backdrop are a number of proposed security solutions targeted to specific layers from traditional and emerging vendors, and Hypervisor or Virtual Machine Monitor (VMM) developers.
Take the virtualization security solution as an example, which involves six layers. At Layer 1, a physical firewall serves the traditional role. Containers at Layer 2 isolate the applications from the host using IP packet filtering. At Layer 3, the in-kernel firewall performs state detection on traffic in and out of the virtual Network Interface Card (vNIC). Layer 4 houses common virtual firewalls that implement security between Virtual Local Area Networks (VLANs). Layer 5 consists of firewalls that implement similar functions to traditional firewalls between VMs. At Layer 6, VM-oriented firewalls provide security defense for endpoints and services.
Traditional versus Virtualized
Traditional- and virtualization-based security solutions differ vastly, with traditional systems focusing more on host and network security (Layers 1 and 6), which are encapsulated by the entire virtualization set.
Traditional security vendors enjoy a competitive edge in the use of Layer 1 physical firewalls and provide the opportunity to establish VM-based filters at Layers 4 and 5 because physical firewalls and Intrusion Protection Systems (IPSs) can also be applied at these two layers.
In virtualized systems, the physical firewalls do not process east- and west-bound traffic between VMs. Traditional Layer 1 firewalls are irrelevant here because they cannot determine whether traffic between VMs is risky. Traditional vendors have repeatedly launched virtual firewalls for Layers 4 and 5; however, the virtual firewalls offered by traditional security vendors do not work independently at these two layers, as the diversion and scheduling of virtualized traffic at these layers remains in the domain of the Hypervisor and vSwitch vendors.
The results produced by SDN and NFV as they have evolved are often similar to the results seen using virtualization-based security solutions. Examples include cloud-based resource pools that meet the requirements of tenants running very different services; IPS and load-balancing services that adapt to user requirements; and SDN controllers that coordinate with security management stacks to produce optimal results.
Who Owns This?
Both traditional vendors and Hypervisor vendors are currently seeking the most effective SDN and NFV security solutions available, so determining the roles of each at this stage is difficult.
The lack of standards or any clear evolution for SDN-enabled or NFV cloud automation adapted for security solutions results in a variety of complicated offerings. To a large extent, the situation reflects changes in business partnerships between players in the security industry chain.
Competition and Cooperation
Partnerships in the area of virtualization-based security are undergoing two types of changes. First, the division of labor in the industry chain has created the opportunity for more participants as some vendors focus on hardware firewalls and others on virtual firewalls or security at the container layer.
The second type of change involves players in the industry chain who are racing to make inroads into one another’s markets. For example, while traditional security vendors are entering the cloud data center market through virtual firewalls, Hypervisor vendors are expanding their reach via security solutions at the kernel and vSwitch layers.
To address the division of labor, security vendors and systems integrators are providing security solutions integrated with SDN and NFV that include chips, hardware platforms, hardware and software firewalls, and data security applications. Meanwhile, suppliers of every type are vying for a bigger slice of the market for virtual security platforms.
Because security assurance requires systematic engineering — more frequently than ever before — competing SDN and NFV security vendors are collaborating with one another as absolute security will never be achieved by single systems alone.
Security vendors have a deep understanding of network protocols for fast processing and superb analysis that Hypervisor vendors do not possess. Likewise, antivirus vendors are specialists in malicious file identification, and anti-leakage vendors have powerful algorithms for monitoring inbound and outbound data.
Hypervisor vendor capabilities now include CPU, memory, and Input/Output (I/O) isolation as well as the prioritization of cloud Operating System (OS) instructions and refined control of VM access to virtualized memory.
Building Security Together
The SDN and NFV security industry must build open, flexible, and elastic networks to establish healthy competition and beneficial partnerships. ‘Open’ means that security Hypervisor vendors, hardware manufacturers, chip vendors, and users must explore and collaborate on the multitude of requirements to connect SDN and NFV to the security and ICT infrastructures:
- Complete and reliable security solutions
- Consensus throughout the industry chain
- Ratified and de facto standards for software and hardware interfaces
To accomplish this level of cooperation, investors need to increase their financial commitments in the area of SDN and NFV alliances to support market-ready solutions for SDN controllers that are organized to manage customized scheduling and policy orchestration for the cloud OS.
Vendors must also build unified and integrated testing platforms to improve the readiness of SDN security solutions that support fast service innovation and flexible deployments.
The Cloud Security Alliance (CSA) is a non-profit organization with 86 local chapters worldwide. Members include the following large organizations:
- IT service providers Google and Microsoft
- Telecommunications operators AT&T and Orange
- Security vendors CA Technologies, McAfee, and Symantec
- Equipment vendors Huawei, Cisco, and Citrix
Among CSA’s most important tasks is facilitating a collective discussion for the purpose of defining standards and regulations related to cloud, SDN, and NFV security. The goal is the creation of favorable conditions for the development of SDN and NFV security in the areas of architecture, management, compliance, application, and data schemas.
The benefit of encouraging competitors in the ICT and security industry chains to work together is the opportunity for each partner to draw on the strengths of others to improve the overall technical competence and efficiency of this critical sector. Through these relationships, vendors can provide users with high-quality solutions and join forces to build future-oriented and secure SDN and NFV services.