Dilip Pillaipakkamnatt, Vice President, Service Provider Business, Infoblox, discusses the need for an intelligent security approach when it comes to virtualised environments.
By now it’s been well established that Network Functions Virtualisation (NFV) provides important benefits to service providers. Not only does it provide cost savings by reducing operational costs and truck rolls to deploy new hardware, but it also improves the speed with which new network services can be introduced. Along with that flexibility, however, there are important considerations companies should keep in mind, particularly when moving a Domain Name System (DNS) infrastructure to an NFV implementation.
Security is one area in which moving DNS architecture to NFV raises unique security considerations. With software managing more of the networking functionality than ever before, a rethink of traditional protection should accompany the change. Many operators are still running open source or commodity software to protect the virtualised environment, but that entails risks they may be unaware of. Here are a few concerns that highlight the need for an intelligent approach to security in NFV:
– Traditional firewalls and intrusion detection systems aren’t designed for securing DNS , especially in the NFV environment. The same flexibility that allows software to provide a higher degree of flexibility and configuration than a traditional architecture also means that there are more ways to potentially misconfigure network functions. This opens new avenues for attack, even as other aspects of NFV improve protection, such as centralisation visibility and VM-level security. Even where security isn’t compromised, configuration issues can cause a cascading effect that impairs the network’s overall functionality, giving the appearance of a security issue where in fact none exists.
– Attacks such as DNS-based distributed denial of service (DDoS) can quickly overwhelm network resources by generating too many resolution requests for the DNS system to handle, effectively shutting down the network by preventing legitimate requests from being resolved. Other attacks replace valid IP addresses with those directing the requestor to malicious websites or use tunneling to attack individual virtual machines, encrypting and stealing information through channels not normally analysed by traditional security software.
– Virtual machines provide network operations with centralised control over resources and enable the rapid deployment of on-demand resources. But just as with physical hardware, VMs are susceptible to malware infection. Once a machine is infected and isn’t rapidly quarantined, the infection can spread to other machines throughout the network and disrupt functionality from within. Monitoring the virtualised environment requires a different set of tools from traditional network security.
With DNS-related security issues requiring additional attention as carriers adopt NFV, they should ensure that their security environment meets these requirements.
Security for NFV should be built into the DNS architecture instead of bolted on. A higher degree of integration through the use of a DNS-specific protection helps minimise gaps in coverage that may be left by add-on solutions and can easily be exploited by attackers.
To minimise the impact of an attack as it happens and address it as quickly as possible, the virtualised network needs to be able to rapidly scale resources by spinning up new machines without the need for operator involvement. Automatically adding capacity while the attack is managed prevents service interruption. In return, this reduces lost revenue and productivity.
With dangers such as zero day vulnerabilities, NFV-based security should have the capacity to detect previously unknown threats by continuously analysing network behaviour, while also defending against established threats such as off-the-shelf attack toolkits designed for a specific kind of attack.
