What is NFV? And what does it mean to security?

We’ve been starting to write more about the software-defined data center here at Business Insights because it’s become clear this is where enterprise networks are quickly moving. While software-defined networking gets all of the headlines — Network Functions Virtualization (NFV) is a big part of the software-defined data center.

This is because NFV is about unleashing services that run on networks — think intrusion detection/prevention, access control, anti-malware, encryption and so on — from dedicated hardware. This promises to make networks much more agile and cost effective.

But what are the security risks, if any, associated with NFV? There are always tradeoffs, especially when it comes to information security. While it’s been out for a few weeks now, I finally got to reading Network Function Virtualization [.pdf] by the Cloud Security Alliance, a cloud security trade group. The rather utilitarian titled paper aims to highlight NFV associated security risks. The paper found six primary challenges when it comes to deploying NFV: hypervisor dependences, elastic network boundaries, dynamic workloads, service insertion, stateful versus stateless inspection, and available resources scalability.

As explained thoroughly in CSA’s paper, NFV unleashes network functions from the hardware layer through virtualization. These functions aren’t just security functions, to be clear, but all types of network capabilities such as network routing, content delivery networks, load balancing, as well as the security functionality mentioned above. “Multiple network functions can be consolidated into the same hardware or server. NFV allows network operators and users to provision and execute on-demand network functions on commodity hardware or CSP platforms,” the CSA said.

It’s also important to point out that NFV and SDN are not dependent on each other — both can be implemented independently. According to the CSA, however, SDN can improve performance and enable a rich feature set known as VNF Service Chaining. “This capability simplifies and accelerates deployment of NFV-based network functions,” the paper states.

Still, and not surprisingly, NFV is often associated with Software Defined Networking (SDN). And “together, SDN and NFV create additional complexity and challenges for security controls. It is not uncommon to couple an SDN model with some method of centralized control to deploy network services in the virtual layer. This approach leverages both SDN and NFV as part of the current trend toward data center consolidation,” the paper continues.

For anyone interested in NFV security, the CSA paper is a worthwhile read. There isn’t a lot of detail in the paper about how to secure different NFV and SDN architectures, however it does set up the foundation for future papers that do just that. The paper provides a solid overview on NFV and SDN concepts, highlights related security concerns, and details NFV management in what it calls a “NFV Security Framework.” The paper also defines many SDN concepts, since SDN is critical to virtualization and the software-defined data center.

Papers like this one from the CSA are a welcomed start at building the concepts enterprises will need to understand to properly secure their software-defined data centers now and in the years ahead, as well as take advantage of the many benefits associated with NFV, SDN, and the Software Defined Data Center.