The SDN security conundrum: threat or opportunity?
With SDN and NFV becoming the architectural building blocks of the next generation of telecoms networks, it stands to reason that the issue of security must be addressed from the outset, even as these standards are still being developed. After all, in this future world of software controlled networks with virtualised functions and programmable configurations – all of which is being developed at a blisteringly fast pace – hackers must be jumping up and down in delight at the prospect of profitable new challenges.
And so there is a growing body of voices warning of the dangers of SDN and the need for concerted efforts to head off any threats before they happen. All well and good, you would think. But there’s an equally large body of opinion that says SDN poses no greater security risks than today’s networks, and that everything is in hand and we should view security as more of an opportunity than a threat. So who to believe?
Last week’s SDN & OpenFlow World Congress in Dusseldorf was yet another excellent event that attracted a Who’s Who of SDN specialists and showcased back-to-back technical presentations of this critically important technology. Yet there were many attendees who were walking around in a dazed state, worried that they now knew less about SDN than before they left for Germany – such is the fast rate of development of the standard. TelecomTV was there to film a series of interviews, panel discussions and demos on SDN, and as we publish this year's videos you can watch them here.
One of our panels was on the subject of security, and featured experts from Cisco, HP ConteXtream and Radware. We asked how secure is SDN compared to legacy networks, and is there any truth that the centralised control plane creates a single attack path for hackers? Or rather, does security provide an opportunity for vendors and providers, as the architecture can decouple security from the physical network? If you are confused over the SDN security question (as was I), then the discussion is well worth a look.
ETSI to address security in NFV Stage 3
Meanwhile, leading standards group ETSI says security in the NFV/SDN environment is “one of the major challenges the industry needs to address for 2016 but it should also be seen as an enormous opportunity”. So both a threat (although ETSI is sufficiently well versed politically not to use the word, but rather “challenge”) and an opportunity.
ETSI is perhaps more concerned with NFV than SDN at this stage, given that it is the major backer and driving force behind the development of NFV through its industry standards group (ISG), which has just celebrated its third anniversary – and already has an NFV ISG Security Working Group in place.
“We recognized early on that security needed to be proactively addressed in an NFV world and one of our first priorities was to convene an expert group on security to identify the challenges and to recommend actions,” said Don Clarke, Chair of the Network Operator Council of the ETSI NFV ISG. “The Security Working Group is the world’s leading discussion forum on this vital topic and includes security experts from government agencies as well as vendors and operators.”
The combination of analytics with network agility enabled by NFV and SDN is the key to improving the resilience of networks to security threats, according to ETSI. But we shouldn’t force the issue and over-specify for all possible scenarios and risk factors.
“We are now at a critical stage; the industry is stretched and standards development organisations (SDOs), including the NFV ISG, must focus their efforts on what is really needed to be done to foster innovation in an open ecosystem,” said Clarke. “We should not go too far in trying to anticipate what specifications might be needed in the future. SDOs should also identify how to work collaboratively with open source communities.”
TelecomTV has heeded his message, and is pleased to announce that we will be attending the OPNFV Summit in San Francisco next month, working alongside the OPNFV to create a series of interviews and panel discussions. If you would like to take part, then please do get in contact with me.
But it is not just the SDOs that need to work together – the SDN and the NFV communities are developing a mutual understanding that the integration of those two concepts is increasingly important.
“Each community has its own challenges but many of the required solutions will come out of a joint approach to addressing those problems and we are seeing an acknowledgement of this as we move forward,” said Diego Lopez, Chairman of ETSI ISG NFV Technical Steering Committee.
ETSI’s NFV ISG still has 35 work items under development before it can sign off Release 2015 of the standard, which is expected to be published by Q1 2016. For the next release (2016 and onwards), members will be tackling NFV stage 3 standardisation and strengthening relationships with other SDOs and open source communities working in NFV and SDN.