Unlimited possibilities, unlimited mayhem?

07 March 2017 | James Pearce

As carriers wait for cost efficiencies from SDN and NFV to appear, security professionals and vendors continue to debate the right approach to cloud-based security, writes Peter Kirwan.

During any industry-wide technology upgrade, it makes sense to look at the extremes of opinion. These tell us something about the velocity of change, and the extent to which any remaining obstacles might act to slow down transformation.

The virtualisation of carrier networks is transforming the way in which the industry thinks about security. But so, too, are developments on the debit side of the ledger, including the advent of sophisticated application-level attacks, the rise of massive Mirai-style botnets, and the increasing prevalence of encryption, which is progressively making the internet a darker place.

Michael O’Malley, vice-president of strategy and business development at the security vendor Radware, sees carriers "reacting very well, by and large" to this combination of challenges. The most obvious symptom, he suggests, is a shared impulse among carriers to upgrade their security defences.

The industry-wide upgrade cycle is likewise affecting wholesale carriers, O’Malley notes: "They are largely acting in the same way because it is seeing benefits in offering clean and secure pipes to other carriers. They need to protect themselves and offer clean traffic in the hand offs."

Software-define networks (SDN) and network functions virtualisation (NFV) are "probably the most exciting things going on in the security space today", says O’Malley.

"Virtualisation eliminates the biggest trade-off when deploying security," he says. "Previously when I had custom-based hardware, which was expensive, the question always was: where in the network have I aggregated enough traffic to make it cost effective to start to install my security? 

"With virtual instances that can run on white-box hardware, I can put security instances in the cloud and I can drop them all over the network like popcorn. Now I can now detect threats anywhere."

On the sunnier side of the virtualisation-security debate, SDN and NFV look like success stories: technologies that deliver a winning combination of enhanced security and reduced cost.

At Interoute, which delivers most of its services across virtualised networks, Mark Lewis, executive vice-president for communications and connectivity, sees the costs associated with hardware-based security receding, for both carriers and for our customers.

"There’s very little point if enterprise customers just copy what they have in a physical world into the cloud world," he says. "We advise customers to consider how they can use the new paradigms of virtualisation and NFV to simplify a world that in other ways has become more complicated. This has a whole ripple effect for service providers, including the likes of us."

However, Bernd Gunze, solutions architect at F5 Networks, cautions against swallowing whole the argument that security can become much simpler, even as networks become more agile and complex.

Orchestrating safety

"I would agree with those service providers who say it becomes simpler, in the sense that after I have protected my physical infrastructure, orchestration tools make it easy to spin up a firewall," he says. 

"But you now have a physical layer on which you run your SDN components, which is then abstracted. So you need two layers of protection in the network. It looks like you are simplifying the world. But I think it’s the contrary from the security perspective. You have more planes to look at."

Eric Loos, senior product manager at BICS, echoes Gunze’s argument. With virtualisation, he says, "the data flows and everything that has to be secured still follows historical flows, I would say. And in that sense, the angles of the threats and what I call the generic attack surface haven’t really changed."

However, in at least one sense, the overall attack surface – the the total sum of the vulnerabilities that are accessible to a hacker – may well be larger under NFV. 

"The platforms used for virtualisation are a very, very dense point of attack," says Loos. "The moment you get into the infrastructure hosting the NFV, the amount of mayhem you can cause is almost unlimited. That’s because the traditional methods that would be used by operators – like auditing, authorisation accounting – all of these things cease to make sense. Because the moment you can manipulate the memory of these virtual images, you can do anything."

However, the potential expansion of the attack surface under NFV is both "well-understood" and relatively rarified. "Garden variety hackers will not be able to do such a thing," says Loos. "I think we’re talking about protecting virtualisation infrastructure against very advanced cyber-attacks, which typically receive some form of government funding."

Loos sees SDN as a source of additional challenges. "The traditional way of protecting the perimeter involves making sure to look for particular traffic flows as a way of attempting to detect compromised systems: a lot of that could be bypassed by SDN," he says. 

Concern over DDos attacks

"If you have several applications that have access somehow through the forwarding layer, there has to be only one that’s compromised. They can encapsulate packets in another way, make them bypass certain elements in the network that have been discovered. They can make header modifications. There are so many things they can do. This is not something that a typical organisation is ready to address."

Like most of the industry figures interviewed by Capacity, Loos voiced concern about the recent spate of DDoS attacks coordinated by Mirai malware, and mediated by hundreds of thousands of low-end devices around the world, including webcams and video recorders. 

Targets of these attacks have included Dyn, Deutsche Telekom, and two UK companies, TalkTalk and the Post Office, which offers a broadband service. 

It’s the sheer size of the threat that’s most worrying. The attack on Dyn in October 2016 appeared to top out at over 1Tbps, and the attack on Deutsche Telekom the following month took 900,000 broadband subscribers offline. 

At F5 Networks, Gunze says recent conversations with service providers suggest that the threat of an IoT/Mirai attack is presently "being taken extremely seriously indeed".

Loos foresees the architecture of SDN as a source of help. "The only way this will be stopped for good is if devices are forced to authenticate against an SDN network, so that the network only accepts legitimate flows out of the device," he says. 

"In the past, this would have been completely unviable for an operator. I think that SDN offers the opportunity to put every new flow under scrutiny. This could be a value-added service. Perhaps the carriers are the ones who are in the best position to bring this level of security into the market."

This raises the question of where the deepest sources of expertise will reside: with vendors, or with carriers, within software, or inside the human brain? 

At Radware, O’Malley foresees the policy-based automation of security contributing replacing much of the manual intervention that occurs inside security operations centres (SOCs).

"It’s a huge cost saver for the carriers, so it helps them with their opex problem," he says. "But it also eliminates mistakes. Because as much as we love our efficient SOC engineers, the more things we can automate, the more we can avoid manual errors."

Words of warning 

Here, however, Loos issues a word of caution: at some point, carriers will need to strike a balance between investments in external and internal expertise.

"Carriers have been used to locking down the perimeter," he says. "But they knew that there were some potential things they didn’t understand about the behaviour of the boxes. Now they are in a world where in order to stop this risk of traffic flow manipulation they will have to secure all of these end points."

He foresees a need for carriers to bring a lot more knowledge back into the company: "Unless carriers get that skill set in-house to securely integrate all of these components, they will not feel comfortable virtualising everything and running it on the same compute stack." 

"They will feel the need to separate out major functions. Why? Because their teams cannot give them the confidence that there is no overflow possible between all of these entities."

In the annals of technology adoption, this feels like a familiar trope. The industry-wide argument about SDN and NFV is largely over, and deployment has started. What’s less clear is whether the industry has reached a final consensus on how to organise its security efforts to protect the virtualised networks now under construction. 

Topics: Capacity Magazine, Capacity Media, Security, cloud-based security, wholesale telecoms, virtualised networks