07 March 2017
| James Pearce
As carriers wait for cost efficiencies from SDN and NFV to appear, security professionals and vendors continue to debate the right approach to cloud-based security, writes Peter Kirwan.
During any industry-wide technology upgrade, it makes sense
to look at the extremes of opinion. These tell us something
about the velocity of change, and the extent to which any
remaining obstacles might act to slow down transformation.
The virtualisation of carrier networks is transforming the
way in which the industry thinks about security. But so, too,
are developments on the debit side of the ledger, including the
advent of sophisticated application-level attacks, the rise of
massive Mirai-style botnets, and the increasing prevalence of
encryption, which is progressively making the internet a darker
Michael O’Malley, vice-president of strategy
and business development at the security vendor Radware, sees
carriers "reacting very well, by and large" to this combination
of challenges. The most obvious symptom, he suggests, is a
shared impulse among carriers to upgrade their security
The industry-wide upgrade cycle is likewise affecting
wholesale carriers, O’Malley notes: "They are
largely acting in the same way because they are seeing benefits in
offering clean and secure pipes to other carriers. They need to
protect themselves and offer clean traffic in the hand
Software-defined networks (SDN) and network functions
virtualisation (NFV) are "probably the most exciting things
going on in the security space today", says
"Virtualisation eliminates the biggest trade-off when
deploying security," he says. "Previously when I had
custom-based hardware, which was expensive, the question always
was: where in the network have I aggregated enough traffic to
make it cost effective to start to install my
"With virtual instances that can run on white-box hardware,
I can put security instances in the cloud and I can drop them
all over the network like popcorn. Now I can detect threats
On the sunnier side of the virtualisation-security debate,
SDN and NFV look like success stories: technologies that
deliver a winning combination of enhanced security and reduced
At Interoute, which delivers most of its services across
virtualised networks, Mark Lewis, executive vice-president for
communications and connectivity, sees the costs associated with
hardware-based security receding, for both carriers and for our
"There’s very little point if enterprise
customers just copy what they have in a physical world into the
cloud world," he says. "We advise customers to consider how
they can use the new paradigms of virtualisation and NFV to
simplify a world that in other ways has become more
complicated. This has a whole ripple effect for service
providers, including the likes of us."
However, Bernd Gunze, solutions architect at F5 Networks,
cautions against swallowing whole the argument that security
can become much simpler, even as networks become more agile and
"I would agree with those service providers who say it
becomes simpler, in the sense that after I have protected my
physical infrastructure, orchestration tools make it easy to
spin up a firewall," he says.
"But you now have a physical layer on which you run your SDN
components, which is then abstracted. So you need two layers of
protection in the network. It looks like you are simplifying
the world. But I think it’s the contrary from the
security perspective. You have more planes to look at."
Eric Loos, senior product manager at BICS, echoes
Gunze’s argument. With virtualisation, he says,
"the data flows and everything that has to be secured still
follows historical flows, I would say. And in that sense, the
angles of the threats and what I call the generic attack
surface haven’t really changed."
However, in at least one sense, the overall attack surface
– the total sum of the vulnerabilities that are
accessible to a hacker – may well be larger under
"The platforms used for virtualisation are a very, very
dense point of attack," says Loos. "The moment you get into the
infrastructure hosting the NFV, the amount of mayhem you can
cause is almost unlimited. That’s because the
traditional methods that would be used by operators –
like auditing, authorisation, accounting – all of these
things cease to make sense. Because the moment you can
manipulate the memory of these virtual images, you can do
However, the potential expansion of the attack surface under
NFV is both "well-understood" and relatively rarefied. "Garden
variety hackers will not be able to do such a thing," says
Loos. "I think we’re talking about protecting
virtualisation infrastructure against very advanced
cyber-attacks, which typically receive some form of government
Loos sees SDN as a source of additional challenges. "The
traditional way of protecting the perimeter involves making
sure to look for particular traffic flows as a way of
attempting to detect compromised systems: a lot of that could
be bypassed by SDN," he says.
Concern over DDoS attacks
"If you have several applications that have access somehow
through the forwarding layer, there has to be only one
that’s compromised. They can encapsulate packets
in another way, make them bypass certain elements in the
network that have been discovered. They can make header
modifications. There are so many things they can do. This is
not something that a typical organisation is ready to
Like most of the industry figures interviewed by Capacity,
Loos voiced concern about the recent spate of DDoS attacks
coordinated by Mirai malware, and mediated by hundreds of
thousands of low-end devices around the world, including
webcams and video recorders.
Targets of these attacks have included Dyn, Deutsche
Telekom, and two UK companies, TalkTalk and the Post Office,
which offers a broadband service.
It’s the sheer size of the threat
that’s most worrying. The attack on Dyn in October
2016 appeared to top out at over 1Tbps, and the attack on
Deutsche Telekom the following month took 900,000 broadband
At F5 Networks, Gunze says recent conversations with service
providers suggest that the threat of an IoT/Mirai attack is
presently "being taken extremely seriously indeed".
Loos foresees the architecture of SDN as a source of help.
"The only way this will be stopped for good is if devices are
forced to authenticate against an SDN network, so that the
network only accepts legitimate flows out of the device," he
"In the past, this would have been completely unviable for
an operator. I think that SDN offers the opportunity to put
every new flow under scrutiny. This could be a value-added
service. Perhaps the carriers are the ones who are in the best
position to bring this level of security into the market."
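The idea Loos describes, an SDN controller that admits a new flow only from a device that has authenticated and only when the flow matches what that class of device is supposed to do, can be sketched as a small policy model. The block below is an added example written for this page, not code from BICS, Capacity or any vendor quoted here. The device names, the "webcam talks to its cloud service on 443 plus DNS" policy, and the flow records are all constructed; the rate threshold is an arbitrary assumption. It also shows the Mirai-style failure mode from the section above: an authenticated camera that starts firing outbound telnet (TCP/23) connection attempts, the scanning behaviour Mirai-infected devices exhibit, is dropped on policy and then quarantined once its new-flow rate exceeds the per-device limit, so the controller stops consulting policy for it at all.

```python
"""Toy model of an SDN controller that only admits flows from authenticated
devices, enforces a per-device flow policy, and quarantines devices whose
new-flow rate looks like bot scanning.  Constructed example for illustration;
not the article's or any vendor's code.  All names and thresholds are assumed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class DeviceProfile:
    authenticated: bool              # did the device authenticate to the network?
    allowed: set                     # {(proto, dport)} flows this device class may open
    max_new_flows_per_window: int = 20   # assumed threshold; tune per device class


@dataclass(frozen=True)
class FlowRequest:
    t: float      # seconds since start of trace
    src: str      # device identity (e.g. certificate subject or MAC)
    dst: str
    proto: str
    dport: int


class Controller:
    WINDOW = 10.0   # sliding window (seconds) for the new-flow rate check

    def __init__(self, registry):
        self.registry = registry             # src -> DeviceProfile
        self.quarantined = set()
        self.recent = defaultdict(list)      # src -> timestamps of flow attempts
        self.log = []                        # (src, dst, proto, dport, action, reason)

    def decide(self, req):
        """Return 'ALLOW' or 'DROP' for a new flow request and record why."""
        if req.src in self.quarantined:
            return self._verdict(req, "DROP", "quarantined")
        prof = self.registry.get(req.src)
        if prof is None or not prof.authenticated:
            return self._verdict(req, "DROP", "unauthenticated device")
        # Count every attempt, including ones policy will reject: a burst of
        # rejected attempts is exactly the scanning signal we want to catch.
        window = [ts for ts in self.recent[req.src] if req.t - ts < self.WINDOW]
        window.append(req.t)
        self.recent[req.src] = window
        if len(window) > prof.max_new_flows_per_window:
            self.quarantined.add(req.src)
            return self._verdict(req, "DROP", "new-flow rate exceeded; quarantined")
        if (req.proto, req.dport) not in prof.allowed:
            return self._verdict(req, "DROP", "outside device policy")
        return self._verdict(req, "ALLOW", "policy match")

    def _verdict(self, req, action, reason):
        self.log.append((req.src, req.dst, req.proto, req.dport, action, reason))
        return action


def run_scenario():
    """Run a constructed trace through the controller; returns (summary, quarantined)."""
    camera_policy = {("tcp", 443), ("udp", 53)}      # assumed profile for IP cameras
    registry = {
        "cam-A": DeviceProfile(authenticated=True, allowed=camera_policy),
        "cam-C": DeviceProfile(authenticated=True, allowed=camera_policy),
        # "dvr-B" never authenticated, so it is absent from the registry
    }
    flows = []
    # cam-A: healthy camera, 5 uploads to its cloud service and 2 DNS lookups
    flows += [FlowRequest(float(i), "cam-A", "cloud.example", "tcp", 443) for i in range(5)]
    flows += [FlowRequest(5.0 + i, "cam-A", "resolver.example", "udp", 53) for i in range(2)]
    # dvr-B: unregistered DVR trying to reach the same cloud service
    flows += [FlowRequest(float(i), "dvr-B", "cloud.example", "tcp", 443) for i in range(3)]
    # cam-C: two legitimate flows, then a Mirai-style outbound telnet scan burst
    flows += [FlowRequest(float(i), "cam-C", "cloud.example", "tcp", 443) for i in range(2)]
    flows += [FlowRequest(2.0 + 0.1 * i, "cam-C", f"10.0.0.{i + 1}", "tcp", 23)
              for i in range(30)]

    ctrl = Controller(registry)
    summary = defaultdict(lambda: {"ALLOW": 0, "DROP": 0})
    for req in sorted(flows, key=lambda r: r.t):
        summary[req.src][ctrl.decide(req)] += 1
    return dict(summary), set(ctrl.quarantined)


if __name__ == "__main__":
    summary, quarantined = run_scenario()
    for dev, counts in sorted(summary.items()):
        print(f"{dev}: {counts}")
    print("quarantined:", sorted(quarantined))
```

Two design points worth noting. The rate counter is updated before the policy check, so a device that is only ever rejected still accumulates evidence and gets quarantined rather than generating an endless stream of individually harmless policy drops. And quarantine is checked first, so once a device is isolated the controller spends no further policy evaluation on it; in a real deployment that is where a notification to the subscriber, or a redirect to a captive remediation page, would hang.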
This raises the question of where the deepest sources of
expertise will reside: with vendors, or with carriers, within
software, or inside the human brain?
At Radware, O’Malley foresees the policy-based
automation of security replacing much of the
manual intervention that occurs inside security operations
"It’s a huge cost saver for the carriers, so it
helps them with their opex problem," he says. "But it also
eliminates mistakes. Because as much as we love our efficient
SOC engineers, the more things we can automate, the more we can
avoid manual errors."
Words of warning
Here, however, Loos issues a word of caution: at some point,
carriers will need to strike a balance between investments in
external and internal expertise.
"Carriers have been used to locking down the perimeter," he
says. "But they knew that there were some potential things they
didn’t understand about the behaviour of the
boxes. Now they are in a world where in order to stop this risk
of traffic flow manipulation they will have to secure all of
these end points."
He foresees a need for carriers to bring a lot more
knowledge back into the company: "Unless carriers get that
skill set in-house to securely integrate all of these
components, they will not feel comfortable virtualising
everything and running it on the same compute stack."
"They will feel the need to separate out major functions.
Why? Because their teams cannot give them the confidence that
there is no overflow possible between all of these
In the annals of technology adoption, this feels like a
familiar trope. The industry-wide argument about SDN and NFV is
largely over, and deployment has started. What’s
less clear is whether the industry has reached a final
consensus on how to organise its security efforts to protect
the virtualised networks now under construction.