Delivering Security Virtually Everywhere with SDN and NFV

Similar documents
Data Center Security Strategies and Vendor Leadership: North American Enterprise Survey

The Evolution of SDN and NFV Orchestration

A Presentation at DGI 2014 Government Cloud Computing and Data Center Conference & Expo, Washington, DC. September 18, 2014.

SDN and NFV in the WAN

Leveraging SDN and NFV in the WAN

High-End Firewall Strategies

Delivering Managed Services Using Next Generation Branch Architectures

OpenFlow-enabled SDN and Network Functions Virtualization. ONF Solution Brief February 17, 2014

Customer Benefits Through Automation with SDN and NFV

Virtualization, SDN and NFV

The Benefits of SD-WAN with Integrated Branch Security

Business Case for Virtual Managed Services

The Promise and the Reality of a Software Defined Data Center

Transforming Service Life Cycle Through Automation with SDN and NFV

Introduction to Software Defined Networking (SDN) and how it will change the inside of your DataCentre

What is SDN all about?

Infonetics Research White Paper Infonetics Research, Inc.

WHITE PAPER. Data Center Fabrics. Why the Right Choice is so Important to Your Business

Center SDN & NFV. Modern Data IN THE

The New IP Networks: Time to Move From PoC to Revenue

Panel: Cloud/SDN/NFV 黃 仁 竑 教 授 國 立 中 正 大 學 資 工 系 2015/12/26

The Role of Virtual Routers In Carrier Networks

White Paper. SDN 101: An Introduction to Software Defined Networking. citrix.com

Management & Orchestration of Metaswitch s Perimeta Virtual SBC

Using SDN-OpenFlow for High-level Services

Software defined networking. Your path to an agile hybrid cloud network

The Mandate for a Highly Automated IT Function

ALEPO IN THE VIRTUALIZED CORE NETWORK

How OpenFlow -Based SDN Transforms Private Cloud. ONF Solution Brief November 27, 2012

SOFTWARE-DEFINED NETWORKS

The Distributed Cloud: Automating, Scaling, Securing & Orchestrating the Edge

Network Functions Virtualization (NFV) for Next Generation Networks (NGN)

SDN, NFV & Future Technologies. Chris Thompson Director of Product Management, Cloud Connectivity Solutions

Juniper Solutions for Turnkey, Managed Cloud Services

What is SDN? And Why Should I Care? Jim Metzler Vice President Ashton Metzler & Associates

SDN Security Considerations in the Data Center. ONF Solution Brief October 8, 2013

ETSI NFV ISG DIRECTION & PRIORITIES

Trend Micro InterScan Web Security and Citrix NetScaler SDX Platform Overview

SDN PARTNER INTEGRATION: SANDVINE

Understanding the Business Case of Network Function Virtualization

SDN Architecture and Service Trend

Testing Challenges for Modern Networks Built Using SDN and OpenFlow

Network Function Virtualization Primer. Understanding NFV, Its Benefits, and Its Applications

Why Service Providers Need an NFV Platform Strategic White Paper

ADVANCED SECURITY MECHANISMS TO PROTECT ASSETS AND NETWORKS: SOFTWARE-DEFINED SECURITY

WHITE PAPER. How To Compare Virtual Devices (NFV) vs Hardware Devices: Testing VNF Performance

PLUMgrid Open Networking Suite Service Insertion Architecture

Securing Virtual Applications and Servers

Business Case for NFV/SDN Programmable Networks

Designing Virtual Network Security Architectures Dave Shackleford

NFV Management and Orchestration: Enabling Rapid Service Innovation in the Era of Virtualization

A Mock RFI for a SD-WAN

SINGLE-TOUCH ORCHESTRATION FOR PROVISIONING, END-TO-END VISIBILITY AND MORE CONTROL IN THE DATA CENTER

Enterprise Networking and Communication Vendor Scorecard

VIRTUALIZING THE EDGE

Unified Threat Management, Managed Security, and the Cloud Services Model

Ensuring end-user quality in NFV-based infrastructures

The Virtual Ascent of Software Network Intelligence

Business Case for Open Data Center Architecture in Enterprise Private Cloud

Cisco Hybrid Cloud Solution: Deploy an E-Business Application with Cisco Intercloud Fabric for Business Reference Architecture

Dynamic Service Chaining for NFV/SDN

Expert Reference Series of White Papers. Is Network Functions Virtualization (NFV) Moving Closer to Reality?

The Road to SDN: Software-Based Networking and Security from Brocade

FROM A RIGID ECOSYSTEM TO A LOGICAL AND FLEXIBLE ENTITY: THE SOFTWARE- DEFINED DATA CENTRE

Threat-Centric Security for Service Providers

Cisco and Citrix: Building Application Centric, ADC-enabled Data Centers

SOFTWARE DEFINED NETWORKING

Making the Case for Open Source Controllers

Building Blocks of the Private Cloud

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

Testing Software Defined Network (SDN) For Data Center and Cloud VERYX TECHNOLOGIES

white paper Introduction to Cloud Computing The Future of Service Provider Networks

Network functions Virtualisation CIO Summit Peter Willis & Andy Reid

How To Extend Security Policies To Public Clouds

Ensuring Success in a Virtual World: Demystifying SDN and NFV Migrations

CoIP (Cloud over IP): The Future of Hybrid Networking

A Coordinated. Enterprise Networks Software Defined. and Application Fluent Programmable Networks

The Future Of The Firewall

EVOLVED DATA CENTER ARCHITECTURE

Flexible SDN Transport Networks With Optical Circuit Switching

U s i n g S D N - and NFV-based Servi c e s to M a x i m iz e C SP Reve n u e s a n d I n c r e ase

IT Infrastructure Services. White Paper. Utilizing Software Defined Network to Ensure Agility in IT Service Delivery

Simplify IT. With Cisco Application Centric Infrastructure. Roberto Barrera VERSION May, 2015

Network Virtualization Solutions

Global Headquarters: 5 Speen Street Framingham, MA USA P F

Transcription:

INFONETICS RESEARCH WHITE PAPER Delivering Security Virtually Everywhere with SDN and NFV April 2015 By Principal Analyst Jeff Wilson 695 Campbell Technology Parkway Suite 200 Campbell California 95008 t 408.583.0011 f 408.583.0031 www.infonetics.com Silicon Valley, CA Boston, MA London, UK

Table of Contents INTRODUCTION 1 DRIVERS FOR SERVICE PROVIDERS 1 THE ROLE OF SECURITY IN SDN AND NFV 2 SDN AND SECURITY IN THE DATA CENTER: DELIVERING FLEXIBLE CLOUD SERVICES 5 NFV AND SECURITY: DELIVERING SERVICES TO CUSTOMERS AND VIRTUALIZING INFRASTRUCTURE 7 CONCLUSION 8 List of Exhibits Exhibit 1 Service Provider SDN and NFV Drivers 2 Exhibit 2 SDN Architecture 3 Exhibit 3 Operator SDN and NFV Timeline, 2013 2020 4 Exhibit 4 Virtual Appliances Deployed in Service Provider Data Centers 6 Exhibit 5 The Move to NFV 7

INTRODUCTION Without a doubt, SDN and NFV are among the most-discussed and frequently confused topics in all of networking. Though SDN and NFV have applicability beyond security, their implementation has serious impact on security architecture, and will enable a new generation of security services. From its academic beginnings at Stanford University in 2005 to practical applications in data centers and telecommunications carrier networks during the past 4 years, SDNs (software defined networks) show the potential to solve significant operational problems. The Open Networking Foundation (ONF) is the group dedicated to defining and promoting SDN technology, and they define SDN as an emerging network architecture where network control is decoupled from forwarding and is directly programmable. This migration of control, formerly tightly bound in individual network devices, into accessible computing devices enables the underlying infrastructure to be abstracted for applications and network services, which can treat the network as a logical or virtual entity. This sounds simple enough, and security is certainly one of the services that can be paired with logical or virtual network infrastructure. The first important point to make about SDN is that it works in physical networks and virtual networks. Logical networks where traditional network infrastructure (like switches and routers) is configured logically using technology like VLANs are widely deployed today, and will be the starting place for many early SDN deployments. To get to fully virtual networks, where all network components run in software on top of common hardware, we have to take the first step, which is NFV (network functions virtualization). NFV was initiated by service providers, who want to be in the driver s seat to move the industry and all vendors in the same direction to move network functions off specialized network hardware onto commercial servers, with a goal of preventing vendor lock-in. Standards for NFV are being curated by the ETSI (European Telecommunications Standards Institute), and their work in NFV is focused on helping major telecommunications service providers streamline their networks and shed their dependence on specific vendors hardware for key functions like BRAS, message routing, DPI, SGSN/GGSN, carrier NAT, and you guessed it security. So in the end, SDN and NFV are complementary technologies and architectural initiatives aimed in the same direction: to make networks and network services more agile. DRIVERS FOR SERVICE PROVIDERS SDN is an architecture that abstracts control from forwarding, allowing for physical or virtual networks and services for enterprise campus and data center networks as well as large service provider data centers and telecommunications networks. Large service providers will use SDN technology (particularly SDN orchestration tools like controllers, which essentially become the brains of an SDN deployment) to provision their infrastructure and services once their network functions have been virtualized per NFV. Service providers around the globe are very motivated to roll out solutions that leverage SDN and NFV as quickly as possible because they expect significant improvements in cost and agility, as outlined in the chart below, an excerpt from our SDN and NFV Strategies: Global Service Provider Survey. 1

Exhibit 1 Service Provider SDN and NFV Drivers Source: SDN and NFV Strategies: Global Service Provider Survey, July 2013 Looking down the list of drivers for SDN and NFV, we see that many of these benefits can be directly applied to security, and for many providers tinkering with SDN and NFV, security is among the first applications they look to deploy. With SDN and NFV in place, service providers can offer customers things like on demand advanced malware protection, cloud-based URL filtering, web application security for a cloud-based application testing and development environment, and granular customization per-application or per-tenant. THE ROLE OF SECURITY IN SDN AND NFV Though SDN and NFV are hot topics in networking, and will force vendors who build networking products and applications to offer new form factors and re-architect some of their solutions, security vendors have been working on adapting threat detection and mitigation solutions to work in virtualized (under a hypervisor) environments for over 5 years, typically building what they refer to as virtual appliance versions of their traditional hardware/software products. The reason for this is quite simple: as soon as server virtualization was introduced, anyone who deployed it realized they were challenged to meet the security scale requirements of their virtualized infrastructure, and they needed a way to secure traffic moving between virtual machines this traffic was essentially invisible to their existing threat mitigation tools. Buyers leaned on their preferred security vendors to deliver the same types of control (firewalling, anti-virus, intrusion prevention, etc.) inside the virtualized environment as outside, and thus the virtual security appliance was born. 2

Initially, virtual security appliances needed to be hypervisor aware, to interface directly with the buyer s chosen hypervisor so that a single virtual appliance could work in concert with the hypervisor to deliver customized security to each instance it was protecting. Security vendors had to invest resources to map their security products to the hypervisor API(s) to attain multitenant capability and visibility into east-west traffic. As the market moves toward SDN and NFV, it is fairly easy for most security vendors to adjust the work they did building virtual appliances for hypervisors like vsphere, XenServer, or Hyper-V to work with vendors open or closed SDN orchestration tools and controllers such as OpenStack. In short, security vendors are ready to support rollouts of SDN and NFV. In the next exhibit, which shows the basic SDN architecture, security is simply one of the network services in the center, provisioned and managed by the SDN control layer and paired with business applications above and virtualized or logical infrastructure below. In the beginning, it s unlikely that SDN controllers will communicate directly with virtual security appliances (the hypervisor is generally the intermediary), but that is where the technology and products are headed. Exhibit 2 SDN Architecture 3

Though the SDN controller infrastructure is the brain of the operation, the real power is in combining that orchestration capability with a wide variety of virtualized network functions (VNFs) to build customized services in a very easy way; that s the agility advantage of SDN and NFV. In security alone there are more than a dozen core functions that will become their own VNF, like firewall, web filtering, virus scanning, IPS, DDoS mitigation, web application firewall, network access control, DLP. These functions can be stitched together to building individual service offerings tailored to the customers need. The range of solutions needed for a service provider to roll out SDN in their data centers, or to build networks and services that leverage full NFV are just starting to become widely available. As the timeline below shows, we re already into SDN/NFV field trials and some commercial deployments, and many of these trials have selected security as an early use case. Exhibit 3 Operator SDN and NFV Timeline, 2013 2020 To explore how SDN and NFV technology, standards, and architecture translate into security solutions for customers, we ll look at two cases: SDN in the data center to deliver a range of security tools to protect hosted/cloud infrastructure, and NFV in a large carrier network to deliver a virtual firewall to the perimeter of the customer s network, replacing a physical on-premises firewall. 4

SDN AND SECURITY IN THE DATA CENTER: DELIVERING FLEXIBLE CLOUD SERVICES As the traditional hosting market (dedicated, shared, and colocation) rapidly transitions to full-featured public and private cloud services, hosting and cloud providers are looking to: Save money on the infrastructure they build and maintain to deliver services Increase the speed with which they can add to or change services Deliver a richer set of services to their customers To achieve these goals, many have virtualized much of their infrastructure, and are looking to SDN orchestration platforms to help them provision and manage services. In the old days, if a customer wanted to deploy a server with a custom web-based application, but they required a specific type of security in front of that application (specific vendor or product), they had to buy colocation space, or find a hosting provider that offered dedicated hosting services and the ability to install a security appliance into the rack with their application. After that was done, they had to figure out a way to parse management of those tools between the hosting provider and the customer; not terribly agile at all. Today, things are very different; many cloud providers offer services that can be purchased online and automatically provisioned (compute, storage, applications) and can automatically bundle virtualized security solutions that are provisioned simultaneously. Using SDN technology, cloud providers enable customers deploying a single web application on cloud infrastructure to automatically provision a virtual web application firewall (WAF) simultaneously and without human intervention. That WAF can be managed by the customer, and will follow the web application wherever it goes. In the case of something like a test deployment of a new web application, the WAF can be provisioned during testing, and easily shut down once the test is over, at no real operating cost for the hosting provider. In more complex cases, customers looking to cloud providers to outsource portions of their network infrastructure can now buy compute, storage, and even networks, and then deploy and manage network-level security solutions (firewalls, IPS, even DDoS mitigation) virtually. To the buyer, these security tools look exactly like their hardware counterparts, but they re provisioned by the SDN controller/hypervisor and follow the virtual infrastructure wherever it goes. Solutions like this are available today from a wide range of large hosting and cloud providers (including Microsoft Azure, Amazon Web Services, and others). In our 2014 study of 26 of the largest and most influential cloud/hosting service providers around the globe, we found plans to offer a wide range of virtual security appliance solutions to customers, with many providers offering multiple platforms from multiple vendors. With these virtual appliance platforms in place, cloud/hosting providers can begin to build customized security service offerings for their customers; we can see already that many providers have the ability to offer web application firewalls, mail security, web filtering, firewall, and DDoS mitigation via virtual appliances. 5

Exhibit 4 Virtual Appliances Deployed in Service Provider Data Centers Source: Cloud and Data Center Security Strategies and Vendor Leadership, a Global Service Provider Survey, December 2014 The momentum behind SDN in service provider data centers to deliver agile services (including a wide range of security services) is only going to grow, and the development done to support large providers is trickling down to enterprise customers who are starting to dabble with SDN in their own data centers and campus networks. When the time comes for enterprises to deploy security solutions for their SDN-enabled environments, they ll find a fairly mature product set from the market in general, and their current vendors for different security appliances will likely be offering virtual appliance solutions already. 6

NFV AND SECURITY: DELIVERING SERVICES TO CUSTOMERS AND VIRTUALIZING INFRASTRUCTURE The case for NFV and security is simple to make. Virtualizing infrastructure of all types and allowing providers to deploy network functions and services on common hardware just makes sense. As you can see in the diagram below, the problems carriers are looking to solve with NFV are broad, and virtualizing network functions is really only one part. They ll use technology developed for SDN to provide the orchestration and automation portion of the vision. Security is among hundreds of pieces of network infrastructure that ultimately will be virtualized as providers get more serious about NFV. The diagram below includes firewall, but in truth carriers will look to virtualize every bit of security technology they ve deployed, from a single security appliance at the customer edge to the Gi/SGi firewalls they use to protect mobile backhaul networks, and everything in between. Exhibit 5 The Move to NFV 7

The long-term vision for providers deploying NFV network-wide is similar to the use-cases for the SDN-enabled data center; agile deployment of revenue generating services, and the ability to match virtualized security to virtualized network infrastructure, making sure the appropriate security functions follow the network wherever it goes. From a practical standpoint, this means, for example, enabling providers to place a common hardware device (any device capable of running a virtual machine) on the customer premises, then automatically deploy a wide range of services to that hardware device (or even allow the customer to deploy and manage as needed), so CPE services like routing, firewall, voice/uc, and WAN optimization can be delivered without having to send out discreet appliances for each function. It also means allowing providers to use common hardware to build tailored security solutions for very specific environments. Mobile providers can combine security and mobile network functions into one tool in the backhaul network and leverage common hardware platforms to build massively scalable threat analytics and mitigation solutions for their transport networks, changing vendors and functions as needed without having to roll out new hardware each time. CONCLUSION The move to SDN and NFV is underway now; for most service providers the benefits are impossible to ignore. Service agility for shorter time to revenue: Service providers can quickly add, drop, and change the services they offer by using SDN control software and VNFs on commercial servers, rather than having to invest in new, specialized network hardware and manually reconfigure the network to deploy each new service. With SDN and NFV, service providers can cost-effectively test new services on small groups of customers, modify the service and give it another try, or simply scrap it without too great an investment if it s not working out. SDN can be deployed alongside existing network infrastructure, migrating customers gradually. Global view of the network for provisioning across multi-vendor, multi-layer, and multiple network domains: Rather than relying on each vendor s management system to view the status of traffic and equipment in their networks, carriers want to use SDN to make all the equipment from various vendors in their network visible, configurable, and manageable, from a single console so that services can be easily created and deployed across the entire network. The fine-grained control offered by SDN will enable carriers to run their networks at higher utilization while minimizing the equipment they need. This translates into considerable capex and opex reductions. Many security technology vendors, including market-leading vendors like Check Point, Cisco, and Juniper, are far down the path in developing virtual appliance solutions for enterprises and service providers who began demanding security as soon as they started to deploy server virtualization. As a result, many of these security vendors are uniquely positioned to be first-movers in the SDN/NFV application business. Security technology companies are not done innovating, and security tools for virtualized environments will evolve. Since the goal of SDN and NFV is to flatten visibility and control, it s not hard to imagine a world where the operating systems that run individual service platforms go away, and each discreet function of an existing security appliance becomes a service operated by the controller/orchestration infrastructure, allowing for better visibility and ultimate granularity in deployment. Using SDN and NFV to deliver security offers an unprecedented blend of centralized control and distributed enforcement. 8

WHITE PAPER AUTHOR Jeff Wilson Principal Analyst, Security Infonetics Research +1 408.583.3337 jeff@infonetics.com Twitter: @securityjeff Commissioned by Juniper to educate the industry about the role of security in SDN and NFV, this paper was written autonomously by analyst Jeff Wilson based on Infonetics independent research. ABOUT INFONETICS RESEARCH Infonetics Research is an international market research and consulting analyst firm serving the communications industry since 1990. A leader in defining and tracking emerging and established technologies in all world regions, Infonetics helps clients plan, strategize, and compete more effectively. REPORT REPRINTS AND CUSTOM RESEARCH To learn about distributing excerpts from Infonetics reports or custom research, please contact: North America (West) and Asia Pacific Larry Howard, Vice President, larry@infonetics.com, +1 408.583.3335 North America (East, Midwest, Texas), Latin America, and EMEA Scott Coyne, Senior Account Director, scott@infonetics.com, +1 408.583.3395 Greater China, Southeast Asia, and India 大 中 华 区 及 东 南 亚 地 区 Jeffrey Song, Market Analyst 市 场 分 析 师 及 客 户 经 理 jeffrey@infonetics.com, +86 21.3919.8505 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information