Significant and rapid increases in global IP traffic and the adoption of mobile devices have challenged network service providers to scale and improve infrastructure. To address this, network providers are beginning to embrace new approaches such as Network Function Virtualization (NFV). NFV separates the hardware from network functions and uses the technologies of IT virtualization to virtualize entire classes of network node functions into building blocks that may connect, or chain together, to create communication services.

NFV relies upon, but differs from, traditional server-virtualization techniques. A Virtualized Network Function, or VNF, may consist of one or more virtual machines running different software and processes on top of standard high-volume servers, switches and storage devices, or even cloud computing infrastructure, instead of having custom hardware appliances for each network function.

By combining elements of networking and virtualization technology, NFV presents some newfound security challenges, including protecting against remote hypervisor attacks, Denial of Service (DoS) attacks, Virtual Machine (VM) hopping, and port scanning.

Software Defined Networking (SDN), similar to NFV, also suffers from security risks that result from abstracting network capabilities away from traditional proprietary technology, and one study has shown the benefits of a combined SDN-SDP architecture. NFVs could use SDNs to separate forwarding from network control.

In response, Software Defined Perimeter (SDP) is a framework that provides logical perimeters around these services, restricting network access while creating dynamic connections to the SDP-enabled Virtual Network Functions (VNFs) for trusted clients only. Research and testing are bearing out key security benefits of a combined NFV-SDP architecture, including deployment and access controls that are customizable, catering to a wide array of user needs.

A recent study examined and tested the aforementioned architecture within a virtual environment. A team led by professors Ahmed Refaey of Manhattan College and Abdallah Shami of Western University detailed findings and conclusions in a new paper titled “Multilevel Security Framework for NFV Based on Software Defined Perimeter (SDP).” The experiment modeled a situation where a client and an attacker both attempt to establish a connection to a server.

The results show that the combined architecture is indeed resistant to DoS attacks (blue lines in Fig 4 below). Additionally, the results led to a discussion regarding future research and implementation potential for this architecture.

Several NFV implementations were explored for the purposes of the paper, with Open Baton ultimately being chosen. The install process is highly simplified using Docker and Docker-Compose. Docker was also used as the infrastructure for NFVI-POPs. Thus, all VNFs are deployed as containers and networking is done using Docker networks.

For the SDP implementation, the solution offered by Waverley Labs’ OpenSDP project was selected. The controller provided by Waverley Labs is configured via a MySQL database. The tables within the database are configured with the list of approved hosts, gateways, and services, as well as the gateway-service relationships. A single controller, gateway, and client were configured using Waverley Labs’ open-source resources, along with a basic service and attacker.
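The sketch below is an added example, not code from the paper or from the OpenSDP project. It models controller tables of the kind just described and the default-deny decision a gateway derives from them. The table and column names, the host-to-service table, and the IP addresses are assumptions made for illustration, and the source IP stands in for the client identity a real controller would authenticate.

```python
import sqlite3
from collections import Counter

# Hypothetical schema: the kinds of tables the article lists, not OpenSDP's own names.
SCHEMA = """
CREATE TABLE host    (id INTEGER PRIMARY KEY, name TEXT, ip TEXT UNIQUE);
CREATE TABLE gateway (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE service (id INTEGER PRIMARY KEY, name TEXT, port INTEGER);
CREATE TABLE gateway_service (gateway_id INTEGER, service_id INTEGER);
CREATE TABLE host_service    (host_id INTEGER, service_id INTEGER);  -- assumed table
"""

def build_controller():
    """In-memory controller database filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO host VALUES (1, 'client', '10.0.0.10')")
    db.execute("INSERT INTO gateway VALUES (1, 'gw1')")
    db.executemany("INSERT INTO service VALUES (?, ?, ?)",
                   [(1, "web", 80), (2, "admin", 8443)])
    db.executemany("INSERT INTO gateway_service VALUES (?, ?)", [(1, 1), (1, 2)])
    db.execute("INSERT INTO host_service VALUES (1, 1)")  # client may reach web only
    return db

def is_allowed(db, gateway, src_ip, dst_port):
    """Default deny: forward only if every relationship exists in the tables."""
    row = db.execute(
        """SELECT 1 FROM host h
           JOIN host_service hs    ON hs.host_id = h.id
           JOIN service s          ON s.id = hs.service_id
           JOIN gateway_service gs ON gs.service_id = s.id
           JOIN gateway g          ON g.id = gs.gateway_id
           WHERE h.ip = ? AND s.port = ? AND g.name = ?""",
        (src_ip, dst_port, gateway)).fetchone()
    return row is not None

def replay(db, gateway, packets):
    """Count forwarded and dropped packets per source IP."""
    stats = Counter()
    for src_ip, dst_port in packets:
        verdict = "forwarded" if is_allowed(db, gateway, src_ip, dst_port) else "dropped"
        stats[(src_ip, verdict)] += 1
    return stats

# Constructed traffic: an approved client, an unlisted source flooding port 80,
# and the approved client trying a service it was never granted.
PACKETS = [("10.0.0.10", 80)] * 5 + [("10.0.0.66", 80)] * 200 + [("10.0.0.10", 8443)]

if __name__ == "__main__":
    for key, count in sorted(replay(build_controller(), "gw1", PACKETS).items()):
        print(key, count)
```

The last packet shows that an approved host is still refused a service with no matching relationship row, so access follows the table entries rather than network position.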

To evaluate the performance of SDP, the team measured network connectivity with and without it during a DoS attack, using two metrics to assess both access control and resilience: Client Packets Captured and Average HTTP Response Time.

Figure 4A (in the paper) illustrates the continued performance of the SDP-protected server during a DoS attack.

Figure 4B in the paper illustrates SDP’s ability to block bad packets from reaching the server within 0.9 and 1.5 seconds, while allowing legitimate traffic to access the server. It is worth noting that such deployment and access control are customizable, catering to a wide array of user needs.

To read the detailed findings in the paper, click here. For more information on SDP, check out this white paper from Waverley Labs or email info@waverleylabs.com to implement SDP.
