How Service Providers Can Leverage Software-Defined Security (SD-Security)
February 16, 2017
In our last post, we talked about the benefits of network function virtualization (NFV) for managed service providers. Taking a step further, we’ll now examine how providers that deploy NFV can further benefit from this rapidly growing industry trend of evolving previously hardware-centric networks by leveraging security technologies into software-based services.
A core element of NFV is the virtualized network function (VNF), which is a software-based or virtualized version of a specific function such as a next-generation firewall (NGFW). Employing VNFs goes far beyond just converting from point hardware to virtualized software instances such as an NGFW. VNFs, which are centrally managed, policy orchestrated, zero-touch provisioned and service-chained, address many of the operational challenges noted earlier (that virtualized single instances are still prone to).
Applying NFV (and VNFs) to enterprise security and managed security services results in the ability to software-define security in terms of both form-factor and operations (policy creation and enforcement). These benefits are compounded by the fact that software-defined security (SD-Security) created from NFV de-couples security functions from proprietary hardware, enabling security functions in software to run on commodity x86 servers and appliances.
Another key aspect of SD-Security using NFV is its ability to service-chain to easily achieve multi-layer security. For example, a SD-WAN provider can service-chain a NG Fire Wall and secure web gateway to provide security for direct Internet access. Because the traffic flow has been service-chained centrally, each branch office is easy to deploy using a centralized orchestration tool.
Other advantages to creating a software-defined managed security service or enterprise deployment include:
- Elasticity: When deploying branch security through a software-defined and NFV-based model, capacity can easily and dynamically be scaled up or down without having to replace proprietary security appliances. For example, a branch firewall can be doubled in capacity in minutes using commands from the central provisioning portal, with no truck roll or firewall appliance swap-out required.
- Flexible and distributed service architecture: With the advent of NFV, SD-WAN providers and large enterprise have the capability (and flexibility) to decide where to run each layer of required security – either on-premises in the branch office or centrally in the data center or PoP. For example, compute-intensive services such as malware sandboxing, intrusion prevention (IPS) and anti-virus (AV) filtering can be run centrally, while services that are key in the branch, such as a firewall and a web gateway for securing direct Internet access, can be run locally.
- Centralized, automated operations: A software-defined and NFV-based approach to security also provides a way to deliver services from a single point of control, avoiding the challenging requirement for skilled personal available to be on-site whenever needed. Instead, services can be deployed, increased in capacity and enhanced with additional functions, all without requiring any on-site presence, hardware refreshes or manual provisioning. Also, if a particular customer site (or sites) requires a different set of security functions, it can be configured individually from a single management portal within a few minutes instead of in days or weeks.
In summary, the best SD-Security solution is the one that fits your enterprises’ needs. This flexibility is actually one of the widely touted advantages in the move towards SDN, NFV and virtual CPE. So it comes as no surprise that vendors are gravitating towards a software-defined architecture that encompasses all the different needs of the valuable enterprise WAN and branch network market. The recent IHS Infonetics survey is a case-in-point; according to this survey of service providers controlling 43 percent of worldwide telecom CapEx, 95 percent have deployed or evaluated NFV in 2016. One hundred percent will evaluate NFV by 2017.