Obstfeld writes that Network Function Virtualization (NFV) is the transition of network infrastructure services to run on a virtualized computing platform.
According to Pate (2013), Software Defined Networking (SDN) provides the ability to program the behavior of the network using well-defined interfaces and allows the network devices to be controlled by a central element. The idea for SDN began when researchers experimenting with new protocols found that the software in the network devices had to be changed for each new approach they wanted to try. The goal of SDN is to enable cloud and network engineers and administrators to respond quickly to changing business requirements via a centralized control console. SDN encompasses multiple kinds of network technology designed to make the network flexible and agile enough to support the virtualized server and storage infrastructure of the modern data center. SDN was originally defined as an approach to designing, building, and managing networks that separates the network's control plane (the brains) from its forwarding plane (the muscle), enabling the network control to become directly programmable and the underlying infrastructure to be abstracted for applications and network services.
NFV and SDN are complementary to each other but they are not dependent on each other as shown in the figure.
NFV reduces capital and operational expenditures as well as power and space consumption. Its goals could be realized using non-SDN mechanisms; however, SDN could provide enhanced performance, simplified compatibility with existing deployments, and easier operation and maintenance procedures.
In the Network Function Virtualization (NFV) process, Dynamic Host Configuration Protocol (DHCP) is a network infrastructure service and could be virtualized. Once virtualized, keeping the virtual DHCP server safe requires following industry practices for safeguarding virtual devices. Waldron (2011) reports that the best industry practices include keeping the virtual environment updated with security releases, disabling unnecessary services, helping secure the operating system and all other applications, helping secure network controls, training administrators, performing security auditing, monitoring and testing, and enforcing user policies through education and technology controls.
Since virtualization is based on software, multiple DHCP servers could be created in the virtual environment. If one server is compromised by an attacker, the compromised server could be taken offline with little to no impact on the DHCP service. In addition, security is considered a benefit of virtualization, especially when isolation is achieved between guests, or between host and guest (Vacca, 2013).
In the above network, Software Defined Network (SDN) processes could also be followed to minimize the risk of DHCP spoofing by rogue DHCP servers. According to Clark et al. (2016), rogue DHCP servers can be detected and disabled by a programmable network application called Network Flow Guard (NFG). The main features of NFG are its modularity and its automated detection and prevention of rogue DHCP servers, accomplished with little impact on the network's protocols, architecture and operators. NFG is also easily extensible with future modules for denial of service attacks, ARP poisoning, anomaly detection, port scans and other threats.
Without SDN, the task of identifying and disabling a rogue DHCP server is complex, error prone and time consuming (2016). The tasks, as Clark et al. write, include: "(1) disabling the main DHCP server to determine if hosts continue to receive IP addresses from the rogue server (or investigating host log files for a DHCP-server-identifier), (2) obtaining the IP address of the false default gateway, (3) pinging the default gateway to populate the host's ARP table, (4) viewing the ARP table to obtain a mapping of the IP address and the physical MAC address, (5) setting up a continually running ping to confirm when the device is taken down, (6) opening and reviewing the list of MAC addresses contained in the MAC address table of each switch until the offending MAC address is identified, (7) identifying the port hosting the offending MAC, and if found (8) shutting down the port. Of course, if multiple MACs are associated with the port identified in (7), then this indicates that another switch is hosting the rogue DHCP server and steps (6 and 7) must be repeated until step (8) can finally be completed. Moreover, step (1) indicates that these methods will deny other clients access to the network while operators attempt to determine whether a rogue server is active on their network" (2016).
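As an added example (not the Network Flow Guard code of Clark et al., and not part of the original essay), the following Python sketch shows the shape of the automation described above: a controller application inspects copies of DHCP server messages, checks the server identifier, the source IP and the switch port they arrived on against an allowlist, and emits a drop rule for the offending port and MAC, which is the automated counterpart of manual steps (6) to (8) and leaves the legitimate server running, unlike step (1). The packet layout follows RFC 2131; the event metadata fields (dpid, in_port, src_mac, src_ip), the allowlist format, the rule representation and the sample traffic are assumptions constructed for this example.

```python
"""Rogue DHCP server detection in the style of an SDN controller application.
Added example, not the Network Flow Guard code of Clark et al.; packet layout
follows RFC 2131 (BOOTP header, magic cookie, TLV options)."""
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
SERVER_MSG_TYPES = {2, 5, 6}  # OFFER, ACK, NAK: only a DHCP server sends these

def parse_dhcp(payload):
    """Extract op, yiaddr, message type and server identifier; ValueError if malformed."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1] if i + 1 < len(payload) else 256
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[code] = value
        i += 2 + length
    server_id = opts.get(OPT_SERVER_ID)
    return {
        "op": payload[0],
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
        "msg_type": opts.get(OPT_MSG_TYPE, b"\x00")[0],
        "server_id": str(ipaddress.IPv4Address(server_id)) if server_id else None,
    }

def build_dhcp(op, yiaddr, msg_type, server_id=None):
    """Build a minimal DHCP message; used here only to construct sample traffic."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = op, 1, 6  # op, htype=Ethernet, hlen=6
    hdr[16:20] = ipaddress.IPv4Address(yiaddr).packed
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    return bytes(hdr) + DHCP_MAGIC + opts + bytes([OPT_END])

def classify(meta, payload, authorized):
    """Verdict for one packet-in event: "client", "authorized" or "rogue".
    meta is what the switch reports (dpid, in_port, src_mac, src_ip); authorized
    maps a sanctioned server IP to the (dpid, port) it is attached to, so a rogue
    that forges option 54 or the source IP is still caught by its port."""
    dhcp = parse_dhcp(payload)
    if dhcp["msg_type"] not in SERVER_MSG_TYPES:
        return "client"
    ip = dhcp["server_id"]
    if ip and meta["src_ip"] == ip and authorized.get(ip) == (meta["dpid"], meta["in_port"]):
        return "authorized"
    return "rogue"

def block_rule(meta):
    """Drop rule for the offending port and MAC (plain dict; a real controller would
    send it as an OpenFlow FlowMod). This is the automated form of steps (6)-(8)."""
    return {"dpid": meta["dpid"], "priority": 1000,
            "match": {"in_port": meta["in_port"], "eth_src": meta["src_mac"]},
            "actions": []}  # empty action list means drop

def inspect(events, authorized):
    """Run detection over (meta, payload) events; return drop rules and verdict counts."""
    rules, seen = [], set()
    counts = {"client": 0, "authorized": 0, "rogue": 0, "malformed": 0}
    for meta, payload in events:
        try:
            verdict = classify(meta, payload, authorized)
        except ValueError:
            counts["malformed"] += 1
            continue
        counts[verdict] += 1
        key = (meta["dpid"], meta["in_port"], meta["src_mac"])
        if verdict == "rogue" and key not in seen:  # one rule per offender
            seen.add(key)
            rules.append(block_rule(meta))
    return rules, counts

# Constructed sample traffic on one switch (dpid 1): real server on port 3, a rogue
# on port 7, a second rogue on port 8 forging the real server's identity, a client
# DISCOVER, and a non-DHCP payload that arrived on udp/67.
AUTHORIZED = {"10.0.0.1": (1, 3)}
SAMPLE_EVENTS = [
    ({"dpid": 1, "in_port": 3, "src_mac": "00:00:00:00:00:01", "src_ip": "10.0.0.1"},
     build_dhcp(2, "10.0.0.50", 2, "10.0.0.1")),   # legitimate OFFER
    ({"dpid": 1, "in_port": 7, "src_mac": "de:ad:be:ef:00:66", "src_ip": "10.0.0.66"},
     build_dhcp(2, "10.0.0.51", 2, "10.0.0.66")),  # rogue OFFER
    ({"dpid": 1, "in_port": 7, "src_mac": "de:ad:be:ef:00:66", "src_ip": "10.0.0.66"},
     build_dhcp(2, "10.0.0.51", 5, "10.0.0.66")),  # rogue ACK, same port: no extra rule
    ({"dpid": 1, "in_port": 8, "src_mac": "de:ad:be:ef:00:77", "src_ip": "10.0.0.1"},
     build_dhcp(2, "10.0.0.52", 2, "10.0.0.1")),   # forged server identity, wrong port
    ({"dpid": 1, "in_port": 9, "src_mac": "00:00:00:00:00:99", "src_ip": "0.0.0.0"},
     build_dhcp(1, "0.0.0.0", 1)),                 # client DISCOVER, ignored
    ({"dpid": 1, "in_port": 9, "src_mac": "00:00:00:00:00:99", "src_ip": "0.0.0.0"},
     b"not dhcp"),                                 # malformed
]
```

Running `inspect(SAMPLE_EVENTS, AUTHORIZED)` yields one authorized message, three rogue messages and two drop rules (ports 7 and 8); the duplicate ACK from port 7 produces no second rule. Binding each sanctioned server to its switch port is what makes the forged-identity case on port 8 detectable: checking option 54 alone would not distinguish it from the real server.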
Therefore, when combining Network Function Virtualization (NFV) and Software Defined Network (SDN), the security of network services or devices could be greatly enhanced.
References:
Clark, R.J., Cox, Jr., J.H., & Owen, III, H.L. (2016). Leveraging SDN to Improve the Security of DHCP. Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization. New Orleans, LA, USA. doi: 10.1145/2876019.2876028
Obstfeld, J. (2013). NFV - Myth, Hype & Reality. Retrieved from http://coseners.net/wp-content/uploads/2013/12/NFV_myth_hype_reality.pdf
Pate, P. (2013). NFV and SDN: What's the Difference? Retrieved from https://www.sdxcentral.com/articles/contributed/nfv-and-sdn-whats-the-difference/2013/03/
Vacca, J.R. (2013). Computer and Information Security Handbook. (2 ed.). Boston, MA: Morgan Kaufmann Publishers. (ISBN 978-0-123-94397-2)
Waldron, L.H. (2013). Virtualization: Security Best Practices. Retrieved from https://technet.microsoft.com/en-us/security/hh535766.aspx
NFV and SDN. Reprinted from "NFV and SDN: What's the Difference?" by P. Pate. Retrieved June 2, 2016, from https://www.sdxcentral.com/articles/contributed/nfv-and-sdn-whats-the-difference/2013/03/. Copyright 2013 by SDxCentral. Reprinted with permission.