Inherent Security Design Patterns for SDN/NFV Deployments

2 likes851 views

The document discusses the inherent security design patterns for Software-Defined Networking (SDN) and Network Functions Virtualization (NFV) deployments, emphasizing the need for security measures that evolve with technology. It highlights the importance of a zero-trust security model, manual deployment challenges, and strategies to protect against cyber attacks throughout their lifecycle. Ultimately, it asserts that security can now be integrated into NFV infrastructure, making it a scalable resource for application workloads.

Technology

Inherent Security Design
Patterns for SDN/NFV
Deployments
John McDowall
Palo Alto Networks

Drivers for Consumers and Providers of Cloud/NFV
Automa'on

Minimize

OPEX
&
CAPEX

Dynamic

Resources

Self-‐Service

Portals

Scalability

Agility
Producers Consumers
Make security easy-to-deploy
by consumers
No Bottlenecks
Need well-defined security posture
New

Business

Models

“….if
innova+on
doesn’t
get
ahead
of
the

hackers,
we
will
likely
see
roadblocks
to

rolling
out
new
SDx
applica+ons
….

….
because
of
the
fear
that
SDx

Infrastructure
cannot
protect
against
and

contain
new
aAacks.
“

SDxCentral SDx Infrastructure Security Report 2015 Edition

Key Security Perspectives
The security perimeter no longer exists.
Understanding the Cyber Attack Pattern Lifecycle
How do we prevent attacks with SDN/NFV ?

Preventing Across the Cyber Attack* Life Cycle
Unauthorized Access Unauthorized Use
Gather
Intelligence
Leverage
Exploit
Execute
Malware
Command
& Control
Actions on
the
objective
Reconnaissance Weaponization
& Delivery
Malware
Communicates
with Attacker
Exploitation Data Theft,
Sabotage,
Destruction
* Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Ph.D. Lockheed Martin Corporation
Breach
the
Perimeter
1 Deliver
the
Malware
2 Exﬁltrate
Data
4Lateral
Movement
3

Security Challenges with NFV
Manual

Deployments

Slow
and
error-‐
prone
processes
to

enable
security

Transient

Workloads

Workload
lifespan

is
in
hours,
days
or

weeks

Sta'c

Remedia'on

Lack
of
dynamic

remediaCon

measures

Malware

30,000

new
malware
/day

Applying Zero Trust* to NFV
FoundationalSecurity
DesignPattern
* No More Chewy Centers: The Zero Trust Model of Information Security John Kindervag, Forester Research, 2014
Verify
and

Never
Trust

Inspect
and

Log
all
Traﬃc

Design

Network

Inside-‐Out

Predefine:
•  User-Access Controls
•  Layer-7 Interactions
Build:
•  Security Compliance
•  Auditable Entities
Enable:
•  Fine grained kill switch
•  Real-time Security Updates

Foundation Security Blueprint
FoundationalSecurity
DesignPattern
•  Deﬁne
allowable

interacCons

•  Add
applicaCon

security
paOern

•  Sign-‐oﬀ
by
security

team

•  Deploy
zero-‐trust

applicaCon
security

paOern.

•  Merge

parameterized

paOern
with
tenant

instance

•  Deny-‐All
to
Only-‐
Allowed

•  Real-‐Cme
InspecCon

•  Update
threat

paOerns,
sigs
et
al

•  Disrupt
and/or

block
cyber

aOacks

•  Archive
logs
&

policies

•  Perform
forensics

•  Generate
report

Prepare
Deploy
Update
Remove

1 2 3 4
Virtual Function Security Model Virtual Function

Implementation of Foundation Security Pattern
SecureEncapsulation
DesignPattern
Enforce zero-trust
model – block all
traffic until policy is
applied.
Security

Enforcement

Point

VM-‐A

Security

Enforcement

Point

VM-‐A

Security

Enforcement

Point

VM-‐A

Security

Enforcement

Point

VM-‐A

1
Security
Controller
Get signed “security pattern”
from VM deployment
Descriptor and deploy with
application.
2
Get VNI/Tenant ID for
instance mapping
bridge
vxlan nic
Apply policy/tenant
based on tenant ID
and application
security pattern
retrieved from
deployment.
4
3
v-‐wire
v-wire NFV deployed
security enforcement
point.
1
Data
link

Control
link

v-‐wire

Summary
•  Security was one on the biggest impediments to
deployment of NFV.
•  Leveraging NFV to deﬁne a foundational pattern to
protect application workloads.
•  Application Security patterns can now be applied to the
foundational pattern to implement security from the
inside out
•  Security is now a resource that scales with your NFV
infra-structure.
11

More Related Content

What's hot (20)

PDF

Mod SecurityAbhishek Singh

PDF

Cisco amp for merakiCisco Canada

PDF

Cisco umbrella overviewCisco Canada

ODP

Web Application FirewallChandrapal Badshah

PPTX

Equifax cyber attack contained by containersAqua Security

PPTX

TechWiseTV Workshop: OpenDNS and AnyConnectRobb Boyd

PDF

Cloud Native Security: New Approach for a New RealityCarlos Andrés García

PPTX

Pxosys Webinar Amplify your Security🏆Ruben Cocheno💭

PDF

VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...VMworld

PDF

Behind the scene of malware operators. Insights and countermeasures. CONFiden...Marco Balduzzi

PDF

Using Your Network as a Sensor for Enhanced Visibility and Security Lancope, Inc.

PDF

Хакеро-машинный интерфейсPositive Hack Days

PDF

Introduction to Mod security session April 2016Rahul

PDF

VMworld 2013: Security Automation Workflows with NSX VMworld

PDF

ASA Firepower NGFW Update and Deployment ScenariosCisco Canada

PDF

Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...Alert Logic

PDF

Hacking IoT with EXPLIoT FrameworkPriyanka Aash

PPTX

Preventing Today's MalwareDavid Perkins

PPTX

How to Test High-Performance Next-Generation FirewallsIxia

PPTX

Sourcefire Webinar - NEW GENERATION IPSmmiznoni

Mod SecurityAbhishek Singh

Cisco amp for merakiCisco Canada

Cisco umbrella overviewCisco Canada

Web Application FirewallChandrapal Badshah

Equifax cyber attack contained by containersAqua Security

TechWiseTV Workshop: OpenDNS and AnyConnectRobb Boyd

Cloud Native Security: New Approach for a New RealityCarlos Andrés García

Pxosys Webinar Amplify your Security🏆Ruben Cocheno💭

VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...VMworld

Behind the scene of malware operators. Insights and countermeasures. CONFiden...Marco Balduzzi

Using Your Network as a Sensor for Enhanced Visibility and Security Lancope, Inc.

Хакеро-машинный интерфейсPositive Hack Days

Introduction to Mod security session April 2016Rahul

VMworld 2013: Security Automation Workflows with NSX VMworld

ASA Firepower NGFW Update and Deployment ScenariosCisco Canada

Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...Alert Logic

Hacking IoT with EXPLIoT FrameworkPriyanka Aash

Preventing Today's MalwareDavid Perkins

How to Test High-Performance Next-Generation FirewallsIxia

Sourcefire Webinar - NEW GENERATION IPSmmiznoni

Viewers also liked (12)

PPTX

See Your OpenStack Network Like Never Before with Real-time Visibility and Mo...PLUMgrid

PDF

Open Source Means Upstream FirstOPNFV

PDF

Nuts & Bolts of the Dynamic Attack ChainIBM Security

PPTX

IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...Luigi Delgrosso

PPTX

Crack the CodeInnoTech

PPTX

InduSoft System security webinar 2012AVEVA

PPTX

Amien Harisen - APT1 AttackIndonesia Honeynet Chapter

PPTX

Security best practicesAVEVA

PDF

The Anatomy of a Data BreachDavid Hunt

PDF

Openstack meetup: NFV and OpenstackMarie-Paule Odini

PPTX

NfvAhmad Hijazi

PPTX

Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...Knowledge Group

See Your OpenStack Network Like Never Before with Real-time Visibility and Mo...PLUMgrid

Open Source Means Upstream FirstOPNFV

Nuts & Bolts of the Dynamic Attack ChainIBM Security

IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...Luigi Delgrosso

Crack the CodeInnoTech

InduSoft System security webinar 2012AVEVA

Amien Harisen - APT1 AttackIndonesia Honeynet Chapter

Security best practicesAVEVA

The Anatomy of a Data BreachDavid Hunt

Openstack meetup: NFV and OpenstackMarie-Paule Odini

NfvAhmad Hijazi

Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...Knowledge Group

Similar to Inherent Security Design Patterns for SDN/NFV Deployments (20)

PDF

Zero Trust Networks Evan Gilman Doug Barthburacakerina41

PDF

Zero Trust Networks Evan Gilman Doug Barthxovaniparpov15

PPTX

nsx overview with use cases 1.0Ploynatcha Akkaraputtipat

PPSX

Zero-Trust SASE DevSecOpsAraf Karsh Hamid

PPTX

Architecting trust in the digital landscape, or lack thereofJonathan Sinclair

PDF

Cisco Connect 2018 Thailand - Telco service provider network analytics NetworkCollaborators

PDF

Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...NetworkCollaborators

PPTX

SDN and NFV integrated OpenStack Cloud - Birds eye view on SecurityTrinath Somanchi

PPTX

Security Components Across OSI Layers (1-4).pptxMarcKhoury5

PDF

Security in the cloud planning guideYury Chemerkin

PPTX

Protecting endpoints from targeted attacksAppSense

PPTX

Steve Porter : cloud Computing SecurityGurbir Singh

PPT

Cloud Security_Module2.pptArunKumbi1

PDF

The Zero Trust Security Model for Modern Businesses!Caroline Johnson

PPTX

Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Scalar Decisions

PPTX

CISSP Domain 03 Security Architecture and Engineering.pptxgealehegn

PDF

Forrester zero trust_dnaCristian Garcia G.

PDF

Zero Trust Best Practices for KubernetesNGINX, Inc.

DOCX

What is zero trust model of information security?Ahmed Banafa

PDF

Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...Jiunn-Jer Sun

Zero Trust Networks Evan Gilman Doug Barthburacakerina41

Zero Trust Networks Evan Gilman Doug Barthxovaniparpov15

nsx overview with use cases 1.0Ploynatcha Akkaraputtipat

Zero-Trust SASE DevSecOpsAraf Karsh Hamid

Architecting trust in the digital landscape, or lack thereofJonathan Sinclair

Cisco Connect 2018 Thailand - Telco service provider network analytics NetworkCollaborators

Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...NetworkCollaborators

SDN and NFV integrated OpenStack Cloud - Birds eye view on SecurityTrinath Somanchi

Security Components Across OSI Layers (1-4).pptxMarcKhoury5

Security in the cloud planning guideYury Chemerkin

Protecting endpoints from targeted attacksAppSense

Steve Porter : cloud Computing SecurityGurbir Singh

Cloud Security_Module2.pptArunKumbi1

The Zero Trust Security Model for Modern Businesses!Caroline Johnson

Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Scalar Decisions

CISSP Domain 03 Security Architecture and Engineering.pptxgealehegn

Forrester zero trust_dnaCristian Garcia G.

Zero Trust Best Practices for KubernetesNGINX, Inc.

What is zero trust model of information security?Ahmed Banafa

Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...Jiunn-Jer Sun

More from OPNFV (20)

PPTX

How to Reuse OPNFV Testing Components in Telco Validation ChainOPNFV

PPTX

Energy Audit aaS with OPNFVOPNFV

PPTX

Hands-On Testing: How to Integrate Tests in OPNFVOPNFV

PDF

Storage Performance Indicators - Powered by StorPerf and QTIPOPNFV

PDF

Big Data for Testing - Heading for Post Process and AnalyticsOPNFV

PPTX

Testing, CI Gating & Community Fast Feedback: The Challenge of Integration Pr...OPNFV

ODP

How Many Ohs? (An Integration Guide to Apex & Triple-o)OPNFV

PPTX

Being Brave: Deploying OpenStack from MasterOPNFV

PPTX

Upstream Testing Collaboration OPNFV

PDF

Enabling Carrier-Grade Availability Within a Cloud InfrastructureOPNFV

PDF

Learnings From the First Year of the OPNFV Internship ProgramOPNFV

PDF

OPNFV and OCP: Perfect TogetherOPNFV

PDF

The Return of QTIP, from Brahmaputra to DanubeOPNFV

PDF

Improving POD Usage in Labs, CI and TestingOPNFV

PDF

Run OPNFV Danube on ODCC Scorpio Multi-node Server - Open Software on Open Ha...OPNFV

PDF

Distributed vnf management architecture and use-casesOPNFV

PDF

Software-defined migration how to migrate bunch of v-ms and volumes within a...OPNFV

PDF

Securing your nfv and sdn integrated open stack cloud- challenges, use-cases ...OPNFV

PDF

My network functions are virtualized, but are they cloud-readyOPNFV

PDF

Challenge in asia region connecting each testbed and poc of distributed nfv ...OPNFV

How to Reuse OPNFV Testing Components in Telco Validation ChainOPNFV

Energy Audit aaS with OPNFVOPNFV

Hands-On Testing: How to Integrate Tests in OPNFVOPNFV

Storage Performance Indicators - Powered by StorPerf and QTIPOPNFV

Big Data for Testing - Heading for Post Process and AnalyticsOPNFV

Testing, CI Gating & Community Fast Feedback: The Challenge of Integration Pr...OPNFV

How Many Ohs? (An Integration Guide to Apex & Triple-o)OPNFV

Being Brave: Deploying OpenStack from MasterOPNFV

Upstream Testing Collaboration OPNFV

Enabling Carrier-Grade Availability Within a Cloud InfrastructureOPNFV

Learnings From the First Year of the OPNFV Internship ProgramOPNFV

OPNFV and OCP: Perfect TogetherOPNFV

The Return of QTIP, from Brahmaputra to DanubeOPNFV

Improving POD Usage in Labs, CI and TestingOPNFV

Run OPNFV Danube on ODCC Scorpio Multi-node Server - Open Software on Open Ha...OPNFV

Distributed vnf management architecture and use-casesOPNFV

Software-defined migration how to migrate bunch of v-ms and volumes within a...OPNFV

Securing your nfv and sdn integrated open stack cloud- challenges, use-cases ...OPNFV

My network functions are virtualized, but are they cloud-readyOPNFV

Challenge in asia region connecting each testbed and poc of distributed nfv ...OPNFV

Recently uploaded (20)

PDF

Newgen 2022-Forrester Newgen TEI_13 05 2022-The-Total-Economic-Impact-Newgen-...darshakparmar

PDF

Reverse Engineering of Security Products: Developing an Advanced Microsoft De...nwbxhhcyjv

PDF

Achieving Consistent and Reliable AI Code Generation - Medusa AImedusaaico

PPTX

MSP360 Backup Scheduling and Retention Best Practices.pptxMSP360

PPTX

Q2 FY26 Tableau User Group Leader Quarterly Calllward7

PDF

How Startups Are Growing Faster with App Developers in Australia.pdfIndia App Developer

PDF

SFWelly Summer 25 Release Highlights July 2025Anna Loughnan Colquhoun

PDF

"Beyond English: Navigating the Challenges of Building a Ukrainian-language R...Fwdays

PDF

Chris Elwell Woburn, MA - Passionate About IT InnovationChris Elwell Woburn, MA

PDF

"AI Transformation: Directions and Challenges", Pavlo ShaternikFwdays

PDF

Blockchain Transactions Explained For EveryoneCIFDAQ

PDF

Log-Based Anomaly Detection: Enhancing System Reliability with Machine LearningMohammed BEKKOUCHE

PDF

Agentic AI lifecycle for Enterprise Hyper-AutomationDebmalya Biswas

PDF

Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025faizk77g

PDF

Using FME to Develop Self-Service CAD Applications for a Major UK Police ForceSafe Software

PDF

The Builder’s Playbook - 2025 State of AI Report.pdfjeroen339954

PDF

CIFDAQ Weekly Market Wrap for 11th July 2025CIFDAQ

PPTX

UiPath Academic Alliance Educator Panels: Session 2 - Business Analyst ContentDianaGray10

PDF

HCIP-Data Center Facility Deployment V2.0 Training Material (Without Remarks ...mcastillo49

PPTX

Top iOS App Development Company in the USA for Innovative AppsSynapseIndia

Newgen 2022-Forrester Newgen TEI_13 05 2022-The-Total-Economic-Impact-Newgen-...darshakparmar

Reverse Engineering of Security Products: Developing an Advanced Microsoft De...nwbxhhcyjv

Achieving Consistent and Reliable AI Code Generation - Medusa AImedusaaico

MSP360 Backup Scheduling and Retention Best Practices.pptxMSP360

Q2 FY26 Tableau User Group Leader Quarterly Calllward7

How Startups Are Growing Faster with App Developers in Australia.pdfIndia App Developer

SFWelly Summer 25 Release Highlights July 2025Anna Loughnan Colquhoun

"Beyond English: Navigating the Challenges of Building a Ukrainian-language R...Fwdays

Chris Elwell Woburn, MA - Passionate About IT InnovationChris Elwell Woburn, MA

"AI Transformation: Directions and Challenges", Pavlo ShaternikFwdays

Blockchain Transactions Explained For EveryoneCIFDAQ

Log-Based Anomaly Detection: Enhancing System Reliability with Machine LearningMohammed BEKKOUCHE

Agentic AI lifecycle for Enterprise Hyper-AutomationDebmalya Biswas

Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025faizk77g

Using FME to Develop Self-Service CAD Applications for a Major UK Police ForceSafe Software

The Builder’s Playbook - 2025 State of AI Report.pdfjeroen339954

CIFDAQ Weekly Market Wrap for 11th July 2025CIFDAQ

UiPath Academic Alliance Educator Panels: Session 2 - Business Analyst ContentDianaGray10

HCIP-Data Center Facility Deployment V2.0 Training Material (Without Remarks ...mcastillo49

Top iOS App Development Company in the USA for Innovative AppsSynapseIndia

Inherent Security Design Patterns for SDN/NFV Deployments

1. Inherent Security Design Patterns for SDN/NFV Deployments John McDowall Palo Alto Networks

2. Drivers for Consumers and Providers of Cloud/NFV Automa'on Minimize OPEX & CAPEX Dynamic Resources Self-‐Service Portals Scalability Agility Producers Consumers Make security easy-to-deploy by consumers No Bottlenecks Need well-defined security posture New Business Models

3. “….if innova+on doesn’t get ahead of the hackers, we will likely see roadblocks to rolling out new SDx applica+ons …. …. because of the fear that SDx Infrastructure cannot protect against and contain new aAacks. “ SDxCentral SDx Infrastructure Security Report 2015 Edition

4. Key Security Perspectives The security perimeter no longer exists. Understanding the Cyber Attack Pattern Lifecycle How do we prevent attacks with SDN/NFV ?

5. Preventing Across the Cyber Attack* Life Cycle Unauthorized Access Unauthorized Use Gather Intelligence Leverage Exploit Execute Malware Command & Control Actions on the objective Reconnaissance Weaponization & Delivery Malware Communicates with Attacker Exploitation Data Theft, Sabotage, Destruction * Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Ph.D. Lockheed Martin Corporation Breach the Perimeter 1 Deliver the Malware 2 Exﬁltrate Data 4Lateral Movement 3

6. Security Challenges with NFV Manual Deployments Slow and error-‐ prone processes to enable security Transient Workloads Workload lifespan is in hours, days or weeks Sta'c Remedia'on Lack of dynamic remediaCon measures Malware 30,000 new malware /day

7. Security Design Patterns for NFV

8. Applying Zero Trust* to NFV FoundationalSecurity DesignPattern * No More Chewy Centers: The Zero Trust Model of Information Security John Kindervag, Forester Research, 2014 Verify and Never Trust Inspect and Log all Traﬃc Design Network Inside-‐Out Predefine: •  User-Access Controls •  Layer-7 Interactions Build: •  Security Compliance •  Auditable Entities Enable: •  Fine grained kill switch •  Real-time Security Updates

9. Foundation Security Blueprint FoundationalSecurity DesignPattern •  Deﬁne allowable interacCons •  Add applicaCon security paOern •  Sign-‐oﬀ by security team •  Deploy zero-‐trust applicaCon security paOern. •  Merge parameterized paOern with tenant instance •  Deny-‐All to Only-‐ Allowed •  Real-‐Cme InspecCon •  Update threat paOerns, sigs et al •  Disrupt and/or block cyber aOacks •  Archive logs & policies •  Perform forensics •  Generate report Prepare Deploy Update Remove 1 2 3 4 Virtual Function Security Model Virtual Function

10. Implementation of Foundation Security Pattern SecureEncapsulation DesignPattern Enforce zero-trust model – block all traffic until policy is applied. Security Enforcement Point VM-‐A Security Enforcement Point VM-‐A Security Enforcement Point VM-‐A Security Enforcement Point VM-‐A 1 Security Controller Get signed “security pattern” from VM deployment Descriptor and deploy with application. 2 Get VNI/Tenant ID for instance mapping bridge vxlan nic Apply policy/tenant based on tenant ID and application security pattern retrieved from deployment. 4 3 v-‐wire v-wire NFV deployed security enforcement point. 1 Data link Control link v-‐wire

11. Summary •  Security was one on the biggest impediments to deployment of NFV. •  Leveraging NFV to deﬁne a foundational pattern to protect application workloads. •  Application Security patterns can now be applied to the foundational pattern to implement security from the inside out •  Security is now a resource that scales with your NFV infra-structure. 11