Once merely a buzzword, NFV has become a reality for service providers and is on its way to widespread adoption. NFV investments are predicted to reach $37 billion by 2021 and to grow by a compound annual growth rate of 30 percent from 2016 to 2021. Many service providers — motivated by the desire to deliver managed services more quickly and more cost-effectively to small and medium enterprises — are evaluating and deploying NFV. Enterprise security services are a key area of focus for service providers as they deliver a sticky value-added revenue stream. NFV can enable them to broaden their addressable market without a significant increase in operational overhead.
The idea of moving the security perimeter into the cloud resonates with customers, as many small and medium enterprises are struggling with both the budget and security talent needed to deploy and manage security in-house.
The market for security services is growing steadily — according to various reports from Research and Markets, Allied Market Research, and Report Buyer — with virtual firewalls, web application firewall (WAF), email security, and distributed denial of service (DDoS) protection being key areas of focus. When it comes to DDoS, the reasons for increased demand are obvious. According to Netscout’s Worldwide Infrastructure Security Report, the number of application layer and multi-vector attacks continues to grow each year; our reliance on the connected world continues to deepen; and more businesses are seeing the impact from attacks.
Hybrid DDoS protection is now regarded as the only way to successfully mitigate these threats. Volumetric attacks are detected and blocked using network-wide solutions, deployed by a majority of service providers; while low and slow state-exhaustion and application layer attacks are blocked by smaller inline customer edge DDoS mitigation systems.
How does NFV help? Customer edge DDoS becomes just another virtual network function (VNF) in the service chain. From the design point of view, the DDoS VNF should be placed before other VNFs in the service chain so that stateful functions – unified threat management (UTM), intrusion prevention system (IPS), WAF, and others – are protected from the state-exhaustion attacks that would otherwise impact them. Another benefit of this approach is that the DDoS VNF can block commodity threats (IoCs) before they reach other elements of the service chain. The stateless packet processing engine needed for DDoS protection is also very efficient at high-scale reputation matching, which allows functionality similar to that of threat intelligence gateways (TIGs) to be consolidated into the DDoS VNF. If the DDoS VNF can block millions of IoCs, it offloads a significant workload from the other elements of the service chain, leaving them free to perform deeper analysis to stop more advanced threats.
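The two design points above, chain ordering and stateless high-scale IoC matching, can be shown with a small added example (not code from the original article or from any vendor's VNF). It checks that the DDoS VNF precedes every stateful VNF in a chain, and it matches packet sources against a prefix list with a binary trie, so each lookup costs at most the address width in steps regardless of how many entries the list holds. The VNF labels, the IoC prefixes and the packets are all constructed for the example.

```python
import ipaddress

# Constructed labels for VNFs in a service chain; "ddos" is the stateless
# DDoS VNF, the others keep per-flow state and must sit behind it.
STATEFUL_VNFS = {"utm", "ips", "waf", "nat"}


def chain_is_protected(chain):
    """True when the DDoS VNF comes before every stateful VNF in the chain."""
    if "ddos" not in chain:
        return False
    ddos_pos = chain.index("ddos")
    return all(pos > ddos_pos for pos, vnf in enumerate(chain) if vnf in STATEFUL_VNFS)


class _Trie:
    """Binary trie node over the bits of a prefix; one tree per address family."""
    __slots__ = ("children", "tag")

    def __init__(self):
        self.children = [None, None]
        self.tag = None


class ReputationFilter:
    """Stateless longest-prefix match of a packet source against an IoC list.
    Lookup cost is bounded by the address width (32 or 128 steps), not by the
    number of entries, so the list can hold millions of prefixes."""

    def __init__(self):
        self._roots = {4: _Trie(), 6: _Trie()}

    def add(self, cidr, tag):
        net = ipaddress.ip_network(cidr, strict=False)
        node = self._roots[net.version]
        bits = int(net.network_address)
        for i in range(net.prefixlen):
            bit = (bits >> (net.max_prefixlen - 1 - i)) & 1
            if node.children[bit] is None:
                node.children[bit] = _Trie()
            node = node.children[bit]
        node.tag = tag

    def lookup(self, address):
        ip = ipaddress.ip_address(address)
        node = self._roots[ip.version]
        bits = int(ip)
        best = None
        for i in range(ip.max_prefixlen):
            if node.tag is not None:
                best = node.tag  # most specific prefix seen so far
            bit = (bits >> (ip.max_prefixlen - 1 - i)) & 1
            node = node.children[bit]
            if node is None:
                return best
        return node.tag if node.tag is not None else best


def filter_packets(iocs, packets):
    """Drop packets whose source matches an IoC; return (forwarded, dropped_by_tag)."""
    forwarded, dropped = [], {}
    for pkt in packets:
        tag = iocs.lookup(pkt["src"])
        if tag is None:
            forwarded.append(pkt)
        else:
            dropped[tag] = dropped.get(tag, 0) + 1
    return forwarded, dropped


def build_example_filter():
    """Constructed IoC list using documentation address ranges."""
    iocs = ReputationFilter()
    iocs.add("198.51.100.0/24", "botnet-c2")
    iocs.add("198.51.100.7/32", "scanner")   # more specific than the /24
    iocs.add("2001:db8::/32", "reflector")
    return iocs
```

The trie is built once from the feed and consulted per packet with no per-flow state, which is what lets a DDoS VNF absorb the reputation-matching role without becoming a state-exhaustion target itself.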
From the lifecycle management and orchestration point of view, the on-boarding process is very likely to be similar to generic VNFs such as firewalls and UTMs, regardless of whether you utilize ETSI MANO, ONAP, or another project. The on-boarding process can be divided into two major steps. First is initial on-boarding, where the orchestration vendor and VNF vendor work together to allow the VNF to be programmatically deployed from the orchestrator (this phase is often called Day0). The second phase is about developing logic in the orchestrator that can provision customer-specific configuration, perform automated healing, scale the VNF up and down, and finally terminate the VNF when it is no longer required.
Based on Netscout’s experience of working with leading orchestration platforms — Cisco NSO, Cisco NFVIS, Nokia Cloudband, Amdocs, Netcracker, IBM, OpenStack Tacker, and others — the Day0 phase is pretty simple. It is the second phase that requires more discussion and effort. However, provided that a VNF has a solid REST API for customer-specific configuration (e.g. types of resources protected, security profiles, DDoS countermeasures, and so on) it is easy to implement the necessary logic in the orchestrator.
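The second on-boarding phase described above, orchestrator logic that provisions customer-specific configuration, heals, scales and terminates the VNF through its REST API, looks like the following added example. It is not code from the article, from Netscout or from any orchestration platform; the REST paths, the JSON shapes and the in-memory stand-in for the VNF are all hypothetical, and the Day0 deployment is reduced to a callback.

```python
# Hypothetical REST paths; the real DDoS VNF API is not described on the page.
CONFIG_PATH = "/api/v1/config"
HEALTH_PATH = "/api/v1/health"
STATS_PATH = "/api/v1/stats"


class FakeDdosVnf:
    """Constructed in-memory stand-in for a deployed DDoS VNF's REST endpoint."""

    def __init__(self):
        self.config = {}
        self.healthy = True
        self.utilization = 0.2  # fraction of licensed mitigation capacity in use

    def request(self, method, path, body=None):
        if path == CONFIG_PATH and method == "GET":
            return 200, dict(self.config)
        if path == CONFIG_PATH and method == "PUT":
            self.config = dict(body)
            return 200, {"applied": True}
        if path == HEALTH_PATH:
            return (200, {"status": "ok"}) if self.healthy else (503, {"status": "failed"})
        if path == STATS_PATH:
            return 200, {"utilization": self.utilization}
        return 404, {"error": "unknown path"}


class DdosVnfLifecycle:
    """Second-phase orchestrator logic for one customer's DDoS VNF."""

    SCALE_UP_AT = 0.8     # add an instance at or above this utilization
    SCALE_DOWN_AT = 0.3   # remove one at or below this; the gap avoids flapping
    MIN_INSTANCES = 1
    MAX_INSTANCES = 4     # bounded by the licensed capacity pool

    def __init__(self, transport, deploy):
        self._call = transport   # (method, path, body) -> (status, json)
        self._deploy = deploy    # Day0 hook: instantiate a fresh VNF
        self.instances = 1
        self.desired_config = None
        self.log = []

    def reconcile_config(self, desired):
        """Push customer-specific config only when the VNF has drifted from it."""
        self.desired_config = desired
        status, current = self._call("GET", CONFIG_PATH)
        if status == 200 and current == desired:
            self.log.append("config:in-sync")
            return False
        status, _ = self._call("PUT", CONFIG_PATH, desired)
        if status != 200:
            raise RuntimeError(f"config push failed: HTTP {status}")
        self.log.append("config:applied")
        return True

    def heal(self):
        """Redeploy (Day0) and re-push config when the health check fails."""
        status, _ = self._call("GET", HEALTH_PATH)
        if status == 200:
            return False
        self._deploy()
        self.log.append("heal:redeployed")
        if self.desired_config is not None:
            self.reconcile_config(self.desired_config)
        return True

    def scale(self):
        """Adjust the instance count from reported utilization, with hysteresis."""
        status, stats = self._call("GET", STATS_PATH)
        if status != 200:
            return self.instances
        u = stats["utilization"]
        if u >= self.SCALE_UP_AT and self.instances < self.MAX_INSTANCES:
            self.instances += 1
            self.log.append("scale:up")
        elif u <= self.SCALE_DOWN_AT and self.instances > self.MIN_INSTANCES:
            self.instances -= 1
            self.log.append("scale:down")
        return self.instances

    def terminate(self):
        """Release the instances back to the capacity pool."""
        self.instances = 0
        self.log.append("terminated")
```

Reconciling against the VNF's reported configuration keeps the provisioning step idempotent, so the same workflow can run on first provisioning, after a heal, or on a periodic drift check without re-applying settings that are already in place.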
The challenge is to define this logic as it must represent the services and workflows that will be consumed by end-users. Defining these requires both solid experience in DDoS mitigation and knowledge of the service market, so it is key to work with a partner that knows DDoS inside out and has a proven track record of enabling ISPs, managed security service providers (MSSPs), and datacenters to roll out DDoS protection services.
Another important aspect to consider is the business model shift that NFV represents for a service provider. The number and type of end customers, migration to consumption-based billing mechanisms, subscriptions, or perpetual licenses all represent changes that have to be worked through. The most important part is the VNF licensing. Licensing is expected to be flexible, transparent, and simple enough to support innovative business models. Service providers expect that bulk licenses or “capacity pools” are available, so that DDoS protection capacity (in the form of DDoS VNF instances) can be deployed wherever and whenever it is needed. Moreover, it is expected that licensed capacity can be quickly moved from end customer to end customer, scaled up or down, and even re-used as customers join and leave the service.
Last but not least, when we talk about NFV, and generally about security services in the telco cloud, one obvious concern is whether the data centers that host the NFV infrastructure are protected in the first place. A single, intelligent DDoS attack against these data centers could make services unavailable – for all customers. Therefore, it is also critical to design protection for the telco cloud itself.
The best current practice includes DDoS attack detection and mitigation at the data center peering edge, using technologies such as infrastructure ACLs, NetFlow telemetry, BGP FlowSpec, and Intelligent DDoS Mitigation Systems (IDMS). This combination allows fast detection and automatic mitigation of volumetric, application layer, and state-exhaustion attacks against the NFV infrastructure.
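As an added example of the peering-edge detection step (not code from the article or from any IDMS product), the following aggregates NetFlow-style records per destination over a window, flags destinations whose scaled bit rate or packet rate exceeds a threshold, and expresses the mitigation as a FlowSpec-style match/action. The flow records, the 1:1000 sampling rate, the thresholds and the field layout are constructed for the example; the rule is a plain dictionary with RFC 5575 semantics (traffic-rate 0 discards), not any router's configuration syntax.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed NetFlow-style records: src,dst,proto,sport,dport,packets,bytes.
# Assumed exported with 1:1000 packet sampling over a 60 second window.
SAMPLE_FLOWS = """\
198.51.100.1,203.0.113.10,17,53,40112,2000,2400000
198.51.100.2,203.0.113.10,17,53,40112,2000,2400000
198.51.100.3,203.0.113.10,17,53,40112,2000,2400000
198.51.100.4,203.0.113.10,17,123,40112,500,200000
192.0.2.7,203.0.113.20,6,51000,443,40,30000
192.0.2.8,203.0.113.20,6,51001,443,60,70000
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    bytes: int


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, packets, nbytes = line.split(",")
        flows.append(Flow(src, dst, int(proto), int(sport), int(dport),
                          int(packets), int(nbytes)))
    return flows


def detect_volumetric(flows, window_s, bps_threshold, pps_threshold, sampling_rate=1):
    """Aggregate per destination and flag those at or above the bps or pps threshold.
    Returns {dst: {"bps", "pps", "sources", "vector"}} where vector is the
    (proto, sport, dport) tuple carrying the most packets."""
    per_dst = defaultdict(lambda: {"bytes": 0, "packets": 0,
                                   "srcs": set(), "vectors": defaultdict(int)})
    for f in flows:
        agg = per_dst[f.dst]
        agg["bytes"] += f.bytes * sampling_rate      # undo the export sampling
        agg["packets"] += f.packets * sampling_rate
        agg["srcs"].add(f.src)
        agg["vectors"][(f.proto, f.sport, f.dport)] += f.packets
    alerts = {}
    for dst, agg in per_dst.items():
        bps = agg["bytes"] * 8 / window_s
        pps = agg["packets"] / window_s
        if bps >= bps_threshold or pps >= pps_threshold:
            vector = max(agg["vectors"].items(), key=lambda kv: kv[1])[0]
            alerts[dst] = {"bps": bps, "pps": pps,
                           "sources": len(agg["srcs"]), "vector": vector}
    return alerts


def flowspec_rule(dst, vector):
    """Mitigation as a BGP FlowSpec-style match/action; traffic-rate 0 discards."""
    proto, sport, dport = vector
    return {
        "match": {"destination": f"{dst}/32", "protocol": proto,
                  "source-port": sport, "destination-port": dport},
        "action": {"traffic-rate": 0},
    }


def run_example():
    alerts = detect_volumetric(parse_flows(SAMPLE_FLOWS), window_s=60,
                               bps_threshold=500_000_000, pps_threshold=200_000,
                               sampling_rate=1000)
    return alerts, [flowspec_rule(d, a["vector"]) for d, a in alerts.items()]
```

Two details matter in practice: the sampling rate must be applied before comparing against thresholds, or a sampled export will understate the attack by orders of magnitude, and the generated rule matches the dominant vector (here UDP with source port 53 toward the victim) rather than the whole destination, so legitimate traffic to the host keeps flowing while the attack is discarded at the edge.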
In summary, the adoption of NFV is starting to accelerate, and it is being used to roll out security services, including DDoS protection. As mentioned above, our reliance on the connected world combined with the increasing scale, frequency, and size of DDoS attacks is driving demand – and this trend is likely to continue in upcoming years.