Securing SDN and NFV: are you ready?

[Image: Cyber Attack Warning]

Mary Meeker’s 2015 Internet trends report contains fascinating, broad-reaching data about how the technologies that many of us are involved in developing are used and consumed. Compared to 2014, this year’s report devotes more attention to security: “Cyber Attacks: Growing in Size / Complexity / Risk”. The 2016 edition will likely provide even more insights. That is not surprising considering some recent high-profile security breaches.

Some interesting insights from Mary Meeker’s report: insider misuse is a significant source of breaches. It states that over 20% of breaches come directly from insiders with malicious intent. Add well-intentioned insiders who make mistakes, and it is easy to see how the majority of network performance issues and security vulnerabilities can be traced to configuration errors.

Service providers have not been immune from cyber attacks either. And the security risks they face are only growing. Service providers are facing an unprecedented set of challenges as billions of IP connected devices are attaching to their networks, from all sorts of locations. New technologies such as SDN and NFV, and DevOps paradigms will create significant disruptions to security and network operations teams.

It’s one of the reasons why Nakina announced NI-DEFENDER, a Secure Network Auditing Platform. The solution combines network and service configuration scanning and context-aware analytics with role- and attribute-based identity and access management. It can be used to protect today’s fixed and mobile networks, physical and virtual, and to help operators support new NFV and SDN implementations.

NI-DEFENDER was recognized with two industry innovation awards this week, and we will be showcasing the solution next week at Light Reading’s Big Telecom Event. We’ll demonstrate how the solution can provide and assure security integrity across a typical heterogeneous mobile network, which includes Titanium Server, a carrier-class NFV software platform from our technology partner Wind River.

If you’re in Chicago, plan to stop by and meet the Nakina team and attend our panel discussion on June 10, hosted by Infonetics’ Michael Howard.

NFV vCPE: Too Good to be True? Round 2

VanillaPlus hosted a second NFV roundtable discussion. It was an opportunity for colleagues from Ericsson, Citrix, Comptel, and Redknee, along with Analysys Mason, to discuss how some of the deployment risks can be mitigated. A key question posed was “Why are CPE services a target for virtualization?”

Managed enterprise services are a lucrative revenue stream for many service providers, particularly those looking to offset declining or flat revenues from consumer mobile and wireline services. Managing the customer premises equipment is the single largest expense for service providers. NFV provides the opportunity to eliminate the management complexity and expense of customer-located equipment and to reduce technology obsolescence at the customer premises. NFV also enables pay-as-you-grow CAPEX, requiring only a small initial investment in virtual machines to support router functions that scale with the service. Because enterprise services are in many cases customized (by region, location, vertical, and even by customer), NFV enables workflow automation and self-service provisioning through user-accessible portals. Reducing provisioning times and improving time to service is a key driver.

As we discussed on the panel, there are obviously some major challenges. Enterprises are increasingly distributed; remote branch offices are served by a variety of access networks, each with varying degrees of performance, throughput, latency, etc. It has been estimated that 80% of application performance issues are blamed on the network, and latency is the biggest source of application performance problems. For example, Unified Communications applications generate small packets and ~10x more packets than other applications. Any packet loss, jitter, or degraded performance will have a significant and measurable impact on user experience. Additionally, services are not always ubiquitous, but rather tailored (i.e. vertical-specific, location-specific, etc.). This means that there will be more configurations and parameters that need to be set accurately in order to meet SLAs and deliver the appropriate service. All of this is possible and achievable with NFV, but one must not overlook the potential increase in operational complexity when it comes to properly configuring these service settings, monitoring, and troubleshooting. NFV creates the potential for more configuration-induced performance issues: there are more (and different) parameters that can be tuned, and more interdependencies in this shared, multi-tenant architecture.

Latency-sensitive applications are partially why we’re seeing the industry introduce distributed or edge NFV and other techniques whereby certain capabilities are hosted on a virtualized platform at the network edge or customer premises, while others are centralized. After all, it’s not as if every enterprise location (particularly remote branch offices) is connected via 10Gbps fiber-fed connections. In fact, most enterprise locations are connected by a range of access technologies, each with varying performance characteristics.

[Image: Edge Virtualization for vCPE]

This scenario also creates new business models for service providers, including a suite of ‘micro-cloud’ services. Distributed or edge NFV also introduces new and different complexities, most importantly new security considerations, including an expanded attack surface. In the new business models, the service provider will likely maintain the platform (i.e. the NFVI) while hosting third-party virtual machines (VNFs) that belong to the enterprise or to another third party. This multi-tenancy adds the challenge of managing access control policies from a security perspective, and increases troubleshooting and issue-isolation complexity. This is why a new, carrier-scale identity and access management strategy is needed.

Automated network data integrity auditing and analytics will be equally crucial in order to understand the exact configurations of the functions in the service chain, isolate and correct misconfigurations instantly, and meet service level agreements and customer experience expectations. Automated analysis of service configuration anomalies can dramatically improve incident resolution and visibility into service performance. Data-driven analytics help prioritize remediation, eliminate hours of troubleshooting time, and proactively refine network configurations (such as QoS and TCP/IP settings, which have a direct impact on application performance).

It remains clear that, despite the rapid evolution towards NFV, we’re only scratching the surface of the many operational considerations that are arising. If you missed the live event, a recording of the session is available.

NFV vCPE: Too Good to be True?

Virtual CPE (or vCPE) is one of the most popular use cases for NFV among service providers. It’s not surprising when you consider that the customer premises, whether a business or a home, is the most complex and costly aspect for a service provider to manage. If you look at the situation today, service providers often have to deploy multiple discrete devices or appliances to deliver a service. And the range of services is pretty diverse, varying by region, market, vertical and customer. Services span everything including managed router, firewall, security (such as intrusion and malware detection), unified communications, application performance management….you get the idea.

[Image: vCPE Extreme Case]

In some cases, these capabilities may all reside as virtual appliances or agents in more costly and complex converged multi-service devices like integrated service routers. In any case, service providers have to deal with a lot of complexity. Challenges include navigating a myriad of business process and operational complexities spanning from order management to installation, administration and maintenance. Operational issues range from managing equipment obsolescence to service level agreement monitoring and troubleshooting. Identifying root causes and remotely remediating issues can be time consuming and costly. And with the uptake in cloud services there are more business-critical (and performance-sensitive) application transactions traversing networks.

The outcomes are as expected: high operational costs, longer times to revenue, and ongoing operational complexity. All impact service profitability. Not surprisingly, virtualizing customer premise equipment (vCPE) has been a key target use case for NFV. A target market is small-to-medium enterprises, which collectively represent a very lucrative segment for service providers, with high recurring revenues. But all this obviously comes with some challenges.

By moving functions (like firewalls, application accelerators, and even routing) from the premises into a data center, there are now even more critical transactions traversing networks. Incorrect QoS parameter settings anywhere along the service chain, for instance, could cause excessive latency, causing some applications, such as interactive video, to experience unacceptable quality. Ensuring network configuration integrity end-to-end is even more crucial.

Partially for these reasons, we’re also seeing different types of virtualization strategies emerge. Virtualization-capable platforms are migrating outside the confines of the data center, all the way to the customer premise. This newer breed of device can host virtualized functions. Some of these functions are maintained and owned by the service provider, or perhaps the service provider is hosting these for the enterprise or another 3rd party. This multi-tenancy scenario requires that security integrity be preserved, and strong identity access management policies be in place.

[Image: vCPE NFV Typical Case]

Implementations will vary and there will be no single universal vCPE recipe. One thing is for certain: this is a rapidly developing space. We’re only scratching the surface of some of the operational challenges. These will be some of the topics we’re discussing at an April 30th roundtable discussion hosted by VanillaPlus. We’ll be joined by colleagues from Ericsson, Citrix, Redknee, Comptel and Analysys Mason. Make sure to register.

Until MANO is Solved, Creating New Revenues from NFV will be Delayed

A recently published market research report by Coleman Parkes Research on behalf of HP reveals the responses from 50 communication service provider CIOs and CTOs regarding their NFV priorities for 2015. There is also a great video interview from Mobile World Congress with Julia Ochinero, HP’s Director of NFV Marketing, available from Telecom TV. Importantly, the report provides a comparison of answers to the same questions from the previous year. With emerging technologies such as NFV and SDN, we’re still in such early stages that any ability to monitor progress and spot trends year-over-year is invaluable.

While it’s not surprising that the majority of respondents see migrating from proof-of-concept to trial sometime within the next 3 years, what is surprising is that Opex reduction seems to be a more important driver than it was in 2014, while leveraging NFV to enable new revenue received fewer responses than the previous year. The percentage of respondents citing Capex reduction as the main driver remained the same as the previous year: “The top business driver for network functions virtualization (NFV) in 2015 is reducing operational expenses (OpEx), selected by 75% of respondents as compared to 59% a year ago—a huge jump.”

[Image: HP NFV Survey Responses]

The transition from proprietary hardware and software to commercial off-the-shelf (COTS) alternatives makes the business case for Capex reduction relatively straightforward. Opex, on the other hand, is much more difficult to quantify.

In the video interview, Julia states something that we have been stating for quite some time: there won’t be greenfield opportunities for NFV. Service providers will continue to face the realities of continuing to run and expand traditional physical networks. Initially, a lot of discussions involving NFV management and orchestration (MANO) were really walled-garden in nature. That is, orchestration was focused on a single pool of virtualized network infrastructure and virtual network functions. The reality is that networks will span multiple clouds, and multiple networks both physical and virtual. This implies that MANO must extend between physical and virtual networks, and span next generation as well as legacy networks. Unless a seamless service-oriented view to end-to-end orchestration is achieved, the promises of operational savings will not be realized.

At Nakina, we believe a MANO Enablement platform is required to harmonize service orchestration across any type of network and to extend orchestration across hybrid physical and virtual networks. NI-FRAMEWORK, our MANO enablement platform, mediates, abstracts and offloads complex management utilities, allowing orchestrators to easily connect and manage physical and virtual network functions. It extends orchestration, visibility and control to physical and legacy networks.

Another interesting finding from the survey is that in 2015 driving new revenue was selected by 63% of respondents as a key driver for NFV, a drop from 78% last year. Does this imply that creating new revenue is not as important as previously believed? More likely, service providers have realized that NFV itself does not instantly spawn new revenue opportunities, and that the focus should initially be centered on the operational hurdles.

MANO enablement helps operators realize the operational savings more quickly, allowing focus to shift towards developing new revenue-creating services. Watch this short video to learn more, or contact us.

Mobile World Congress Wrap Up

[Image: Barcelona Fira]

Despite months of planning, it never ceases to amaze me how fast another Mobile World Congress came and went. Long flight, crowded metro and inflated prices aside, the event remains one of the most important in our industry.

[Image: Anyone here not Zone 1 or Zone 2?]

It seems like it is one of the few remaining gatherings where it is possible to meet, either by chance or by pre-arrangement, with peers, colleagues, influencers, customers and suppliers. Yet the event has grown so large that even scheduling the meetings themselves proved to be a logistical challenge. Given the passenger list for my flight alone, United Airlines could in fact have offered a concierge service to arrange in-flight meetings. Note: it is interesting to see the boarding process break down when virtually the entire passenger manifest is in Zone 1 or Zone 2.

Because it came and went so quickly, I’m feeling a sense of urgency to post the obligatory post-event blog before the memory of #MWC15 fades. Here are some of the notable highlights you may have missed, if like me, you struggled to make it past Hall 5.

Even though we’re still in the process of implementing 4G, the industry talk is now all about 5G. The rate of change in the industry is relentless, so it’s not surprising we’re now pushing new boundaries with solutions such as small cells, 5G, Internet of Things, etc.

Speaking of which…at #MWC15, NFV continued its forward progress and included live demonstrations of NFV-based networks. Operators are committing to NFV solutions such as the virtual Evolved Packet Core (vEPC) and virtual Radio Access Network (vRAN) in the pursuit of more cost-effective and more agile networks. The supplier community is wholly onboard as well. VMware announced VMware vCloud for NFV with Integrated OpenStack. Some claims: “VMware vCloud for NFV Helps CSPs Achieve Sustainable Cost Reductions, Improve Time To Market”, “VMware Offers CSPs a Fast, Simple Path to OpenStack Adoption”, and “Multi-Vendor vCloud NFV Platform Supports 40+ Virtual Network Functions from 30+ Vendors”.

The progress is undeniable. What still seems to be missing in these discussions, in my opinion, is a frank recognition of how all this becomes truly operational. Demonstrations, lab trials, proofs-of-concept, and small-scale field trials are all encouraging. But implementing, maintaining, and supporting revenue-generating services using these new technologies will create a whole new set of operational requirements, complexities, and challenges.

In a recently published article we wrote: in order to achieve the commercial promises of SDN and NFV, the industry will have to understand and address the operational considerations of rolling out these technologies in scale, while at the same time dealing with the realities of continuing to run and expand traditional network architectures. Assuring network performance, integrity and security in this dynamic, complex environment is vital, yet it has been overlooked, for the most part, in all discussions to date.

These are the topics we covered at #MWC15 in our in-booth seminars and briefings.

We also released a significant announcement describing how Turk Telekom uses Nakina to enable service orchestration and anticipates saving $25 Million.

After all, Network Integrity is the key to enable NFV, management, and orchestration.

[Image: Nakina MWC Booth]

If you missed visiting our stand, our presentations and video recordings from #MWC15 are available from our resource center.

Until next time, Barcelona.

Carrier Class NFV – A Guest Blog by Charlie Ashton, Wind River

[Image: Charlie Ashton, Wind River]

Nakina is pleased to welcome Charlie Ashton, Director of Business Development at Wind River, as a guest blogger:

If 2014 was the year NFV became a leading industry buzzword, 2015 may very well be the year when rubber meets the road and the operational realities of implementing carrier class networks become evident. While virtualization is by no means new (enterprise class data centers have been virtualizing servers for a decade), service provider networks present new challenges and requirements.

For instance a service provider workload, unlike common enterprise workloads, requires critical data plane capabilities which, in most cases, are involved in the delivery of services to hundreds of thousands (or more) subscribers. Examples include elements in the Evolved Packet Core (EPC) of a 4G LTE mobile network. Additionally, telecom networks have critical requirements in terms of availability, performance and security. Many Virtual Network Functions (VNFs) need deterministic, low-latency performance, which must be guaranteed by the NFV Infrastructure (NFVI) software.

Assuring the integrity of the network is critical in order to ensure seamless and continuous operation. Configuration parameters of NFVI and VNF components must be maintained to ensure that their performance supports Service Level Agreements (SLAs) for both business and consumer services, implying a mix of real-time, content-rich and interactive applications. It is easy to see how this becomes more challenging in virtualized networks in which configurations are more dynamic, workload performance is key and protecting the security integrity of the environment is critical.

The joint solutions from Wind River and Nakina address many of the looming operational complexities in NFV. Wind River Titanium Server is the industry’s first fully-integrated and feature-complete NFV software platform. It’s the only platform to guarantee six-nines (99.9999%) uptime for NFV infrastructure. No other commercial server solution enables service providers to maintain the rigorous uptime required as networks transition to a virtualized infrastructure. Nakina’s management and orchestration enablement solutions include a suite of orchestratable applications used to assure network and operational data integrity in physical and virtual networks. These applications continuously audit VNFs and NFVIs to ensure that configuration parameters match those expected by orchestrators, inventory and other OSS systems. Nakina also protects the security integrity of networks, enforcing and tracking the appropriate role-based access policies enforced end-to-end for both personnel and processes (like orchestrators, element management and VNF managers).

Wind River and Nakina will jointly present these and other topics from March 2nd through 5th at Mobile World Congress 2015 in Barcelona. Visit Wind River in Hall 7, Stand 7J65, and visit Nakina in Hall 7, Stand 7J11.

We look forward to seeing you in Barcelona!

Is the Orchestrator the Brain of NFV?

This was the question posed towards the end of a recent NFV roundtable discussion hosted by VanillaPlus, which included colleagues from Ericsson, Cisco, JDSU, TM Forum, Analysys Mason and Nakina. At the time, my knee-jerk response was “yes”.

Is an orchestrator really the brain? I’ve been thinking a lot about that question over the last week. On the one hand, an orchestrator is a central controller for NFV. Its main responsibilities are orchestration of NFVI resources and management of network services between VNFs (i.e. service chaining). But how does an orchestrator decide what actions to take? Does it learn and make its own decisions after processing inputs from multiple sources, like analytics engines, or is it instructed by other systems, like policy engines? Is it the master controller (i.e. like a brain) or is it a slave (i.e. another system that acts based on instruction from other sources)?

Orchestration is also only part of an overall MANO (management and orchestration) strategy. Orchestrators will be supported and supplemented by other “intelligent” management systems like VNFMs and VIMs. It is also unlikely that there will be only one master orchestrator. Many service providers are discussing domain-specific orchestration, with multiple orchestrators which would then be federated together in some fashion. Does this mean that there are multiple brains?

Unquestionably, the orchestrator plays a crucial role. But policy managers, OSS/BSS, analytic sources, VNF managers, and other orchestrators are some of the pieces that will comprise a complete solution. Physical networks are not disappearing and legacy networks will continue to be involved in end-to-end service delivery so service orchestration will need to span all these environments. We are still in the early days and there will be growing pains. Over time some questions will become clearer and others will emerge.

Is an orchestrator the brain of NFV? I would say “not really”. What do you think?

Visit our resource center to read more about some of our solutions or contact us.

Jumping the Shark

We were a recent guest blogger on SDx Central where we wrote about some emerging operational challenges facing NFV, including maintaining security integrity.

Securing NFV will be a key topic in 2015 as implementations move from labs and small-scale field trials to commercial deployments. There are many hurdles to first understand, and then overcome. In December we also presented some of our thoughts at an IEEE Standards Association study group on this very topic.

We’re entering an exciting phase in our industry. Realizing the commercial benefits of NFV rests on “crossing the chasm”, not “jumping the shark”.

At Nakina we’re excited to be playing a leading role in enabling this transformation. Visit our Resource Center to learn more and read our new whitepaper regarding Achieving Security Integrity in NFV Environments.

Another Security vulnerability…are we safe yet?

Another week, another security vulnerability makes headlines. As the software running in network functions becomes more flexible, sophisticated and complex, this trend will continue. After all, the data that networks carry is growing in value, and is valued by more third parties in more ways. Now Network Function Virtualization (NFV; do we still need to introduce this acronym?), which moves more networking capabilities from hardware to software and provides a wealth of benefits, also raises the question: what are the new security risks? It’s clearly going to be an important topic as NFV starts to move from labs to the field in the coming months and years. Security vulnerabilities may very well be the new normal.

The questions in an NFV environment are: how do you perform identity and access management for both systems and humans? Are system interactions passing credentials in cleartext, or storing cleartext passwords in an XML file? How do you apply service-aware, network-wide, role-based access policies? And when new vulnerabilities occur (and they will), how do you rapidly contain, isolate, and lock down your virtualized network?

Security is one of the many considerations when “operationalizing” NFV. It’s a key area of focus for Nakina, whose customers use our NI-GUARDIAN Identity Access Management solution to secure their networks. Nakina will speak on a panel on this topic and exhibit at Carrier Network Virtualization, Dec 9-11 in Palo Alto, California.
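The configuration-integrity auditing described in the vCPE posts above (knowing the exact configuration of every function in the service chain and isolating misconfigurations) and the cleartext-password question raised here come down to the same mechanism: compare the running state of a VNF with the state the orchestrator expects, and flag what does not belong there. The following is an added example written for this page; it is not Nakina’s code, not a vendor schema, and not taken from any product mentioned above. It parses a constructed XML export of a vCPE firewall VNF, reports parameters that drifted from a golden configuration (including parameters that have gone missing), and flags credential fields stored in cleartext. The parameter names, values, and the patterns used to recognise already-protected (hashed or encrypted) values are all assumptions made for the example.

```python
"""Configuration integrity audit for a virtual network function (VNF).

Added example: flattens a VNF's running configuration (an XML export),
diffs it against the golden configuration an orchestrator provisioned,
and flags credentials stored in cleartext.  The XML layout, parameter
names and values are constructed for illustration, not a real schema.
"""
import re
import xml.etree.ElementTree as ET

# Golden configuration the orchestrator provisioned (constructed).  Keys
# are dotted paths into the XML export, values are the expected strings.
GOLDEN = {
    "qos.voice.dscp": "46",            # EF marking for UC voice traffic
    "qos.voice.queue": "priority",
    "qos.video.dscp": "34",            # AF41 for interactive video
    "mgmt.ssh.password_auth": "false",
    "mgmt.ssh.port": "22",
    "mgmt.ssh.idle_timeout": "300",
    "logging.syslog.server": "10.0.0.5",
    "logging.syslog.tls": "true",
}

# Running configuration pulled from the VNF (constructed sample).  The voice
# DSCP has drifted to best-effort, SSH password auth was re-enabled, the idle
# timeout is gone, and the "ops" account carries a cleartext password.
RUNNING_CONFIG_XML = """<vnf name="vfw-branch-17">
  <qos>
    <voice><dscp>0</dscp><queue>priority</queue></voice>
    <video><dscp>34</dscp></video>
  </qos>
  <mgmt>
    <ssh><password_auth>true</password_auth><port>22</port></ssh>
    <users>
      <user name="admin"><password>$6$rounds=5000$abc</password></user>
      <user name="ops"><password>Summer2015!</password></user>
    </users>
  </mgmt>
  <logging>
    <syslog><server>10.0.0.5</server><tls>true</tls></syslog>
  </logging>
</vnf>
"""

# Leaf names that hold credentials (assumed naming convention).
SECRET_NAMES = re.compile(r"(password|passwd|secret|community|psk|api[_-]?key)$", re.I)
# Values already protected: a crypt(3)-style "$id$..." hash or a vendor
# "ENC:" marker.  Both forms are assumptions for this example; anything
# not matching is reported, so unknown formats err towards a finding.
PROTECTED_VALUE = re.compile(r"^(\$[a-z0-9-]+\$|ENC:)", re.I)


def flatten(element, prefix=""):
    """Flatten an element's subtree into {dotted.path: text}.

    Elements carrying a 'name' attribute are keyed as tag[name] so repeated
    entries (e.g. several <user> elements) get distinct paths.
    """
    out = {}
    for child in element:
        seg = child.tag
        if "name" in child.attrib:
            seg = f"{seg}[{child.attrib['name']}]"
        path = f"{prefix}.{seg}" if prefix else seg
        if len(child):                       # has sub-elements: recurse
            out.update(flatten(child, path))
        else:                                # leaf: record its text
            out[path] = (child.text or "").strip()
    return out


def parse_running_config(xml_text):
    """Parse the XML export; the root element itself is not part of the path."""
    return flatten(ET.fromstring(xml_text))


def find_drift(running, golden):
    """Return [(path, expected, actual)] for every golden parameter that is
    missing (actual is None) or differs in the running configuration."""
    drift = []
    for path, expected in sorted(golden.items()):
        actual = running.get(path)
        if actual != expected:
            drift.append((path, expected, actual))
    return drift


def find_cleartext_secrets(running):
    """Return paths whose leaf name looks like a credential and whose value
    is non-empty and not in a recognised protected form."""
    hits = []
    for path, value in running.items():
        leaf = path.rsplit(".", 1)[-1]
        if SECRET_NAMES.search(leaf) and value and not PROTECTED_VALUE.match(value):
            hits.append(path)
    return sorted(hits)


def audit(xml_text, golden=GOLDEN):
    """Run both checks and return the findings as a dict."""
    running = parse_running_config(xml_text)
    return {"drift": find_drift(running, golden),
            "cleartext_secrets": find_cleartext_secrets(running)}


if __name__ == "__main__":
    result = audit(RUNNING_CONFIG_XML)
    for path, expected, actual in result["drift"]:
        print(f"DRIFT  {path}: expected {expected!r}, found {actual!r}")
    for path in result["cleartext_secrets"]:
        print(f"SECRET {path}: credential stored in cleartext")
```

Two design points worth noting. The protected-value check is an allowlist of known-safe forms rather than a blocklist of bad ones, so a credential in an unrecognised format is reported for an analyst to look at instead of being silently accepted. And because the audit only reads configuration, the account that runs it should be bound to a read-only role on the VNF and its element manager; that keeps the auditing process itself within the role-based access policies the post argues for.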

Reflections on SDN World Congress

The middle seat on a transatlantic flight returning from the SDN and OpenFlow World Congress in Dusseldorf was an ideal setting to reflect and collect some thoughts about the event, the state of NFV in the industry, and my favourite movie… #planestrainsandautomobiles

[Image: Keeping my socks on!!]

Being a service provider driven initiative, at this point it is fairly safe to say that Network Function Virtualization (NFV) is more than a fleeting trend. The NFV track at the event by far garnered the greatest interest and participation. Many proofs of concept are underway and it’s clear that virtualization technology will be used in carrier networks. Whether operators will be able to realize the expected operational savings as well as new service innovation will rest largely on their ability to “operationalize” NFV. Moving from labs to field deployments requires deployments at scale. This includes the ability to manage and deliver services across heterogeneous networks (multi-technology, multi-vendor, and spanning physical and virtual networks). The management challenges and complexities that exist today will only be magnified in virtualized environments.

[Image: SDN and OpenFlow World Congress]

Managing security of virtual network infrastructures as well as virtual network functions is a critical (and seemingly overlooked today) operational consideration. Maintaining, updating, and managing the configurations of virtual network functions (VNFs) may very well be another significant operational hurdle – especially when VNFs can be located in more places, provided by more suppliers, and modified more regularly to keep up with the needs of the services they are supporting.

NFV is a transformation, or evolution, which will happen over time. This transformation is happening quickly, perhaps quicker than any in recent memory in our industry. “Operationalizing” NFV is one of the next frontiers and there are a lot of questions that remain unanswered.