Security needs to be built into SDN and NFV from the ground up and not bolted on later, a leading security vendor is advising.

Speaking last week at two Light Reading events -- the Future of Cable Business Services and Mobile Network Security Strategies -- Christer Swartz, consulting engineer for data center and virtualization at Palo Alto Networks Inc. , even earned kudos from cable industry vet Jeff Finkelstein, executive director of strategic architecture at Cox Communications Inc. .

"You should listen to this guy, he's very smart," Finkelstein said as a panel discussion on the transition to NFV and SDN was wrapping up. In a later interview, he reiterated the message.

"Security has always been step two -- we design the new WAN, the carrier backbone, and then we decide where to put security, and that creates a big window of opportunity for something bad to happen," Swartz noted. "Security needs to be part of the absolute starting point, so you don't have those problems."

Swartz was personally involved in helping design the distribution network for a major content company which didn't think about security ahead of time and wound up with significant requirements to backhaul traffic to introduce security after the fact -- not the kind of solution most major network operators want to consider.

Moving devices such as firewalls into the virtual realm makes a lot of sense, the Palo Alto Neworks exec agreed -- it's certainly something service providers are already considering as they look at distributed NFV that virtualizes some functions on more generic servers at the customer premises. But being able to spin up virtual instances of a firewall also requires open applications programming interfaces (APIs) that enable the virtual firewall to be quickly tied into the broader reporting and management structure.

Light Reading's Mobile Security section takes an in-depth look at this critical element of mobile networks.

"That enables you to deploy quickly, and once you have it automated, then there is an intelligent way to scale out, and go from hundreds of firewalls to thousands of firewalls," Swartz said.

He also pointed to the need to think of security in new ways, as more application-based and less about building security features around specific network perimeters or even network places.

"If we enforce security based on application rather than ports, network priorities and security priorities no longer conflict," Swartz said. "You can put an enforcement point in a laptop, a PoP [point of presence], and at the core -- it can be present on all those points collecting data without impacting a thing."

The application-based approach lets the security device be able to look at a packet and know what application it is part of, what its content is and who is the user, thus having the context to know what the security issues are. That approach can be scaled, while policy written to protect individual devices in a mobile network cannot. "We need to abstract the security away from physical ports," Swartz noted.

Those comments echoed some made by others at the Mobile Security Strategies Summit that traditional protection of physical network perimeters or devices no longer works in the mobile and app-driven world. (See Ericsson Calls for Data-Centric Security Approach and AT&T Adds Virtual Layer of Security.)

Some other speakers cut European Telecommunications Standards Institute (ETSI) , the organization which initiated NFV through its NFV Industry Specifications Group, a little more slack on the security front than Swartz did. Peter Magaris, director of product and solutions marketing at F5 Networks Inc. (Nasdaq: FFIV) said, for instance, that ETSI is beginning to address security, and the ability to apply security policies on specific flows within service chains.

"It's still loosely defined in terms of how that is going to work well and how it is going to scale," Magaris conceded. "I think they have just scratched the surface but they are aware."

— Carol Wilson, Editor-at-Large, Light Reading