Attacks such as DNS-based distributed denial of service (DDoS) can quickly overwhelm network resources by generating too many resolution requests for the DNS system to handle, effectively shutting down the network by preventing legitimate requests from being resolved. Other attacks replace valid IP addresses with those directing the requestor to malicious websites or use tunneling to attack individual virtual machines, encrypting and stealing information through channels not normally analyzed by traditional security software.

Virtual machines provide network operations with centralized control over resources and enable the rapid deployment of on-demand resources. But just as with physical hardware, VMs are susceptible to malware infection. Once a machine is infected and isn't rapidly quarantined, the infection can spread to other machines throughout the network and disrupt functionality from within. Monitoring the virtualized environment requires a different set of tools from traditional network security.

With DNS-related security issues requiring additional attention as carriers adopt NFV, they should ensure that their security environment meets these requirements.

Security for NFV should be built into the DNS architecture instead of bolted on. A higher degree of integration through the use of a DNS-specific protection helps minimize gaps in coverage that may be left by add-on solutions and can easily be exploited by attackers.

To minimize the impact of an attack as it happens and address it as quickly as possible, the virtualized network needs to be able to rapidly scale resources by spinning up new machines without the need for operator involvement. Automatically adding capacity while the attack is managed prevents service interruption. In return, this reduces lost revenue and productivity.

With dangers such as zero day vulnerabilities, NFV-based security should have the capacity to detect previously unknown threats by continuously analyzing network behavior, while also defending against established threats such as off-the-shelf attack toolkits designed for a specific kind of attack.

A DNS security strategy for NFV should include internal as well as external analysis and resource tracking. While many threats such as DDoS attacks may be external, malware on existing VMs is just as dangerous. The virtualized infrastructure needs the ability to track virtual machines that are provisioned, analyze their IP addresses, and monitor all traffic to detect suspicious behavior on virtual machines in real-time. Additionally, it should have the ability to quarantine VMs to prevent the infection from spreading.

Because configuration issues lead to security and performance problems, security in the NFV environment should include network discovery and automation tools that determine what network functions are properly configured and identifies potential problems.

With each new generation of technology, network planning has had to work to manage the risks while gaining the rewards, and NFV is simply the next step in creating tomorrow's highly dynamic, automated networks. When service providers proactively address security during the implementation process rather than as an afterthought, the result is a flexible, transparent network that meets immediate and future needs while keeping valuable resources safe.

— Dilip Pillaipakkamnatt, Vice President, Service Provider Business, Infoblox Inc.