Pipeline-Digital-Reprint_NakinaNFV_Feb2015

By Patrick Rhude

In order to achieve the commercial promises of SDN and NFV, the industry will have to understand and address the operational considerations of rolling out these technologies in scale, while at the same time dealing with the realities of continuing to run and expand traditional network architectures. Assuring network performance, integrity and security in this dynamic, complex environment is vital, yet it has been overlooked, for the most part, in all discussions to date.

SDN and NFV change how networks are built and managed in unprecedented ways. At the same time, traditional networking technologies are still in use, with no end of life in sight. The commercial benefits of these technologies are not just about cost savings, but also about new services and value creation. Achieving these will require wide-scale and pervasive implementation. This requires a service-oriented view to end-to-end orchestration. In the early phases, a lot of discussions were really “walled-garden” in nature. That is, orchestration was focused on a single pool of virtualized network infrastructure and virtual network functions.

The reality is that networks will span multiple clouds and multiple networks both physical and virtual. This implies that orchestration must extend between physical and virtual networks, and next-generation as well as legacy networks. Unfortunately, there is a lot of underlying network complexity and many different legacy and vendor-proprietary API and management interfaces. It will be complex for orchestrators to communicate ubiquitously.

In fact, hybrid physical and virtual networks are both likely and necessary. Service provider operations and orchestration systems must now deal with networks which are fluid, dynamic, and programmatic. Unfortunately, BSS and OSS systems were never architected with the notion that networks will be as programmatic, fluid and dynamic as they will be with NFV and SDN.

Network data integrity is essential for efficient network operations and automation. Based on our own experience working with communication service providers, data inaccuracies – that is, discrepancies between what a service provider thinks it has in its network and what is really there – can range from 20 percent to as high as 80 percent. If there are significant discrepancies between inventory systems and databases and the live network, business processes quickly break down. Poor network data integrity has numerous costly repercussions:

• Network quality issues can take longer to isolate, impacting the customer experience;

• Capacity problems not being identified in time can lead to revenue loss or leakage;

• Inaccurate network asset information may impact regulatory or business process compliance;

• Inefficient use of operations resources can cause higher expenses and delay time to revenue; and

• Incorrect security policies can result in data breaches and financial impacts.

The challenges, and consequences, are exacerbated by the transformation to SDN and NFV, with the potential for orders of magnitude more network functions and more service-affecting programmable parameters, all continuously changing. Accurate data is crucial for efficient network operations, automation, orchestration, cost optimization, and revenue assurance. Service providers must eliminate data inaccuracies in OSS, BSS and orchestration systems and correct discrepancies in network configurations automatically.

Assuring network data integrity in orchestrated networks is necessary for automation and end-to-end orchestration. The parameters, settings, and configurations of physical network functions (PNFs), virtual network functions (VNFs), and underlying network function virtualization infrastructure (NFVI) need to be matched with centralized OSS and orchestration systems. If this data is not kept synchronized, automated end-to-end service orchestration will fail. Because there will be more automated systems, orchestrators and humans programming the network and adjusting parameters and configurations, the likelihood of poor network data integrity is increased. Given the heightened interdependencies between VNF and NFVI configurations and service quality and performance, there is an important need to continuously collect, audit, and compare data to “gold-standard” configuration templates.

www.pipelinepub.com

Volume 11, Issue 8

Network Integrity: The Key to NFV

Complementing real-time performance analytics, data network integrity analytics will help ensure orchestrators can make correct, informed, and timely decisions. Scalable, automated auditing of data quality allows discrepancies to be easily identified and corrected. Data network integrity analytics can also be used as part of network planning and optimization processes when correlated with real-time performance analytics. Trends can be studied and new configurations, service parameters, and settings can be recommended based on predicted future demands or needs.

Because of the shared, multi-tenant nature of virtualized networks, maintaining security integrity is even more challenging. Multi-tenancy environments pose significant challenges when trying to maintain configuration integrity, and common cloud infrastructure could easily have hypervisor vulnerabilities introduced as a result of integrity failures. Virtual Machine, guest OS, or VNF manipulation could also compromise the integrity of the hypervisor. It will be important that logging and monitoring of hypervisor activities be performed. Similarly, it will be important that VNF configurations themselves are audited to understand whether configuration or operating system changes may have an impact on security integrity.

An important driver for NFV is to create a more flexible and elastic network to enable new service provider business models and revenue opportunities. VNFs will be instantiated, retired, or moved in a more dynamic fashion in order to meet the service delivery requirements. New business models could include VNF or VNF-as-a-Service whereby service providers could host different 3rd party VNFs within their own distributed, virtualized infrastructure. Some NFV implementations may involve hosting VNFs from different 3rd parties within a common service provider virtualized infrastructure. Without periodic integrity auditing, VNFs could be arbitrarily instantiated by Virtual Infrastructure Managers on suitable or available hypervisors. This could create vulnerable co-residency scenarios should the hypervisor become exploited or the security policies not be applied properly to the respective VNFs.

Retiring or removing VNFs is equally critical, as VNFs inadvertently left instantiated could result in security breaches or in susceptibility to denial-of-service attacks. For instance, VNFs may be instantiated for temporary troubleshooting or service testing during service activation. These may include virtual test agents, traffic generators, virtual taps, and packet analysis. If they are mistakenly left instantiated or fail to be retired by an automated process, they can be exploited maliciously or inadvertently during routine network maintenance, resulting in service disruption and extended operational expenses.

Assuring security integrity becomes even more challenging when multi-cloud or multi-site NFV is considered. Virtual networks may span from data centers and remote points of presence to mobile base stations and customer premise locations. Not all VNFs are suitable to be centrally hosted, for a variety of reasons including latency, bandwidth and performance. The resulting architecture is very effective and practical for hosting various types of VNFs, and it changes the conventional definition of a security perimeter.

Clearly, maintaining configuration integrity will be necessary in order to meet regulatory and compliance requirements, which will be increasingly challenging and potentially expensive in virtualized networks.


An effective network data integrity assurance strategy must be highly scalable. It must be able to collect, compare and report on tens of millions of real-time configuration and service parameters from hundreds of thousands of physical and virtual network functions, NFVI (i.e. servers, hypervisors, etc.), and management and orchestration systems. It must have the ability to discover network service topology and compare it to inventory databases, automatically reconciling mismatches and discrepancies. Identifying, alerting on, and correlating network data integrity analytics with security events will be important to maintain a reliable and secure network. Lastly, any strategy must be open and interoperable, and easily integrated into BSS, OSS, and orchestration systems, as well as multi-vendor physical and virtual network functions.
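The audit described above (reconciling discovered VNFs against inventory, comparing live settings to a "gold-standard" template, and catching temporary test VNFs that were never retired or tenants sharing a hypervisor) can be sketched as follows. This is an added example, not code from the article or from Nakina; every record, field name and template value in it is constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample data; field names and values are assumptions, not a real schema.
GOLD = {"vfirewall": {"ssh_root_login": "no", "mgmt_vlan": 100, "log_forwarding": "on"}}
TEMPORARY_TYPES = {"vtap", "test-agent", "traffic-gen"}  # troubleshooting VNFs that must be retired

INVENTORY = {  # what the OSS/orchestration records say is deployed
    "vnf-1": {"type": "vfirewall", "tenant": "A", "host": "hv-1"},
    "vnf-2": {"type": "vfirewall", "tenant": "B", "host": "hv-2"},
    "vnf-4": {"type": "vfirewall", "tenant": "A", "host": "hv-3"},
}
LIVE = {  # what discovery reports from the NFVI
    "vnf-1": {"type": "vfirewall", "tenant": "A", "host": "hv-1",
              "config": {"ssh_root_login": "yes", "mgmt_vlan": 100, "log_forwarding": "on"}},
    "vnf-2": {"type": "vfirewall", "tenant": "B", "host": "hv-1",
              "config": {"ssh_root_login": "no", "mgmt_vlan": 100, "log_forwarding": "on"}},
    "vnf-3": {"type": "vtap", "tenant": "A", "host": "hv-2", "config": {},
              "expires": "2015-02-01T00:00:00+00:00"},
}

def audit(inventory, live, gold, now):
    """Return (finding, subject, detail) tuples for every integrity discrepancy."""
    findings = []
    for vid in sorted(inventory.keys() - live.keys()):
        findings.append(("missing_in_network", vid, None))
    for vid in sorted(live.keys() - inventory.keys()):
        findings.append(("unknown_to_inventory", vid, None))
    tenants_by_host = {}
    for vid, vnf in sorted(live.items()):
        rec = inventory.get(vid)
        if rec and rec["host"] != vnf["host"]:
            findings.append(("placement_mismatch", vid, (rec["host"], vnf["host"])))
        # Compare each gold-template setting with the value read from the live VNF.
        for key, want in gold.get(vnf["type"], {}).items():
            got = vnf["config"].get(key)
            if got != want:
                findings.append(("config_drift", vid, (key, want, got)))
        # A temporary VNF with no expiry, or one past its expiry, was never retired.
        if vnf["type"] in TEMPORARY_TYPES:
            exp = vnf.get("expires")
            if exp is None or datetime.fromisoformat(exp) <= now:
                findings.append(("stale_temporary_vnf", vid, exp))
        tenants_by_host.setdefault(vnf["host"], set()).add(vnf["tenant"])
    # Co-residency is flagged for review against placement policy, not assumed to be a breach.
    for host, tenants in sorted(tenants_by_host.items()):
        if len(tenants) > 1:
            findings.append(("multi_tenant_co_residency", host, tuple(sorted(tenants))))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY, LIVE, GOLD, datetime(2015, 2, 15, tzinfo=timezone.utc)):
        print(finding)
```

Feeding these findings into the same pipeline as security events is what lets a drifted setting or an orphaned tap be correlated with later alerts on the same host.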

The benefits that can be gained from a holistic network data integrity strategy include:

• Lower operational expenditures through reduced fallout caused by incorrect inventory data;

• Accuracy in network asset information for reliable financial and regulatory reporting;

• Speed and simplicity in identifying which network functions are instantiated, their location, and the number of instances;

• Faster resolution of network faults from accurate inventory data;

• Improved customer satisfaction and revenue assurance with “right first time” network configuration; and

• Higher user confidence in decision-making processes based on accurate inventory data.

We’ve reached the end of the beginning of SDN/NFV transformation. Now is the time to focus on deployability. Most of the challenges that exist with today’s conventional networks, including network data integrity, will become magnified with new hybrid physical and virtual networks. And new ones will emerge. We are beginning a massive market transformation where many of the operational barriers first need to be identified, and then overcome.

© Copyright 2015, Pipeline Publishing, L.L.C. All Rights Reserved


About Nakina

Nakina offers a suite of Network Integrity applications for managing, securing, and optimizing physical and virtual networks. Nakina’s applications are built upon our Network Integrity Framework, an open and modular software platform that abstracts network complexity, normalizes multi-vendor management, and bridges the physical and virtual worlds for Management and Orchestration systems. Our software is proven and trusted, and protects the world’s largest and most important networks.

Nakina Systems

80 Hines Road, Suite 200 Ottawa, Ontario Canada K2K 2T8

Tel: 613.254.7351 Fax: 613.254.7352

www.nakinasystems.com