The implementation of virtualized networks and services creates new challenges to ensure efficient, network-wide cyber security, all the way from virtual machines (VMs) to applications in the form of virtual network functions (VNFs).
In 2018, cyber security will be defined through network-wide rules and methods that manage a large number of applications. This is similar to the broad policies that have already been successfully implemented for charging, based on describing behavior by category and defining their fundamental characteristics. By managing categories instead of individual instances, it is possible to efficiently scale management and operations.
In the case of security, this method can be used to automate security policy audits.
As an example, east-west traffic between VMs or containers can be described via VNF descriptors or Docker files. Based on this, it is possible to check that actual traffic is in line with expected traffic according to policy and that there are no security breaches.
In terms of technology, probes based on Deep Packet Inspection (DPI) can analyze traffic in real-time, detect breaches in policy, generate alarms and trigger automatic remedial actions.
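The audit described above, as an added example that is not part of the original article or any Enea product: a declared service topology (a simplified, constructed stand-in for what a Compose file or VNF descriptor would express, with a hypothetical `allowed_clients` label for intended east-west dependencies) is compared against observed flows as a DPI probe or flow exporter might report them. Flows the declaration does not explain are reported as policy deviations, and declared dependencies that were never observed are reported so the policy can be pruned.

```python
"""Audit observed east-west flows against a declared service topology.

Added example, not code from the article. The topology format and the
observed flows below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed topology. Each service declares the address it runs on, the
# (protocol, port) pairs it is expected to serve, and the services allowed
# to call it. "allowed_clients" is a hypothetical label standing in for
# whatever a real descriptor would use to express intended dependencies.
TOPOLOGY: Dict[str, dict] = {
    "web":    {"addr": "10.0.1.10", "ports": {("tcp", 443)},  "allowed_clients": set()},
    "app":    {"addr": "10.0.1.20", "ports": {("tcp", 8080)}, "allowed_clients": {"web"}},
    "db":     {"addr": "10.0.1.30", "ports": {("tcp", 5432)}, "allowed_clients": {"app", "backup"}},
    "probe":  {"addr": "10.0.1.40", "ports": set(),           "allowed_clients": set()},
    "backup": {"addr": "10.0.1.50", "ports": set(),           "allowed_clients": set()},
}

# Constructed observed flows: (src_ip, dst_ip, dst_port, protocol).
OBSERVED_FLOWS: List[Tuple[str, str, int, str]] = [
    ("10.0.1.10", "10.0.1.20", 8080, "tcp"),  # web -> app: declared
    ("10.0.1.20", "10.0.1.30", 5432, "tcp"),  # app -> db: declared
    ("10.0.1.10", "10.0.1.30", 5432, "tcp"),  # web -> db directly: not an allowed client
    ("10.0.1.40", "10.0.1.20", 22,   "tcp"),  # probe -> app on a port app never declared
    ("10.0.2.99", "10.0.1.30", 5432, "tcp"),  # source address unknown to the topology
]


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dst_port: int
    reason: str


def _addr_to_service(topology: Dict[str, dict]) -> Dict[str, str]:
    """Reverse index from declared address to service name."""
    return {spec["addr"]: name for name, spec in topology.items()}


def audit_flows(topology: Dict[str, dict], flows) -> List[Finding]:
    """Return one Finding per observed flow the declared topology does not explain."""
    by_addr = _addr_to_service(topology)
    findings: List[Finding] = []
    for src, dst, port, proto in flows:
        src_svc = by_addr.get(src)
        dst_svc = by_addr.get(dst)
        if dst_svc is None:
            findings.append(Finding(src, dst, port, "destination not in declared topology"))
            continue
        if src_svc is None:
            findings.append(Finding(src, dst, port, "source not in declared topology"))
            continue
        dst_spec = topology[dst_svc]
        if (proto, port) not in dst_spec["ports"]:
            findings.append(Finding(src, dst, port,
                                    f"port {proto}/{port} not declared for service {dst_svc}"))
            continue
        if src_svc not in dst_spec["allowed_clients"]:
            findings.append(Finding(src, dst, port,
                                    f"{src_svc} is not an allowed client of {dst_svc}"))
    return findings


def unused_dependencies(topology: Dict[str, dict], flows) -> List[Tuple[str, str]]:
    """Return declared (client, service) pairs never seen in the observed flows.

    These are candidates for removal: a permission nobody uses only widens the
    blast radius if the client is compromised.
    """
    by_addr = _addr_to_service(topology)
    declared: Set[Tuple[str, str]] = {
        (client, svc) for svc, spec in topology.items() for client in spec["allowed_clients"]
    }
    observed: Set[Tuple[str, str]] = {
        (by_addr[src], by_addr[dst]) for src, dst, _, _ in flows
        if src in by_addr and dst in by_addr
    }
    return sorted(declared - observed)


if __name__ == "__main__":
    for f in audit_flows(TOPOLOGY, OBSERVED_FLOWS):
        print(f"DEVIATION {f.src} -> {f.dst}:{f.dst_port}  {f.reason}")
    for client, svc in unused_dependencies(TOPOLOGY, OBSERVED_FLOWS):
        print(f"UNUSED    {client} -> {svc} is declared but never observed")
```

On the constructed input this reports three deviations (a direct web-to-db connection, an undeclared port on app, and a flow from an address outside the topology) and one declared dependency (backup to db) with no matching traffic. In a real deployment the topology would be generated from the descriptors at deploy time and the flow list fed continuously from the probe, so the audit runs as a standing check rather than a one-off script.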
From 2018, network-wide security policy will become visible, shared, and auditable for an entire organization.
Telecom service providers are starting to design networks that can function without human involvement.
The foundation of this automation will be built using:
The quality and the extent of telco cloud automation will depend on these tools, which enable a mix of individual customization (“pet approach”) and mass deployment (“cattle approach”).
For example, NFVI software managed by NETCONF instead of Ansible allows a customized service for each enterprise while ensuring a flexible and structured service offering. On the other hand, Ansible can leverage NETCONF elements as they are deployed to scale management and configuration tasks.
Starting in 2018, NETCONF and Ansible will be used in combination to enable both customized and scalable network automation.
Initially, VMs have been used to deploy leading commercial VNFs such as SD-WAN, firewalls and vRouters. As a next step, containers will appear, first to manage access platforms and then to host VNFs.
Containers bring clear advantages in terms of flexibility, simplicity and footprint, so basing value-added applications on containers is a relatively easy and natural next step. These containers will benefit from their simple and efficient orchestration companion tools such as Kubernetes or Docker Compose/Swarm. This approach is an interesting alternative to the more complex and immature ETSI-based recommendations.
In practice, management agents, websites, applications, and probes will start running as a set of containers managed centrally and automatically based on predefined rules.
In 2018, we will see more Kubernetes and Docker Compose/Swarm in uCPEs.
Article first published on December 8th 2017 in The Fast Mode
About The Author:
As NFV CTO for Enea, Nicolas is involved in the company’s initiatives in open and virtualized networks. He contributes to standards bodies such as ONF SDN, ETSI NFV and IETF SFC, and Open Source Projects centred around Network Virtualization. Nicolas has spent over 20 years in the telecommunications and information systems field. Early in his career, he was instrumental in creating HP’s OpenCall business. Then as the R&D manager of Inovatel, the advanced research organization of SFR, Nicolas led several innovative projects highlighting the impact of internet technologies on Mobile Operators. Nicolas was also CTO and founder of Volubill (2001), a company building a Policy and Charging Rules Function (PCRF) product for the Mobile Network Market. Volubill was a spinoff of the work he led as R&D Manager of Cegetel’s Internet research lab. Nicolas holds several patents relating to Mobile Data Charging. Nicolas has an engineering degree from the French schools Ecole Polytechnique and Les Mines de Paris.