The journey towards NFV has been underway for some time, with a pivotal milestone being the establishment of the NFV Industry Specification Group (ISG) by the European Telecommunications Standards Institute (ETSI). ETSI ISG NFV played a vital role in defining open-source standards for NFV and creating open-source implementations of NFV.

NFV Component Architecture

The foundation of NFV relies on three key components:

1. NFV Infrastructure (NFVI): NFVI encompasses all the software and hardware elements constituting the environment where NFVs operate. When NFVI spans multiple sites, the connecting network is considered an integral part of the NFVI.

2. Virtualized Network Functions (VNF): VNFs are network functions that can be implemented as software and deployed within the NFVI environment. Examples of VNFs include firewalls, software-defined WAN (SD-WAN) solutions, routing capabilities, and Quality of Service (QoS) management.

3. Management, Automation, and Network Orchestration (MANO): NFV MANO orchestrates and manages VNFs within the NFVI. It encompasses functional blocks, data repositories, reference points, and interfaces that facilitate communication while orchestrating and managing both NFVI and VNFs.

Network Functions Virtualization Use Cases

NFV finds application in various use cases, some of which include:

1. Service Chaining: Communication Service Providers (CSPs) can chain and interlink services or applications such as firewalls and SD-WAN network optimization, offering them as on-demand services.

2. Software-Defined Branch and SD-WAN: SD-WAN network optimization and SD-Branch security functionalities can be virtualized as NFVs, enabling their provisioning as fully virtualized services.

3. Network Monitoring and Security: NFV allows the implementation of firewalls, offering fully virtualized network flow monitoring and the application of security policies for traffic routed through the firewall.

NFV vs. SDN

NFV and Software-Defined Networking (SDN) are often viewed as complementary options for shaping the future of networks.

SDN abstracts network infrastructure into application, control plane, and data plane layers, making network control directly programmable. This facilitates automated provisioning and policy-based resource management. For instance, network changes can be made in software, eliminating the need for manual cable rearrangements.

NFV can be considered a use case of SDN, and vice versa. However, it’s entirely feasible to implement VNFs independently of SDN, and conversely.

Benefits of Network Functions Virtualization (NFV)

NFV offers several advantages, including:

1. Cost Reduction: Traditional physical appliances require purchasing, configuration, and consume space, power, and cooling. NFVs run on standard servers, often with significantly lower overhead requirements.

2. Rapid Deployment: NFVs are software-based, enabling swift deployment and easy updates. Compared to physical systems, initial deployment and updates are more time and resource-efficient.

3. Automation Support: As software entities, NFVs can be configured and managed programmatically. This allows organizations to leverage automation for rapid configuration changes or large-scale updates.

4. Enhanced Flexibility: NFVs, being software-based, can dynamically scale up or down by allocating more or fewer resources as needed. This flexibility is not feasible with physical appliances, which require the acquisition of additional units in fixed-size increments.

5. Reduced Vendor Lock-In: Physical security appliances often lead to vendor lock-in due to the complexity and expense of switching platforms. NFVs, capable of running on diverse hardware, empower organizations to choose hardware that aligns best with their specific needs.

Below is a relevant link for a technical article on Network Functions Virtualization (NFV):

ETSI NFV ISG – Official page of the European Telecommunications Standards Institute (ETSI) NFV Industry Specification Group, providing detailed information on NFV standards.

What is Routing Security?

Routing security refers to the measures taken to protect the routing infrastructure of a network from attacks or other forms of unauthorized access. This includes securing routers, switches, and other network devices that are involved in directing traffic. The goal of routing security is to ensure that traffic is routed correctly and securely, without interference or interception by unauthorized parties.

Why is Routing Security Important?

Routing security is critical to maintaining the integrity and availability of the network. A compromised routing infrastructure can result in the following:

Loss of Confidentiality: Attackers can intercept sensitive data by redirecting traffic to a malicious endpoint.
Loss of Integrity: Attackers can modify or tamper with data packets, potentially compromising the data’s authenticity and reliability.

Loss of Availability: Attackers can disrupt network traffic by blocking or redirecting packets, causing downtime for critical services.

Best Practices for Securing a Network’s Routing Infrastructure
There are several best practices that network administrators can follow to secure their routing infrastructure. These include:

Implement Access Control Lists (ACLs)
ACLs are a set of rules that determine which traffic is allowed or denied access to a network. They can be used to block traffic from specific IP addresses, protocols, or ports, and can be applied at different levels of the network. For example, an ACL can be applied to a router to block traffic from a specific IP address or port, or it can be applied to a switch to block traffic from a particular VLAN.
Here is a sample Cisco ACL configuration:

Router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
Router(config)# access-list 100 permit ip any any
Router(config)# interface fa0/0
Router(config-if)# ip access-group 100 in

This configuration creates an ACL that denies traffic from any IP address in the 10.0.0.0/8 network and permits all other traffic. The ACL is then applied to the inbound interface of the router’s Fa0/0 interface.

Use Routing Protocols with Authentication
Routing protocols are used to exchange routing information between routers and switches. However, these protocols can be vulnerable to attacks that attempt to manipulate the routing tables. To prevent this, it is recommended to use routing protocols that support authentication, such as OSPFv3 or BGP. Authentication ensures that only authorized devices can participate in the routing process.

Here is a sample Cisco OSPFv3 configuration:

Router(config)# interface fa0/0
Router(config-if)# ipv6 ospf authentication message-digest
Router(config-if)# ipv6 ospf message-digest-key 1 md5 cisco123
Router(config)# ipv6 router ospf 1
Router(config-rtr)# area 0 authentication message-digest

This configuration enables OSPFv3 authentication using MD5 encryption with the key “cisco123”. It also enables authentication for the router’s OSPFv3 area.

Use Secure Management Practices
Network devices must be securely managed to prevent unauthorized access or modifications. This includes setting strong passwords for user accounts, disabling unnecessary services, and limiting access to management interfaces.

Here is a sample Cisco configuration to enable secure management:

Router(config)# enable secret cisco123
Router(config)# line vty 0 4
Router(config-line)# login
Router(config-line)# transport input ssh
Router(config)# ip ssh version 2

This configuration sets the enable secret to “cisco123”, requiring a password to access privileged mode. It also configures the virtual terminal lines for SSH access only and enables SSH version 2 for secure remote access.

Implement Network Segmentation
Network segmentation involves dividing the network into smaller, isolated segments, each with its own security controls. This reduces the attack surface and limits the impact of a potential breach. For example, critical servers and services can be placed in a separate segment that is only accessible to authorized personnel. Here is a sample Cisco configuration for VLAN segmentation:

Switch(config)# vlan 10
Switch(config-vlan)# name Finance
Switch(config-vlan)# exit

Switch(config)# vlan 20
Switch(config-vlan)# name HR
Switch(config-vlan)# exit

Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# exit

Switch(config)# interface fa0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 20
Switch(config-if)# exit

This configuration creates two VLANs for Finance and HR, respectively. The switch’s Fa0/1 interface is assigned to the Finance VLAN, and the Fa0/2 interface is assigned to the HR VLAN. This creates a logical separation between the two segments, limiting communication between them.

Keep Software Up-to-Date
Keeping network device software up-to-date is critical to address security vulnerabilities and bugs. Regularly check for firmware and software updates from the vendor and apply them as soon as possible. Here is a sample Cisco configuration to upgrade the IOS image:

Router# copy tftp://192.168.1.10/c2960x-universalk9-mz.152-4.E6.bin flash:
Router# configure terminal
Router(config)# boot system flash:/c2960x-universalk9-mz.152-4.E6.bin
Router(config)# exit
Router# reload

This configuration copies the new IOS image from a TFTP server with the IP address of 192.168.1.10 and saves it to the device’s flash memory. It then sets the new IOS image as the default boot image and reloads the device to apply the update.

Conclusion

Routing security is critical to maintaining the integrity and availability of a network’s infrastructure. Following best practices, such as implementing access control lists, using routing protocols with authentication, implementing network segmentation, and keeping software up-to-date, can help mitigate the risks of attacks and unauthorized access. Cisco devices provide many security features and configurations to help secure a network’s routing infrastructure, and these code samples are just a few examples of how to do so. It is crucial to continuously monitor and update the network’s security to stay ahead of potential threats.

In this article, we will provide a step-by-step guide to help you understand IP subnetting.

Step 1: Determine the IP Address Class

The first step in subnetting is to determine the IP address class. IP addresses are divided into 5 classes: A, B, C, D, and E. Classes A, B, and C are commonly used for networking.

Class A networks have a default subnet mask of 255.0.0.0, Class B networks have a default subnet mask of 255.255.0.0, and Class C networks have a default subnet mask of 255.255.255.0.

Step 2: Determine the Number of Subnets Needed

The next step is to determine the number of subnets needed. This is based on the number of departments, locations, or other factors that require separate networks. To determine the number of subnets, you need to borrow bits from the host portion of the IP address.

For example, if you need 4 subnets, you need to borrow 2 bits (2^2 = 4) from the host portion of the IP address.

Step 3: Determine the Number of Hosts Needed per Subnet

The next step is to determine the number of hosts needed per subnet. This is based on the number of devices that need to be connected to the network in each subnet.

To determine the number of hosts per subnet, you need to subtract 2 from the total number of IP addresses in the subnet. The first IP address is used for the network address, and the last IP address is used for the broadcast address.

For example, if you need 100 hosts per subnet, you need to have a subnet that provides at least 102 IP addresses (100 + 2).

Step 4: Create the Subnet Mask

The subnet mask determines the range of IP addresses available for hosts in each subnet. To create the subnet mask, you need to determine the value of the bits you borrowed from the host portion of the IP address.

For example, if you borrowed 2 bits from the host portion of the IP address, you need to determine the binary value of those bits. In this case, the binary value would be 11 (2 bits).

The subnet mask for this example would be 255.255.255.192 (or /26 in CIDR notation). This subnet mask provides 64 IP addresses (2^6 = 64) per subnet.

Step 5: Determine the Valid Host Range

The valid host range is the range of IP addresses available for hosts in each subnet. To determine the valid host range, you need to subtract 2 from the total number of IP addresses in the subnet.

For example, if you have a subnet with a subnet mask of 255.255.255.192, the total number of IP addresses in the subnet is 64. Subtracting 2 gives you 62, which is the number of valid IP addresses in the subnet.

The first IP address in the subnet is used for the network address, and the last IP address is used for the broadcast address. Therefore, the valid host range for this example would be 192.168.1.1 – 192.168.1.62.

Conclusion

Subnetting is an important tool that allows you to optimize your network performance and improve security. By dividing a larger network into smaller subnets, you can reduce network congestion, increase efficiency, and create separate segments for different departments or functions within your organization.

Follow another step by step walkthrough here – https://www.expertnetworkconsultant.com/subnetting/step-by-step-guide-to-understanding-ip-subnetting/