Fortinet Security PNFs and VNFs SDN Integration for Automated Control-Plane Security
The Need For Security PNF/VNF SDN Integration
Software-defined networking (SDN) separates the control plane of network equipment, physical network function (PNF), and virtual network function (VNF) from the forwarding plane abstract’s lower level functions and moves them to a normalized control plane, which manages network behavior through application program interfaces (APIs). From a software-based, centralized control plane, network administrators can provide services through a multi-vendor network with PNF and VNF components and the constantly changing networking environment.
Within 4.5G and 5G, SDN is used to provide an overall framework enabling functionality across a control plane. It can provide better data flows as data moves across the network. In addition, SDN architecture can minimize network bandwidth and boost latency. Finally, it provides a way to manage and automate network scalability and redundancy from a centralized control plane, circumnavigating major outages by determining optimal data flows in real time. Security integration with SDN is required because:
- As security is required at the core of the mobile network for both 4G and 5G, so must it integrate with the SDN ecosystem in place to provide the appropriate flow/user-based security service/functionality as standalone or within a larger service chain.
- With 5G innovative services such as network slicing and Multi-access Edge Computing (MEC) security, VNFs must be delivered dynamically and where and when required. This ensures security from the edge cloud, through the core, and onto the Telco cloud/Internet/third-party cloud and services. For efficient and agile deployment and utilization of these security resources, integration with both management and orchestration (MANO) and SDN is required.
- SDN allows for dynamic and efficient security VNFs auto-scaling in response to real-time changes in traffic volume, service scalability requirements, SLA fulfillment, and high availability scenarios.
Fortinet Fabric Connectors for API-Based SDN Integration
With Fabric Connector technology, Fortinet has developed deep integration using APIs or specific code to provide security automation with simplified, consistent management and DevOps support in a dynamic, multi-vendor environment. The following Fabric Connectors for SDN provide dynamic policy integration with the following SDN platforms:
Fortinet Support for Service Function Chaining (SFC) Network Service Header (NSH)
The term service function chaining (SFC) is used to describe the definition and instantiation of an ordered list of instances of such service functions and the subsequent "steering“ of traffic flows through those service functions. The set of enabled service function chains reflects operator service offerings and is designed in conjunction with application delivery and service and network policy. Network Service Header (NSH – RFC 8300) is a service-chaining protocol that is added to network traffic, in the packet header, to describe a sequence of service nodes (PNFs or VNFs) that the packet must be routed to prior to reaching its destination address, thus creating a service chain.
During a joint European Telecommunications Standards Institute (ETSI) – Open Platform for NFV (OPNFV) plugtest, and with close partnership with SUSE, Fortinet was the first to demonstrate a commercial SFC/NSH-capable VNF. This highlights Fortinet's commitment to meeting communication service providers’ specific requirements.