With the paradigm shift of 5G in terms of computing and infrastructure, 5G security is confronted with new challenges due to the promising introduction of Software Defined Networks (SDN), Network Function Virtualization (NFV) and Cloud Computing. While most of current works on 5G security are focused on high-level analysis of challenges and threats to satisfy the emerging use cases. Software Defined Security (SDS), as a new security paradigm which provides flexible and centralized security protection for varieties of networks especially for SDN and Cloud environment, can be a potential security solution in 5G. Lots of work have focused on the implementations and details of SDS, and most researchers, however, are focusing on the controller design and security policy design. There are few work on the placement strategy of Network Security Functions (NSFs) and devices, which plays a significant role in SDS to improve the optimize defence effects. Most of existing placement schemes are modelled as Integer Linear Programming (ILP) by considering the constrains in terms of resource, time, security and so on, and introduce various heuristic algorithm to reduce its computing complexity. While in this paper, we propose a placement scheme of NSFs and devices in SDS based on underlying routing characteristic and evaluate its performance defending virus attack. The proposed scheme adopts Group Routing Betweenenss Centrality (GRBC) as a metric and introduces a successive algorithm to compute the GRBC. Different to traditional Routing Betweenness Centrality which only considers the importance of single node, the proposed scheme can find the key group of nodes in a SDS underlying network, where the NSFs and security devices should be deployed. In the performance evaluation, we apply our scheme to the scenario of computer virus and worms control in SDS, and the results show that the proposed scheme can improve the performance of security functions in SDS system.