On the placement of security-related Virtualised Network Functions over data center networks
Middleboxes are typically hardware-accelerated appliances such as firewalls, proxies, WAN optimizers, and NATs that play an important role in service provisioning over today's data centers. Reports show that the number of middleboxes is on par with the number of routers, so they represent a significant commitment from an operator's capital and operational expenditure budgets. Over the past few years, software middleboxes known as Virtual Network Functions (VNFs) have been replacing hardware appliances to reduce cost, improve deployment flexibility, and allow network functionality to be extended on short timescales.
This dissertation identifies the characteristics that distinguish security modules implemented as VNFs in virtualised environments. We focus on placing security VNFs so as to minimise resource usage without violating the security-imposed constraints, a challenge faced by operators today who want to increase the usable capacity of their infrastructures. The work presented here focuses on the multi-tenant environment, where customised security services are provided to individual tenants. The services are implemented as software modules deployed as VNFs collocated with network switches to reduce overhead. Furthermore, the thesis presents a formalisation of the resource-aware placement of security VNFs and provides a constraint programming solution, along with heuristic, meta-heuristic and near-optimal (subset-sum based) solutions that solve larger problem instances in reduced time.
The results of this work identify the constraints specific to the placement of security functions. They demonstrate that the traffic granularity required by the security functions imposes traffic constraints that increase the resource overhead of the deployment. The work identifies north-south traffic in data centers, rather than east-west traffic, as the traffic that security functions are designed to process. It asserts that a non-sharing strategy for security modules (module instances are not shared between tenants) reduces complexity in the multi-tenant environment. Furthermore, the work adopts an on-path deployment strategy for security VNF traffic, which is shown to reduce resource overhead compared to previous approaches.
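As an added illustration of the placement problem described above (example code written for this page, not the dissertation's formalisation or solver), the Python model below assumes a small data-centre fabric in which north-south flows enter at a gateway switch and follow a fixed path of switches to the tenant's server. Each flow must be inspected at exactly one switch on its path (on-path placement), VNF instances are dedicated to a single tenant (non-sharing), every switch has a limited number of hosting slots, and each instance has a fixed inspection capacity. The topology, the flows, `SLOTS` and `VNF_CAP` are constructed values. An exhaustive search stands in for the exact constraint solution and a largest-flow-first greedy stands in for the heuristics, so the gap between them can be seen on a tiny instance.

```python
"""Toy model of on-path placement of per-tenant security VNFs (added example).

Assumptions, not taken from the dissertation: a flow is inspected at exactly one
switch on its own path; VNF instances are never shared between tenants; a switch
hosts at most SLOTS[switch] instances; one instance inspects at most VNF_CAP
traffic units. Objective: minimise the total number of VNF instances.
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import product
from math import ceil
from typing import Dict, List, Optional, Sequence, Tuple

VNF_CAP = 10  # traffic units one security VNF instance can inspect (assumed)


@dataclass(frozen=True)
class Flow:
    tenant: str
    path: Tuple[str, ...]  # switches traversed, gateway first (north-south)
    rate: int              # traffic units


def instances_needed(placed: Sequence[Tuple[Flow, str]]) -> Dict[Tuple[str, str], int]:
    """Instances per (switch, tenant) implied by a list of (flow, switch) placements.

    Non-sharing: a tenant's load at a switch is served only by that tenant's own
    instances, so counts are computed per (switch, tenant) pair.
    """
    load: Dict[Tuple[str, str], int] = defaultdict(int)
    for flow, sw in placed:
        load[(sw, flow.tenant)] += flow.rate
    return {key: ceil(units / VNF_CAP) for key, units in load.items()}


def feasible(inst: Dict[Tuple[str, str], int], slots: Dict[str, int]) -> bool:
    """A switch may not host more instances than it has slots."""
    used: Dict[str, int] = defaultdict(int)
    for (sw, _tenant), n in inst.items():
        used[sw] += n
    return all(n <= slots.get(sw, 0) for sw, n in used.items())


def exact_placement(flows: Sequence[Flow], slots: Dict[str, int]):
    """Exhaustive search over all on-path assignments; returns (cost, assignment).

    Stands in for the exact (constraint) solution: every flow is restricted to a
    switch on its own path, slot feasibility is enforced, total cost minimised.
    """
    best: Optional[Tuple[int, Tuple[str, ...]]] = None
    for assignment in product(*(f.path for f in flows)):
        inst = instances_needed(list(zip(flows, assignment)))
        if not feasible(inst, slots):
            continue
        cost = sum(inst.values())
        if best is None or cost < best[0]:
            best = (cost, assignment)
    return best


def greedy_placement(flows: Sequence[Flow], slots: Dict[str, int]):
    """Heuristic: place flows largest-first at the on-path switch with the lowest
    marginal instance cost; ties go to the switch nearest the gateway.
    Returns (cost, assignment), or None if the heuristic reaches a dead end."""
    chosen: List[Optional[str]] = [None] * len(flows)
    for i in sorted(range(len(flows)), key=lambda k: -flows[k].rate):
        best_sw, best_cost = None, None
        for sw in flows[i].path:
            chosen[i] = sw
            placed = [(flows[k], s) for k, s in enumerate(chosen) if s is not None]
            inst = instances_needed(placed)
            if feasible(inst, slots):
                cost = sum(inst.values())
                if best_cost is None or cost < best_cost:
                    best_sw, best_cost = sw, cost
        chosen[i] = best_sw
        if best_sw is None:
            return None
    assignment = tuple(chosen)
    return sum(instances_needed(list(zip(flows, assignment))).values()), assignment


# Constructed fabric: one gateway, two aggregation switches, four ToR switches.
SLOTS = {"gw": 1, "agg1": 2, "agg2": 2, "tor1": 1, "tor2": 1, "tor3": 1, "tor4": 1}

# Constructed north-south flows for two tenants.
FLOWS = [
    Flow("A", ("gw", "agg1", "tor2"), 6),
    Flow("A", ("gw", "agg2", "tor3"), 6),
    Flow("B", ("gw", "agg1", "tor1"), 4),
    Flow("B", ("gw", "agg2", "tor4"), 4),
    Flow("A", ("gw", "agg1", "tor2"), 3),
]

if __name__ == "__main__":
    print("exact :", exact_placement(FLOWS, SLOTS))
    print("greedy:", greedy_placement(FLOWS, SLOTS))
```

On the constructed input the exhaustive search needs 3 instances while the greedy heuristic settles for 4: its tie-break parks tenant A's first flow at the gateway, which uses the gateway's only slot and so denies it to tenant B, whose two flows share no other switch. That is the kind of gap the dissertation's heuristic versus exact comparison is about, reproduced here at toy scale.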
SDNFV-based DDoS detection and remediation in multi-tenant, virtualized infrastructures
As ICT resources are increasingly hosted over Cloud Data Center infrastructures, Distributed Denial of Service (DDoS) attacks are becoming a major concern for Cloud service providers and tenants. The lack of physical resource isolation over a Cloud environment exposes non-targeted tenants to indirect performance degradation, while it is increasingly challenging to distinguish between safe (e.g., internal, DMZ) and external zones. Traditional DDoS detection and prevention systems employ high-performance and high-cost bespoke appliances (middleboxes) in fixed locations of the physical infrastructure. However, this limits their provisioning abilities to a static specification, hindering extensible functionality and resulting in vendor lock-in.
In this chapter, we propose a softwarised orchestration framework for DDoS detection and mitigation in the cloud. We exploit the latest advances in Network Function Virtualization (NFV) to devise a modular security framework through the dynamic deployment of lightweight network functions where and when required to protect the infrastructure at the onset of DDoS attacks. We rely on the network-wide, logically-centralised management of traffic and network services provided by Software-Defined Networking (SDN) for the placement of NFs and to (re-)route traffic to them. Using an example of a DDoS remediation service, we demonstrate the benefits of an extensible and reconfigurable DDoS security system that uses dynamic security module duplication and placement to remediate the performance impact of the attack on the underlying infrastructure.
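To make the orchestration loop concrete, the Python below is an added example (not the chapter's framework or code) of the control logic such a system runs: per-destination ingress counters are polled each interval, a destination whose rate crosses a threshold gets scrubbing NF instances deployed at its edge switch, further instances are duplicated as the attack grows, a flow rule steers that destination's traffic through the current set of scrubbers, and everything is torn down after the rate has stayed below the threshold for a number of quiet intervals. The `Sample` records, switch names, addresses, `threshold_pps` and `scrubber_cap_pps` are constructed values, and the actions are returned as strings rather than sent to a real SDN controller or NFV orchestrator.

```python
"""Added example: a minimal DDoS remediation orchestrator in the SDN/NFV style.

Everything here is constructed for illustration. A real deployment would read
per-destination counters from the SDN controller, ask an NFV orchestrator to
instantiate scrubbing NFs, and push flow rules; this model returns its decisions
as strings so the logic can be inspected and tested offline.
"""
from dataclasses import dataclass, field
from math import ceil
from typing import Dict, List


@dataclass(frozen=True)
class Sample:
    """Per-destination ingress rate observed in one polling interval (constructed)."""
    dst: str   # protected tenant service address
    pps: int   # packets per second destined to dst during the interval
    edge: str  # edge switch where traffic for dst enters the fabric


@dataclass
class Orchestrator:
    threshold_pps: int        # per-destination rate treated as a DDoS (assumed)
    scrubber_cap_pps: int     # rate one scrubbing NF instance can filter (assumed)
    calm_intervals: int = 2   # quiet intervals required before tearing down
    scrubbers: Dict[str, List[str]] = field(default_factory=dict)  # dst -> NF ids
    reroutes: Dict[str, dict] = field(default_factory=dict)        # dst -> flow rule
    quiet: Dict[str, int] = field(default_factory=dict)            # dst -> calm count

    def observe(self, samples: List[Sample]) -> List[str]:
        """Process one polling interval and return the orchestration actions taken."""
        actions: List[str] = []
        for s in samples:
            if s.pps >= self.threshold_pps:
                self.quiet[s.dst] = 0
                # Duplicate scrubbers until their aggregate capacity covers the rate.
                actions += self._scale_out(s, ceil(s.pps / self.scrubber_cap_pps))
            elif s.dst in self.scrubbers:
                # Rate has dropped; release resources once it stays quiet long enough.
                self.quiet[s.dst] = self.quiet.get(s.dst, 0) + 1
                if self.quiet[s.dst] >= self.calm_intervals:
                    actions += self._teardown(s.dst)
        return actions

    def _scale_out(self, s: Sample, needed: int) -> List[str]:
        actions: List[str] = []
        pool = self.scrubbers.setdefault(s.dst, [])
        while len(pool) < needed:
            nf = f"scrub-{s.dst}-{len(pool) + 1}"
            pool.append(nf)
            actions.append(f"deploy {nf} on {s.edge}")
        # SDN reroute: match traffic for dst at its edge switch, spread it over the pool.
        rule = {"switch": s.edge, "match": {"ipv4_dst": s.dst}, "group": list(pool)}
        if self.reroutes.get(s.dst) != rule:  # only push a rule when the pool changed
            self.reroutes[s.dst] = rule
            actions.append(f"reroute {s.dst} at {s.edge} via {len(pool)} scrubber(s)")
        return actions

    def _teardown(self, dst: str) -> List[str]:
        rule = self.reroutes.pop(dst)
        actions = [f"restore {dst} at {rule['switch']} to normal forwarding"]
        actions += [f"undeploy {nf}" for nf in self.scrubbers.pop(dst)]
        self.quiet.pop(dst, None)
        return actions


def run_scenario() -> List[List[str]]:
    """Constructed timeline: baseline, attack onset, attack growth, then two calm intervals.

    A bystander tenant on another edge switch is polled alongside the victim to
    show that only the attacked destination is rerouted.
    """
    orch = Orchestrator(threshold_pps=20_000, scrubber_cap_pps=50_000)
    victim, bystander = "10.0.1.5", "10.0.2.9"
    timeline = [
        [Sample(victim, 5_000, "edge1"), Sample(bystander, 8_000, "edge2")],
        [Sample(victim, 120_000, "edge1"), Sample(bystander, 8_000, "edge2")],
        [Sample(victim, 180_000, "edge1"), Sample(bystander, 8_000, "edge2")],
        [Sample(victim, 3_000, "edge1"), Sample(bystander, 8_000, "edge2")],
        [Sample(victim, 3_000, "edge1"), Sample(bystander, 8_000, "edge2")],
    ]
    return [orch.observe(interval) for interval in timeline]


if __name__ == "__main__":
    for t, actions in enumerate(run_scenario()):
        print(f"interval {t}: {actions or 'no action'}")
```

In the constructed timeline the onset at 120k pps deploys three scrubbers and installs the reroute, the growth to 180k pps duplicates a fourth and updates the rule, and two quiet intervals later the rule is withdrawn and all four instances are released; the bystander tenant is never touched. Scale-in while still under attack is deliberately left out to avoid flapping, a choice a real framework would make configurable.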