On the placement of security-related Virtualised Network Functions over data center networks

Middleboxes are typically hardware-accelerated appliances such as firewalls, proxies, WAN optimizers, and NATs that play an important role in service provisioning over today's data centers. Reports show that the number of middleboxes is on par with the number of routers, and consequently represent a significant commitment from an operator's capital and operational expenditure budgets. Over the past few years, software middleboxes known as Virtual Network Functions (VNFs) are replacing the hardware appliances to reduce cost, improve the flexibility of deployment, and allow for extending network functionality in short timescales. This dissertation aims at identifying the unique characteristics of security modules implementation as VNFs in virtualised environments. We focus on the placement of the security VNFs to minimise resource usage without violating the security imposed constraints as a challenge faced by operators today who want to increase the usable capacity of their infrastructures. The work presented here, focuses on the multi-tenant environment where customised security services are provided to tenants. The services are implemented as a software module deployed as a VNF collocated with network switches to reduce overhead. Furthermore, the thesis presents a formalisation for the resource-aware placement of security VNFs and provides a constraint programming solution along with examining heuristic, meta-heuristic and near-optimal/subset-sum solutions to solve larger size problems in reduced time. The results of this work identify the unique and vital constraints of the placement of security functions. They demonstrate that the granularity of the traffic required by the security functions imposes traffic constraints that increase the resource overhead of the deployment. The work identifies the north-south traffic in data centers as the traffic designed for processing for security functions rather than east-west traffic. It asserts that the non-sharing strategy of security modules will reduce the complexity in case of the multi-tenant environment. Furthermore, the work adopts on-path deployment of security VNF traffic strategy, which is shown to reduce resources overhead compared to previous approaches

SDNFV-based DDoS detection and remediation in multi-tenant, virtualized infrastructures

As ICT resources are increasingly hosted over Cloud Data Center infrastructures, Distributed Denial of Service (DDoS) attacks are becoming a major concern for Cloud service providers and tenants. The lack of physical resource isolation over a Cloud environment exposes non-targeted tenants to indirect performance degradation while it is increasingly challenging to distinguish between safe (e.g., internal, DMZ) and external zones. Traditional DDoS detection and prevention systems employ high-performance and high-cost bespoke appliances (middleboxes) in fixed locations of the physical infrastructure. However, this limits their provisioning abilities to a static specification, hindering extensible functionality and resulting in vendor lock-in. In this chapter, we propose a softwarised orchestration framework for DDoS detection and mitigation in the cloud. We exploit latest advances in Network Function Virtualization (NFV) to devise a modular security framework through the dynamic deployment of lightweight network functions where and when required to protect the infrastructure at the onset of DDoS attacks. We rely on the networkwide, logically-centralised management of traffic and network services provided by Software-Defined Networking (SDN) for the placement of NFs and to (re-)route traffic to them. Using an example of a DDoS remediation service, we demonstrate the benefits of an extensible and reconfigurable DDoS security system that uses dynamic security module duplication and placement to remediate the performance impact of the attack on the underlying infrastructure