ABSTRACT
We present an architecture and implementation of the security wrapper concept for protecting virtualized network functions in a cloud environment. A security wrapper encloses a set of virtualized resources within a protective envelope in the network forwarding graph that is transparent to the data plane. The extent and capabilities of this envelope are dynamic. We present a prototype implementation of the security wrapper and analyze its behaviour in different operation scenarios. Measurements of the wrapper orchestration delays, resource overhead and data plane traffic impact indicate that the proposed mechanism can be deployed in virtualized networks with little overhead while remaining relatively transparent to the traffic traversing the security wrapper boundary.