Dynamic and Application-Aware Provisioning of Chained Virtual Security Network Functions

Dynamic and Application-Aware Provisioning of Chained Virtual Security Network Functions

This is the author’s version of an article that has been published in IEEE Transactions on Network and Service Management. Changes were made to this version by the publisher prior to publication. The final version of record is available at https://doi.org/10.1109/TNSM.2019.2941128. The source code associated with this project is available at https://github.com/doriguzzi/pess-security. Dynamic and Application-Aware Provisioning of Chained Virtual Security Network Functions Roberto Doriguzzi-Corinα, Sandra Scott-Haywardβ, Domenico Siracusaα, Marco Saviα, Elio Salvadoriα αCREATE-NET, Fondazione Bruno Kessler - Italy β CSIT, Queen’s University Belfast - Northern Ireland Abstract—A promising area of application for Network Func- connected to the network through an automated and logically tion Virtualization is in network security, where chains of Virtual centralized management system. Security Network Functions (VSNFs), i.e., security-specific virtual functions such as firewalls or Intrusion Prevention Systems, The centralized management system, called NFV Manage- can be dynamically created and configured to inspect, filter ment and Orchestration (NFV MANO), controls the whole or monitor the network traffic. However, the traffic handled life-cycle of each VNF. In addition, the NFV MANO can by VSNFs could be sensitive to specific network requirements, dynamically provision complex network services in the form such as minimum bandwidth or maximum end-to-end latency. of sequences (often called chains) of VNFs. Indeed, Network Therefore, the decision on which VSNFs should apply for a given application, where to place them and how to connect them, Service Chaining (NSC) is a technique for selecting subsets should take such requirements into consideration. Otherwise, of the network traffic and forcing them to traverse various security services could affect the quality of service experienced VNFs in sequence. For example, a firewall followed by an by customers. Intrusion Prevention System (IPS), then a Network Address In this paper we propose PESS (Progressive Embedding of Translation (NAT) service and so on. NSC and NFV enable Security Services), a solution to efficiently deploy chains of vir- tualised security functions based on the security requirements of flexible, dynamic service chain modifications to meet the real individual applications and operators’ policies, while optimizing time network demands. resource utilization. We provide the PESS mathematical model A promising area of application for NSC and NFV is in and heuristic solution. network security, where chains of Virtual Security Network Simulation results show that, compared to state-of-the-art Functions (VSNFs), i.e., security-specific VNFs such as a application-agnostic VSNF provisioning models, PESS reduces computational resource utilization by up to 50%, in different firewall or an IPS, can be dynamically created and configured network scenarios. This result ultimately leads to a higher to inspect, filter or monitor the network traffic. The flexibility number of provisioned security services and to up to a 40% of the NSC and NFV paradigms brings many benefits, among reduction in end-to-end latency of application traffic. others: (i) highly customizable security services based on Index Terms—Network Function Virtualization, Network Ser- the needs of the end-users, (ii) fast reaction to new security vice Chaining, Progressive Embedding, Application-Aware Net- work Security. threats or variations of known attacks, and (iii) low Operating Expenditure (OpEx) and Capital Expenditure (CapEx) for the operator. On the other hand, compared to specialized HAs, I. INTRODUCTION VSNFs may have a significant impact on the performance Network security implemented by Telecommunication Ser- of the network and on the Quality of Service (QoS) level vice Providers (TSPs) has traditionally been based on the experienced by the users. The virtualization overhead, the deployment of specialized, closed, proprietary Hardware Ap- utilization level of the servers and the techniques adopted to pliances (HAs). Such HAs are inflexible in terms of function- implement the VSNFs are the most significant contributors to alities and placement in the network, which means that even the QoS degradation. arXiv:1901.01704v4 [cs.NI] 18 Mar 2021 slight changes in the security requirements generally necessi- We argue that, for a wide adoption of NSC and NFV tate manually intensive and time-consuming re-configuration technologies in network security, the provisioning strategies tasks, the replacement of existing HAs or the deployment of should take into account not only the security requirements, additional HAs. but also specific QoS needs of applications (a list of common The Network Function Virtualization (NFV) [1] initiative classes of applications is provided in Table I with their has been proposed as a possible solution to address the corresponding security and QoS requirements). Omitting the operational challenges and high costs of managing proprietary latter may lead, for instance, to a model that blindly forces HAs. The main idea behind NFV is to transform network all the user traffic to traverse the whole chain of VSNFs. functions (e.g. firewalls, intrusion detection systems etc.) based As a result, computationally demanding VSNFs such as IPSs on proprietary HAs, into software components (called Virtual may cause a noticeable performance degradation to latency- Network Functions (VNFs)) that can be deployed and executed sensitive applications (e.g. online games [5]) or bandwidth in virtual machines on commodity, high-performance servers. sensitive applications (e.g. video streaming). On the other By decoupling software from hardware, this approach allows hand, beyond the overall resource consumption and QoS re- any (security) network function to be deployed in any server quirements, the model must also take into account the specific Copyright (c) 2019 IEEE. Personal use is permitted. For any other purposes, permission must be obtained from the IEEE by emailing [email protected]. TABLE I SECURITY AND QOS REQUIREMENTS OF APPLICATIONS. Application class Description Related threats Relevant VSNF 1 QoS requirements Bandwidth: 10Mbps Closed Circuit TV (5 cameras, 720p, 15fps, Port scanning, DDoS Firewall, DPI, CCTV systems for video surveillance H.264, medium quality) password cracking IDS, IPS accessible remotely Latency: 200ms (PTZ2 two-way latency [2]) Email Electronic mail Malware, spam, phishing, data exfiltration DPI, Antispam, IDS, DLP – Instant messaging Real-time text-based Internet chat Malware, DDoS, phishing (out-of-band) DPI, Antispam, IDS, IPS – Audio/video content Bandwidth:3 5Mbps (HD) Media streaming Inappropriate content Parental control accessed over the Internet 25Mbps (UHD) Remote storage File transfer over the network Data exfiltration VPN, Data Encryption Bandwidth Network services Server application DDoS, SQL injection, Firewall, IDS, (DNS, VoD, file accessed by remote – remote code execution WAF, Honeypot sharing, WWW, SSH) client applications Video games played Online game cheating (out-of-band attacks) DPI, Antispam, Latency: 100ms Online gaming over the Internet DDoS (in-band attacks) IDS, IPS (first-person games [3]) Peer-to-peer File sharing over peer-to-peer networks DDoS, malware DPI, IDS, IPS – Video conferencing Real-time audio/video over the Internet DDoS Firewall, IPS Latency: 150ms [4] Applications for browsing Cross-site scripting, phishing, DPI, WAF, Web browsing Latency: 400ms [4] the World Wide Web malware, inappropriate content Parental control 1Acronyms of VSNFs: Deep Packet Inspection (DPI), Intrusion Detection System (IDS), Intrusion Prevention System (IPS), Data Loss/Leakage Prevention (DLP), Virtual Private Network (VPN), Web Application Firewall (WAF). 2PTZ: Pan, Tilt, Zoom. 3Netflix Internet connection speed recommendations. security best practices and policies. Omitting such aspects may community and in today’s market. result in the inappropriate placement of a firewall in the middle • A mathematical formulation for the progressive provi- of the network, thus allowing unauthorized traffic to reach sioning of security services (the PESS ILP model). With hosts that should be protected. respect to the ILP model presented in [6], this work In this paper, we present PESS (Progressive Embedding formulates the estimation of the processing delay based of Security Services), a novel approach to provision security on residual computing resources of the physical nodes, services by composing chains of VSNFs according to the and it formalizes the impact on the end-to-end latency of specific QoS needs of user applications and the security operational services when allocating computing resources policies defined by the TSP. TSP’s security policies (given as for new requests. an input to PESS) include: the kind of VSNFs (e.g., firewall, • A heuristic algorithm, called PESS heuristic, to obtain IPS, etc.) that should be deployed for a specific class of near-optimal solutions of the embedding problem in an applications, their order (e.g., firewall first, then IPS, etc.), acceptable time frame (in the order of a few milliseconds and more (e.g., a parental control should be installed close to even in large network scenarios). the user’s premises). • An evaluation of the heuristic’s performance in terms PESS defines an Integer Linear Programming (ILP) formu- of quality of the solutions (deviation from optimality) lation and a heuristic algorithm to tackle the provisioning prob- and scalability performed on

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    14 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us