A promising area of application for Network Function Virtualization (NFV) is in network security, where chains of Virtual Security Network Functions (VSNFs), i.e., security-specific virtual functions such as firewalls or Intrusion Prevention Systems, can be dynamically created and configured to inspect, filter or monitor the network traffic. However, the traffic handled by VSNFs could be sensitive to specific network requirements, such as minimum bandwidth or maximum end-To-end latency. Therefore, the decision on which VSNFs should apply for a given application, where to place them and how to connect them, should take such requirements into consideration. Otherwise, security services could affect the quality of service experienced by customers. In this paper, we propose PESS (Progressive Embedding of Security Services), a solution to efficiently deploy chains of virtualised security functions based on the security requirements of individual applications and operators' policies, while optimizing resource utilization. We provide the PESS mathematical model and heuristic solution. Simulation results show that, compared to state-of-The-Art application-Agnostic VSNF provisioning models, PESS reduces computational resource utilization by up to 50%, in different network scenarios. This result ultimately leads to a higher number of provisioned security services and to up to a 40% reduction in end-To-end latency of application traffic.
Doriguzzi-Corin, R., Scott-Hayward, S., Siracusa, D., Savi, M., Salvadori, E. (2020). Dynamic and Application-Aware Provisioning of Chained Virtual Security Network Functions. IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, 17(1), 294-307 [10.1109/TNSM.2019.2941128].
Dynamic and Application-Aware Provisioning of Chained Virtual Security Network Functions
Savi Marco;
2020
Abstract
A promising area of application for Network Function Virtualization (NFV) is in network security, where chains of Virtual Security Network Functions (VSNFs), i.e., security-specific virtual functions such as firewalls or Intrusion Prevention Systems, can be dynamically created and configured to inspect, filter or monitor the network traffic. However, the traffic handled by VSNFs could be sensitive to specific network requirements, such as minimum bandwidth or maximum end-To-end latency. Therefore, the decision on which VSNFs should apply for a given application, where to place them and how to connect them, should take such requirements into consideration. Otherwise, security services could affect the quality of service experienced by customers. In this paper, we propose PESS (Progressive Embedding of Security Services), a solution to efficiently deploy chains of virtualised security functions based on the security requirements of individual applications and operators' policies, while optimizing resource utilization. We provide the PESS mathematical model and heuristic solution. Simulation results show that, compared to state-of-The-Art application-Agnostic VSNF provisioning models, PESS reduces computational resource utilization by up to 50%, in different network scenarios. This result ultimately leads to a higher number of provisioned security services and to up to a 40% reduction in end-To-end latency of application traffic.
| File | Dimensione | Formato | |
|---|---|---|---|
|
Doriguzzi-Corin-2020-IEEE Trans Netw Srvice Manag-AAM.pdf
accesso aperto
Tipologia di allegato:
Author’s Accepted Manuscript, AAM (Post-print)
Licenza:
Altro
Dimensione
617.91 kB
Formato
Adobe PDF
|
617.91 kB | Adobe PDF | Visualizza/Apri |
|
Doriguzzi-Corin-2020-IEEE Trans Netw Srvice Manag-VoR.pdf
Solo gestori archivio
Tipologia di allegato:
Publisher’s Version (Version of Record, VoR)
Licenza:
Tutti i diritti riservati
Dimensione
1.73 MB
Formato
Adobe PDF
|
1.73 MB | Adobe PDF | Visualizza/Apri Richiedi una copia |
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
