Abstract
Security functions are usually deployed on proprietary hardware, which makes the delivery of security service inflexible and of high cost. Emerging technologies such as software-defined networking and network function virtualization go in the direction of executing functions as software components in virtual machines or containers provisioned in standard hardware resources. They enable network to provide customized security service by deploying Security Service Chain (SSC), which refers to steering flow through multiple security functions in a particular order specified by individual user or application. However, SSC Deployment Problem (SSC-DP) needs to be solved. It is a challenging problem for various reasons, such as the heterogeneity of instances in terms of service capacity and resource demand. In this paper, we propose an SSC-based approach to deliver security service to users without worrying about physical locations of security functions. For SSC-DP, we present a three-phase method to solve it while optimizing network and security resource allocation. The presented method allows network to serve a large number of flows and minimizes the latency seen by flows. Comparative experiments on the fat-tree and Waxman topologies show that our method performs better than other heuristics under a wide range of network conditions.
Highlights
Today’s security service delivery approach is limited in dynamics, flexibility, scalability, and efficient resource utilization
Security services are configured in static and inflexible ways, such as deploying hardware firewall and IDS in the key position of network. They are coupled with the underlying physical topology [1], making it difficult to deliver customized security services according to user requirements and network constraints
By combining the advantages of those two methods, we propose that a mapping procedure considers both resource fragmentation and security service latency throughout the mapping process
Summary
Today’s security service delivery approach is limited in dynamics, flexibility, scalability, and efficient resource utilization. Security services are configured in static and inflexible ways, such as deploying hardware firewall and IDS in the key position of network. They are coupled with the underlying physical topology [1], making it difficult to deliver customized security services according to user requirements and network constraints. Reconfiguring existing security service requires time-intensive manual operations, making the approach often inflexible and hard to cope with changeable requirements. There is a serious waste of security resources. It is inefficient for flows from multiusers or multibusinesses to share hardware-based security devices since their positions are fixed. Security devices need to work at full capacity so as to serve incoming flows, especially burst flows in time
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
