Abstract

The extensive use of cloud services and newly evolved security threats have led most cloud service providers to deploy a variety of security devices, such as firewalls, Internet Protocol Security, and intrusion detection systems, to control resource access based on the security requirements of the data center. As a result, security requirements are becoming more fine-grained: access control depends on heterogeneous isolation levels such as network traffic filtering, Internet Protocol Security encryption-based traffic forwarding, and payload inspection. Today, however, cloud service providers are looking to harden security systematically by incorporating multiple security devices in the network in a cost-effective way. This requires evaluating several alternative security architectures to satisfy both organizational security requirements and business constraints. In this paper, we present an automated framework that synthesizes data center security configurations by exploring various security design alternatives to provide better defense in depth for the cloud infrastructure. The main design alternatives use different patterns of isolation for different segments of the cloud infrastructure. In this work, we take a dummy data center topology, the cloud service provider's security requirements (connectivity and isolation), and business constraints (usability and cost) as input, and synthesize a correct and optimal data center security strategy by determining the optimal placement of different security devices in the data center.
