Virtual Security Functions Research Articles

A Network Function Virtualization Architecture for Automatic and Efficient Detection and Mitigation against Web Application Malware

This paper proposes and implements a Network Function Virtualization (NFV) security architecture to provide automatic and efficient detection and mitigation against Web application malware. The mitigation is given by dynamically chaining a Virtual Security Function (VSF) to the data stream to block malicious exploitation traffic without affecting the benign traffic. We implement an NFV Security Controller (NFV-SC) that interacts with an Intrusion Detection System and a Web Application Firewall (WAF), both implemented as VSFs. We also implement a vulnerability scanner and a mechanism to automatically create rules in advance in the WAF-VSF when a security vulnerability is found in an application, even if no malicious traffic has attempted to exploit the flaw. In addition, it dynamically identifies and removes no longer used security rules to improve performance. We implement and evaluate our security proposal in the Open Platform for NFV (OPNFV). The evaluation results in our experimental scenarios show that the NFV security architecture automatically blocks 99.12% of the HTTP malicious traffic without affecting 93.6% of the benign HTTP requests. Finally, we show that the number of rules in the WAF-VSF severely affects the latency to load HTTP response headers and that the number of redirection OpenFlow rules within Open vSwitches is not enough to significantly impact the end-user experience in modern web browser applications.

Reliability Assurance Dynamic SSC Placement Using Reinforcement Learning

Software-defined networking (SDN) and network function virtualization (NFV) make a network programmable, resulting in a more flexible and agile network. An important and promising application for these two technologies is network security, where they can dynamically chain virtual security functions (VSFs), such as firewalls, intrusion detection systems, and intrusion prevention systems, and thus inspect, monitor, or filter traffic flows in cloud data center networks. In view of the strict delay constraints of security services and the high failure probability of VSFs, we propose the use of a security service chain (SSC) orchestration algorithm that is latency aware with reliability assurance (LARA). This algorithm includes an SSC orchestration module and VSF backup module. We first use a reinforcement learning (RL) based Q-learning algorithm to achieve efficient SSC orchestration and try to reduce the end-to-end delay of services. Then, we measure the importance of the physical nodes carrying the VSF instance and backup VSF according to the node importance of VSF. Extensive simulation results indicate that the LARA algorithm is more effective in reducing delay and ensuring reliability compared with other algorithms.

A Scalable Stateful Approach for Virtual Security Functions Orchestration

Previous works suggested different approaches to implementing service chaining. Their goal is to enhance the performance of the middleboxes and satisfy the expectations of the cloud providers and users. To meet these expectations, the delay factor, i.e., flow through the low-cost paths, as well as the best node processing factor, are considered. Achieving these two goals simultaneously turns the middlebox optimal placement into an NP-hard problem. Therefore, when the problem size is large, it is infeasible to obtain an optimal solution at a reasonable time. One of the important issues which has not been considered in the previous works is stateful optimal placement when receiving a new request. Due to resource constraints as well as financial costs for the customers, it is not possible to create functions for all requests. Therefore, not only it is possible to integrate the same network functions between new flows, but it will also be examined between new on-demand network functions as well as existing ones. Our proposed approach not only reduces the creation of network functions that can be cost-effective for the customer but also because of the migration of previous network functions (integration with on-demand network functions) to optimize new requests, overall, it will optimize the entire network cost over time. We formulated the problem as 0-1 programming problem. The results of this article are based on a fat-tree data center. To show that our stateful solution is scalable in large networks, we use network zoning and topology partitioning heuristics. Our simulations show that we were able to scale our placement model to a network with 54K nodes and 1.5M edges.

Design and Implementation of Virtual Security Function Based on Multiple Enclaves

Network function virtualization (NFV) provides flexible and scalable network function for the emerging platform, such as the cloud computing, edge computing, and IoT platforms, while it faces more security challenges, such as tampering with network policies and leaking sensitive processing states, due to running in a shared open environment and lacking the protection of proprietary hardware. Currently, Intel® Software Guard Extensions (SGX) provides a promising way to build a secure and trusted VNF (virtual network function) by isolating VNF or sensitive data into an enclave. However, directly placing multiple VNFs in a single enclave will lose the scalability advantage of NFV. This paper combines SGX and click technology to design the virtual security function architecture based on multiple enclaves. In our design, the sensitive modules of a VNF are put into different enclaves and communicate by local attestation. The system can freely combine these modules according to user requirements, and increase the scalability of the system while protecting its running state security. In addition, we design a new hot-swapping scheme to enable the system to dynamically modify the configuration function at runtime, so that the original VNFs do not need to stop when the function of VNFs is modified. We implement an IDS (intrusion detection system) based on our architecture to verify the feasibility of our system and evaluate its performance. The results show that the overhead introduced by the system architecture is within an acceptable range.

Energy-efficient virtual security function placement in NFV-enabled networks

In network functions virtualization (NFV) environments, network security is provided with the deployment of virtual security functions (VSF) on general-purpose servers to filter and monitor the incoming traffic. However, the traffic handled by VSFs may have different security requirements in a network. On the other hand, there are some operational objectives that differ according to the needs of the network such as minimizing cost, latency, and energy consumption etc. Therefore, the issue of placing VSFs considering both security requirements and operational objectives is an important research challenge. In this paper, we tackle the problem of energy-efficient VSF placement (EE-VSFP) to minimize energy consumption while meeting flow-level security requirements as well as resource constraints. We develop an integer linear programming (ILP) model for this problem to minimize server energy consumption, and also propose a novel heuristic algorithm to solve the problem for larger scale network instances within practical time limits. Evaluation results show that our heuristic reduces energy consumption by up to 48 % compared to baseline placement solutions. In addition, we demonstrate that in most cases our heuristic can provide optimal solutions while running much faster than the ILP, and drastically reduces the average flow path length by up to 53 % compared to the ILP.

S-Blocks: Lightweight and Trusted Virtual Security Function With SGX

Despite the advantages of scalability and flexibility, Security Function Virtualization (SFV) raises concerns about its own security. To enhance the security of SFV, a promising approach is to run critical components of off-the-shelf security software inside SGX enclaves. This idea, however, is hardly practical due to the difficulty of detaching components from the monolithic security function and the unacceptable cost of running them in enclaves. In this work, we propose S-Blocks, an architecture to modularize a virtual security function (VSF) and protect its key modules with SGX in an efficient manner. Through systematically decomposing modules of a VSF into related elements, it is easy to put the key modules and elements of the VSF into an enclave. Furthermore, aiming at addressing state consistency and secure migration issues of security function scaling, we design a fine-grained state synchronization and migration mechanism to ensure lose-free, order-preserving, and state security for VSFs. To demonstrate the effectiveness of our approach, we prototype S-Blocks using Fast-Click on a real Skylake platform and implement three main types of virtual security functions based on the S-Blocks architecture. Our evaluation results show that S-Blocks only imposes a manageable performance overhead, and low latency and resource consumption when protecting VSFs.

SDN/NFV-Based Security Service Function Tree for Cloud

Network security for cloud computing is very important. Service function chain (SFC) that integrates software defined network (SDN) and network function virtualization (NFV) can provide a new approach for solving the network security issues for cloud computing. In this paper, we combine multiple SFCs into a security service function tree (or SecSFT, for short) to reduce requirement for resources in allocating virtual security functions. According to the idea of decision tree used for classification, we assign decision rules and detection rules to the nodes of the SecSFT so that they can identify and split suspicious flows from the mixed traffic and detect/prevent intrusions in the suspicious ones. The nodes of the SecSFT implement various virtualized functions including security-related network functions (e.g., load balancing, and traffic shaping), network security functions (e.g., intrusion detection, firewall), and virtualized network security hardware. Finally, we build a SecSFT in an experiment cloud and test and validate its security services in detection and mitigation of network attacks.

Virtual Security Functions and Their Placement in Software Defined Networks: A Survey

Software Defined Networking (SDN) and Network Functions Virtualization (NFV) are two important technologies gaining prominence thanks to their benefits for improving the flexibility and cost efficiency in networks. These technologies have been utilized extensively for providing new age security solutions in recent years. Through the use of SDN and NFV, network security functions are virtualized and deployed in a hardware-independent manner, thus reducing costs as well as enabling faster innovations and developments. Functions virtualized with NFV such as firewall, deep packet inspection, intrusion detection systems etc. can reside as applications in the SDN architecture. The issue of where to place these functions in the network is an important problem discussed in the literature. When placing these functions, objectives such as efficient use of network resources, energy consumption, cost, network load, delay etc. must be considered for each function, in addition to ensuring that network security requirements are met. This paper provides a critical survey on the placement of virtualized network security functions in software defined networks and identifies open problems in this field. We briefly describe SDN and NFV technologies, touch upon the relationship between them, exemplify and review the most common virtual security functions in SDN. We also examine and compare the studies on the optimal placement of virtual security functions. Finally, we identify several open research challenges in this area and suggest potential future directions to be considered by researchers.

Enabling Virtual AAA Management in SDN-Based IoT Networks †.

The increase of Software Defined Networks (SDN) and Network Function Virtualization (NFV) technologies is bringing many security management benefits that can be exploited at the edge of Internet of Things (IoT) networks to deal with cyber-threats. In this sense, this paper presents and evaluates a novel policy-based and cyber-situational awareness security framework for continuous and dynamic management of Authentication, Authorization, Accounting (AAA) as well as Channel Protection virtual security functions in IoT networks enabled with SDN/NFV. The virtual AAA, including network authenticators, are deployed as VNF (Virtual Network Function) dynamically at the edge, in order to enable scalable device’s bootstrapping and managing the access control of IoT devices to the network. In addition, our solution allows distributing dynamically the necessary crypto-keys for IoT Machine to Machine (M2M) communications and deploy virtual Channel-protection proxys as VNFs, with the aim of establishing secure tunnels among IoT devices and services, according to the contextual decisions inferred by the cognitive framework. The solution has been implemented and evaluated, demonstrating its feasibility to manage dynamically AAA and channel protection in SDN/NFV-enabled IoT scenarios.