Analytical Model for Elastic Scaling of Cloud-Based Firewalls

This paper shows how to properly achieve elasticity for network firewalls deployed in a cloud environment. Elasticity is the ability to adapt to workload changes by provisioning and de-provisioning resources in an autonomic manner, such that at each point in time the available resources match the current demand as closely as possible. Elasticity for cloud-based firewalls aims to satisfy an agreed-upon performance measure using only the minimal number of cloud firewall instances. Our contribution lies in determining the number of firewall instances that should be dynamically adjusted in accordance with the incoming traffic load and the targeted rules within the firewall rulebase. To do so, we develop an analytical model based on the principles of Markov chains and queueing theory. The model captures the behavior of a cloud-based firewall service comprising a load balancer and a variable number of virtual firewalls. From the analytical model, we then derive closed-form formulas to determine the minimal number of virtual firewalls required to meet the response time specified in the service level agreement. The model takes as input key system parameters, including the workload, the processing capacity of the load balancer and of the virtual machines, and the depth of the targeted firewall rules. We validate our model using discrete-event simulation and real-world experiments conducted on the Amazon Web Services cloud. We also provide numerical examples to show how our model can be used in practice by cloud performance and security engineers to achieve proper elasticity under fluctuating traffic load and variable depth of targeted firewall rules.
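To make the sizing question concrete, the following added example (not the paper's own model or formulas) computes the minimal number of firewall VMs for a target SLA response time using a simplified stand-in: the load balancer and each firewall VM are treated as independent M/M/1 queues, the balancer splits traffic evenly, and the per-packet service time of a firewall VM is assumed to grow linearly with the depth of the targeted rule. The parameter values, the linear cost model and the closed-form bound are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass


@dataclass
class FirewallService:
    """Assumed tandem M/M/1 model: load balancer -> one of n firewall VMs."""
    lam: float        # offered load, packets/s
    mu_lb: float      # load balancer service rate, packets/s
    base_cost: float  # fixed per-packet cost in a firewall VM, seconds
    rule_cost: float  # extra cost per rule examined, seconds (assumed linear)
    depth: int        # depth of the targeted rule in the rulebase

    def mu_fw(self) -> float:
        """Per-VM service rate: packets/s, falling as rule depth grows."""
        return 1.0 / (self.base_cost + self.depth * self.rule_cost)

    def response_time(self, n: int):
        """Mean end-to-end response time with n VMs; None if any queue is unstable."""
        share = self.lam / n  # even split by the load balancer
        if self.lam >= self.mu_lb or share >= self.mu_fw():
            return None
        return 1.0 / (self.mu_lb - self.lam) + 1.0 / (self.mu_fw() - share)

    def min_instances(self, t_sla: float):
        """Closed-form minimal n with response_time(n) <= t_sla, or None.

        From 1/(mu_fw - lam/n) <= t_sla - T_lb  =>  n >= lam / (mu_fw - 1/budget).
        """
        if self.lam >= self.mu_lb:
            return None  # balancer itself saturates; no number of VMs helps
        budget = t_sla - 1.0 / (self.mu_lb - self.lam)  # time left for the VMs
        if budget <= 0 or self.mu_fw() <= 1.0 / budget:
            return None  # SLA unreachable even with an idle VM
        return math.ceil(self.lam / (self.mu_fw() - 1.0 / budget))

    def min_instances_search(self, t_sla: float, n_max: int = 10_000):
        """Brute-force cross-check of the closed form (guards float rounding)."""
        for n in range(1, n_max + 1):
            t = self.response_time(n)
            if t is not None and t <= t_sla:
                return n
        return None


if __name__ == "__main__":
    # Constructed sample: 40 kpps load, 100 kpps balancer, 10 us + 50 ns/rule.
    for depth in (500, 1500):
        svc = FirewallService(40_000, 100_000, 10e-6, 50e-9, depth)
        print(depth, svc.min_instances(200e-6), svc.min_instances_search(200e-6))
```

The cross-check function exists because the closed form is evaluated in floating point and can land on an integer boundary; in an autoscaler the two should agree before the result drives provisioning.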
