论文信息 - Optimal placement of sequentially ordered virtual security appliances in the cloud

Optimal placement of sequentially ordered virtual security appliances in the cloud

Traditional enterprise network security is based on the deployment of security appliances placed on some specific locations filtering, monitoring the traffic going through them. In this perspective, security appliances are chained in specific order to perform different security functions on the traffic. In the cloud, the same approach is often adopted using virtual security appliances to protect traffic for different virtual applications with the challenge of dealing with the flexible and elastic nature of the cloud. In this paper, we investigate the problem of placing virtual security appliances within the data center in order to minimize network latency and computing costs for security functions while maintaining the required sequential order of traversing virtual security appliances. We propose a new algorithm computing the best place to deploy these virtual security appliances in the data center. We further integrated our placement algorithm in an open source cloud framework, i.e. Openstack, in our test laboratory. The preliminary results show that we are placing the virtual security appliances in the required sequential order while improving the efficiency compared to the current default placement algorithm in Openstack.

[1] Vyas Sekar,et al. Design and Implementation of a Consolidated Middlebox Architecture , 2012, NSDI.

[2] Sang-Heon Lee,et al. The multiple traveling purchaser problem , 2010, The 40th International Conference on Computers & Indutrial Engineering.

[3] Vinod Yegneswaran,et al. AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks , 2013, CCS.

[4] Andrew Warfield,et al. Split/Merge: System Support for Elastic Execution in Virtual Middleboxes , 2013, NSDI.

[5] Mathieu Bouet,et al. Cost-Based Placement of Virtualized Deep Packet Inspection Functions in SDN , 2013, MILCOM 2013 - 2013 IEEE Military Communications Conference.

[6] Minlan Yu,et al. SIMPLE-fying middlebox policy enforcement using SDN , 2013, SIGCOMM.

[7] Minlan Yu,et al. FlowTags: enforcing network-wide policies in the presence of dynamic middlebox actions , 2013, HotSDN '13.

[8] Ion Stoica,et al. A policy-aware switching layer for data centers , 2008, SIGCOMM '08.

[9] Ana Paias,et al. Models for a traveling purchaser problem with additional side-constraints , 2011, Comput. Oper. Res..