Poster: On the Safety and Efficiency of Virtual Firewall Elasticity Control

Firewalls have typically been used to enforce network access control. Network Functions Virtualization (NFV) envisions implementing the firewall function as a software instance (a.k.a. a virtual firewall). Virtual firewalls provide great flexibility and elasticity, which are necessary to protect virtualized environments. In this poster, we propose an innovative virtual firewall controller, VFW Controller, which enables safe, efficient and cost-effective virtual firewall elasticity control. In addition, we implement the core components of VFW Controller on top of NFV and SDN environments. Our experimental results demonstrate that VFW Controller is efficient in providing safe elasticity control of virtual firewalls.
