An analytical model to achieve elasticity for cloud-based firewalls

Elasticity for cloud-based services and applications has been studied in the literature to some extent, but a thorough study of elasticity for cloud-based firewalls is still lacking. This paper proposes an architectural framework for an elastic virtual firewall service deployed at cloud datacenters, and presents an analytical model, based on a Markov chain and queueing theory, that can be used to achieve elasticity for such firewalls. In particular, the model captures the behavior of a cloud-based firewall service comprising a load balancer and a variable number of virtual firewalls. From the analytical model, we derive closed-form formulas that estimate the minimal number of virtual firewalls required to satisfy a given SLA response time. The model takes as input the key system parameters: the offered workload, the processing capacity of the load balancer and of the virtual machines, and the cost of firewall rulebase interrogation.
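The abstract does not reproduce the paper's Markov chain or its closed-form formulas, so the following is an added example, not the authors' model. It assumes the simplest queueing abstraction of the described architecture: the load balancer is an M/M/1 queue fed by the whole packet stream at rate `lam`, traffic is split evenly over `n` virtual firewalls that are each an M/M/1 queue, and a firewall's per-packet service time grows linearly with rulebase size (a full sequential rulebase interrogation). Under those assumptions the minimal `n` for a mean response-time SLA has a closed form, which the block derives and checks against a brute-force search. All function names, parameter values and the linear rulebase-cost model are assumptions for illustration.

```python
"""Elastic virtual-firewall sizing under an assumed M/M/1 tandem model.

Model (assumed, not the paper's): load balancer = M/M/1 at rate lam,
n firewalls = n independent M/M/1 queues each receiving lam / n.
Mean end-to-end response time:
    T(n) = 1/(mu_lb - lam) + 1/(mu_fw - lam/n)
Closed form for the SLA T(n) <= T_sla (derived below):
    slack = T_sla - 1/(mu_lb - lam)
    n >= lam / (mu_fw - 1/slack)        (requires mu_fw > 1/slack)
"""
import math


def mm1_response_time(lam, mu):
    """Mean sojourn time of an M/M/1 queue; infinite if the queue is unstable."""
    if lam >= mu:
        return math.inf
    return 1.0 / (mu - lam)


def firewall_service_rate(base_rate_pps, rulebase_size, per_rule_cost_s):
    """Assumed service model: fixed per-packet cost plus a linear scan of the
    rulebase (worst case: every rule is interrogated before a match)."""
    service_time = 1.0 / base_rate_pps + rulebase_size * per_rule_cost_s
    return 1.0 / service_time


def mean_response_time(lam, mu_lb, mu_fw, n):
    """Load balancer delay plus delay at one of n evenly loaded firewalls."""
    return mm1_response_time(lam, mu_lb) + mm1_response_time(lam / n, mu_fw)


def min_firewalls_closed_form(lam, mu_lb, mu_fw, sla_s):
    """Smallest n with T(n) <= sla_s, or None if no n can satisfy the SLA.

    Derivation: 1/(mu_fw - lam/n) <= slack  <=>  mu_fw - lam/n >= 1/slack
                <=>  n >= lam / (mu_fw - 1/slack).
    """
    t_lb = mm1_response_time(lam, mu_lb)
    slack = sla_s - t_lb
    if slack <= 0:                     # LB alone already violates (or is saturated)
        return None
    headroom = mu_fw - 1.0 / slack     # per-firewall rate left after SLA budget
    if headroom <= 0:                  # even an unloaded firewall is too slow
        return None
    return math.ceil(lam / headroom)


def min_firewalls_search(lam, mu_lb, mu_fw, sla_s, n_max=1000):
    """Brute-force reference used to validate the closed form."""
    for n in range(1, n_max + 1):
        if mean_response_time(lam, mu_lb, mu_fw, n) <= sla_s:
            return n
    return None


def sizing_report(lam, mu_lb, mu_fw, sla_s):
    """Return (n_closed_form, n_search, T(n)) for a given operating point."""
    n_cf = min_firewalls_closed_form(lam, mu_lb, mu_fw, sla_s)
    n_bf = min_firewalls_search(lam, mu_lb, mu_fw, sla_s)
    t = mean_response_time(lam, mu_lb, mu_fw, n_cf) if n_cf else math.inf
    return n_cf, n_bf, t


if __name__ == "__main__":
    # Constructed operating point (assumed values, not measurements):
    LAM = 40_000          # offered workload, packets/s
    MU_LB = 100_000       # load balancer capacity, packets/s
    MU_FW = firewall_service_rate(50_000, 2_000, 1e-8)   # -> 25 000 packets/s
    SLA = 200e-6          # 200 microseconds mean response time
    n_cf, n_bf, t = sizing_report(LAM, MU_LB, MU_FW, SLA)
    print(f"closed form: n={n_cf}, search: n={n_bf}, T(n)={t * 1e6:.1f} us")
```

The closed form exposes the two failure modes a scaler must treat separately: when the load balancer alone exceeds the SLA budget, or when a single firewall's service rate is below `1/slack`, no number of firewalls helps and the only fix is a faster load balancer or a cheaper rulebase interrogation, not more instances.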
