Abeer Ali, Dimitrios Pezaros, Christos Anagnostopoulos 
On the Optimality of Virtualized Security Function Placement in Multi-Tenant Data Centers
Abeer Ali, Dimitrios Pezaros, Christos Anagnostopoulos
School of Computing Science, University of Glasgow
IEEE ICC'18, Kansas City, United States

Outline
Background
Proposed system
ILP formalization
Evaluation

Network Security Systems

Hardware-based middleboxes:
Fixed allocation
Centralized and monolithic systems
Limited extent of functionality
Vendor lock-in
Expensive

Software-based middleboxes (SDN and VNF):
Rapid and flexible deployment
Scalable resources
Allow extension of functionality
No vendor lock-in
Inexpensive compared to hardware

Security services in Amazon AWS, a multi-tenant virtualized infrastructure:
2015: AWS WAF (Web Application Firewall)
Dec 2016: AWS Shield (DDoS protection service)
Nov 2017: Amazon GuardDuty (intelligent threat detection)

Management of virtualized security services in a multi-tenant infrastructure

Provided and managed by the infrastructure provider
Services allow user access for customizing and tuning
Services are allocated, deployed and monitored by the infrastructure provider
Target: efficient management of the infrastructure resources to maximize profit

We propose an allocation strategy for virtualized security services on the network infrastructure:
Provide customized security services in multi-tenant infrastructures against outsider attacks
Efficient management of the infrastructure resources
Applies not only to security functions but to all services

Proposed system

Related problems: VM placement, softwarized middlebox or VNF placement

Proposed approach:
Designed for security network functions, which have special constraints
Deployment locations are co-located with the network switches
Minimize the overhead caused by the functions and maintain efficient management of the infrastructure resources
Distributed approach (where possible); much related work retains the centralized, monolithic deployment model of hardware middleboxes

Security Functions: Equivalence Classes

Stateless (duplicated instances): stateless firewalls, signature-based IDS, deep packet inspection (DPI). Examples: ZoneAlarm, Snort, Suricata
Stateful (single-instance allocation): anomaly-based IDS and IPS. Examples: change-point detection, entropy-based detectors, classifiers

Implementation

Allocation of the two equivalence classes in a k=4 fat-tree data centre
We implement the placement as an optimization problem with two objectives:
Maximize the resource allocation ratio
Maximize residual resources
[Presenter note: careful here: does the optimization function really have two objectives, or does the one follow from the other?]

Resource-Aware Static Placement

An instance of the variable-size, variable-cost bin packing problem, which is NP-hard (no known polynomial-time solution)
Modeled as an ILP problem
Objective: maximize residual resources

Greedy algorithm

Best Fit Decreasing (BFD) algorithm for security functions: a polynomial-time heuristic
Requested functions are sorted in decreasing order of resource consumption
Each is allocated to its best-fit location: the location that results in the least increase in resource consumption
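The BFD heuristic above, together with the two equivalence classes (stateless functions duplicated, stateful functions allocated as a single instance) and switch-co-located deployment locations, as an added worked example. This is illustration code written for this page, not the authors' implementation. Everything beyond what the slides state is assumed: the per-location capacity and cost weights, the rule that a stateless function gets one instance at an edge switch of every pod hosting the tenant's VMs, and the constructed request set.

```python
"""Best Fit Decreasing (BFD) placement of virtualized security functions onto
locations co-located with the switches of a k-ary fat-tree.

Added illustration, not the authors' code.  Assumed (not from the slides):
the per-location capacity/cost model, the duplication rule for stateless
functions (one instance at an edge switch of every pod hosting the tenant's
VMs), and the constructed request set.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Location:
    name: str                 # switch this location is co-located with
    layer: str                # "core", "agg" or "edge"
    pod: Optional[int]        # None for core switches
    capacity: float           # assumed resource units (e.g. vCPUs)
    cost: float               # assumed cost weight per unit consumed here
    used: float = 0.0
    instances: List[int] = field(default_factory=list)

    @property
    def residual(self) -> float:
        return self.capacity - self.used


@dataclass(frozen=True)
class Request:
    rid: int
    stateful: bool            # stateful -> single instance; stateless -> duplicated
    demand: float             # resource consumption of one instance
    pods: Tuple[int, ...]     # pods hosting the requesting tenant's VMs


def fat_tree_locations(k: int, capacity: float,
                       core_cost=1.0, agg_cost=1.2, edge_cost=1.5) -> List[Location]:
    """One location per switch: k^2/4 core, k^2/2 aggregation, k^2/2 edge."""
    locs = [Location(f"core{i}", "core", None, capacity, core_cost)
            for i in range(k * k // 4)]
    for pod in range(k):
        for i in range(k // 2):
            locs.append(Location(f"agg{pod}_{i}", "agg", pod, capacity, agg_cost))
            locs.append(Location(f"edge{pod}_{i}", "edge", pod, capacity, edge_cost))
    return locs


def best_fit(candidates: List[Location], demand: float) -> Optional[Location]:
    """Feasible location with the least increase in (cost-weighted) consumption;
    ties broken by tightest fit, i.e. smallest residual after placement."""
    feasible = [loc for loc in candidates if loc.residual >= demand]
    if not feasible:
        return None
    return min(feasible, key=lambda loc: (demand * loc.cost, loc.residual - demand))


def place_bfd(requests: List[Request], locations: List[Location]) -> List[int]:
    """Sort by decreasing demand, then place each request atomically."""
    placed = []
    for req in sorted(requests, key=lambda r: r.demand, reverse=True):
        if req.stateful:
            # single instance anywhere: all of the tenant's traffic is steered through it
            targets = [best_fit(locations, req.demand)]
        else:
            # duplicated instances: one per pod, at that pod's best-fitting edge switch
            targets = [best_fit([l for l in locations if l.layer == "edge" and l.pod == pod],
                                req.demand) for pod in req.pods]
        if any(t is None for t in targets):
            continue                      # reject rather than partially deploy
        for t in targets:
            t.used += req.demand
            t.instances.append(req.rid)
        placed.append(req.rid)
    return placed


def placement_ratio(placed: List[int], requests: List[Request]) -> float:
    return len(placed) / len(requests)


def residual_resources(locations: List[Location]) -> float:
    return sum(l.residual for l in locations) / sum(l.capacity for l in locations)


# Constructed request set for a k=4 fat-tree with capacity 10 per location.
SAMPLE_REQUESTS = [
    Request(0, stateful=True,  demand=4,  pods=(0, 1)),
    Request(1, stateful=False, demand=3,  pods=(0, 1)),
    Request(2, stateful=False, demand=6,  pods=(2,)),
    Request(3, stateful=True,  demand=2,  pods=(2,)),
    Request(4, stateful=True,  demand=12, pods=(3,)),   # exceeds any single location
    Request(5, stateful=False, demand=5,  pods=(0, 3)),
]


def run_example(k: int = 4, capacity: float = 10.0):
    locations = fat_tree_locations(k, capacity)
    placed = place_bfd(SAMPLE_REQUESTS, locations)
    return placed, placement_ratio(placed, SAMPLE_REQUESTS), residual_resources(locations), locations


if __name__ == "__main__":
    placed, pr, rs, locs = run_example()
    print(f"placed {placed}  PR={pr:.3f}  RS={rs:.3f}")
    for loc in locs:
        if loc.instances:
            print(f"  {loc.name:8s} used {loc.used:4.1f}/{loc.capacity:4.1f} hosts {loc.instances}")
```

Two design points worth noting. First, the request that cannot fit anywhere is rejected in full rather than partially deployed, which is what keeps Placement Ratio meaningful: a stateless function with an instance missing in one pod would leave that pod's traffic uninspected. Second, because cost weights favour core switches, stateful single-instance functions gravitate to the core while stateless duplicates stay at the edge, so the two metrics (PR and RS) move independently and the heuristic can be compared against the ILP optimum on both.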

Evaluation

Simulator-based; metrics: Placement Ratio (PR) and Residual Resources (RS)
Results shown for k=8, p=20

Scalability of the BFD algorithm

k=4, 6, 8, 10 and 12 with p=20
p=5, 10, 15, 20, 25, 30 and 50
Metrics: Placement Ratio (PR) and Residual Resources (RS)

Thank you. https://netlab.dcs.gla.ac.uk/