Presentation is loading. Please wait.

Presentation is loading. Please wait.

Abeer Ali, Dimitrios Pezaros, Christos Anagnostopoulos 

Published byFranck Boisvert Modified over 6 years ago

Similar presentations

Presentation on theme: "Abeer Ali, Dimitrios Pezaros, Christos Anagnostopoulos "— Presentation transcript:

1 On the Optimality of Virtualized Security Function Placement in Multi-Tenant Data Centers
Abeer Ali, Dimitrios Pezaros, Christos Anagnostopoulos  School of Computing Science, University of Glasgow  IEEE City, United States

2 Outline Background Proposed system ILP formalization Evaluation

3 Network Security Systems
Fixed allocation Centralized & Monolithic systems Limited extent of functionality Vendor lock-in Expensive Hardware-based Middleboxes Software-based Middleboxes ​ Rapid and Flexible deployment Scalable resources Allow extension of functionality No Vendor lock-in Inexpensive compared to HW SDN and VNF Security Services in Amazon’s AWS Multitenant virtualized infrastructures (2015) Firewall web application(WAF) Dec 2016 AWS Shield  (DDoS protection services) Nov 2017 GuardDuty   (Intelligent threat detection)

4 Management of Virtualized security services in Multitenant infrastructure
Provided and managed by the infrastructure provider Services allow user access for customizing and tuning Services are allocated, deployed and monitored by the infrastructure provider  Target efficient management of the infrastructure resources to max. profit We propose an allocation strategy for virtualized security services on the network Infrastructure Provide customized security services in multitenant infrastructures against outsider attacks Efficient management of the infrastructure resources Not only apply to security but all services

5 Proposed system VM Placement, Softwarized middleboxes or VNF placement
Proposed approach Designed for Security NF   Special constraints of security functions Deployment locations is collected with the network switches  Minimize the overhead caused by the functions and maintain efficient management of the infrastructure resources Distributed approach (if possible) Many related work maintained the centralized, monolithic deployment of hardware middleboxes

6 Security Functions Equivalence Classes
Stateless Firewalls Signature based (IDS) Deep packet Inspection(DPI) Examples: ZoneAlarm, Snort, Suricata Stateful Anomaly based IDS,IPS Examples: Change_point Detection, Entropy and Classifiers Duplicated instances Single instance Allocation

7 Implementation Allocation of the two equivalence classes in k=4 fat-tree datacentre careful here: does the optimization funciton really have two objectives, or does the one follow from the other? We implement the Placement as an optimization problem  Two objectives Max Resources Allocation ratio Max Residual Resources

8 Resource-Aware Static Placement
Instance of variable size variable cost bin packing problem No polynomial time solution Modeled as ILP problem Objective is to Max Residual Resources

9 Greedy algorithm Best Fit Decreasing (BFD) algorithm for security functions  Polynomial time solution Functions requested are sorted in a decreasing order based on resource consumption Allocated to best fit location Location which results in the least increase in resource consumption.

10 Residual Resources (RS)
Evaluation Simulator Placement Ratio (PR) Residual Resources (RS) K=8 p=20

11 Scalability of BFD Algorithm
K=4,6,8,10 and 12 ,p=20 p=5,10,15,20,25,30 and 50 Placement Ratio (PR) Residual Resources (RS)

12 Thank you. https://netlab.dcs.gla.ac.uk/

Download ppt "Abeer Ali, Dimitrios Pezaros, Christos Anagnostopoulos "

Similar presentations

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.
Virtualization of Fixed Network Functions on the Oracle Fabric Krishna Srinivasan Director, Product Management Oracle Networking Savi Venkatachalapathy.

Virtualization of Fixed Network Functions on the Oracle Fabric Krishna Srinivasan Director, Product Management Oracle Networking Savi Venkatachalapathy.
Making Cellular Networks Scalable and Flexible Li Erran Li Bell Labs, Alcatel-Lucent Joint work with collaborators at university of Michigan, Princeton,

Making Cellular Networks Scalable and Flexible Li Erran Li Bell Labs, Alcatel-Lucent Joint work with collaborators at university of Michigan, Princeton,
Beneficial Caching in Mobile Ad Hoc Networks Bin Tang, Samir Das, Himanshu Gupta Computer Science Department Stony Brook University.

Beneficial Caching in Mobile Ad Hoc Networks Bin Tang, Samir Das, Himanshu Gupta Computer Science Department Stony Brook University.
An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.

An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.
The Middlebox Manifesto: Enabling Innovation in Middlebox Deployment 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.

The Middlebox Manifesto: Enabling Innovation in Middlebox Deployment 1 Vyas SekarSylvia RatnasamyMichael ReiterNorbert Egi Guangyu Shi.
Intrusion Detection System Marmagna Desai [ 520 Presentation]

Intrusion Detection System Marmagna Desai [ 520 Presentation]
Computer Science 1 Research on Sensor Network Security Peng Ning Cyber Defense Laboratory Department of Computer Science NC State University 2005 TRES.

Computer Science 1 Research on Sensor Network Security Peng Ning Cyber Defense Laboratory Department of Computer Science NC State University 2005 TRES.
A Survey on Interfaces to Network Security

A Survey on Interfaces to Network Security
Scientific Computing Department Faculty of Computer and Information Sciences Ain Shams University Supervised By: Mohammad F. Tolba Mohammad S. Abdel-Wahab.

Scientific Computing Department Faculty of Computer and Information Sciences Ain Shams University Supervised By: Mohammad F. Tolba Mohammad S. Abdel-Wahab.
1 Integrating a Network IDS into an Open Source Cloud Computing Environment 1st International Workshop on Security and Performance in Emerging Distributed.

1 Integrating a Network IDS into an Open Source Cloud Computing Environment 1st International Workshop on Security and Performance in Emerging Distributed.
Page  1 SaaS – BUSINESS MODEL Debmalya Khan DEBMALYA KHAN.

Page  1 SaaS – BUSINESS MODEL Debmalya Khan DEBMALYA KHAN.
© 2010 IBM Corporation Cloudy with a chance of security Information security in virtual environments Johan Celis Security Solutions Architect EMEA IBM.

© 2010 IBM Corporation Cloudy with a chance of security Information security in virtual environments Johan Celis Security Solutions Architect EMEA IBM.
Energy Efficiency in Cloud Data Centers: Energy Efficient VM Placement for Cloud Data Centers Doctoral Student : Chaima Ghribi Advisor : Djamal Zeghlache.

Energy Efficiency in Cloud Data Centers: Energy Efficient VM Placement for Cloud Data Centers Doctoral Student : Chaima Ghribi Advisor : Djamal Zeghlache.
Network Aware Resource Allocation in Distributed Clouds.

Network Aware Resource Allocation in Distributed Clouds.
Optimal Scheduling of File Transfers with Divisible Sizes on Multiple Disjoint Paths Mugurel Ionut Andreica Polytechnic University of Bucharest Computer.

Optimal Scheduling of File Transfers with Divisible Sizes on Multiple Disjoint Paths Mugurel Ionut Andreica Polytechnic University of Bucharest Computer.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Confidential. For Channel Partners only. Do not distribute. C97-721796-00.

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Confidential. For Channel Partners only. Do not distribute. C
Software-Defined Networking - Attributes, candidate approaches, and use cases - MK. Shin, mkshin@etri.re.kr, ETRI M. Hoffmann, hoffmann@nsn.com, NSN.

Software-Defined Networking - Attributes, candidate approaches, and use cases - MK. Shin, ETRI M. Hoffmann, NSN.
Joint Power Optimization Through VM Placement and Flow Scheduling in Data Centers DAWEI LI, JIE WU (TEMPLE UNIVERISTY) ZHIYONG LIU, AND FA ZHANG (CHINESE.

Joint Power Optimization Through VM Placement and Flow Scheduling in Data Centers DAWEI LI, JIE WU (TEMPLE UNIVERISTY) ZHIYONG LIU, AND FA ZHANG (CHINESE.
Mobile Agent Migration Problem Yingyue Xu. Energy efficiency requirement of sensor networks Mobile agent computing paradigm Data fusion, distributed processing.

Mobile Agent Migration Problem Yingyue Xu. Energy efficiency requirement of sensor networks Mobile agent computing paradigm Data fusion, distributed processing.

Similar presentations

Ads by Google