Virtual Security Functions and Their Placement in Software Defined Networks: A Survey

Abstract

Software Defined Networking (SDN) and Network Functions Virtualization (NFV) are two important technologies gaining prominence thanks to their benefits for improving the flexibility and cost efficiency in networks. These technologies have been utilized extensively for providing new age security solutions in recent years. Through the use of SDN and NFV, network security functions are virtualized and deployed in a hardware-independent manner, thus reducing costs as well as enabling faster innovations and developments. Functions virtualized with NFV such as firewall, deep packet inspection, intrusion detection systems etc. can reside as applications in the SDN architecture. The issue of where to place these functions in the network is an important problem discussed in the literature. When placing these functions, objectives such as efficient use of network resources, energy consumption, cost, network load, delay etc. must be considered for each function, in addition to ensuring that network security requirements are met. This paper provides a critical survey on the placement of virtualized network security functions in software defined networks and identifies open problems in this field. We briefly describe SDN and NFV technologies, touch upon the relationship between them, exemplify and review the most common virtual security functions in SDN. We also examine and compare the studies on the optimal placement of virtual security functions. Finally, we identify several open research challenges in this area and suggest potential future directions to be considered by researchers.

Keywords

• SDN; software defined networking; NFV; network function virtualization; cyber security

References

1. 1. Kreutz, D., Ramos, F. M., Verissimo, P. E., Rothenberg, C. E., Azodolmolky, S., Uhlig, S. “Software-defined networking: A comprehensive survey”, Proceedings of the IEEE, 103(1):14-76, (2015).
2. 2. Feamster, N., Rexford, J., Zegura, E. T”he road to sdn: an intellectual history of programmable networks”, ACM SIGCOMM Computer Communication Review, 44(2):87-98, (2014).
3. 3. Nunes, B. A. A., Mendonca, M., Nguyen, X.N., Obraczka, K., Turletti, T. “A survey of software-defined networking: Past, present, and future of programmable networks”. IEEE Communication Surveys and Tutorials, 16(3):1617-1634, (2014).
4. 4. Han, B., Gopalakrishnan, V., Ji, L., Lee, S. “Network function virtualization: Challenges and opportunities for innovations”, IEEE Communications Magazine, 53(2):90-97, (2015).
5. 5. Internet: ETSI-NFV. http://www.etsi.org/technologies-clusters/technologies/nfv, [Online, accessed 2-April-2018].
6. 6. Hu, H., Ahn, G.-J. “Virtualizing and utilizing network security functions for securing software defined infrastructure”.
7. 7. Bouet, M., Leguay, J., Combe, T., Conan, V. “Cost-based placement of vdpi functions in nfv infrastructures”, International Journal of Network Management, 25(6):490-506, (2015).
8. 8. Internet: Software-Defined Networking (SDN) Definition. https://www.opennetworking.org/sdn-definition/, [Online, accessed 2-April-2018].

9. 9. Internet: ONF. Openflow-enabled sdn and network functions virtualization. https://www.opennetworking.org/wp-content/uploads/2013/05/sb-sdn-nvf-solution.pdf, [Online, accessed 2-April-2018].
10. 10. Jarraya, Y., Madi, T., Debbabi, M. “A survey and a layered taxonomy of software-defined networking”, IEEE Communications Surveys & Tutorials, 16(4):1955-1980, (2014).
11. 11. Kim, H., Feamster, N., “Improving network management with software defined networking”, IEEE Communications Magazine 51(2):114-119, (2013).
12. 12. McKeown, N., Anderson, T., Balakrishnan, H., Parulkar, G., Peterson, L., Rexford, J., Shenker, S., Turner, J. “Openflow: enabling innovation in campus networks”, ACM SIGCOMM Computer Communication Review, 38(2):69-74, (2008).
13. 13. Sezer, S., Scott-Hayward, S., Chouhan, P.K., Fraser, B., Lake, D., Finnegan, J., Viljoen, N., Miller, M., Rao, N. “Are we ready for SDN? Implementation challenges for software-defined networks”, IEEE Communications Magazine 51(7):36-43, (2013).
14. 14. Hu, F., Hao, Q., Bao, K. “A survey on software-defined network and openflow: from concept to implementation”, IEEE Communications Surveys & Tutorials, 16(4):2181-2206, (2014).
15. 15. Karakus, M., Durresi, A. “A survey: Control plane scalability issues and approaches in Software-Defined Networking (SDN)”. Computer Networks, 112, 279-293, (2017).
16. 16. Raza, S., Lenrow, D. Open networking foundation north bound interface working group charter, 2013.
17. 17. Ahmad, I., Namal, S., Ylianttila, M., Gurtov, A. “Security in software defined networks: A survey”, IEEE Communications Surveys & Tutorials, 17(4):2317-2346, (2015).
18. 18. Chiosi, M., et al. “Network functions virtualization introductory white paper”, sdn and openow world congress. Darmstadt, (2012).
19. 19. Deng, J., Hu, H., Li, H., Pan, Z., Wang, K.-C., Ahn, G.-J., Bi, J., Park, Y. “Vnguard: An nfv/sdn combination framework for provisioning and managing virtual firewalls”, IEEE Conference on Network Function Virtualization and Software Defined Network (NFV-SDN), San Francisco,107-114, (2015).
20. 20. Matias, J., Garay, J., Toledo, N., Unzilla, J., Jacob, E. “Toward an SDN-enabled NFV architecture”, IEEE Communications Magazine, 53(4):187-193, (2015).
21. 21. Internet: Openow-enabled sdn and network functions virtualization. https://www.opennetworking.org/ images/stories/downloads/sdn-resources/ solution-briefs/sb-sdn-nvf-solution.pdf, 2014. [Online, accessed 5-April-2018].
22. 22. Jarraya, Y., Shameli-Sendi, A., Pourzandi, M., Cheriet, M. “Multistage ocdo: Scalable security provisioning optimization in sdn-based cloud”, IEEE 8th International Conference on Cloud Computing, New York, 572-579, (2015).
23. 23. Krishnaswamy, D., Kothari, R., Gabale, V. “Latency and policy aware hierarchical partitioning for nfv systems” IEEE Conference on Network Function Virtualization and Software Defined Network (NFV-SDN), San Francisco, 205-211, (2015).
24. 24. Kazienko, P., Dorosz, P. “Intrusion detection systems (ids) part i-(network intrusions; attack symptoms; ids tasks; and ids architecture”.
25. 25. Xiong, Z. “An SDN-based IPS Development Framework in Cloud Networking Environment” PhD thesis, Arizona State University, 2014.
26. 26. Ballard, J. R., Rae, I., Akella, A. “Extensible and scalable network monitoring using opensafe”, Internet network management conference on Research on enterprise networking, San Jose, 8-8, (2008).
27. 27. Van Adrichem, N. L., Doerr, C., Kuipers, F. A. “Opennetmon: Network monitoring in openow software-defined networks”, IEEE Network Operations and Management Symposium (NOMS), Krakow, 1-8, (2014).
28. 28. Jin, S., Yeung, D. S. “A covariance analysis model for ddos attack detection”, IEEE International Conference on Communications, 4:1882-1886, (2004).
29. 29. Carl, G., Kesidis, G., Brooks, R. R., Rai, S. “Denial-of-service attack-detection techniques”, IEEE Internet Computing, 10(1):82-89, (2006).
30. 30. Braga, R., Mota, E., Passito, A. “Lightweight ddos ooding attack detection using nox/openow”, IEEE 35th Conference on Local Computer Networks (LCN), 408-415, (2010).
31. 31. Bouet, M., Leguay, J., Conan, V. “Cost-based placement of virtualized deep packet inspection functions in sdn”, IEEE Military Communications Conference, 992-997, (2013).
32. 32. Finnie, G. The role of dpi in an sdn world, 2012.
33. 33. Bremler-Barr, A., Harchol, Y., Hay, D., Koral, Y. “Deep packet inspection as a service”, 10th ACM International on Conference on emerging Networking Experiments and Technologies, 271-282, (2014).
34. 34. Hu, H., Han, W., Ahn, G.-J., Zhao, Z. “Flowguard: building robust firewalls for software-defined networks”, Third workshop on Hot topics in software defined networking, 97-102, (2014).
35. 35. François, J., Dolberg, L., Festor, O., Engel, T. “Network security through software defined networking: a survey”, Conference on Principles, Systems and Applications of IP Telecommunications, 6, (2014).
36. 36. Suh, M., Park, S. H., Lee, B., Yang, S. “Building firewall over the software-defined network controller”, 16th International Conference on Advanced Communication Technology, 744-748, (2014).
37. 37. Hu, H., Ahn, G.-J., Han, W., Zhao, Z. “Towards a reliable sdn firewall”, Presented as part of the Open Networking Summit 2014 (ONS 2014), 2014.
38. 38. Zhang, L., Shou, G., Hu, Y., Guo, Z. “Deployment of intrusion prevention system based on software defined networking”, 15th IEEE International Conference on Communication Technology (ICCT), 26-31, (2013).
39. 39. Ali, S. T., Sivaraman, V., Radford, A., Jha, S. “A survey of securing networks using software defined networking”, IEEE transactions on reliability, 64(3):1086-1097, (2015).
40. 40. Shin, S., Porras, P. A., Yegneswaran, V., Fong, M. W., Gu, G., Tyson, M. “Fresco: Modular composable security services for software-defined networks”, e ISOC Network and Distributed System Security Symposium, (2013).
41. 41. Luizelli, M. C., Bays, L. R., Buriol, L. S., Barcellos, M. P., Gaspary, L. P. “Piecing together the nfv provisioning puzzle: Efficient placement and chaining of virtual network functions”, IFIP/IEEE International Symposium on Integrated Network Management (IM), 98-106, (2015).
42. 42. Murukan, P., Jamaluddine, D., Kolhapure, S., Mikhael, F., Nouzari, S. “A cost-based placement algorithm for multiple virtual security appliances in cloud using sdn: Mo-up (multi-ordered uncapacitated facility location problem)”, arXiv preprint arXiv:1602.08155, (2016).
43. 43. Shameli-Sendi, A., Jarraya, Y., Fekih-Ahmed, M., Pourzandi, M., Talhi, C., Cheriet, M. “Optimal placement of sequentially ordered virtual security appliances in the cloud”. IFIP/IEEE International Symposium on Integrated Network Management, 818-821, (2015).