Virtual Security Functions and Their Placement in Software Defined Networks: A Survey

Software Defined Networking (SDN) and Network Functions Virtualization (NFV) are two important technologies gaining prominence thanks to the flexibility and cost efficiency they bring to networks. In recent years they have been used extensively to build a new generation of security solutions. With SDN and NFV, network security functions are virtualized and deployed in a hardware-independent manner, which reduces cost and speeds up innovation and development. Functions virtualized with NFV, such as firewalls, deep packet inspection and intrusion detection systems, can reside as applications in the SDN architecture. Where to place these functions in the network is an important problem discussed in the literature: for each function, objectives such as efficient use of network resources, energy consumption, cost, network load and delay must be weighed, while still guaranteeing that the network's security requirements are met (for example, that every protected flow actually traverses the function that is supposed to inspect it). This paper provides a critical survey of the placement of virtualized network security functions in software-defined networks and identifies open problems in this field. We briefly describe SDN and NFV, touch upon the relationship between them, and exemplify and review the most common virtual security functions in SDN. We then examine and compare the studies on the optimal placement of virtual security functions. Finally, we identify several open research challenges in this area and suggest potential future directions for researchers.

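To make the placement problem sketched in the abstract concrete, the following is an added example (not code from the survey or from any of the works it reviews) that solves a tiny instance exactly by brute force. The topology, link delays, host costs, capacities and flows are all constructed for the illustration. It assumes the SDN controller steers each flow through exactly one instance of a single virtual security function (e.g. a virtual DPI), that each candidate host has an activation cost (a proxy for energy or resource cost) and a capacity in flows, and that the objective is activation cost plus a weighted sum of per-flow detour latency, subject to every flow being inspected. The names `place_vsf`, `TOPOLOGY`, `FLOWS`, `HOST_COST` and `HOST_CAP` are this example's own.

```python
"""
Exact (brute-force) placement of instances of one virtual security function
(VSF) on a small SDN topology.  Added illustration; not from the survey.

Model (this example's assumptions):
  * Each flow is steered through exactly one VSF instance hosted at switch v,
    so its latency is d(src, v) + d(v, dst), with d() the shortest-path delay.
  * host_cost[v] is the activation cost of running an instance at v,
    host_cap[v] the maximum number of flows that instance may inspect.
  * Objective: min  sum(activation cost) + lam * sum(flow latency)
    s.t.  every flow is inspected and no host exceeds its capacity.
Brute force only works for a handful of switches and flows; realistic
instances are handled with ILP solvers or heuristics.
"""
import heapq
import itertools
from typing import Dict, List, Optional, Tuple

INF = float("inf")
Graph = Dict[str, Dict[str, float]]
Flow = Tuple[str, str]


def dijkstra(graph: Graph, source: str) -> Dict[str, float]:
    """Shortest-path delay from source to every reachable node."""
    dist = {source: 0.0}
    heap = [(0.0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, w in graph[u].items():
            nd = d + w
            if nd < dist.get(v, INF):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    return dist


def place_vsf(graph: Graph, flows: List[Flow], host_cost: Dict[str, float],
              host_cap: Dict[str, int], lam: float = 1.0,
              max_instances: int = 3) -> Optional[dict]:
    """Return the cheapest feasible placement, or None if none exists."""
    dist = {u: dijkstra(graph, u) for u in graph}
    hosts = sorted(host_cost)
    best = None
    for k in range(1, max_instances + 1):
        for placed in itertools.combinations(hosts, k):
            activation = sum(host_cost[v] for v in placed)
            if best is not None and activation >= best["cost"]:
                continue  # latency term is >= 0, so this set cannot win
            # Exact flow-to-instance assignment: try every mapping.
            best_lat, best_assign = INF, None
            for assign in itertools.product(placed, repeat=len(flows)):
                load = dict.fromkeys(placed, 0)
                latency = 0.0
                for (s, t), v in zip(flows, assign):
                    load[v] += 1
                    latency += dist[s].get(v, INF) + dist[v].get(t, INF)
                    if load[v] > host_cap[v] or latency == INF:
                        latency = INF  # capacity violated or unreachable
                        break
                if latency < best_lat:
                    best_lat, best_assign = latency, assign
            if best_assign is None:
                continue  # no capacity-feasible assignment for this set
            total = activation + lam * best_lat
            if best is None or total < best["cost"]:
                best = {"cost": total, "placed": placed, "latency": best_lat,
                        "assignment": dict(zip(flows, best_assign))}
    return best


def undirected(edges) -> Graph:
    g: Graph = {}
    for u, v, w in edges:
        g.setdefault(u, {})[v] = float(w)
        g.setdefault(v, {})[u] = float(w)
    return g


# Constructed sample: five switches, link delays in ms, a chain s1..s5 plus
# a slower s2-s5 shortcut; costs and capacities are illustrative values.
TOPOLOGY = undirected([("s1", "s2", 1), ("s2", "s3", 1), ("s3", "s4", 1),
                       ("s4", "s5", 1), ("s2", "s5", 2)])
FLOWS: List[Flow] = [("s1", "s4"), ("s1", "s5"), ("s3", "s5"), ("s2", "s4")]
HOST_COST = {"s1": 5, "s2": 4, "s3": 3, "s4": 4, "s5": 5}
HOST_CAP = {v: 2 for v in HOST_COST}


def solve_example() -> Optional[dict]:
    return place_vsf(TOPOLOGY, FLOWS, HOST_COST, HOST_CAP)


if __name__ == "__main__":
    r = solve_example()
    print("hosts:", r["placed"], "cost:", r["cost"], "latency:", r["latency"])
    for flow, host in r["assignment"].items():
        print(f"  {flow[0]}->{flow[1]} inspected at {host}")
```

With the capacities as given, a single instance cannot inspect all four flows, so the solver places two instances (s2 and s3). Relaxing the capacity to a large value lets one instance at s3 cover everything at lower total cost, which is the kind of trade-off between resource constraints and placement cost that the surveyed formulations make explicit.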