Advanced Science and Technology Letters Vol.29 (CA 2013), pp.177-180 http://dx.doi.org/10.14257/astl.2013.29.36
Study on Virtual Service Chain for Secure Software-Defined Networking
Woosik Lee1, Yoon-Ho Choi2, Namgi Kim1∗
1 Department of Computer Science, Kyonggi University, Korea, {wslee, ngkim}@kyonggi.ac.kr
2 Department of Convergence Security, Kyonggi University, Korea, [email protected]
Abstract. Compared to legacy network topology, software-defined networking (SDN)/network functions virtualization (NFV) topology migrates control from hardware such as switches into a software application, which is called a controller. In SDN/NFV topology, a network administrator can customize switching policies across multi-vendor hardware in a centralized manner, and thus organizations can respond to their various business requirements while reducing capital expenditures (CAPEX) and operating expenses (OPEX). In this paper, we overview a methodology, called a security service chain (SSC), for providing security functions in SDN/NFV topology by chaining virtual security services, such as virtual load balancers and virtual firewalls.
Keywords: Software-Defined Networking, Network Functions Virtualization, OpenFlow, Service Chaining
1 Introduction
Nowadays, legacy network topology is limited in accommodating diverse requirements: it depends on hardware-based appliances, is complex to integrate, and demands space and incurs high costs. Compared to legacy network topology, software-defined networking (SDN)/network functions virtualization (NFV) [1-3] topology migrates control from hardware such as switches into a software application, which is called a controller. A network administrator can then easily customize switching policies across multi-vendor hardware, which makes it possible to reduce capital expenditures (CAPEX) and operating expenses (OPEX). In SDN/NFV topology, there are virtual security services, such as virtual load balancers and virtual firewalls. These security services can be dynamically chained according to the type of attack flow. In this paper, we overview this methodology, which is called a security service chain (SSC), for providing security functions by chaining various virtual security services. To do so, we look into SDN, NFV, and SSC by analyzing their advantages and disadvantages. We also define a relationship between SDN/NFV and SSC to improve security services.
∗ Corresponding author: Namgi Kim
ISSN: 2287-1233 ASTL Copyright © 2013 SERSC
2 SDN (Software-Defined Networking)
SDN separates the network architecture into a data plane and a control plane [4]. SDN then allows administrators to manage diverse services through an abstraction of the lower network layers. OpenFlow technology [5] is required to enable SDN, as it is the protocol by which the control plane communicates with the data plane. Fig. 1 shows the system architecture of SDN. As shown in Fig. 1, diverse application services can control switches through a controller. Through this system, SDN produces many benefits: central control of multi-vendor environments, reduced complexity through automation, a higher rate of innovation, increased network reliability and security, more granular network control, and a better user experience.
Fig. 1. System architecture of software defined network (figure not reproduced; it shows applications in the SDN layer above a control plane holding the controller, a data plane of switches, and the PHY layer)
3 NFV (Network Functions Virtualization)
NFV [6] is a fundamental solution to today's network problems, such as the proliferation of hardware appliances, the increasing cost of floor space, and the integration and operation of complex hardware-based appliances. Moreover, hardware-based appliances have a limited lifetime and rapidly reach their end of life. NFV solves these problems using IT virtualization technology in data centers or at end points. Administrators therefore gain many benefits from NFV, such as reduced equipment costs and power consumption, faster time to market, running production, test and reference facilities on the same infrastructure, enabling a wide variety of eco-systems, optimized network configurations, and support for multi-tenancy. Fig. 2 shows the legacy and NFV structures. In this figure, we see that the legacy structure operates with separate network appliances for each function, whereas the NFV structure runs virtual routers, firewalls, load balancers and other network devices on commodity hardware.
Fig. 2. Previous structure and NFV structure (figure not reproduced; the legacy structure shows separate router, firewall, load balancer and distribution switch appliances in front of the web servers, while the NFV structure runs the same functions as virtual instances in front of the web servers)
4 SDN/NFV based on Security Service Chaining (SSC)
SSC [7] technology means that an SDN/NFV controller efficiently manages the network traffic that passes through virtual IPSs, firewalls, and IDSs. If a DDoS or flood attack occurs in an SDN/NFV network with SSC technology, the SSC handles these packets properly by chaining various service functions. Therefore, a controller that has an SSC pool gains the following benefits: a customized design for each service user, a safe and dynamic network environment, and low operating costs. Fig. 3 shows an SSC architecture. In detail, the SSC first obtains a service flow table from the security platform and observes the type of each packet, such as DDoS, Flood, SYN, Normal, and other packets. The SSC then applies its functions to process attack packets properly. For example, if an OpenFlow switch suddenly receives flood packets that exceed the capacity of the switch, the SSC distributes the packets using the load balance function.
Fig. 3. Security Service chaining architecture (figure not reproduced; applications sit above a controller that holds a service chaining pool and a security platform; the pool sorts DDoS, Flood, SYN, Normal and Other packets to service chaining functions such as Loadbalance, Firewall, IPS and Router before the switches)
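The classify-then-chain step described above, as an added Python illustration that is not part of the paper: observed flow statistics (a constructed FlowStats record with assumed thresholds and an assumed switch capacity) are mapped to the packet types of Fig. 3 and then to an ordered chain of virtual security functions, with the Flood case spread across switches by the load-balance function as the text describes.

```python
from dataclasses import dataclass

# Constructed capacity figure for one OpenFlow switch (packets per second).
SWITCH_CAPACITY_PPS = 10_000

# Service flow table: packet type -> ordered chain of virtual security
# functions. The chains are assumptions modelled on Fig. 3; the paper itself
# only states that Flood traffic is handed to the load-balance function.
SERVICE_FLOW_TABLE = {
    "DDoS": ["Firewall", "Loadbalance", "IPS"],
    "Flood": ["Loadbalance"],
    "SYN": ["Firewall"],
    "Normal": [],
    "Other": ["IPS", "Router"],
}

@dataclass
class FlowStats:
    proto: str        # transport protocol seen at the ingress switch
    pps: float        # packets per second of this aggregate flow
    src_count: int    # distinct source addresses in the observation window
    syn_ratio: float  # fraction of TCP packets that are bare SYNs

def classify(f: FlowStats) -> str:
    """Map observed flow statistics to one of the packet types in Fig. 3."""
    if f.proto not in ("tcp", "udp"):
        return "Other"
    if f.pps > SWITCH_CAPACITY_PPS and f.src_count > 1000:
        return "DDoS"   # volumetric and many-source: distributed attack
    if f.pps > SWITCH_CAPACITY_PPS:
        return "Flood"  # volumetric from few sources, exceeding switch capacity
    if f.proto == "tcp" and f.syn_ratio > 0.9:
        return "SYN"    # half-open connection pattern
    return "Normal"

def build_chain(f: FlowStats, switches: int = 3) -> list:
    """Return the controller's actions for a flow, one entry per chained function."""
    actions = []
    for fn in SERVICE_FLOW_TABLE[classify(f)]:
        if fn == "Loadbalance":
            # Spread the excess load evenly across the available switches.
            actions.append(f"loadbalance:{f.pps / switches:.0f}pps_per_switch")
        elif fn == "Firewall":
            actions.append("firewall:rate_limit_syn")
        elif fn == "Router":
            actions.append("router:forward")
        else:  # IPS
            actions.append("ips:inspect")
    return actions
```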
5 Relationship between SDN, NFV, and SSC
In Fig. 4, we show the relationship between SDN, NFV, and SSC. Although SDN and NFV can each operate on their own, SDN compensates for what NFV lacks, such as the management of the control plane. SSC then properly manages the various kinds of threat traffic.
Fig. 4. Relationship between SDN/NFV, and SSC (figure not reproduced; SDN spans the control plane and data plane, NFV hosts VM 1 to VM 4, and the security service chain composes LB, FW, RR and IPS functions on top of them)
6 Conclusion
In this paper, we presented a methodology called a security service chain (SSC) for providing security functions by chaining virtual security services such as virtual load balancers and virtual firewalls. We therefore conclude that SSC lets a network administrator manage a network topology more efficiently than a legacy topology.
Acknowledgment. This work was supported by the Industrial Strategic Technology Development Program (10047541, Development of Self-Defending and Auto-Scaling SDN Smart Security Networking System) funded by the Ministry of Knowledge Economy (MKE, Korea).
References
1. D. Kreutz et al.: Towards Secure and Dependable Software-Defined Networks, HotSDN, pp. 55--60 (2013)
2. A. Dixit et al.: Towards an Elastic Distributed SDN Controller, HotSDN, pp. 7--12 (2013)
3. D. Erickson: The Beacon OpenFlow Controller, HotSDN, pp. 13--18 (2013)
4. Open Networking Foundation: Software-Defined Networking - The New Norm for Networks, ONF White Paper (2013)
5. N. McKeown et al.: OpenFlow: Enabling Innovation in Campus Networks, ACM SIGCOMM, vol. 38, pp. 69--74 (2008)
6. AT&T et al.: Network Functions Virtualization – Introductory White Paper, pp. 1--16 (2013)
7. Cisco: Enabling Service Chaining on Cisco Nexus 1000V Series, White paper, pp. 1--25 (2013)