Study on Virtual Service Chain for Secure Software- Defined Networking

Advanced Science and Technology Letters Vol.29 (CA 2013), pp.177-180 http://dx.doi.org/10.14257/astl.2013.29.36

Study on Virtual Service Chain for Secure Software-Defined Networking

Woosik Lee1, Yoon-Ho Choi2, Namgi Kim1*

1Department of Computer Science, Kyonggi University, Korea, {wslee, ngkim}@kyonggi.ac.kr
2Department of Convergence Security, Kyonggi University, Korea, [email protected]

Abstract. Compared to legacy network topology, software-defined networking (SDN)/network functions virtualization (NFV) topology migrates control from hardware such as switches into a software application, which is called a controller. In SDN/NFV topology, a network administrator can customize switching policies across multi-vendor hardware in a centralized manner, so organizations can respond to their various business requirements while reducing capital expenditures (CAPEX) and operating expenses (OPEX). In this paper, we overview a methodology called a security service chain (SSC) for providing security functions in SDN/NFV topology by chaining virtual security services, such as virtual load balancers and virtual firewalls.

Keywords: Software-Defined Networking, Network Functions Virtualization, OpenFlow, Service Chaining

1 Introduction

Nowadays, legacy network topology is limited in accommodating diverse requirements: it depends on hardware-based appliances, is complex to integrate, and suffers from limited space and high costs. Compared to legacy network topology, software-defined networking (SDN)/network functions virtualization (NFV) [1-3] topology migrates control from hardware such as switches into a software application, which is called a controller. A network administrator can then easily customize switching policies across multi-vendor hardware, which makes it possible to reduce capital expenditures (CAPEX) and operating expenses (OPEX). In SDN/NFV topology there are virtual security services, such as virtual load balancers and virtual firewalls, and these security services can be dynamically chained according to the type of attack flow. In this paper, we overview this methodology, called a security service chain (SSC), which provides security functions by chaining various virtual security services. To do so, we look into SDN, NFV, and SSC by analyzing their advantages and disadvantages. We also define the relationship between SDN/NFV and SSC to improve security services.



Corresponding author: Namgi Kim

ISSN: 2287-1233 ASTL Copyright © 2013 SERSC


2 SDN (Software-Defined Networking)

SDN separates the network architecture into a data plane and a control plane [4], which allows administrators to manage diverse services through an abstraction of the lower network layers. OpenFlow [5] is the technology that enables SDN by letting the control plane communicate with the data plane. Fig. 1 shows the system architecture of SDN: diverse application services control the switches through a controller. Through this system, SDN produces many benefits: central control of multi-vendor environments, reduced complexity through automation, a higher rate of innovation, increased network reliability and security, more granular network control, and a better user experience.

[Fig. 1 diagram: Application, Application, Application (SDN Layer); Control Plane: Controller; Data Plane: Switch, Switch, Switch; PHY Layer]

Fig. 1. System architecture of software defined network

3 NFV (Network Functions Virtualization)

NFV [6] is a fundamental solution to today's network problems, such as the proliferation of hardware appliances, the increasing cost of floor space, and the integration and operation of complex hardware-based appliances. Moreover, hardware-based appliances have a limited lifetime and rapidly reach their end of life. NFV solves these problems by using IT virtualization technology in a data center or at an end point. Administrators therefore gain many benefits from NFV: reduced equipment costs and power consumption, faster time to market, running production, test and reference facilities on the same infrastructure, enabling a wide variety of ecosystems, optimizing network configurations, and supporting multi-tenancy. Fig. 2 shows the legacy structure and the NFV structure. In this figure we see that the legacy structure operates with a separate network appliance for each function, whereas the NFV structure runs virtual routers, firewalls, load balancers and other network devices on commodity hardware.


[Fig. 2 diagram. Legacy Structure: Router, Firewall, Load Balancer, Distribution Switch and Web Server (x3) as separate appliances. NFV Structure: Router, Firewall, Load Balancer, Distribution Switch and Web Server (x3) as virtual functions on commodity hardware]

Fig. 2. Previous structure and NFV structure

4 SDN/NFV based on Security Service Chaining (SSC)

SSC [7] technology means that an SDN/NFV controller efficiently manages the network traffic that passes through virtual IPSs, firewalls, and IDSs. If there is a DDoS or flood attack in an SDN/NFV network with SSC technology, SSC processes these packets properly by chaining various service functions. Therefore, if the controller has an SSC pool, it gains many benefits: a customized design for each service user, a safe and dynamic network environment, and low operating costs. Fig. 3 shows the SSC architecture. In detail, the SSC first gets a service flow table from the security platform and observes the type of each packet, such as DDoS, flood, SYN, normal, and other packets. Then the SSC uses its functions to process attack packets properly. For example, if an OpenFlow switch suddenly receives flood packets that exceed the switch's capacity, the SSC distributes the packets using the load balance function.

[Fig. 3 diagram: Application (x3); Controller containing Security Platform and Service Chaining Pool; packet types DDoS Packet, Flood Packet, SYN Packet, Normal Packet, Other Packets; Service Chaining Functions: Loadbalance, Firewall, IPS, Router; Switch (x3)]

Fig. 3. Security Service chaining architecture
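As an added illustration that is not code from the paper, the following Python models the service chaining pool of Sect. 4: the controller classifies an observed flow into one of the packet types of Fig. 3 and then applies the ordered chain of virtual functions that the service flow table assigns to that type. The flow classes, the chain per class, the behaviour of each virtual function and the switch capacity threshold are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
SWITCH_CAPACITY_PPS = 10_000  # assumed packets/s one OpenFlow switch can absorb

@dataclass
class Flow:                   # one traffic aggregate observed by the controller
    src: str
    dst: str
    proto: str                # "tcp", "udp", "icmp", ...
    pps: int                  # packets per second for this aggregate
    src_count: int = 1        # distinct sources behind it (1 = single host)
    syn_only: bool = False    # TCP SYNs that never complete the handshake

# Virtual service functions (assumed behaviour). Each returns (verdict, action);
# a "drop" verdict ends the chain early.
def load_balance(flow):
    return "pass", "loadbalance:spread-over-switches"
def firewall(flow):
    return "pass", ("firewall:syn-rate-limit" if flow.syn_only else "firewall:allow")
def ips(flow):
    if flow.pps > SWITCH_CAPACITY_PPS:   # assumed IPS signature: volumetric flow
        return "drop", "ips:drop"
    return "pass", "ips:inspected"
def router(flow):
    return "pass", "router:forward"

# Service flow table from the security platform: class -> ordered chain (assumed).
SERVICE_FLOW_TABLE = {
    "ddos":   [load_balance, ips],
    "flood":  [load_balance],
    "syn":    [firewall, router],
    "normal": [router],
    "other":  [ips, router],
}

def classify(flow):
    """Map an observed flow onto one of the packet types of Fig. 3."""
    if flow.pps > SWITCH_CAPACITY_PPS:
        return "ddos" if flow.src_count > 1 else "flood"
    if flow.proto == "tcp" and flow.syn_only:
        return "syn"
    return "normal" if flow.proto in ("tcp", "udp") else "other"

def run_chain(flow):
    """Apply the chain for the flow's class; returns (class, actions applied)."""
    cls, actions = classify(flow), []
    for fn in SERVICE_FLOW_TABLE[cls]:
        verdict, action = fn(flow)
        actions.append(action)
        if verdict == "drop":
            break
    return cls, actions
```

A flood from a single source above the switch capacity is handed to the load balancer only, while a multi-source DDoS aggregate is spread and then dropped by the IPS, which ends its chain.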

5 Relationship between SDN, NFV, and SSC

Fig. 4 shows the relationship between SDN, NFV, and SSC. Although SDN and NFV can each operate on their own, SDN compensates for what NFV lacks, such as management of the control plane. SSC then properly manages the various kinds of threat traffic.


[Fig. 4 diagram: Security Service Chaining (LB, FW, RR, IPS); SDN (Control Plane, Data Plane); NFV (VM 1, VM 2, VM 3, VM 4)]

Fig. 4. Relationship between SDN/NFV and SSC

6 Conclusion

In this paper, we presented a methodology called a security service chain (SSC) for providing security functions by chaining virtual security services such as virtual load balancers and virtual firewalls. We conclude that SSC lets a network administrator manage a network topology more efficiently than a legacy topology allows.

Acknowledgment. This work was supported by the Industrial Strategic Technology Development Program (10047541, Development of Self-Defending and Auto-Scaling SDN Smart Security Networking System) funded by the Ministry of Knowledge Economy (MKE, Korea).

References

1. D. Kreutz et al.: Towards Secure and Dependable Software-Defined Networks, HotSDN, pp. 55--60 (2013)
2. A. Dixit et al.: Towards an Elastic Distributed SDN Controller, HotSDN, pp. 7--12 (2013)
3. D. Erickson: The Beacon OpenFlow Controller, HotSDN, pp. 13--18 (2013)
4. Open Networking Foundation: Software-Defined Networking - The New Norm for Networks, ONF White Paper (2013)
5. N. McKeown et al.: OpenFlow: Enabling Innovation in Campus Networks, ACM SIGCOMM, vol. 38, pp. 69--74 (2008)
6. AT&T et al.: Network Functions Virtualization - Introductory White Paper, pp. 1--16 (2013)
7. Cisco: Enabling Service Chaining on Cisco Nexus 1000V Series, White Paper, pp. 1--25 (2013)
