On the placement of security-related Virtualised Network Functions over data center networks

Ali, Abeer Farouk Tawfeek (2020) On the placement of security-related Virtualised Network Functions over data center networks. PhD thesis, University of Glasgow.

Full text available as:
Download (1MB) | Preview


Middleboxes are typically hardware-accelerated appliances such as firewalls, proxies, WAN optimizers, and NATs that play an important role in service provisioning over today's data centers. Reports show that the number of middleboxes is on par with the number of routers, and consequently represent a significant commitment from an operator's capital and operational expenditure budgets. Over the past few years, software middleboxes known as Virtual Network Functions (VNFs) are replacing the hardware appliances to reduce cost, improve the flexibility of deployment, and allow for extending network functionality in short timescales.

This dissertation aims at identifying the unique characteristics of security modules implementation as VNFs in virtualised environments. We focus on the placement of the security VNFs to minimise resource usage without violating the security imposed constraints as a challenge faced by operators today who want to increase the usable capacity of their infrastructures. The work presented here, focuses on the multi-tenant environment where customised security services are provided to tenants. The services are implemented as a software module deployed as a VNF collocated with network switches to reduce overhead. Furthermore, the thesis presents a formalisation for the resource-aware placement of security VNFs and provides a constraint programming solution along with examining heuristic, meta-heuristic and near-optimal/subset-sum solutions to solve larger size problems in reduced time.

The results of this work identify the unique and vital constraints of the placement of security functions. They demonstrate that the granularity of the traffic required by the security functions imposes traffic constraints that increase the resource overhead of the deployment. The work identifies the north-south traffic in data centers as the traffic designed for processing for security functions rather than east-west traffic. It asserts that the non-sharing strategy of security modules will reduce the complexity in case of the multi-tenant environment. Furthermore, the work adopts on-path deployment of security VNF traffic strategy, which is shown to reduce resources overhead compared to previous approaches.

Item Type: Thesis (PhD)
Qualification Level: Doctoral
Keywords: Data Centers security, resource management, security network functions, VNF orchestration.
Subjects: T Technology > T Technology (General)
Colleges/Schools: College of Science and Engineering > School of Computing Science
Funder's Name: Engineering and Physical Sciences Research Council (EPSRC)
Supervisor's Name: Pezaros, Professor Dimitrios and Anagnostopoulos, Dr. Christos
Date of Award: 2020
Depositing User: Miss Abeer Ali
Unique ID: glathesis:2020-81595
Copyright: Copyright of this thesis is held by the author.
Date Deposited: 21 Aug 2020 15:07
Last Modified: 29 Aug 2022 10:13
Thesis DOI: 10.5525/gla.thesis.81595
URI: http://theses.gla.ac.uk/id/eprint/81595

Actions (login required)

View Item View Item


Downloads per month over past year