On the Optimality of Virtualized Security Function Placement in Multi-Tenant Data Centers

Abstract: Security and service protection against cyber attacks remain among the primary challenges for virtualized, multitenant Data Centres (DCs), for reasons that vary from lack of resource isolation to the monolithic nature of legacy middleboxes. Although security is currently considered a property of the underlying infrastructure, diverse services require protection against different threats and at timescales which are on par with those of service deployment and elastic resource provisioning. We address the resourc… Show more

“…We have adopted a modified version of BFD to allocate virtual machines (VM) to locations that result in the least increase in power consumption [19]. We previously proposed a computing resources version of that algorithm to solve the stateless function allocation problem [9] . In the resource-aware BFD algorithm, Q is a set of initial requests, each represent a tenant's request to certain module, L is a set of locations available for allocating requests and the set A refers to the set of allocated requests in certain locations, the function sort(Q) sorts the requests from Q by a decreasing order of baseline resources required; capacity(A, r, l) ensures the resources required in location l in allocation A is enough to accommodate a give request r; validation(r, l) constrains the location to those who satisfy the traffic constraints such as for a stateful class request r, only locations that associated with communication links are valid, while total cost(r, l) calculates the total cost of allocating the request r to location l which represented of computing cost plus communication cost if any in the contrary to the work in [9] which only consider computing resources cost, as illustrated by the following algorithm Input: Set of requests Q, set of locations L Output: Set of requests allocated to locations A 1: A ← ∅ // initialisation 2: Q * ← sort(Q) // sort request w.r.t.…”

“…However, the distinct constraints related to security functions such as, the granularity of the processed traffic are neglected by most studies of the automatic management of VNFs [9]. We explicitly address the requirements and constraints of security services which distinguish our work from previous research in the management of virtualised services, e.g., our work addresses the traffic constraints of security functions which impose a restriction on allocation.…”

“…Security functions can be classified into two classes based on how traffic is processed to detect threats and subsequently the level of aggregation of traffic packets required for each. This classification will specify the traffic constraints of the modules and guide the placement algorithm to select the location where a security function can accurately capture the required level of traffic aggregation [9].…”

“…The second objective is to minimise the communication overhead of the allocation which represents the communication bandwidth overhead due to the allocation and targeting minimise bandwidth usage for the placement. We represent the placement problem of security functions in virtualised DCs as an instance of a variable cost -variable size bin packing problem (VSBPP) [9], [19]. Therefore, every request will be associated with a tenant and a security function requested by that tenant.…”

In-Network Placement of Security VNFs in Multi-Tenant Data Centers

“…We have adopted a modified version of BFD to allocate virtual machines (VM) to locations that result in the least increase in power consumption [19]. We previously proposed a computing resources version of that algorithm to solve the stateless function allocation problem [9] . In the resource-aware BFD algorithm, Q is a set of initial requests, each represent a tenant's request to certain module, L is a set of locations available for allocating requests and the set A refers to the set of allocated requests in certain locations, the function sort(Q) sorts the requests from Q by a decreasing order of baseline resources required; capacity(A, r, l) ensures the resources required in location l in allocation A is enough to accommodate a give request r; validation(r, l) constrains the location to those who satisfy the traffic constraints such as for a stateful class request r, only locations that associated with communication links are valid, while total cost(r, l) calculates the total cost of allocating the request r to location l which represented of computing cost plus communication cost if any in the contrary to the work in [9] which only consider computing resources cost, as illustrated by the following algorithm Input: Set of requests Q, set of locations L Output: Set of requests allocated to locations A 1: A ← ∅ // initialisation 2: Q * ← sort(Q) // sort request w.r.t.…”

“…However, the distinct constraints related to security functions such as, the granularity of the processed traffic are neglected by most studies of the automatic management of VNFs [9]. We explicitly address the requirements and constraints of security services which distinguish our work from previous research in the management of virtualised services, e.g., our work addresses the traffic constraints of security functions which impose a restriction on allocation.…”

“…Security functions can be classified into two classes based on how traffic is processed to detect threats and subsequently the level of aggregation of traffic packets required for each. This classification will specify the traffic constraints of the modules and guide the placement algorithm to select the location where a security function can accurately capture the required level of traffic aggregation [9].…”

“…The second objective is to minimise the communication overhead of the allocation which represents the communication bandwidth overhead due to the allocation and targeting minimise bandwidth usage for the placement. We represent the placement problem of security functions in virtualised DCs as an instance of a variable cost -variable size bin packing problem (VSBPP) [9], [19]. Therefore, every request will be associated with a tenant and a security function requested by that tenant.…”

In-Network Placement of Security VNFs in Multi-Tenant Data Centers

“…To achieve scalability, heuristics of varying flavours are often presented. The authors in [18], [19], [23], [24], [27] present greedy algorithms, Bari et al [16] presents a dynamic programming based heuristic, Addis et al [7] present a math-heuristic, Ghaznavi et al [21] and Luizelli et al [28] present a local and binary search based heuristic and Carpio et al [15] use genetic algorithms. While computationally more efficient, such approaches do not offer guarantees on solution quality.…”

2023 13th International Workshop on Resilient Networks Design and Modeling (RNDM)