Modern ICT infrastructures are evolving thanks to the advantages offered by virtualisation in terms of flexibility, scalability, and savings on hardware-related costs. More recently, virtualisation has gained momentum in the Internet Service Providers' infrastructures as well, where the Software-Defined Networking and Network Function Virtualisation paradigms propose programmability of the network and the softwarisation of proprietary hardware appliances. In this scenario, lightweight virtualisation technologies, such as Linux containers, have a significant role, as they address the needs for scalability, availability and fast deployment to support the software-based network infrastructures. In this paper, we focus on defining a reusable design for a container-based Virtual Network Security Function, by highlighting the peculiarities of its architecture compared to a Virtual Machine-based instance. Moreover, we present a prototype application of this architecture to implement an HTTP reverse proxy with application-layer filtering capabilities, tailored for the NFV Security-as-a-Service scenario. We evaluate the performance of this prototype and compare it to the results of alternative deployments, namely the Virtual Machine and bare-metal solutions. Finally, we evaluate the proposed solution in a load-balancing scenario, for increased throughput and availability.
Container-based design of a Virtual Network Security Function / DE BENEDICTIS, Marco; Lioy, Antonio; Smiraglia, Paolo. - PRINT. - (2018), pp. 55-63. (Paper presented at the NETSOFT-2018: IEEE Conference on Network Softwarization, held in Montreal (QC, Canada), 25-29 June 2018) [10.1109/NETSOFT.2018.8459903].
Container-based design of a Virtual Network Security Function
DE BENEDICTIS, MARCO; Antonio Lioy; Paolo Smiraglia
2018
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/11583/2712443
Warning! The data displayed have not been validated by the university.