Dynamic and Application-Aware Provisioning of Chained Virtual Security Network Functions
A promising area of application for Network Function Virtualization is in network security, where chains of Virtual Security Network Functions (VSNFs), i.e., security-specific virtual functions such as firewalls or Intrusion Prevention Systems, can be dynamically created and configured to inspect, filter or monitor the network traffic. However, the traffic handled by VSNFs could be sensitive to specific network requirements, such as minimum bandwidth or maximum end-to-end latency. Therefore, the decision on which VSNFs should apply for a given application, where to place them and how to connect them, should take such requirements into consideration. Otherwise, security services could affect quality of service experienced by customers. In this paper, we propose PESS (Progressive Embedding of Security Services), a solution to dynamically provision security services by selecting the most appropriate combination and placement of VSNFs that cater to the needs of each application, while optimizing resource utilization. We provide PESS mathematical model and heuristic solution. Simulation results show that, compared to state-of-the-art application-agnostic models, PESS reduces computational resource utilization by up to 50 higher number of provisioned security services and to up to a three-fold reduction in end-to-end latency of application traffic.
READ FULL TEXT