Hybrid Security Architecture (HSA)

Security is critical to data centers, especially multi-tenant data centers that host a variety of applications in a single facility. Conventional schemes place security devices (middleboxes) at a few choke points (e.g., core routers) and rely on routing policy to guarantee middlebox traversal. Coupling routing and security services together complicates operation and troubleshooting, since routing and security are operated by different teams. When a data center scales, the security system needs to be upgraded accordingly. However, the current approaches are not flexible and incur high cost.

Figure 1: Intra-data center traffic needs to traverse middleboxes at a chokepoint. Network routing function such as VLAN is used to force traffic through the middleboxes. This approach is neither flexible nor scalable for multi-tenant data centers, especially ones with tenant/traffic-specific policies.


Observing that rich computing resources are already available in data centers, we are interested in using a large number of software middleboxes to achieve scalability and cost efficiency. 

Figure 2: In Hybrid Security Architecture, Internet traffic that naturally passes through a gateway continues to traverse hardware-based middleboxes (1). Using abundant computing resources, software-based middleboxes are deployed as Virtual Machines (VMs). Intra-data center traffic is forwarded to software-based middleboxes in their proximity for policy enforcement.

We present Hybrid Security Architecture (HSA), a design to decouple security services from routing and to allow the integration of hardware and software middleboxes in a complementary way. HSA is more cost-effective and flexible compared to the conventional schemes that solely use hardware middleboxes. It allows topology and routing changes with minimal impact to security services, and vice versa. In particular, HSA does not require modification to switches and routers.


Figure 3: Using an overlay labeled forwarding scheme, HSA enforces middlebox traversal policies in a distributed manner without relying on network routing features like VLAN. A host-based packet classifier classifies packets according to traversal policies and attaches a label to the packet header. An agent at each middlebox (MA) maintains a simple, exact-matching forwarding table based on the HSA label. The whole process is transparent to the underlying network routing infrastructure.
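To make the label-based forwarding of Figure 3 concrete, the following small Python model (an added example, not the project's code or its Netfilter implementation) shows the host classifier attaching a label and each middlebox agent forwarding on an exact match of that label alone. The policy table, middlebox names and packet fields are constructed assumptions; an unknown label at an agent is dropped rather than routed.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    tenant: str
    label: int = 0                 # HSA label; 0 = no traversal policy matched
    path: list = field(default_factory=list)

# Traversal policies (constructed sample): (tenant, dst port) -> ordered
# chain of middlebox ids the packet must traverse before delivery.
POLICIES = {
    ("tenantA", 80): ["fw1", "ids1"],
    ("tenantA", 22): ["fw1"],
}

def build_tables(policies):
    """Assign one label per policy and derive each MA's exact-match table:
    classifier[(tenant, port)] = (label, first hop); ma_tables[mb][label] = next hop."""
    classifier, ma_tables = {}, {}
    for label, (key, chain) in enumerate(sorted(policies.items()), start=1):
        classifier[key] = (label, chain[0] if chain else "DST")
        for i, mb in enumerate(chain):
            nxt = chain[i + 1] if i + 1 < len(chain) else "DST"
            ma_tables.setdefault(mb, {})[label] = nxt
    return classifier, ma_tables

def classify(pkt, classifier):
    """Host-based classifier: match the policy, attach the label, return first hop."""
    label, first = classifier.get((pkt.tenant, pkt.dport), (0, "DST"))
    pkt.label = label
    return first

def ma_forward(mb, pkt, ma_tables):
    """Middlebox agent: exact match on the label only, no routing lookup.
    An unknown label (misconfiguration or tampering) yields None: fail closed."""
    return ma_tables.get(mb, {}).get(pkt.label)

def deliver(pkt, classifier, ma_tables):
    """Walk the overlay path hop by hop; returns the hop list, or None if dropped."""
    hop = classify(pkt, classifier)
    while hop != "DST":
        pkt.path.append(hop)
        hop = ma_forward(hop, pkt, ma_tables)
        if hop is None:
            return None
    return pkt.path + ["DST"]
```

Because every agent table is keyed by label only, moving a middlebox VM or changing the underlying routing changes nothing in these tables; only the policy-to-chain mapping needs to be redistributed.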

Using a middlebox overlay forwarding framework that decouples security services and routing, we facilitate dynamic and distributed deployment of middleboxes anywhere in the data center network. Observing that data centers are built with rich computing resources, we deploy software middleboxes to achieve dynamic scalability.
This project designs algorithms, protocols and data structures for two crucial components of a dynamic and distributed security services system: (1) Load-balance traffic-specific security service demands to distributed middleboxes to ensure performance and scalability; and (2) Dynamic provisioning of middleboxes according to changing demands for cost-efficiency and scalability.

Figure 4: A physical testbed consisting of 6 AMD Hex-core servers as VM-hosts. Ubuntu Linux 10.04 LTS server edition with Kernel-based Virtual Machine (KVM) hypervisor is used. Two additional Intel Core-i7 Quad-core servers are used as traffic generators and monitors to stress-test and benchmark HSA components.

Our overlay forwarding scheme for the data-plane is implemented on Linux using standard Netfilter interfaces. An implementation with OpenFlow is also possible. The control plane is implemented using Python and OpenNebula. A testbed is used to demonstrate the feasibility, flexibility and applicability of our scheme. Our scheme does not require any modifications to switches and routers. A software simulator is used to further show the scalability and efficiency of our scheme. 

Publication

[1] Ho-Yu Lam, Jeonghyeon Hwang, Song Zhao, Kang Xi, H. Jonathan Chao. A Feasibility Study on Providing Network Intensive Services with Virtual Machines. Submitted and under review. 
[2] Ho-Yu Lam, Song Zhao, Kang Xi, H. Jonathan Chao. Hybrid Security Architecture for Data Center Networks. ICC 2012: IEEE International Conference on Communications, Ottawa, Canada, June 2012. (To appear)