Optimal Placement of Network Security Monitoring Functions in NFV-Enabled Data Centers

摘要

While infrastructure as a service (IaaS) provides benefits such as cost reduction, dynamic deployment and high availability for users, it also blurs the boundary between the internal and external networks, causing security threats such as insider attacks which cannot be observed by traditional security devices in the network boundary. Coordination of network function virtualization (NFV) and software-defined networking (SDN) is a promising approach to address this issue, and an optimal placement mechanism is necessary to minimize the computing resources for network security monitoring. In this work, we present a mechanism of placing virtualized network functions (VNFs) for network security monitoring in a data center to watch communications between pairs of virtual machines (VMs) or between VMs and external hosts. The placement issue is modeled as the minimum vertex cover problem and the bin packing problem to optimize the number and positions of VNFs subject to the availability of computing resources and link capacity. We design a greedy algorithm to reduce the time complexity of the problems. A Mininet simulation evaluates this solution for various topology sizes and communication pairs. The experiments demonstrate that the VNF placement planned by this algorithm is close to optimality, but the execution time can be reduced significantly.