Size-based flow management prototype for dynamic DMZ

摘要

The dynamic demilitarized zone (DMZ) model considers both network performance and security, and dynamically responds to traffic demands in real-time. We realize this dynamic DMZ model based on an OpenFlow-enabled switch and controller. In our approach, the controller detects flows with bit rate greater than a given threshold (elephant flows) and controls the switch in order to reroute elephant flows bypassing the security device. Extensive experiments are performed to verify the feasibility of this approach and test how the threshold value influences network performance. Results indicate that our approach effectively increases network performance but does not significantly influence flow security. Finally, we perform theoretical calculation on the deep packet inspection (DPI) input data rate in order to guide selection of the threshold value with a given traffic flow distribution and maximum DPI processing rate.