Network functions virtualization-based security proposals for cloud computing environments
| Ano de defesa: | 2019 |
|---|---|
| Autor(a) principal: | |
| Orientador(a): | |
| Banca de defesa: | |
| Tipo de documento: | Tese |
| Tipo de acesso: | Acesso aberto |
| Idioma: | eng |
| Instituição de defesa: |
Universidade Federal do Rio de Janeiro
Brasil Instituto Alberto Luiz Coimbra de Pós-Graduação e Pesquisa de Engenharia Programa de Pós-Graduação em Engenharia Elétrica UFRJ |
| Programa de Pós-Graduação: |
Não Informado pela instituição
|
| Departamento: |
Não Informado pela instituição
|
| País: |
Não Informado pela instituição
|
| Palavras-chave em Português: | |
| Link de acesso: | http://hdl.handle.net/11422/20420 |
Resumo: | This thesis implements and evaluates Network Functions Virtualization-based security proposals for cloud computing environments. The following are the main contributions of this work: (i) We move a large number of security rules implemented in Top-of-Rack routers of a studied virtualized data center to virtual firewalls created in commodity hardware. Thus, we can reduce costs and release TCAM resources for accelerating routing operations. We evaluate an Iptables FireWall Virtual Se- curity Function (FW-VSF) performance against the demands encountered in the production data center studied. (ii) We propose and implement the ACLFLOW framework that is an NFV/SDN security framework that creates and manages dis- tributed OpenFlow FW-VSFs as an alternative to using router TCAMs or special- ized security middleboxes to control traffic from virtual machines in a cloud comput- ing environment. ACLFLOW translates regular security rules (source/destination IP, source/destination port, and protocol) into OpenFlow filtering rules. Besides, it creates and manages large amounts of OpenFlow rules on distributed firewall VSFs and implements mechanisms that orchestrate and accelerate the deployment of OpenFlow FW-VSF in production clouds. We also propose an algorithm that timely adapts FW-VSF rules to changes in the traffic conditions by dynamically prioritizing the most popular rules to improve performance. (iii) We propose and implement an NFV security architecture that provides automatic and efficient pro- tection against attacks, by chaining a Virtual Security Function to the data stream to dynamically block malicious traffic without stopping the benign one. We proto- type our security proposals into the Open Platform for NFV (OPNFV) and evaluate their performances. |