TY - GEN
T1 - Hybrid security architecture for data center networks
AU - Lam, Ho Yu
AU - Zhao, Song
AU - Xi, Kang
AU - Chao, H. Jonathan
PY - 2012
Y1 - 2012
N2 - Security is critical to data centers, especially multi-tenant data centers that host a variety of applications in a single facility. Conventional schemes place security devices (middleboxes) at a few choke points (e.g., core routers) and rely on routing policy to guarantee middlebox traversal. Coupling routing and security services together complicates operation and troubleshooting since routing and security are operated by different teams. When a data center scales, the security system needs to be upgraded accordingly. However, the current approaches are not flexible and incur high cost. Observing that rich computing resources are already available in data centers, we are interested in using a large number of software middleboxes to achieve scalability and cost efficiency. We present Hybrid Security Architecture (HSA), a design to decouple security services from routing and to allow the integration of hardware and software middleboxes in a complementary way. HSA is more cost-effective and flexible compared to the conventional schemes that solely use hardware middleboxes. It allows topology and routing changes with minimal impact to security services, and vice versa. In particular, HSA does not require modification to switches and routers. This paper explains the framework of HSA, describes the key techniques, presents a testbed to validate the design, and discusses future research directions.
AB - Security is critical to data centers, especially multi-tenant data centers that host a variety of applications in a single facility. Conventional schemes place security devices (middleboxes) at a few choke points (e.g., core routers) and rely on routing policy to guarantee middlebox traversal. Coupling routing and security services together complicates operation and troubleshooting since routing and security are operated by different teams. When a data center scales, the security system needs to be upgraded accordingly. However, the current approaches are not flexible and incur high cost. Observing that rich computing resources are already available in data centers, we are interested in using a large number of software middleboxes to achieve scalability and cost efficiency. We present Hybrid Security Architecture (HSA), a design to decouple security services from routing and to allow the integration of hardware and software middleboxes in a complementary way. HSA is more cost-effective and flexible compared to the conventional schemes that solely use hardware middleboxes. It allows topology and routing changes with minimal impact to security services, and vice versa. In particular, HSA does not require modification to switches and routers. This paper explains the framework of HSA, describes the key techniques, presents a testbed to validate the design, and discusses future research directions.
UR - http://www.scopus.com/inward/record.url?scp=84871943222&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84871943222&partnerID=8YFLogxK
U2 - 10.1109/ICC.2012.6364521
DO - 10.1109/ICC.2012.6364521
M3 - Conference contribution
AN - SCOPUS:84871943222
SN - 9781457720529
T3 - IEEE International Conference on Communications
SP - 2939
EP - 2944
BT - 2012 IEEE International Conference on Communications, ICC 2012
T2 - 2012 IEEE International Conference on Communications, ICC 2012
Y2 - 10 June 2012 through 15 June 2012
ER -