Hybrid security architecture for data center networks

Ho Yu Lam, Song Zhao, Kang Xi, H. Jonathan Chao

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Security is critical to data centers, especially multi-tenant data centers that host a variety of applications in a single facility. Conventional schemes place security devices (middleboxes) at a few choke points (e.g., core routers) and rely on routing policy to guarantee middlebox traversal. Coupling routing and security services together complicates operation and troubleshooting since routing and security are operated by different teams. When a data center scales, the security system needs to be upgraded accordingly. However, the current approaches are not flexible and incur high cost. Observing that rich computing resources are already available in data centers, we are interested in using a large number of software middleboxes to achieve scalability and cost efficiency. We present Hybrid Security Architecture (HSA), a design to decouple security services from routing and to allow the integration of hardware and software middleboxes in a complementary way. HSA is more cost-effective and flexible compared to the conventional schemes that solely use hardware middleboxes. It allows topology and routing changes with minimal impact to security services, and vice versa. In particular, HSA does not require modification to switches and routers. This paper explains the framework of HSA, describes the key techniques, presents a testbed to validate the design, and discusses future research directions.

Original language: English (US)
Title of host publication: 2012 IEEE International Conference on Communications, ICC 2012
Pages: 2939-2944
Number of pages: 6
DOIs: https://doi.org/10.1109/ICC.2012.6364521
State: Published - 2012
Event: 2012 IEEE International Conference on Communications, ICC 2012 - Ottawa, ON, Canada
Duration: Jun 10 2012 to Jun 15 2012

Other

Other: 2012 IEEE International Conference on Communications, ICC 2012
Country: Canada
City: Ottawa, ON
Period: 6/10/12 to 6/15/12

Fingerprint

Routers
Hardware
Costs
Electric inductors
Testbeds
Security systems
Scalability
Switches
Topology

ASJC Scopus subject areas

  • Electrical and Electronic Engineering
  • Computer Networks and Communications

Cite this

Lam, H. Y., Zhao, S., Xi, K., & Chao, H. J. (2012). Hybrid security architecture for data center networks. In 2012 IEEE International Conference on Communications, ICC 2012 (pp. 2939-2944). [6364521] https://doi.org/10.1109/ICC.2012.6364521

@inproceedings{e0939c303e8d400babce481b06e44966,
title = "Hybrid security architecture for data center networks",
author = "Lam, {Ho Yu} and Song Zhao and Kang Xi and Chao, {H. Jonathan}",
year = "2012",
doi = "10.1109/ICC.2012.6364521",
language = "English (US)",
isbn = "9781457720529",
pages = "2939--2944",
booktitle = "2012 IEEE International Conference on Communications, ICC 2012",

}
