Design and implementation of the data plane for provisioning high-performance security services in a dynamic network environment

Abstract

Modern network environments are constantly changing due to various reasons such as migration of virtualized hosts, movements of mobile devices, and changes in application / service lifecycle. In order to provide appropriate network security for these environments, security services must also be able to accommodate such changes in the network. To achieve this, security services typically adopt software-defined networking (SDN) and network function virtualization (NFV) techniques. Unfortunately, these approaches result in significant performance losses as follows. First, network bandwidth is greatly wasted due to redundant traffic routing. Second, since security services are processed in software, their performance is insufficient for handling advanced features such as DPI. Third, traffic is concentrated on specific nodes or links where security services are located, resulting in performance loss due to processing overhead and resource imbalance. This dissertation focuses on such performance issues found in the provision of security services in a dynamic network environment. As a solution to each problem, we propose 1) an architecture that integrates security services into a data plane (DPX), 2) a real-time programmable hardware regular expression processor (Reinhardt), and 3) a system for network resource and traffic distribution by traffic engineering (QoSE), and present their implementation and design. We expect this dissertation to contribute to the establishment of more secure and improved network infrastructure by presenting practical solutions for high-performance security services with modern network characteristics and increasing network traffic in mind.