SHIN, WANG AND GU: A FIRST STEP TOWARDS NETWORK SECURITY VIRTUALIZATION: FROM CONCEPT TO PROTOTYPE 1 A First Step Towards Network Security Virtualization: From Concept To Prototype

Network security management is becoming more and more complicated in recent years, considering the need of deploying more and more network security devices/middle-boxes at various locations inside the already complicated networks. A grand challenge in this situation is that current management is inflexible and the security resource utilization is not efficient. The flexible deployment and utilization of proper security devices at reasonable places at needed time with low management cost is extremely difficult. In this paper we present a new concept of Network Security Virtualization (NSV), which virtualizes security resources/functions to network administrators/users, and thus maximally utilizing existing security devices/middle-boxes. In addition, it enables security protection to desirable networks with minimal management cost. To verify this concept, we further design and implement a prototype system, NETSECVISOR, which can utilize existing pre-installed (fixed-location) security devices and leverage software-defined networking (SDN) technology to virtualize network security functions. At its core, NETSECVISOR contains (i) a simple script language to register security services and policies, (ii) a set of routing algorithms to determine optimal routing paths for different security policies based on different needs, and (iii) a set of security response functions/strategies to handle security incidents. We deploy NETSECVISOR in both virtual test networks and a commercial switch environment to evaluate its performance and feasibility. The evaluation results show that our prototype only adds a very small overhead while providing desired network security virtualization to network users/administrators.