Container-based design of a Virtual Network Security Function

Abstract

Modern ICT infrastructures are evolving thanks to the advantages offered by virtualisation in terms of flexibility, scalability, and savings on hardware-related costs. More recently, virtualisation has gained momentum in the Internet Service Providers' infrastructures as well, where Software Defined Networking and Network Function Virtualisation paradigms propose programmability of the network and the softwarisation of proprietary hardware appliances. In this scenario, lightweight virtualisation technologies, such as Linux containers, have a significant role, as they address the needs for scalability, availability and fast deployment to support the software-based network infrastructures. In this paper, we focus on defining a reusable design for a container-based Virtual Network Security Function, by highlighting the peculiarities of its architecture compared to a Virtual Machine-based instance. Moreover, we present a prototype application of this architecture to implement an HTTP reverse proxy with application-layer filtering capabilities, tailored for the NFV Security-as-a-Service scenario. We evaluate the performance of this prototype and compare it to the results of alternative deployments, namely the Virtual Machine and bare-metal solutions. Finally, we evaluate the proposed solution in a load-balancing scenario, for increased throughput and availability.