Modern ICT infrastructures are evolving thanks to the advantages offered by virtualisation in terms of flexibility, scalability, and savings on hardware-related costs. More recently, virtualisation has gained momentum in the Internet Service Providers' infrastructures as well, where Software Defined Networking and Network Function Virtualisation paradigms propose programmability of the network and the softwarisation of proprietary hardware appliances. In this scenario, lightweight virtualisation technologies, such as Linux containers, have a significant role, as they address the needs for scalability, availability and fast deployment to support the software-based network infrastructures. In this paper, we focus on defining a reusable design for a container-based Virtual Network Security Function, by highlighting the peculiarities of its architecture compared to a Virtual Machine-based instance. Moreover, we present a prototype application of this architecture to implement an HTTP reverse proxy with application-layer filtering capabilities, tailored for the NFV Security-as-a-Service scenario. We evaluate the performance of this prototype and compare it to the results of alternative deployments, namely the Virtual Machine and bare-metal solutions. Finally, we evaluate the proposed solution in a load-balancing scenario, for increased throughput and availability.