Highlights
• We categorize virtual network security functions according to their types.
• We classify the studies on the optimal placement of virtual security functions in SDN.
• We identify important research challenges in the area of virtual security function placement.
• We propose promising future directions for virtual security function placement.
Abstract
Software Defined Networking (SDN) and Network Functions Virtualization (NFV) are two important technologies gaining prominence thanks to their benefits for improving the flexibility and cost efficiency in networks. These technologies have been utilized extensively for providing new age security solutions in recent years. Through the use of SDN and NFV, network security functions are virtualized and deployed in a hardware-independent manner, thus reducing costs as well as enabling faster innovations and developments. Functions virtualized with NFV such as firewall, deep packet inspection, intrusion detection systems etc. can reside as applications in the SDN architecture. The issue of where to place these functions in the network is an important problem discussed in the literature. When placing these functions, objectives such as efficient use of network resources, energy consumption, cost, network load, delay etc. must be considered for each function, in addition to ensuring that network security requirements are met. This paper provides a critical survey on the placement of virtualized network security functions in software defined networks and identifies open problems in this field. We briefly describe SDN and NFV technologies, touch upon the relationship between them, exemplify and review the most common virtual security functions in SDN. We also examine and compare the studies on the optimal placement of virtual security functions. Finally, we identify several open research challenges in this area and suggest potential future directions to be considered by researchers.
Keywords
SDN, NFV, VNF placement, Network security

Even though SDN and NFV are two nascent technologies coming from different sources as explained in Section 2 and can be implemented independently, they complement each other very well and can attain their full potential when they coexist, because both of them follow the basic principles of network agility, cost efficiency and defining network behavior with software. Therefore, when these technologies are used together, network control logic is abstracted from the forwarding mechanism and network functions are implemented as virtualized software [5].

Information security is one of the most significant challenges for SDN, as in all areas of technology. In a network structured with SDN and NFV technologies, security can be provided by virtualized security functions such as intrusion detection/prevention systems (IDS/IPS), deep packet inspection (DPI), firewall etc. [6]. The issue of where to place these functions in a network is a new and important problem faced by network operators. When determining the locations of these functions, s...