TO: Prof. Ellis
FROM: Tarin Sultana
DATE: 03/03/2021
SUBJECT: 500-Word Summary of Article About Network Security
The following is a 500-word summary of a peer-reviewed article about how to secure virtualized network using Network Security Virtualization (NSV). The authors introduce a new method of network security virtualization using NETSECVISOR with the least management cost. According to the authors, “The main goal of this work is to propose a new idea, network security virtualization (NSV), and design a prototype system (with the name of NETSECVISOR) that can enable NSV in cloud-like networks to help all tenants easily use security services.” (Shin et al., 2015). To demonstrate the usefulness of Network Security Virtualization (NSV), network security follows two strategies: (i) transparently monitoring flows to preferred network security providers and (ii) allowing network security response functions on a network computer. As an example of NSV setup, some essential elements are necessary, such as six routers (R1 – R6), three hosts (H1 – H3), 2 VMs (VM1 and VM2), and a Network Intrusion Detection System. By blocking network packets from each infected host, NETSECVISOR protects corrupted VMs from a network. Network security virtualization has two main functions: (i) transparently transmit network flows to desired security devices, and (ii) allow security formulas in network devices when required. Software-Defined Networking (SDN) is an evolving network technique that allows management network flows and tracks for overall network status efficiently. Five main functions of NETSECVISOR. (i) System and policy manager, (ii) Routing rule generator, (iii) Flow rule enforcer, (iv) Response manager, and (v) Data manager. A cloud administrator must use a simple script language that requires (i) system ID, (ii) device form, (iii) device position, (iv) device mode, and (v) supported functions to register existing security devices with NETSECVISOR to use them. After registering security devices for a cloud network with NETSECVISOR, it will show the security devices’ details to users using the cloud network. For security requirements, NETSECVISOR should consider the following two factors: (i) network packets should pass through specific security devices, and (ii) The network packet routing paths have to be developed and optimized. NETSECVISOR allows for introducing five security response techniques that do not necessitate installing physical security equipment or improvements to network configurations for packet handling. There are two modes of operation for these methods: passive mode and in-line mode. To check the adequacy and effectiveness of NETSECVISOR, there are three different network topologies, but two are for a virtual network environment, and another is a commercial switch environment. NETSECVISOR can construct a routing path in 1 millisecond, which translates to 1,000 network flows per second. Each topology’s CPU and memory consumption overhead are also assessing. When NETSECVISOR creates routing routes, it adds overhead. A comprehensive cloud network has millions of clients and virtual machines, and each routing path can be generated independently and asynchronously. NETSECVISOR prototype is easy to use, and clients can quickly build their own security rules; users have more choices for system types, traffic types, and response activities. Also, NVS can virtualize security resources and functions and provide security response functions from network devices as needed.
Reference
Shin, S., Wang, H., and Gu, G. (2015). A first step toward network security virtualization: From concept to prototype. IEEE Transactions on Information Forensics and Security, 10(10), 2236-2249. https://doi.org/10.1109/TIFS.2015.2453936