Anat Bremler-Barr
ABSTRACT
Middleboxes play a major role in contemporary networks, as forwarding packets is often not enough to meet operator demands, and other functionalities (such as security, QoS/QoE provisioning, and load balancing) are required. Traffic is usually routed through a sequence of such middleboxes, which either reside across the network or in a single, consolidated location. Although middleboxes provide a vast range of different capabilities, there are components that are shared among many of them.
A task common to almost all middleboxes that deal with L7 protocols is Deep Packet Inspection (DPI). Today, traffic is inspected from scratch by all the middleboxes on its route. In this paper, we propose to treat DPI as a service to the middleboxes, implying that traffic should be scanned only once, but against the data of all middleboxes that use the service. The DPI service then passes the scan results to the appropriate middleboxes. Having DPI as a service has significant advantages in performance, scalability, robustness, and as a catalyst for innovation in the middlebox domain. Moreover, technologies and solutions for current Software Defined Networks (SDN) (e.g., SIMPLE [41]) make it feasible to implement such a service and route traffic to and from its instances.
- Yehuda Afek, Anat Bremler-Barr, Yotam Harchol, David Hay, and Yaron Koral. MCA$^\mbox2$: multi-core architecture for mitigating complexity attacks. In ANCS, pages 235--246, 2012. Google Scholar
Digital Library
- Alfred V. Aho and Margaret J. Corasick. Efficient string matching: An aid to bibliographic search. Commun. of the ACM, 18(6):333--340, 1975. Google ScholarDigital Library
- Alexa: The web information company, 2013. http://www.alexa.com/topsites.Google Scholar
- James W. Anderson, Ryan Braud, Rishi Kapoor, George Porter, and Amin Vahdat. xOMB: extensible open middleboxes with commodity servers. In ANCS, pages 49--60, 2012. Google ScholarDigital Library
- Zachary K. Baker and Viktor K. Prasanna. Time and area efficient pattern matching on FPGAs. In FPGA, pages 223--232, 2004. Google ScholarDigital Library
- Michela Becchi and Patrick Crowley. A hybrid finite automaton for practical deep packet inspection. In CoNEXT, page 1, 2007. Google ScholarDigital Library
- Michela Becchi and Patrick Crowley. An improved algorithm to accelerate regular expression evaluation. In ANCS, pages 145--154, 2007. Google ScholarDigital Library
- Blue coat packet shapper. http://www.bluecoat.com/products/packetshaper.Google Scholar
- Anat Bremler-Barr, Yotam Harchol, and David Hay. Space-time tradeoffs in software-based deep packet inspection. In HPSR, pages 1--8, 2011.Google ScholarCross Ref
- The Bro Network Security Monitor. http://bro-ids.org.Google Scholar
- CheckPoint. Check Point DLP software blade.\http://www.checkpoint.com/products/dlp-software-blade/.Google Scholar
- Clam AntiVirus. http://www.clamav.net.Google Scholar
- Intel Corp. Service-aware network architecture based on SDN, NFV, and network intelligence, 2014. http://www.qosmos.com/wp-content/uploads/2014/01/Intel_Qosmos_SDN_NFV_329290-002US-secured.pdf.Google Scholar
- Crossbeam. Virtualized security: The next generation of consolidation, 2012. http://www.computerlinks.ch/FMS/14322.virtualized_security_en_.pdf.Google Scholar
- Sarang Dharmapurikar, John Lockwood, and Member Ieee. Fast and scalable pattern matching for network intrusion detection systems. IEEE Journal on Selected Areas in Communications, 24:2006, 2006. Google ScholarDigital Library
- ETSI. Network functions virtualisation - introductory white paper, 2012. http://portal.etsi.org/NFV/NFV_White_Paper.pdf.Google Scholar
- Seyed Kaveh Fayazbakhsh, Michael K Reiter, and Vyas Sekar. Verifiable network function outsourcing: requirements, challenges, and roadmap. In HotMiddlebox, pages 25--30, 2013. Google ScholarDigital Library
- Seyed Kaveh Fayazbakhsh, Vyas Sekar, Minlan Yu, and Jeffrey C. Mogul. FlowTags: enforcing network-wide policies in the presence of dynamic middlebox actions. In HotSDN, pages 19--24, 2013. Google ScholarDigital Library
- Domenico Ficara, Stefano Giordano, Gregorio Procissi, Fabio Vitucci, Gianni Antichi, and Andrea Di Pietro. An improved DFA for fast regular expression matching. Computer Communication Review, 38(5):29--40, 2008. Google ScholarDigital Library
- Open Networking Foundation. Openflow switch specification version 1.4.0, October 2013. https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-spec-v1.4.0.pdf.Google Scholar
- Jing Fu and Jennifer Rexford. Efficient IP-address lookup with a shared forwarding table for multiple virtual routers. In CoNEXT, page 21, 2008. Google ScholarDigital Library
- Aaron Gember, Anand Krishnamurthy, Saul St. John, Robert Grandl, Xiaoyang Gao, Ashok Anand, Theophilus Benson, Aditya Akella, and Vyas Sekar. Stratos: A network-aware orchestration layer for middleboxes in the cloud. CoRR, abs/1305.0209, 2013.Google Scholar
- Aaron Gember, Prathmesh Prabhu, Zainab Ghadiyali, and Aditya Akella. Toward software-defined middlebox networking. In HotNets, pages 7--12, 2012. Google ScholarDigital Library
- Glen Gibb, Hongyi Zeng, and Nick Mckeown. Outsourcing network functionality. In HotSDN, pages 73--78, 2012. Google ScholarDigital Library
- Lukas Kekely, Viktor Pus, and Jan Korenek. Software defined monitoring of application protocols. In INFOCOM, pages 1725--1733, 2014.Google ScholarCross Ref
- Junaid Khalid and Josh Slauson. Fault tolerant middleboxes. Technical report, University of Wisconsin - Madison, 2012.Google Scholar
- Pritesh Kothari. Network Service Header support for OVS. OVS Code Patch, September 2013. http://openvswitch.org/pipermail/dev/2013-September/032036.html.Google Scholar
- Sailesh Kumar, Sarang Dharmapurikar, Fang Yu, Patrick Crowley, and Jonathan Turner. Algorithms to accelerate multiple regular expressions matching for deep packet inspection. In SIGCOMM, pages 339--350, 2006. Google ScholarDigital Library
- Sailesh Kumar, Jonathan Turner, and John Williams. Advanced algorithms for fast and scalable deep packet inspection. In ANCS, pages 81--92, 2006. Google ScholarDigital Library
- Bob Lantz, Brandon Heller, and Nick McKeown. A network in a laptop: Rapid prototyping for software-defined networks. In Hotnets-IX, pages 19:1--19:6, 2010. Google ScholarDigital Library
- Hoang Le, Thilan Ganegedara, and Viktor K Prasanna. Memory-efficient and scalable virtual routers using FPGA. In FPGA, pages 257--266, 2011. Google ScholarDigital Library
- Wenke Lee, Jo\ ao B. D. Cabrera, Ashley Thomas, Niranjan Balwalli, Sunmeet Saluja, and Yi Zhang. Performance adaptation in real-time intrusion detection systems. In RAID, pages 252--273, 2002. Google ScholarDigital Library
- Chad R. Meiners, Jignesh Patel, Eric Norige, Eric Torng, and Alex X. Liu. Fast regular expression matching using small TCAMs for network intrusion detection and prevention systems. In USENIX Security, pages 8--8, 2010. Google ScholarDigital Library
- ModSecurity. http://www.modsecurity.org.Google Scholar
- A10 Networks. aFleX advanced scripting for layer 4--7 traffic management. http://www.a10networks.com/products/axseries-aflex_advanced_scripting.php.Google Scholar
- Big Switch Networks. Big tap monitoring fabric, 2014. http://www.bigswitch.com/products/big-tap-monitoring-fabric.Google Scholar
- F5 Networks. Local traffic manager. https://f5.com/products/modules/local-traffic-manager.Google Scholar
- PCRE - Perl Compatible Regular Expressions. http://www.pcre.org/.Google Scholar
- Personal communication with several networking and security companies.Google Scholar
- Pox controller, 2013. http://www.noxrepo.org/pox/about-pox.Google Scholar
- Zafar Ayyub Qazi, Cheng-Chun Tu, Luis Chiang, Rui Miao, Vyas Sekar, and Minlan Yu. SIMPLE-fying middlebox policy enforcement using SDN. In SIGCOMM, pages 27--38, 2013. Google ScholarDigital Library
- Paul Quinn, Puneet Agarwal, Rajeev Manur, Rex Fernando, Jim Guichard, Surendra Kumar, Abhishek Chauhan, Michael Smith, Navindra Yadav, and Brad McConnell. Network service header. IETF Internet-Draft, February 2014. https://datatracker.ietf.org/doc/draft-quinn-sfc-nsh.Google Scholar
- Shriram Rajagopalan, Dan Williams, and Hani Jamjoom. Pico replication: a high availability framework for middleboxes. In SoCC, pages 1:1--1:15, 2013. Google ScholarDigital Library
- Shriram Rajagopalan, Dan Williams, Hani Jamjoom, and Andrew Warfield. Split/merge: System support for elastic execution in virtual middleboxes. In NSDI, pages 227--240, 2013. Google ScholarDigital Library
- Vyas Sekar, Norbert Egi, Sylvia Ratnasamy, Michael K Reiter, and Guangyu Shi. Design and implementation of a consolidated middlebox architecture. In NSDI, pages 24--38, 2012. Google ScholarDigital Library
- Nisarg Shah. Cisco vPath technology enabling best-in-class cloud network services, August 2013.\http://blogs.cisco.com/datacenter/cisco-vpath-technology-enabling-best-in-class-cloud-network-services/.Google Scholar
- Justine Sherry, Shaddi Hasan, Colin Scott, Arvind Krishnamurthy, Sylvia Ratnasamy, and Vyas Sekar. Making middleboxes someone else's problem: network processing as a cloud service. In SIGCOMM, pages 13--24, 2012. Google ScholarDigital Library
- Snort. http://www.snort.org.Google Scholar
- Haoyu Song, Murali Kodialam, Fang Hao, and TV Lakshman. Building scalable virtual routers with trie braiding. In INFOCOM, pages 1--9, 2010. Google ScholarDigital Library
- Sony Ericsson Latest Victim of SQL Injection Attack, 2011. http://www.eweek.com/c/a/Security/Sony-Data-Breach-Was-Camouflaged-by-Anonymous-DDoS-Attack-807651.Google Scholar
- Sun Wu and Udi Manber. A fast algorithm for multi-pattern searching. Technical report, Chung-Cheng University, University of Arizona, 1994.Google Scholar
- Fang Yu, Zhifeng Chen, Yanlei Diao, T. V. Lakshman, and Randy H. Katz. Fast and memory-efficient regular expression matching for deep packet inspection. In ANCS, pages 93--102, 2006. Google ScholarDigital Library
Index Terms
- Deep Packet Inspection as a Service
Recommendations
Enabling Secure and Dynamic Deep Packet Inspection in Outsourced Middleboxes
SCC '18: Proceedings of the 6th International Workshop on Security in Cloud ComputingOutsourced middlebox services have been a natural trend in modern enterprise networks to handle advanced traffic processing such as deep packet inspection, traffic classification, and load balancing. However, traffic redirection to outsourced ...
Deep packet inspection tools and techniques in commodity platforms: Challenges and trends
Deep packet inspection (DPI) helps Internet service providers in efforts to profile networked applications. By relying on DPI systems, Internet service providers may apply different charging policies, traffic shaping, or offer quality of service (QoS) ...
Comments