DocumentCode
3347735
Title
Joint Traffic Routing and Distribution of Security Services in High Speed Networks
Author
Hess, Anne ; Sengupta, Sabyasachi ; Kumar, V.P.
Author_Institution
Telecommun. Networks Group, Tech. Univ. Berlin, Berlin
fYear
2008
fDate
13-18 April 2008
Abstract
The continued explosion of new virus/worm and other security attacks in the Internet and the tremendous propagation speed of self-propagating attacks have led to network security being considered as a design criterion rather than an afterthought. Attack prevention, detection, and mitigation mechanisms can be broadly classified as network based or host based. Network based security mechanisms have been shown to be much more effective than host based mechanisms, primarily because of the former's ability in identifying attack traffic that is further upstream from the victim and closer to the attack source. In the context of network based mechanisms, we consider a flexible overlay network of security systems running on top of programmable (active) routers. In such an architecture, security services can be dynamically distributed across the network, which provides flexibility for load-balancing of services across nodes and addition of new services over time. Such network based mechanisms inevitably decrease network performance as all packets are analyzed for malicious content before being forwarded. In this paper, we consider traffic routing, placement of active router nodes, and distribution of security services across such nodes so as to optimize certain objectives, including (i) minimize the total number of active router deployed nodes, and (ii) minimize the maximum utilization of any router node in the network. Based on an emulation in the Deter testbed we show the benefit of the presented approach.
Keywords
Internet; resource allocation; telecommunication network routing; telecommunication security; telecommunication traffic; Internet; high speed networks; load-balancing; security attacks; security services; self-propagating attacks; traffic routing; Communications Society; Explosions; High-speed networks; Peer to peer computing; Protection; Routing; Telecommunication traffic; Traffic control; USA Councils; Web and internet services;
fLanguage
English
Publisher
ieee
Conference_Titel
INFOCOM 2008. The 27th Conference on Computer Communications. IEEE
Conference_Location
Phoenix, AZ
ISSN
0743-166X
Print_ISBN
978-1-4244-2025-4
Type
conf
DOI
10.1109/INFOCOM.2008.296
Filename
4509891