Abstract: With the steady increase in the size and complexity of computer
networks it is necessary to move to more efficient solutions. Software Defined
Networking (SDN) is an approach to creating and managing networks that
separates the network's control plane from its data plane. Network Function
Virtualization (NFV) turns common network functions into virtualized network
functions. This is achieved by splitting each function into a single item with
the minimum resources it needs. Virtual networks require components that cover
not only existing features such as routing and switching but that can also scale
to future problems. SDN and NFV can work independently, since they perform two
separate tasks; however, they complement each other. In this paper, we focus on
a virtual network function (VNF) that performs deep packet inspection inside a
virtual network. This VNF is a routing application that inspects packets during
the handshake that takes place in Transport Layer Security (TLS). The Handshake
Protocol is responsible for the authentication and key exchange necessary to
establish or resume secure connections. The primary goal of the VNF is to
prevent users from reaching forbidden websites. To achieve that, the firewall
parses the Client Hello message during the handshake, extracts the server name,
checks it against a blacklist, and either grants or denies access to the user
depending on that name. This VNF was developed with the Data Plane Development
Kit (DPDK), a set of data plane libraries and network interface controller
drivers for fast packet processing. The application was placed inside a virtual
network as a virtual machine (VM) together with two other VMs. These components
were created on a Linux host and connected via a virtual switch, specifically
Open vSwitch. Open vSwitch rules direct the packet flows through the security
routing application, and, as described above, this firewall either forwards or
drops the traffic depending on the situation. The remaining two VMs were a client
that uses OpenSSL to attempt a secure (SSL/TLS) connection and an apache2 server
that acts as the banned site. Thus this TLS-blocking security application is
obliged to check the identity of the server, as declared in the handshake,
whenever a client requests a secure connection to it. This deployment presents
one of the many use-cases of VNFs in the field of security and the scalability
of an SDN network environment.
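The Client Hello check the abstract describes, written out as an added example in C (not code from the thesis or its DPDK application): walk the TLS record to the server_name extension, extract the host name, and decide whether to forward or drop. The sample record, the blocklist entry "banned.example", and the choice to forward traffic without a parsable SNI are constructed assumptions for this illustration.

```c
#include <string.h>

/* Walk a TLS record carrying a ClientHello and copy the server_name host into
 * out. Returns host length, or -1 if absent or malformed; every length field
 * is bounds-checked before the cursor moves, so truncated input cannot overrun. */
static int extract_sni(const unsigned char *p, size_t len, char *out, size_t outlen)
{
    size_t i = 5;                                          /* skip record header */
    if (len < 9 || p[0] != 0x16 || p[5] != 0x01) return -1; /* handshake, ClientHello */
    i += 4 + 2 + 32;                                       /* hs header, version, random */
    if (i + 1 > len) return -1;
    i += 1 + p[i];                                         /* session_id */
    if (i + 2 > len) return -1;
    i += 2 + ((p[i] << 8) | p[i + 1]);                     /* cipher_suites */
    if (i + 1 > len) return -1;
    i += 1 + p[i];                                         /* compression_methods */
    if (i + 2 > len) return -1;
    size_t end = i + 2 + ((p[i] << 8) | p[i + 1]);         /* end of extensions block */
    if (end > len) return -1;
    for (i += 2; i + 4 <= end; ) {
        unsigned type = (p[i] << 8) | p[i + 1], elen = (p[i + 2] << 8) | p[i + 3];
        const unsigned char *e = p + i + 4;                /* extension_data */
        if (i + 4 + elen > end) return -1;
        if (type == 0 && elen >= 5 && e[2] == 0) {         /* server_name, host_name */
            size_t hlen = (e[3] << 8) | e[4];
            if (5 + hlen > elen || hlen >= outlen) return -1;
            memcpy(out, e + 5, hlen); out[hlen] = '\0';
            return (int)hlen;
        }
        i += 4 + elen;
    }
    return -1;
}

static const char *blocklist[] = { "banned.example", NULL };   /* constructed list */
/* 1 = forward, 0 = drop. No parsable SNI is forwarded here; a stricter policy could drop it. */
int decide(const unsigned char *pkt, size_t len)
{
    char host[256];
    if (extract_sni(pkt, len, host, sizeof host) < 0) return 1;
    for (const char **b = blocklist; *b; b++) if (strcmp(host, *b) == 0) return 0;
    return 1;
}
/* Constructed TLS record: minimal ClientHello whose only extension is SNI "banned.example". */
static const unsigned char sample_hello[] = {
    0x16, 0x03, 0x01, 0x00, 0x46, 0x01, 0x00, 0x00, 0x42, 0x03, 0x03,  /* record, hs, version */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,   /* random */
    0x00, 0x00, 0x02, 0x13, 0x01, 0x01, 0x00, 0x00, 0x17,               /* sid, ciphers, comp, ext len */
    0x00, 0x00, 0x00, 0x13, 0x00, 0x11, 0x00, 0x00, 0x0e,               /* server_name ext header */
    'b','a','n','n','e','d','.','e','x','a','m','p','l','e' };
```

In a DPDK pipeline the same check would run on the TCP payload of each mbuf, but the parsing and the decision are independent of how the packet was received.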