Rodrigo Ruas Oliveira

Virtual network security: threats, countermeasures, and challenges

Network virtualization has become increasingly prominent in recent years. It enables the creation of network infrastructures that are specifically tailored to the needs of distinct network applications and supports the instantiation of favorable environments for the development and evaluation of new architectures and protocols. Despite the wide applicability of network virtualization, the shared use of routing devices and communication channels leads to a series of security-related concerns. It is necessary to provide protection to virtual network infrastructures in order to enable their use in real, large scale environments. In this paper, we present an overview of the state of the art concerning virtual network security. We discuss the main challenges related to this kind of environment, some of the major threats, as well as solutions proposed in the literature that aim to deal with different security aspects.

Survivor: An enhanced controller placement strategy for improving SDN survivability

In SDN, forwarding devices can only operate correctly while connected to a logically centralized controller. To avoid single-point-of-failure, controller architectures are usually implemented as distributed systems. In this context, recent literature identified fundamental issues, such as device isolation and controller overload, and proposed controller placement strategies to tackle them. However, current proposals have crucial limitations: (i) device-controller connectivity is modeled using single paths, yet in practice multiple concurrent connections may occur; (ii) peaks in the arrival of new flows are only handled on-demand, assuming that the network itself can sustain high request rates; and (iii) failover mechanisms require predefined information, which, in turn, has been overlooked. This paper proposes Survivor, a controller placement strategy that addresses these challenges. The strategy explicitly considers path diversity, capacity, and failover mechanisms at network design. Comparisons to the state-of-the-art on survivable controller placement show that Survivor is superior because (a) path diversity increases the survivability significantly; and (b) capacity-awareness is essential to handle overload during both normal and failover states.

DoS-resilient virtual networks through multipath embedding and opportunistic recovery

Network virtualization can potentially limit the impact of attacks by isolating traffic from different networks. However, routers and links are still vulnerable to attacks on the underlying network. Specifically, should a physical link be compromised, all embedded virtual links will be affected. Previous work protects virtual networks by setting aside backup resources. Although effective, this solution tends to be expensive as backup resources usually remain idle. In this paper, we present a novel virtual network allocation approach which explores the trade-off between resilience to attacks and efficiency in resource utilization. Our approach is composed of two complementary strategies, one preventive and the other reactive. The former embeds virtual links into multiple substrate paths, while the latter attempts to reallocate any capacity affected by an underlying DoS attack. Both strategies are modeled as optimization problems. Numerical results show the level of resilience to attacks and the low cost demanded by our approach.

A heuristic-based algorithm for privacy-oriented virtual network embedding

Network virtualization has become increasingly popular in recent years. It has the potential to allow timely handling of network infrastructure requests and, after instantiated, their lifecycle. In addition, it enables improved physical resource utilization. However, the use of network virtualization in large-scale, real environments depends on the ability to adequately map virtual routers and links to physical resources, as well as to protect virtual networks against security threats. With respect to security, confidentiality and privacy mechanisms have become essential in light of recent discoveries related to pervasive electronic surveillance. In this paper we propose a heuristic method for virtual network embedding with security support. The method features precise modeling of overhead costs of security mechanisms and handles incoming requests in an online manner. Additionally, we present a detailed performance comparison between the proposed heuristic and an optimization model based on the same problem. The obtained results demonstrate that the heuristic method is able to find feasible mappings in the order of seconds even when dealing with large network infrastructures, while the optimization model is limited to smaller networks.

No more backups: Toward efficient embedding of survivable virtual networks

Although network virtualization can improve security by isolating traffic from different networks, routers and links are still vulnerable to attacks on the underlying network. High capacity physical links, in particular, constitute good targets since they may be important for a large number of virtual networks. Previous work protects virtual networks by setting aside backup resources. Although effective, this solution increases the cost to infrastructure providers. In this paper, we present a virtual network embedding approach which enables resilience to attacks and efficiency in resource utilization. Our approach is two-folded: while a preventive strategy embeds virtual links into multiple substrate paths, a reactive strategy attempts to reallocate any capacity affected by an underlying DoS attack. Since the embedding problem is NP-Hard, we devise a Simulated Annealing meta-heuristic to solve it efficiently. Results show our solution can provide resilience to attacks at a lower cost.

An immersive and collaborative visualization system for digital manufacturing

In this paper, an approach on immersive multiprojection visualization of manufacturing processes is proposed. It admits scenarios with dynamic components and allows virtual reality collaborative visualization among geographically distributed users through multi-CAVE devices. A set of modules for modeling, converting, visualizing, and interacting are also proposed. The method can be applied to CAD projects, models, and simulations used in industry. The ideas discussed are then validated through the study of a real case related to the shipbuilding and offshore industries.

A General Purpose Cave-Like System for Visualization of Animated and 4D CAD Modeling

In the last decade, virtual reality (VR) systems have been used to enhance the visualization of CAD projects. The immersive VR techniques allow to the designer interacting and modeling in a more intuitive and efficient way. Current 4D and animated simulation CAD tools are a new challenge for immersive visualization. In this paper we propose a general purpose cave-like system that enables interactive visualization of 4D and animated CAD models. In an automated way, the system is able to treat static and dynamic 3D environments, allowing to share the experience of navigation in the scene among the users, even geographically distributed. The system proposed is validated through a case-study using dynamic 3D models created on digital manufacturing softwares of Shipbuilding and Offshore Industries.

Opportunistic resilience embedding (ORE)

Network Virtualization promotes the development of new architectures and protocols by enabling the creation of multiple virtual networks on top of the same physical substrate. One of its main advantages is the use of isolation to limit the scope of attacks - that is, avoiding traffic from one virtual network to interfere with the others. However, virtual networks are still vulnerable to disruptions on the underlying network. Particularly, high capacity physical links constitute good targets since they may be important for a large number of virtual networks.Previous work protects virtual networks by setting aside backup resources. Although effective, this kind of solution tends to be expensive, as backup resources increase the cost to infrastructure providers and usually remain idle. This paper presents ORE (opportunistic resilience embedding), a novel embedding approach for protecting virtual links against substrate network disruptions. OREs design is two-fold: while a proactive strategy embeds each virtual link into multiple substrate paths in order to mitigate the initial impact of a disruption, a reactive one attempts to recover any capacity affected by an underlying disruption. Both strategies are modeled as optimization problems. Additionally, since the embedding problem is NP -Hard, ORE uses a simulated annealing-based meta-heuristic to solve it efficiently. Numerical results show that ORE can provide resilience to disruptions at a lower cost.

PredCloud: Providing predictable network performance in large-scale OpenFlow-enabled cloud platforms through trust-based allocation of resources

Cloud computing allows tenants to run a wide range of applications without any upfront capital investment. However, providers lack mechanisms to provide fair and predictable bandwidth sharing among allocated applications, enabling selfish and malicious tenants to cause performance interference in the network (and denial of service in an extreme case). Such interference results in poor and unpredictable network performance for well-behaved applications. Recent research has proposed techniques that (i) cannot protect tenants against interference; (ii) result in under utilization of resources; or (iii) add substantial management overhead. In this paper, we describe a resource allocation strategy that aims at providing predictable network performance (i.e., minimizing performance interference) with bandwidth guarantees for tenant applications, while maintaining high network utilization and low management overhead. These benefits are achieved by grouping applications from mutually trusting users into logically isolated domains (virtual infrastructures - VIs) with bandwidth guarantees, while also considering the amount of traffic generated by applications. Despite the benefits, grouping may lead to fragmentation (i.e., available resources are dispersed among VIs and some requests may be unnecessarily declined). Therefore, we also study the associated trade-off (grouping to increase isolation versus resource fragmentation). To illustrate the feasibility of grouping applications inside VIs, we develop PredCloud, a system that implements the proposed strategy on SDN/OpenFlow-enabled networks. Through an extensive evaluation, we show that PredCloud significantly reduces performance interference and application exposure to attacks, while maintaining low resource fragmentation. Furthermore, provider revenue can be increased by efficiently managing and charging network resources.

A toolset for efficient privacy-oriented virtual network embedding and its instantiation on SDN/OpenFlow-based substrates

Abstract Network virtualization has become increasingly popular in recent years. It has the potential to allow timely handling of network infrastructure requests and, after instantiated, their lifecycle. In addition, it enables improved physical resource utilization. However, the use of network virtualization in large-scale, real environments depends on the ability to adequately map virtual routers and links to physical resources, as well as to protect virtual networks against security threats. With respect to security, mechanisms supporting confidentiality and privacy have become essential in light of recent discoveries related to pervasive electronic surveillance. In this paper we propose a set of tools to efficiently embed virtual networks with privacy support and to allow their real instantiation on top of SDN/OpenFlow-based substrates. This toolset unfolds into three main contributions: (a) an exact VNE model suitable for smaller networks, which also serves the purpose of determining an optimality baseline; (b) a heuristic VNE algorithm, which features precise modeling of overhead costs of security mechanisms and handles incoming requests in an online manner; and (c) a VNE to SDN/OpenFlow translation mechanism, which takes as input the outcome of the heuristic VNE algorithm and produces a set of coherent OpenFlow rules to guide the real instantiation of the mapped virtual networks. We present a detailed performance comparison between the proposed heuristic and the optimization model. The obtained results demonstrate that the heuristic algorithm is able to find feasible mappings in the order of seconds even when dealing with large network infrastructures. Finally, we demonstrate how mappings generated by our heuristic VNE algorithm may be implemented in practice as well as assess the technical feasibility of this process.