Article code: 448912
Journal code: 693611
Publication year: 2006
English article: 10-page PDF
Full-text version: Free download
English title of the ISI article
Online adaptive firewall allocation in internet data center
Related topics
Engineering and Basic Sciences, Computer Engineering, Computer Networks and Communications
English abstract

The emerging applications service providers, such as e-commerce and search engine, are increasingly hosting their services in Internet Data Centers (IDCs). At the same time, IDCs become the target of malicious attacks over the Internet. Firewalls as a crucial infrastructure are chosen to protect IDCs. However, the current static firewall allocation scheme may lead to low resource utilization or poor user level quality of service (QoS), even worse, may reduce system security level. In this paper, we first derive the relationship among the number of firewalls, the number of packet filtering rules in firewall, and the user level QoS. Based on the relationship, we propose an on-line adaptive firewall allocation algorithm that computes the number of firewalls required at different times to meet the given security and user level QoS requirements while achieving resource savings. The performance of the proposed algorithm is evaluated via trace-driven simulation and compared with the static firewall allocation scheme. Example findings include (1) with the same resource (firewall) and the same number of packet filtering rules, the adaptive algorithm provides better QoS by adaptively allocating firewalls according to the dynamic request load; (2) to achieve the same QoS requirement, with the same number of packet filtering rules, the adaptive algorithm requires less resource than the static method; and (3) the average number of firewalls decreases as the expected delay increases. Moreover, we extend our study to explore the impacts of the key algorithm and system parameters (e.g. control time scale and migration time) on the adaptive firewall allocation scheme. We find that both control time scale and migration time have minor impacts on the performance of the proposed adaptive firewall allocation scheme. The proposed scheme can be applied to the next generation IDCs which are physically wired once but can be rewired programmatically.

Publisher
Database: Elsevier - ScienceDirect
Journal: Computer Communications - Volume 29, Issue 10, 19 June 2006, Pages 1858–1867
Authors
, ,