A framework for enabling security services collaboration across multiple domains

Network function virtualization opens a new era for security, allowing on-demand instantiation of defense appliances via technologies such as SDN (Software Defined Networking) and Service Function Chaining (SFC). Taking full advantage of such capabilities, however, requires collaboration among Security Service Functions (SSFs) distributed throughout the network. Indeed, collaboration among SSFs is expected to become as essential to SECaaS (SECurity as a Service) as elasticity is to IaaS (Infrastructure as a Service), enabling the efficient allocation of resources for handling large scale attacks. In this paper, we propose a framework leveraging SDN and SFC to improve collaboration among SSFs, allowing SSFs from different domains to negotiate and dynamically control the amount of resources dedicated to collaboration (called a “best-effort” mode). The feasibility, efficiency and scalability of the solution is experimentally assessed, showing that it incurs low overhead, increases the amount of traffic treated by SSFs before packets start being dropped.