VNGuard: An NFV/SDN Combination Framework for Provisioning and Managing Virtual Firewalls

Network Function Virtualization (NFV) together with cloud technology enables users to request creating flexible virtual networks (VNs). Users also have specific security requirements to protect their VNs. Especially, due to changeable network perimeters, constant VM migrations, and usercentric security needs, VNs require new security features that traditional firewalls fail to provide, because traditional firewalls rely greatly on restricted network topology and entry points to provide effective security protection. To address this challenge, we propose VNGuard, a framework for effective provision and management of virtual firewalls to safeguard VNs, leveraging features provided by NFV and Software Defined Networking (SDN). VNGuard defines a high-level firewall policy language, finds optimal virtual firewall placement, and adapts virtual firewalls to VN changes. To demonstrate the feasibility of our approach, we have implemented core components of VNGuard on top of ClickOS. Our experimental results demonstrate the effectiveness and efficiency of virtual firewalls built on VNGuard.