Securing federated cloud networks using Service Function Chaining

Sébastien Dupont - CETIC

Software-defined networking (SDN), network function virtualization (NFV) and service function chaining (SFC) technologies enable more advanced and flexible cloud federation mechanisms. In this blog post, we will show how to use those technologies in federated clouds to improve security.

Protecting network overlays using Service Function Chaining

Cloud network security can be significantly improved by composing network functions such as firewalls, intrusion detection, deep packet inspection, etc. The image below illustrates how data flows through different paths depending on network security policies.

What about protecting federated networks?

SFC and NFV provide a way to secure each individual network inside a cloud federation. The following figure shows two federated networks belonging to different clouds that are protected using SFC/NFV. Each cloud administrator manages their own network security policy, and an additional global federated network security policy is applied on top. For each cloud, the intra-cloud inbound and outbound traffic goes through a series of NFV.


Protecting an OpenStack federation with SFC/NFV

The OpenStack Heat project provides a template-based orchestration mechanism, formalised in YAML (YAML Ain’t Markup Language), that can be extended to support SFC network security policies. The TOSCA project proposes a service manifest specification for NFV, which can be translated into Heat.


We are currently investigating two OpenStack components to protect an OpenStack cloud federation: Tacker for the NFV management and networking-sfc for the NFV orchestration.

Case studies

SFC/NFV Encryption

In this scenario we consider three clouds, where the connection with one of those clouds is untrusted. To secure the communications, we can add encryption and decryption at the network level using dedicated SFC/NFV.

Here is an extract of the service manifest that describes the global security policy:

SFC/NFV Encryption and Deep Packet Inspection

Some network functions should be done asynchronously to avoid slowing down the traffic. In this scenario, the encryption and firewalling operations are done synchronously because the security system needs to respond directly when traffic goes through those NFV, whereas DPI could be applied after the traffic has already gone through.
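
The policy composition described in the federated-network section and in the two case studies can be sketched as follows. This is an added example, not code from the original post or from the OpenStack projects it mentions. The class, function and network function names ("firewall", "dpi", ...) and the three sample clouds are assumptions made up for illustration.

```python
from dataclasses import dataclass

# Constructed function names. Inline functions must answer before the packet
# moves on; mirrored ones inspect a copy after the traffic has passed.
INLINE = {"firewall", "encrypt", "decrypt"}
MIRRORED = {"dpi"}

@dataclass(frozen=True)
class Cloud:
    name: str
    local_policy: tuple   # functions chosen by this cloud's administrator
    trusted_link: bool    # False: the connection with this cloud is untrusted

def _split(wanted):
    """Deduplicate in order and separate inline from mirrored functions."""
    unknown = set(wanted) - INLINE - MIRRORED
    if unknown:  # fail closed instead of silently skipping a control
        raise ValueError(f"unknown network function(s): {sorted(unknown)}")
    inline, mirrored = [], []
    for fn in dict.fromkeys(wanted):
        (mirrored if fn in MIRRORED else inline).append(fn)
    return inline, mirrored

def egress_chain(src, dst, global_policy):
    """Chain for traffic leaving src towards dst: local, then global policy."""
    wanted = list(src.local_policy) + list(global_policy)
    if not (src.trusted_link and dst.trusted_link):
        wanted.append("encrypt")  # last, so filtering and DPI tap see cleartext
    return _split(wanted)

def ingress_chain(src, dst, global_policy):
    """Chain for traffic arriving at dst from src: global, then local policy."""
    wanted = []
    if not (src.trusted_link and dst.trusted_link):
        wanted.append("decrypt")  # first, so later functions see cleartext
    wanted += list(global_policy) + list(dst.local_policy)
    return _split(wanted)

# Constructed federation: three clouds, the connection with cloud_c is untrusted.
GLOBAL_POLICY = ("firewall", "dpi")
cloud_a = Cloud("cloud_a", ("firewall",), True)
cloud_b = Cloud("cloud_b", (), True)
cloud_c = Cloud("cloud_c", ("firewall",), False)

if __name__ == "__main__":
    for dst in (cloud_b, cloud_c):
        print(cloud_a.name, "->", dst.name, egress_chain(cloud_a, dst, GLOBAL_POLICY),
              ingress_chain(cloud_a, dst, GLOBAL_POLICY))
```

Each call returns the ordered inline chain and the list of functions fed from a traffic mirror, so the encryption pair appears only on paths that involve the untrusted connection and DPI never sits in the forwarding path.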

