A Survey of Enterprise Middlebox Deployments



Similar documents
Data Center Middleboxes

Making Middleboxes Someone Else s Problem: Network Processing as a Cloud Service

CS 91: Cloud Systems & Datacenter Networks Misc. Topics

This document describes how the Meraki Cloud Controller system enables the construction of large-scale, cost-effective wireless networks.

Load Balancing ContentKeeper With RadWare

White Paper: Virtual Leased Line

Internet Traffic Measurement

How To Load balance traffic of Mail server hosted in the Internal network and redirect traffic over preferred Interface

axsguard Gatekeeper Internet Redundancy How To v1.2

Cisco Application Networking for IBM WebSphere

Application Notes for Configuring Dorado Software Redcell Enterprise Bundle using SNMP with Avaya Communication Manager - Issue 1.

Load Balancing 101: Firewall Sandwiches

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

How To Build A Policy Aware Switching Layer For Data Center Data Center Servers

Network Management System (NMS) FAQ

SOLUTION GUIDE. Radware & CyberGuard Complete Security Solutions offering Load Balancing, High Availability and Bandwidth Management.

QRadar Security Intelligence Platform Appliances

Cisco Application Networking for BEA WebLogic

Oracle Net Services for Oracle10g. An Oracle White Paper May 2005

OKTOBER 2010 CONSOLIDATING MULTIPLE NETWORK APPLIANCES

Prepare your IP network for HD video conferencing

Hosting more than one FortiOS instance on. VLANs. 1. Network topology

Staying Alive Understanding Array Clustering Technology

Enterprise Phone Systems. The Complete Buyer s Guide

Whitepaper. A Practical Guide to ISP Redundancy and Uninterrupted Internet Connectivity

WAN Optimization Integrated with Cisco Branch Office Routers Improves Application Performance and Lowers TCO

Scalability in Log Management

GHEM Secure Access Control

Consolidating Multiple Network Appliances

Firewall Security. Presented by: Daminda Perera

Best Effort gets Better with MPLS. Superior network flexibility and resiliency at a lower cost with support for voice, video and future applications

Container-based Network Function Virtualization for Software-Defined Networks

Top 10 Reasons Enterprises are Moving Security to the Cloud

MERAKI WHITE PAPER Cloud + Wireless LAN = Easier + Affordable

Blue Coat Security First Steps Transparent Proxy Deployments

Gaining Operational Efficiencies with the Enterasys S-Series

Fundamentals of Windows Server 2008 Network and Applications Infrastructure

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

Canadian Securities Exchange enhances Trading Network by adding a FIX Protocol Router Appliance

Virtual Leased Line (VLL) for Enterprise to Branch Office Communications

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

Cisco NetFlow TM Briefing Paper. Release 2.2 Monday, 02 August 2004

Introduction to Network Management

Network-Wide Class of Service (CoS) Management with Route Analytics. Integrated Traffic and Routing Visibility for Effective CoS Delivery

Application Delivery Networking

Radware s Smart IDS Management. FireProof and Intrusion Detection Systems. Deployment and ROI. North America. International.

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Deploying Apple ios in Education

Voice over IP is Transforming Business Communications

This presentation covers virtual application shared services supplied with IBM Workload Deployer version 3.1.

Avaya P330 Load Balancing Manager User Guide

Mobile Device Management Version 8. Last updated:

Improving Network Efficiency for SMB Through Intelligent Load Balancing

How to Configure BGP Tech Note

How To Understand and Configure Your Network for IntraVUE

CloudLink - The On-Ramp to the Cloud Security, Management and Performance Optimization for Multi-Tenant Private and Public Clouds

CCNP SWITCH: Implementing High Availability and Redundancy in a Campus Network

understanding total cost of

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent?

NEWT Managed PBX A Secure VoIP Architecture Providing Carrier Grade Service

Networking and High Availability

FatPipe Networks

SDN. What's Software Defined Networking? Angelo Capossele

Ranch Networks for Hosted Data Centers

Configuring Celerra for Security Information Management with Network Intelligence s envision

Web Application Hosting Cloud Architecture

8. Firewall Design & Implementation

HP ATA Networks certification

IP Telephony Deployment Models

Copyright 2013, 3CX Ltd.

COUNTERSNIPE

How To Configure A Vyatta As A Ds Internet Connection Router/Gateway With A Web Server On A Dspv.Net (Dspv) On A Network With A D

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Deploying in a Distributed Environment

Radware s AppDirector and Microsoft Windows Terminal Services 2008 Integration Guide

SaaS or On-Premise Monitoring: 9 Reasons SaaS Makes More Sense

IPv6 Transport Support and Market Segmentations

NOS for Network Support (903)

Enterprise Edge Communications Manager. Data Capabilities

SECURE WEB GATEWAY DEPLOYMENT METHODOLOGIES

Serro Solutions Enables Managed Security Service Providers to Optimize Networking Performance and Cost

A Web Broker Architecture for Remote Access A simple and cost-effective way to remotely maintain and service industrial machinery worldwide

Improving the Microsoft enterprise. network for public cloud connectivity

Introduction. The Inherent Unpredictability of IP Networks # $# #

Truffle Broadband Bonding Network Appliance

Routing Security Server failure detection and recovery Protocol support Redundancy

Accelerating Your Distributed Environment with LANDesk Systems Management

Use of (Central) Load Balancers Code of Practice

A Link Load Balancing Solution for Multi-Homed Networks

1776 Yorktown, 7th Floor, Houston, TX (toll free) (main) (fax)

HyperQ DR Replication White Paper. The Easy Way to Protect Your Data

DOMINO Broadband Bonding Network

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

Cisco Change Management: Best Practices White Paper

WHITE PAPER: Broadband Bonding for VoIP & UC Applications. In Brief. mushroomnetworks.com. Applications. Challenge. Solution. Benefits.

IP Telephony Management

Optimizing Large Arrays with StoneFly Storage Concentrators

Reliable high throughput data connections with low-cost & diverse transport technologies

Senior Network Administrator Page 2

The Advantages of Security as a Service versus On-Premise Security

Transcription:

A Survey of Enterprise Middlebox Deployments Justine Sherry Sylvia Ratnasamy Electrical Engineering and Computer Sciences University of California at Berkeley Technical Report No. UCB/EECS-202-24 http://www.eecs.berkeley.edu/pubs/techrpts/202/eecs-202-24.html February 9, 202

Copyright 202, by the author(s). All rights reserved. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission.

A Survey of Enterprise Middlebox Deployments Background In November 20, we surveyed 57 enterprise network administrators, primarily from the NANOG network operators group, regarding network appliances or so-called middleboxes. We designed our survey with the goal of bridging the gap between research and practice, by allowing the experiences and concerns of network administrators to inform the direction of our research. We asked operators about the number of middleboxes they deployed, what the challenges are in managing middleboxes, how much middleboxes cost, and what causes middleboxes to fail. Not only has the survey data driven some of our own research, but we hope that once published some of our conclusions will be able to guide others in the research community. With this report, we aim to give back to the operator community by reporting on our findings and conclusions. We hope that you find our data useful. Any comments or feedback to us would be greatly appreciated; you can contact Justine Sherry at: justine@eecs.berkeley.edu. THE SURVEY A wide body of work in the networking research community focuses on challenges with middleboxes. Middlebox is an academic term, typically defined as any intermediary box performing functions apart from normal, standard functions of an IP router on the data path between a source host and destination host [4]; in industry most of these devices are instead termed network appliances. Researchers have focused on a diverse set of issues related to middleboxes: making middlebox-laden networks easier to manage [3], designing new middleboxes, e.g. for intrusion detection [6], building general-purpose middleboxes from off-theshelf hardware [7], removing middleboxes from networks entirely [5], etc. However, we found that concrete, academic data on typical middlebox deployments and their challenges was unavailable. When descriptions of middlebox deployments were available, they typically only reflected the experiences of a single enterprise. To fill this gap, we conducted a survey of 57 enterprise network administrators regarding their networks, including the number of middleboxes deployed and challenges faced in administering them. To the best of our knowledge, this is the first large-scale survey of middlebox deployments in the research community. Our dataset includes 9 small (fewer than k hosts) networks, 8 medium (k-0k hosts) networks, large (0k-00k hosts) networks, and 7 very large (more than 00k hosts) networks. Our respondents were drawn primarily from the NANOG network operator s group and university networks; 62.9% described their role as an engineers, 27.7% described their role as technical management, and the rest described their role as other. Our analysis led us to four major conclusions to inform future research: Middlebox deployments are large on par with the number of L3 infrastructure and incur high capital expenses ( 2). Middleboxes have complex management requirements, leading to high operational expenses and administrative headaches ( 3) Overloads and failures lead to a need to overprovision middleboxes for scalability and fault-tolerance ( 4). Upgrading to new features is often bound to purchasing new hardware, limiting the ability to quickly deploy new features ( 5). We discuss each of these challenges as follows. 2. MIDDLEBOX DEPLOYMENTS Our data illustrates that typical enterprise networks are a complex ecosystem of firewalls, IDSes, web proxies, and other devices. Figure shows a box plot of the number of middleboxes deployed in networks of all sizes, as well as the number of routers and switches for comparison. Across all network sizes, the number of middleboxes is on par with the number of routers in a network! The average very large network in our data set hosts 2850 L3 routers, and 946 total middleboxes; the average small network in our data set hosts 7.3 L3 routers and 0.2 total middleboxes. We also observe trends between different types of middleboxes Security appliances (IP and Application Firewalls, IDS/IPS) tend to be more common than performance-improving appliances (WAN Optimizers, Proxies, and Application gateways) except in very large networks, where performance improving appliances are more common, although with high variance in deployment. These deployments are not only large, but are also costly, requiring high up-front investment in hardware: thousands to millions of dollars in physical equipment. Figure 2 displays five year expenditures on middlebox hardware against Even 7.3 routers and 0.2 middleboxes represents a network of a substantial size. Our data was primarily surveyed from the NANOG network operators group, and thus does not include many of the very smallest networks (e.g. homes and very small businesses with only tens of hosts).

00000 0000 000 Very Large Large Medium Small 00 0 Proxies VPNs IDS/IPS Wan Opt. App. Firewalls IP Firewalls L2 Switches L3 Routers All Middleboxes App. Gateways Load Balancers Figure : Box plot of middlebox deployments for small (fewer than k hosts), medium (k-0k hosts), large (0k-00k hosts), and very large (more than 00k hosts) enterprise networks. Y-axis is in log scale. 5 Year Expenditure $M-50M $500K-M $50K-500K $5K-50K <$5K 0 00 000 0000 Number of Middleboxes Figure 2: Administrator-estimated spending on middlebox hardware per network. Number of Personnel 500+ 00-500 26-00 6-25 2-5 0 00 000 0000 Number of Middleboxes Figure 3: Administrator-estimated number of personnel per network. the number of actively deployed middleboxes in the network. All of our surveyed very large networks had spent over a million dollars on middlebox hardware in the last five years; the median small network spent between $5,000-50,000 dollars, and the top third of the small networks spent over $50,000. 3. MIDDLEBOX MANAGEMENT Figure also shows that middleboxes deployments are diverse. Of the eight middlebox categories we present in Figure, the median very large network deployed seven categories of middleboxes, and the median small network deployed four categories of middleboxes. Our categories are coarse-grained (e.g. Application Gateways include smartphone proxies and VoIP gateways), so these figures represent a lower bound on the number of distinct device types in the network. Managing many heterogeneous devices requires broad expertise and consequently a large management team. Figure 3 correlates the number of middleboxes against the number of networking personnel. Even small networks with only tens of middleboxes typically required a management team of 6-25 personnel. Thus, middlebox deployments incur substantial operational expenses on top of hardware costs. Understanding the administrative tasks required to manage middleboxes further illuminates why large administrative staffs are needed. Monitoring and Diagnostics. To make managing tens or hundreds of devices feasible, enterprises deploy network management tools (e.g., [2, ]) to aggregate exported monitoring data, e.g. SNMP. Configuration. Configuring middleboxes breaks in to three classes of tasks. Appliance configuration is installing new rulesets and upgrades, configuring cache sizes, and allocating IP addresses. Traffic configuration is ensuring that the right traffic traverses the right middlebox, configuring routing policies such that, e.g. port 80 traffic traverses an HTTP proxy. Finally, policy configuration is tuning middleboxes to enforce specific policies, e.g. that social networking sites are banned by the application firewall. Training. New appliances require new training for administrators to manage them. One administrator even stated that existing training and expertise was a key question in purchasing decisions: Do we have the expertise necessary to use the product, or would we have to invest significant resources to use it? Another administrator reports that a lack of training limits the benefits from use of middleboxes: They [middleboxes] could provide more benefit if there was better management, and allocation of training and lab resources for network devices. 4. OVERLOAD AND FAILURES Most administrators who described their role as engineering estimated spending between one and five hours per week 2

Misconfig. Overload Physical/Electric Firewalls 67.3% 6.3% 6.3% Proxies 63.2% 5.7% 2.% IDS 54.5%.4% 34% Table : Fraction of network administrators who estimated misconfiguration, overload, or physical/electrical failure as the most common cause of middlebox failure. Ease of Management Vendor Support Policy Compliance Flexibility and Configurability Ease of Deployment Scalability Cost Not Important Nice to Have Somewhat Important Critical Figure 4: Importance of various factors in comparing middleboxes for purchase. dealing with middlebox failures; 9% spent between six and ten hours per week. Table shows the fraction of network administrators who labeled misconfiguration, overload, and physical/electrical failures the most common cause of failures in their deployments of three types of middleboxes. Note that this table is not the fraction of failures caused by these issues; it is the fraction of administrators who estimate each issue to be the most common cause of failure. A majority of administrators stated misconfiguration as the most common cause of failure; in the previous subsection we highlight management complexity which likely contributes to this figure. On the other hand, many administrators saw overload and physical/electrical problems as the most common causes of errors. For example, roughly 6% of administrators said that overload was the most common cause of IDS and proxy failure, and 20% said that physical failures were the most common cause for proxies. These classes of failures are traditionally resolved by deploying redundant devices for better scalability and fault-tolerance. 5. UPGRADEABILITY Deploying new features in the network entails deploying new hardware infrastructure. Each time operators negotiate a new deployment, they must select between several offerings, weighing the capabilities of devices offered by numerous vendors an average network in our dataset contracted with 4.9 vendors. In Figure 4, we show various factors that operators weigh when considering a new appliance. 35 30 25 20 5 0 5 0 We asked administrators to rank each feature as Not Important, Nice to Have, Somewhat Important, or Critical ; Scalability and Vendor Support were the two features most commonly considered critical. In the median case, enterprises update their middlebox hardware every four years. The four-year upgrade cycle is at the same time both too frequent and too infrequent. Upgrades are too frequent in that every four years, administrators must evaluate, select, purchase, install, and train to maintain new appliances. Upgrades are too infrequent in that administrators are locked in to hardware upgrades to obtain new features. Quoting one administrator: Upgradability is very important to me. I do not like it when vendors force me to buy new equipment when a software upgrade could give me additional features. 6. CONCLUSION We presented data on middlebox deployments from 57 enterprise networks surveyed from the NANOG network operators group. Our data revealed several challenges for the research community to consider: large and costly deployments, complex management requirements, overloads and failures, and limited upgradeability. If you have any comments, questions, or feedback, please don t hesitate to contact us (justine@eecs.berkeley. edu). Finally, we thank you for your help and support for our study! References [] Network monitoring tools. http://tinyurl.com/nmtools. [2] Tivoli Monitoring Software. http://tinyurl.com/7ycs5xv. [3] H. Ballani and P. Francis. Conman: a step towards network manageability. In SIGCOMM, 2007. [4] B. Carpenter and S. Brim. Middleboxes: Taxonomy and issues. RFC 2334. [5] C. Dixon, H. Uppal, V. Brajkovic, D. Brandon, T. Anderson, and A. Krishnamurthy. ETTM: a scalable fault tolerant network manager. In NSDI, 20. [6] V. Paxson. Bro: A system for detecting network intruders in real-time. In Computer Networks, pages 2435 2463, 999. [7] V. Sekar, S. Ratnasamy, M. K. Reiter, N. Egi, and G. Shi. The middlebox manifesto: enabling innovation in middlebox deployment. In HotNets, 20. 3

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information