With the rise of cloud computing, computer networks have become quite complex. Many networks are distributed across numerous sites and geographies, and often involve thousands of network nodes, including various end-user devices, switches, routers, servers, gateways, and firewalls. These networks are often relied upon to reliably and securely transport myriad flows of data traffic from source nodes to destination nodes within the network simultaneously. Many of these flows can involve the transmission of highly sensitive data between network nodes for which security is rigorously enforced. For example, it is not uncommon for financial institutions transacting millions of dollars between accounts to exchange private account data via one or more highly-encrypted traffic flows.
Society's increasing reliance on networks of computers to exchange and process sensitive data has also resulted in an increasing number of malfeasants looking to break into network nodes, or intercept traffic flows, in an attempt to disrupt business operations, or steal private information, for example. The resulting increase in disruptive activity by malfeasants has made network security a paramount concern for network administrators. One approach to network security involves deploying security appliances (e.g., firewalls, Intrusion Detection Systems (IDSs), Intrusion Prevention Systems (IPSs)) within the network. The security appliances typically include a physical network node with sufficient computing resources to support a monolithic, general-purpose, security software solution. A traffic control node, such as a Software Defined Network (SDN) controller, can then configure network nodes to steer flows through these security appliances in order to detect and/or block unwanted traffic.
Although this approach provides security for the network's flows, this approach also creates chokepoints in the network, as flows requiring security will have to be steered to wherever these security appliances are physically located within the network. These chokepoints create single points of failure that can make the network vulnerable to attack or disruption. While these chokepoints can be alleviated by deploying additional security appliances at additional locations throughout the network, this solution does not scale well, as each security appliance requires some minimum computing resources in order to execute a full instance of the security software solution. Thus, network administrators often have to sacrifice substantial amounts of the network's computing resources in order to support the additional deployments. In addition, because reducing the chokepoints also reduces the load per security appliance, each security appliance is often over-protected and under-utilized.