• Home

  • Documents

  • Secure Cloud Computing with a Virtualized Network Infrastructure
10
All Rights Reserved © Alcatel-Lucent 2010 Secure Cloud Computing with a Virtualized Network Infrastructure Fang Hao, T.V. Lakshman, Sarit Mukherjee, Haoyu Song Bell Labs

Secure Cloud Computing with a Virtualized Network Infrastructure

  • Upload
    lydiep

  • View
    219

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Secure Cloud Computing with a Virtualized Network Infrastructure

All Rights Reserved © Alcatel-Lucent 2010

Secure Cloud Computing with a Virtualized Network Infrastructure

Fang Hao, T.V. Lakshman, Sarit Mukherjee, Haoyu Song

Bell Labs

Page 2: Secure Cloud Computing with a Virtualized Network Infrastructure

All Rights Reserved © Alcatel-Lucent 2010 2

Cloud Security: All or Nothing?

  Max sharing, low cost   Low security

  No sharing, high cost   Max security

Amazon EC2 Government Cloud

“Good enough” security

with low cost?

Shared computing, storage, & network

Dedicated infrastructure, secured facility

Page 3: Secure Cloud Computing with a Virtualized Network Infrastructure

All Rights Reserved © Alcatel-Lucent 2010 3

Secure Elastic Cloud Computing (SEC2): Design Goals

  Isolation: private IP address space and networks, no trespassing traffic

  Transparency: users don’t see underlying data center infrastructure; they only see their own (logical) network

  Location independence: user’s VMs and networks can be physically allocated anywhere in data center

  Easy policy control: users can change policy settings for cloud resources on the fly

  Scalability: service scale only restricted by total among of resources available, not dependent on customer composition

 A few large enterprises vs. many small business or individual users

  Low cost: use off-the-shelf devices whenever possible

Page 4: Secure Cloud Computing with a Virtualized Network Infrastructure

All Rights Reserved © Alcatel-Lucent 2010 4

Provide Isolation in Traditional Data Center Architecture

  Unique VLAN can be set up for each user   VLAN extended to

hypervisors

  Each VLAN can have its own IP address space

  VLAN extended beyond L3 boundaries via VLAN trunking

VM VM

Access

Aggregation

Core

VM VM VM

L3

L2

Constraints

  VLAN scalability   Maximum 4K VLAN Ids << number of users

  Per-user policy customization is difficult   E.g. port 80 traffic firewall NAT load balancer host

Page 5: Secure Cloud Computing with a Virtualized Network Infrastructure

All Rights Reserved © Alcatel-Lucent 2010 5

Secure Elastic Cloud Computing (SEC2): Main Idea

Partition data center network into smaller domains   Use VLANs to isolate customers within a domain   No “global” VLANs   VLAN ids reused across domains

“Glue” different edge domains together via one central domain   Special forwarding elements (FE) deployed at border of central and edge

domain   Central controller (CC) stores mapping between user and their VLANs in

each edge domain   Traffic between edge domains are tunneled through central domain by FEs

Per-user policy control   Middleboxes attached to FEs   Policy routing enforced by FEs   CC stores per-customer policy, allow on-the-fly user configuration

Page 6: Secure Cloud Computing with a Virtualized Network Infrastructure

All Rights Reserved © Alcatel-Lucent 2010 6

SEC2 Architecture

Customers within an edge domain isolated by VLANs; one VLAN per customer subnet

Core domain transports packets between edge domains; No VLAN in core, flat L2 network

FEs resolve addresses, enforce policies, forward packets; MAC-in-MAC tunnel between FEs across core domain

CC stores address mapping, policy rules, VM locations

Same customer across multiple domains see one logical network

Middleboxes attached to FE

Page 7: Secure Cloud Computing with a Virtualized Network Infrastructure

All Rights Reserved © Alcatel-Lucent 2010 7

Integration with User’s On-Site Network

Customer site is a special edge domain

User in-cloud network can be connected to its on-site network via VPN

Page 8: Secure Cloud Computing with a Virtualized Network Infrastructure

All Rights Reserved © Alcatel-Lucent 2010 8

Data Forwarding

2

4

3

1)   ARP on VLAN x: What’s MAC for IPB ? 2)   Query CC: IPB,x MACB ?

3)   Reply from CC: MACB in y, with MACFE2 as tunnel end

4)   Install rule at FE1: “To MACB: set VLAN y, add tunnel header to MACFE2” 5)   ARP reply: MACB

6)   7) 8) Data packet forwarding (tunnel header added by FE1, stripped off by FE2

1 5

6 7

8

Page 9: Secure Cloud Computing with a Virtualized Network Infrastructure

All Rights Reserved © Alcatel-Lucent 2010 9

Security via Isolation and Access Control

Potential attack on Amazon EC2 outlined by Ristenpart et al. CCS’09

  Key is to determine co-resident VMs by   Determine matching Dom0 IP address via traceroute

  Test for small round-trip time

  Check for numerically close IP addresses

  None of such attack works in SEC2   Traceroute is disabled between different users

– They don’t even know other’s IP address

  All packets across different users are forced to go through FEs round-trip time won’t reveal location

  Private IP addresses: no correlation between different users

Page 10: Secure Cloud Computing with a Virtualized Network Infrastructure

All Rights Reserved © Alcatel-Lucent 2010 10

Concluding Remarks

SEC2: a step towards “good enough”, low cost secure cloud solutions

  Security via isolation and access control

  Scalable: well beyond 4K limit imposed by VLAN

  Low cost  Allow high resource utilization

 Most networking equipments are off-the-shelf, e.g., switches within both edge domains and core domain are regular L2 switches

– FEs can be L2 switches enhanced with Openflow or SoftRouter like functions


Secure Communication (Distributed computing)

Secure Communication (Distributed computing)

Technology
Virtualized high performance computing with mellanox fdr and ro ce

Virtualized high performance computing with mellanox fdr and ro ce

Technology
Horizon 6 – What’s New - Cisco...Hybrid Cloud Computing Virtualized Infrastructure Tablets, Smartphones Desktop Laptop Tablet Phone Machine Mission: Secure Virtual Workspace for

Horizon 6 – What’s New - Cisco...Hybrid Cloud Computing Virtualized Infrastructure Tablets, Smartphones Desktop Laptop Tablet Phone Machine Mission: Secure Virtual Workspace for

Documents
Virtualized Infrastructure Managers for edge computing: OpenVIM … · 2018. 6. 29. · Virtualized Infrastructure Managers for edge computing: OpenVIM and OpenStack comparison

Virtualized Infrastructure Managers for edge computing: OpenVIM … · 2018. 6. 29. · Virtualized Infrastructure Managers for edge computing: OpenVIM and OpenStack comparison

Documents
Cloud Computing: Automating the Virtualized Data …ocw.upj.ac.id/files/Handout-TIF423-Handout-Cloud.pdfCloud Computing: Automating the Virtualized Data Center Venkata Josyula Malcolm

Cloud Computing: Automating the Virtualized Data …ocw.upj.ac.id/files/Handout-TIF423-Handout-Cloud.pdfCloud Computing: Automating the Virtualized Data Center Venkata Josyula Malcolm

Documents
Virtualized SAP Solution using Cisco Unified Computing ... · Virtualized SAP Solution using Cisco Unified Computing System and EMC ... (VMs) and customer instances function

Virtualized SAP Solution using Cisco Unified Computing ... · Virtualized SAP Solution using Cisco Unified Computing System and EMC ... (VMs) and customer instances function

Documents
Virtualized FPGA accelerators in Cloud Computing Systems

Virtualized FPGA accelerators in Cloud Computing Systems

Documents
Secure Computing With Java

Secure Computing With Java

Technology
Evaluation of Container Virtualized MEGADOCK System in Distributed Computing Environment

Evaluation of Container Virtualized MEGADOCK System in Distributed Computing Environment

Technology
vGreen : a system for energy efficient computing in virtualized environments

vGreen : a system for energy efficient computing in virtualized environments

Documents
Secure Computing

Secure Computing

Documents
Dell Cloud Client Computing Virtualized Workstation

Dell Cloud Client Computing Virtualized Workstation

Documents
Locksmith: Secure Android Keystore Based on Virtualized

Locksmith: Secure Android Keystore Based on Virtualized

Documents
VGREEN: A SYSTEM FOR ENERGY EFFICIENT COMPUTING IN VIRTUALIZED ENVIRONMENTS

VGREEN: A SYSTEM FOR ENERGY EFFICIENT COMPUTING IN VIRTUALIZED ENVIRONMENTS

Documents
Next Generation Secure Computing: Biometric in Secure E-transaction

Next Generation Secure Computing: Biometric in Secure E-transaction

Documents
Hyper-Converged Infrastructure: A Guide · Hyper-converged platforms include: • hyper-visor for virtualized computing • software-defined storage • virtualized networking Hyper-converged

Hyper-Converged Infrastructure: A Guide · Hyper-converged platforms include: • hyper-visor for virtualized computing • software-defined storage • virtualized networking Hyper-converged

Documents
User Oriented Provisioning of Secure Virtualized Infrastructure

User Oriented Provisioning of Secure Virtualized Infrastructure

Documents
Best Practices for Building a Virtualized SPARC Computing

Best Practices for Building a Virtualized SPARC Computing

Documents
Best Practices for Building a Virtualized SPARC Computing Environment

Best Practices for Building a Virtualized SPARC Computing Environment

Documents
Designing Secure Multi-Tenancy into Virtualized Data Centers

Designing Secure Multi-Tenancy into Virtualized Data Centers

Documents
Adaptive Control of Virtualized Resources in Utility Computing Environments

Adaptive Control of Virtualized Resources in Utility Computing Environments

Documents
Power and Performance Management of Virtualized Computing Environments via Lookahead Control

Power and Performance Management of Virtualized Computing Environments via Lookahead Control

Documents
Breakthrough Secure Computing Platform

Breakthrough Secure Computing Platform

Technology
From virtualized resources to virtual computing grids: the In-VIGO

From virtualized resources to virtual computing grids: the In-VIGO

Documents
Virtualized Transport for Edge Computing Services

Virtualized Transport for Edge Computing Services

Technology
Cost and risk modeling of virtualized computing labs

Cost and risk modeling of virtualized computing labs

Technology
Trusted Computing and Secure Virtualization in Cloud Computing

Trusted Computing and Secure Virtualization in Cloud Computing

Documents
DEPENDABLE AND SECURE COMPUTING

DEPENDABLE AND SECURE COMPUTING

Technology
FRAMEWORK FOR SECURE CLOUD COMPUTING

FRAMEWORK FOR SECURE CLOUD COMPUTING

Documents
Securing Virtualized Environments and Accelerating Cloud Computing

Securing Virtualized Environments and Accelerating Cloud Computing

Documents