Download Secure Cloud Computing with a Virtualized Network Infrastructure Bell Labs

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
Document related concepts
no text concepts found
Transcript 
Secure Cloud Computing with a
Virtualized Network Infrastructure
Fang Hao, T.V. Lakshman, Sarit Mukherjee, Haoyu Song
Bell Labs
All Rights Reserved © Alcatel-Lucent 2010
Cloud Security: All or Nothing?
Amazon EC2
Government Cloud
Dedicated infrastructure,
secured facility
Shared computing,
storage, & network
  Max sharing, low cost
  Low security
2
“Good enough”
security
with low cost?
All Rights Reserved © Alcatel-Lucent 2010
  No sharing, high cost
  Max security
Secure Elastic Cloud Computing (SEC2): Design Goals
  Isolation: private IP address space and networks, no trespassing
traffic
  Transparency: users don’t see underlying data center infrastructure;
they only see their own (logical) network
  Location independence: user’s VMs and networks can be physically
allocated anywhere in data center
  Easy policy control: users can change policy settings for cloud
resources on the fly
  Scalability: service scale only restricted by total among of resources
available, not dependent on customer composition
  A few large enterprises vs. many small business or individual users
  Low cost: use off-the-shelf devices whenever possible
3
All Rights Reserved © Alcatel-Lucent 2010
Provide Isolation in Traditional Data Center Architecture
Core
  Unique VLAN can be set
up for each user
…
Aggregation
L3
  VLAN extended to
hypervisors
L2
  Each VLAN can have its
own IP address space
  VLAN extended beyond
L3 boundaries via VLAN
trunking
Access
VM
VM
VM
VM
VM
Constraints
  VLAN scalability
  Maximum 4K VLAN Ids << number of users
  Per-user policy customization is difficult
  E.g. port 80 traffic  firewall  NAT  load balancer host
4
All Rights Reserved © Alcatel-Lucent 2010
Secure Elastic Cloud Computing (SEC2): Main Idea
Partition data center network into smaller domains
  Use VLANs to isolate customers within a domain
  No “global” VLANs
  VLAN ids reused across domains
“Glue” different edge domains together via one central domain
  Special forwarding elements (FE) deployed at border of central and edge
domain
  Central controller (CC) stores mapping between user and their VLANs in
each edge domain
  Traffic between edge domains are tunneled through central domain by FEs
Per-user policy control
  Middleboxes attached to FEs
  Policy routing enforced by FEs
  CC stores per-customer policy, allow on-the-fly user configuration
5
All Rights Reserved © Alcatel-Lucent 2010
SEC2 Architecture
Customers within an edge
domain isolated by VLANs; one
VLAN per customer subnet
CC stores address mapping,
policy rules, VM locations
Same customer across
multiple domains see one
logical network
FEs resolve addresses, enforce
policies, forward packets;
MAC-in-MAC tunnel between FEs
across core domain
Middleboxes attached to FE
Core domain transports packets
between edge domains; No VLAN
in core, flat L2 network
6
All Rights Reserved © Alcatel-Lucent 2010
Integration with User’s On-Site Network
User in-cloud network can
be connected to its on-site
network via VPN
Customer site is a
special edge domain
7
All Rights Reserved © Alcatel-Lucent 2010
Data Forwarding
6
5
1
2
3
4
8
7
1)  ARP on VLAN x: What’s MAC for IPB ?
2)  Query CC: IPB,x MACB ?
3)  Reply from CC: MACB in y, with MACFE2 as tunnel end
4)  Install rule at FE1: “To MACB: set VLAN y, add tunnel header to MACFE2”
5)  ARP reply: MACB
6)  7) 8) Data packet forwarding (tunnel header added by FE1, stripped off by FE2
8
All Rights Reserved © Alcatel-Lucent 2010
Security via Isolation and Access Control
Potential attack on Amazon EC2 outlined by Ristenpart et al. CCS’09
  Key is to determine co-resident VMs by
  Determine matching Dom0 IP address via traceroute
  Test for small round-trip time
  Check for numerically close IP addresses
  None of such attack works in SEC2
  Traceroute is disabled between different users
–  They don’t even know other’s IP address
  All packets across different users are forced to go through FEs round-trip time
won’t reveal location
  Private IP addresses: no correlation between different users
9
All Rights Reserved © Alcatel-Lucent 2010
Concluding Remarks
SEC2: a step towards “good enough”, low cost secure cloud solutions
  Security via isolation and access control
  Scalable: well beyond 4K limit imposed by VLAN
  Low cost
  Allow high resource utilization
  Most networking equipments are off-the-shelf, e.g., switches within both
edge domains and core domain are regular L2 switches
– FEs can be L2 switches enhanced with Openflow or SoftRouter
like functions
10
All Rights Reserved © Alcatel-Lucent 2010
Related documents
Towards Scalable Traffic Management in Cloud Data Centers
Towards Scalable Traffic Management in Cloud Data Centers
Review Questions of Switching Networks
Review Questions of Switching Networks
Document 8758227
Document 8758227
Harnessing new technologies for Smart Society Guillaume Mascot August 22 , 2015
Harnessing new technologies for Smart Society Guillaume Mascot August 22 , 2015
Securing Network
Securing Network
Release notes_1.3
Release notes_1.3
NTC 242 LEARNING TEAM ACME MANUFACTURING Problem
NTC 242 LEARNING TEAM ACME MANUFACTURING Problem
Title of Presentation Second Line of Title Subheadings (if needed
Title of Presentation Second Line of Title Subheadings (if needed
Basic Configuration of WAP4410N
Basic Configuration of WAP4410N
ppt
ppt
PPT-2 - Convergence Technology Center
PPT-2 - Convergence Technology Center
[2016-NEW!] 200-120 New Questions and Answers -
[2016-NEW!] 200-120 New Questions and Answers -
On the Capacity of Wireless CSMA/CA Multihop Networks
On the Capacity of Wireless CSMA/CA Multihop Networks
autoMAC: A Tool for Automating Network Moves, Adds, and Changes
autoMAC: A Tool for Automating Network Moves, Adds, and Changes
3 1 (3)
3 1 (3)
Designing Protection System of LAN Security Bachelor’s Thesis (UAS)
Designing Protection System of LAN Security Bachelor’s Thesis (UAS)
Configuring Q-in-Q VLAN Tunnels
Configuring Q-in-Q VLAN Tunnels