IaaS Cloud security based on the OpenFlow architecture

Source: Internet
Author: User


Editor's note: Cloud Computing Technology's service infrastructure as a service (IaaS), with its scalability, efficiency and resiliency, is becoming the dominant way of resource utilization. security vulnerabilities and pitfalls need to be noticed as they get easier from cloud-based IaaS applications. In this work, we have proposed a framework and have formed the paper "an openflow-based Architecture for IaaS security" in order to solve the cloud safety issues and demonstrate the first batch of results of our experimental activities.

Brief introduction

The IaaS service model allows you to configure and run heterogeneous applications without paying attention to the underlying physical infrastructure. Cloud computing technology creates a virtualized test bed that can reproduce the real operating environment, with the following benefits:

An opportunity to recreate real-world scenarios for testing activities internally;

Automates the feasibility of backup and recovery of the entire platform;

Automatic configuration and management of the components and versioning of the pilot platform;

Based on the analysis of academic research , cloud computing security issues involve many different areas. The way authentication, authorization, and billing is handled will also be greatly impacted: security threats often originate from internal users, so it is often a clear global policy to allow only authenticated users to access the specified resources. User behavior related to platform resources should be supervised for further analysis of the behavior that violates the policy. Another important task is to manage security policies to ensure the availability, integrity, and confidentiality of the entire cloud data store. In this case, an advanced encryption scheme can be used to ensure that only the specified authenticated user can access, modify, and delete information in the cloud data store.

Virtualization technology is at the heart of the IaaS model, which is rapidly changing the needs of network security. Traditional security measures, such as internal security devices and access control lists, are not sustainable because of the need for updates when dealing with virtual servers and resources, because of the rapid changes to the topology, and only authorized hosts and devices can communicate in the virtual network, and malicious access is limited in some way. Virtual tiers also pose new security challenges because virtual clients can easily be compromised and corrupt other virtual machines. So one of the possible remedies is to check the behavior of the virtual machine while checking the virtual machine's image to verify their integrity.

To effectively handle cloud security events, we propose a recognition attack pattern based on the OpenFlow architecture, and implement mitigation and recovery strategies to respond to security events, which have been designed in the IaaS Cloud Platform Opennebula Deployment Implementation, which represents a real regional control center (ACC). Applications running on the pilot platform emphasize security solutions that automatically handle disaster and attack recovery needs. The first experimental activity for the design of the structure is presented here:

performance comparisons between different open-source OpenFlow controllers;

The characteristics of three different open source IaaS platforms based on the supply time measurement;

To provide L2 VLAN encapsulation / unpacking, perform new functions on the selected controller.

OpenFlow and SDN modes

Based on a software-defined network (SDNThe way to realize the network processing and configuration of the virtual experiment platform is a new cognitive way to the network. The control plane of the data plane and the centralized external logic related to the network equipment is obviously different from the traditional network equipment. AdoptSDNThe greatest benefit of harvesting is the complete isolation and global view of the application layer. In the first case, researchers can create their own applications on top of the control layer, completely isolating them from the network devices. Therefore, you can write a new protocol or application without affecting the internal structure of the device. The second advantage relates to the global view availability of the network itself, so it is easy to react to events and change the topology. OpenFlowis an implementation of this approach, contains the interface between the control layer and the data layer, defines all the security channel information that is established between the network switch and the external controller, thus determining the logical order according to the information flow. NowSDNis attractive for cloud computing network services because it represents a flexible way to dynamically create virtual networks and ensures two-tier isolation of multi-tenancy. In addition, the results obtained from previous analyses and experiments can be confirmedOpenFlowThe network can be greatly flexible to ensure the implementation of dynamic security policies, without the need to change the internal structure of network components. That's whyOpenFlowis considered an effective means of dealing with vulnerabilities, even in a cloud-likeIaaSin this dynamic environment, disaster mitigation and recovery strategies can be implemented automatically in the face of security problems.

Appropriate architecture

The architecture is analyzed from three different tiers, and clouds show two data centers, connected by a private enterprise backbone, to further improve the security level of the data center, using aMPLS(Multiprotocol Label Exchange Protocol), splitting the packets into parts and redirecting them to separate paths so that the intercepted malicious user cannot reconstruct the message. Each data center has its ownIaaSThe cluster also has a master node that is responsible for managing all infrastructure. In the virtualization layer, the view is independent of a specific platform deployed in the data center, about the organization architecture, each physical machine, or "compute" node, to create a virtual switch to mount all the client network interfaces. In the virtual switching layer, use theOpenvswitchtechnology that provides a set of features, where theOpenFlowprotocol can be implemented. The switch's flow table passesOpenFlowcontroller programming: When a packet that is generated by a virtual client arrives at a switch and there is no matching rule available, it is sent to the controller, which can decide to send a new rule on the switch to process the packet in a forward or discard manner. Traffic generated by all virtual machines is controlled and checked against a number of well-known malicious attack patterns to identify possible attacks. When abnormal network activity is detected, theSnortgenerate alerts and passTLSThe (Transport Layer Security) plug-in arrives at the alarm association to perform the following actions:

Event Store

Notify when the severity level information that needs to be determined for an attack is extracted

The mitigation policy implementation is identified on the basis of the above severity level.

The policy will be triggered by interaction with the IaaS 's manager and OpenFlow Controller. When an attack on a virtual test platform is detected, the strategy we intend to implement is to migrate the attacked VMs to the same infrastructure but to different data centers, and after the migration is complete, The linker can instruct the controller to change the information flow of the virtual switch in the physical node previously hosted by the customer to ensure the transparency of the location.

Experimental activities

The first experimental work started with the goal of Selecting an open source solution from several OpenFlow controllers. oflops(OpenFlow Operations Per Second) has completed a comparison of the performance of the controller, which is comprised of two software packages.

oflops, a specific controller that allows many functions of the reference switch;

cbench(controllerbenchmarker), through the connection of the analog switch for the controller to generate packet incoming;

This can be used to calculate the maximum data packet incoming rate, packet arrival and incoming delay, and processing delay.

Displays the number of messages per second of Flow-mod, through which the controller can install, modify, or delete flow rules for the switch list. Other parameters, such as extensibility and ease of modification, availability of RESTful APIs , and support behind project development will also be considered in the comparison. Our choice falls on Floodlight, a Java Event- based controller released under the Apache license , Developed by an open community.

In order to provideL2isolation function, usingVLANtechnology to communicate between virtual machines, modifyFloodlight"Forwarding" module, using theOpenFlowtechnology to achieveVLANPackaging of Labels/solution Encapsulation. VLANThe tag can only be retrieved directly by the cloud platform itself, and the virtual machine belonging to the virtual network is identified with a specialVLANtags. Other modifications are combined with the controller andOpenvswitchprotective measures between the channels. The latter itself supportsSSLsignal Exchange, so we use the private key or the public key (byJAVAKey tool generation) processing implementationFloodlightcommunication Security in the connection module.

As a final step in this experiment, we evaluated the "Provisioning Time" for three different IaaS platforms: This metric refers to starting with a request to generate a new virtual machine (via the API) until the platform gets " ready"state in the middle of this period. We think this will produce a combination of the 4 parameters, which are:

Service delivery: The demand preference of the new virtual machine, that is, the number of virtual CPUs and the size of RAM;

Data storage (binary): Two-level disk storage for virtual machines;

Physical node Pressure: The number of virtual machines that have been hosted on the node (0-5);

Auto Dispatch (binary): The facility that is responsible for selecting the new virtual machine to assign the hosting location.

We calculated the creation of 10 1 1 a virtual , 2gb ram 2 3 ) The virtual machines ( 4 ) dispatch module activation.


In this work we first discussed the background of the challenges related to the security of the cloud computing environment. Then, by describing all of the architectural components we need, we present an SDN -based approach to secure the network and respond to the attack. Our goal in the future is to use more sophisticated intrusion detection mechanisms to detect unknown and unusual traffic patterns. In addition, we intend to expand our experimental activities by more accurate comparisons between the IaaS platforms for cloud computing, mainly based on other parameters such as elasticity, agility, network pressure, and cpu/ Memory utilization.

IaaS Cloud security based on the OpenFlow architecture

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

Tags Index: