Secure cloud computing with virtualized network infrastructure
Presentation Transcript


Secure Cloud Computing with Virtualized Network Infrastructure

HotCloud 10

By Xuanran Zong


Cloud Security

  • Two ends of the spectrum

    • Amazon EC2

      • Shared, public cloud

      • Resource multiplexing, low cost

      • Low security

    • Government cloud

      • Dedicated infrastructure

      • High cost

      • High security


Design Goal

  • Isolation

  • Transparency

  • Location independence

  • Easy policy control

  • Scalability (?)

  • Low cost


Conventional data center architecture

  • VLANs to ensure isolation between tenants

    • Scalability issue: the VLAN ID space is limited to 4K IDs

    • Management and control overhead

  • Per-user security policy control

    • But how to enforce it?

      • End-host? Not secure enough

      • Middlebox? Unnecessary traffic


Secure Elastic Cloud Computing

Reference: http://www.usenix.org/events/hotcloud10/tech/slides/hao.pdf


Numbering and addressing

  • Each customer has a unique cnet id

  • A VM is identified by the pair (cnet id, IP)

  • Each domain has a unique eid

  • Use VLANs to separate different customers within the same domain

  • VLAN IDs can be reused in different domains


Customer network integration

  • The customer's private network can be treated as a special domain, connected to the core domain over a VPN


Central controller

  • Address mapping

    • VM MAC <-> (cnet id, IP)

    • VM MAC <-> eid

    • eid <-> FE MAC list

    • (cnet id, eid) <-> VLAN id

  • Policy database

    • E.g. packets from customer A are first forwarded to firewall F.


Forwarding elements

  • Address lookup and mapping

    • FE MAC of the destination domain

    • VLAN ID

  • Policy enforcement

    • By default, packets destined for a different customer are dropped

  • Tunneling between FEs

    • Encapsulate the packet with an additional (outer) MAC header


Data forwarding

Reference: http://www.usenix.org/events/hotcloud10/tech/slides/hao.pdf


How does it solve the limitation?

  • VLAN scalability

    • Partition the network into smaller edge domains, each maintaining its own VLAN space

    • VLAN IDs can be reused across domains

  • Per-user security

    • Security policy enforced by FE

    • CC stores security policies for all customers


Discussion

  • Security via isolation and access control

    • Consider the co-residence problem raised by the “Get off my cloud” paper

    • Matching Dom0 IP address

      • Disable traceroute

    • Small round-trip time

      • Every packet needs to go through FE

    • Numerically close IP address

      • Each customer has private IP address


Discussion

  • Cached vs. installed forwarding tables

  • VM migration

    • Update CC (eid, VLAN id)


Discussion

  • Pros

    • Security enforcement via isolation and access control

    • Scalable in terms of the number of customers supported via VLANs

    • Most networking equipment is off-the-shelf

  • Cons?

    • Scalability? Centralized CC?

    • Larger round-trip time within the same edge domain

    • Tunneling?
