
Integrating a Network IDS into an Open Source Cloud Computing Environment



  1. Integrating a Network IDS into an Open Source Cloud Computing Environment
  1st International Workshop on Security and Performance in Emerging Distributed Architectures (SPEDA2010)
  Claudio Mazzariello, Roberto Bifulco, Roberto Canonico
  “Federico II” University of Napoli

  2. Outline
  • Cloud computing security issues
  • Examples of recent security incidents
  • Securing a Cloud
  • Implementation of a Cloud
  • A network Intrusion Detection System
  • Experimental evaluation

  3. Cloud Computing peculiarities
  • Shared resources among several customers
  • Highly dynamic infrastructures
  • Cheap access to large scale computation/storage/communication facilities
  • …

  4. Cloud Computing security issues
  • Shared resources among several customers
    • New types of attacks (e.g. DoS over co-located VMs)
    • Privacy infringement
    • ...
  • Highly dynamic infrastructures
    • User tracking and profiling
  • Cheap access to large scale computation/storage/communication facilities
    • Misuse of the CC model aimed at conducting illegal activities

  5. Attack source
  • External attackers
    • Malicious users perform attacks targeting Cloud users
  • Internal attackers
    • Malicious users rent a share of Cloud resources
    • Cheap, huge amounts of resources can be exploited to perform attacks against remote victims

  6. Examples of CC-related security incidents
  • “We have several customers being attacked from the same EC2 instance on their network for 2 full days now...”
    • http://seclists.org/nanog/2010/Apr/811
  • “I discovered that several systems on the Amazon EC2 network were performing brute force attacks, against our VoIP servers.”
    • http://www.stuartsheldon.org/blog/2010/04/sip-brute-force-attack-originating-from-amazon-ec2-hosts/
  • “Complaints of rampant SIP Brute Force Attacks coming from servers with Amazon EC2 IP Addresses cause many admins to simply drop all Amazon EC2 traffic.”
    • http://www.voiptechchat.com/voip/457/amazon-ec2-sip-brute-force-attacks-on-rise/

  7. Securing a Cloud by monitoring traffic
  • Cloud computing suffers from common network-related security threats
  • Cloud computing, with its novel usage paradigm, introduces novel threats
  • We evaluate the effectiveness and impact of common, production-level traffic monitoring tools
    • Using different deployment strategies
      • Centralized vs. Distributed
    • By measuring
      • Computational overhead
      • Detection capability

  8. Implementing a Cloud

  9. Open Source Cloud Computing
  [Diagram: Eucalyptus components, from the client-side API (Amazon EC2 interface) through the Cloud Controller and its Database to the Cluster Controller and the Node Controllers]
  • Eucalyptus is an open source Cloud Computing system that reproduces Amazon EC2's services behind an EC2-compatible interface
  • It allows the management of multiple “Availability zones”.

  10. Looking at a single cluster
  [Diagram: client-side API (Amazon EC2 interface) and Cloud Controller above a single cluster]
  • Our focus is on a single cluster managed by Eucalyptus (one geographic location)

  11. Network security tool

  12. Functionalities of an Intrusion Detection System
  [Diagram: Sensor → Analyzer → User Interface]
  • Activity monitoring (sensor)
    • Network traffic packets
  • Recognize suspicious and inappropriate activities (analyzer)
  • Generate alerts (user interface)

  13. Snort – an open source Intrusion Detection System
  • Snort is a signature-based IDS
  • Each detectable attack is described by a static rule
  • Each rule contains particular byte patterns and values to be sought in both the packet header and the payload
  • Snort operates in real time
  • Snort is open source
    • Flexible
    • Extendable
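As an added example (not code from the presentation and not Snort's own code), the following Python models the rule matching the slide describes: a small subset of Snort rule syntax is parsed, the header fields are checked first because they are cheap, then every content byte pattern is sought in the payload, and a per-source threshold turns repeated matches into a single alert. The two rules, the $HOME_NET value and the SIP packets are constructed sample input; the INVITE-flood rule is the kind of signature one would point at the Inviteflood tool used in the evaluation later in the deck.

```python
"""Signature-based matching in the style of a Snort rule (added illustration).

Only a subset of Snort rule syntax is handled:
  action proto src sport -> dst dport (msg:"..."; content:"..."; nocase;
      threshold:type both, track by_src, count N, seconds S; sid:...; rev:...;)
Addresses may be "any", a host, a CIDR block or a variable such as $HOME_NET;
a content string may embed |hex bytes| between pipes.
"""
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    ts: float       # capture time in seconds


def parse_content(text):
    """Snort content strings mix literal text with |hex| sections."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        out += chunk.encode() if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)


class Rule:
    def __init__(self, text, variables):
        m = HEADER_RE.match(text.strip())
        if not m:
            raise ValueError("unsupported rule syntax: " + text)
        self.action, self.proto, src, self.sport, dst, self.dport, opts = m.groups()
        self.src, self.dst = variables.get(src, src), variables.get(dst, dst)
        self.msg, self.contents, self.nocase, self.threshold = "", [], False, None
        # Options are ';'-separated key[:value] pairs; keys we do not model (sid, rev) are ignored.
        for opt in filter(None, (o.strip() for o in opts.split(";"))):
            key, _, val = opt.partition(":")
            key, val = key.strip(), val.strip()
            if key == "msg":
                self.msg = val.strip('"')
            elif key == "content":
                self.contents.append(parse_content(val.strip('"')))
            elif key == "nocase":
                self.nocase = True
            elif key == "threshold":
                fields = dict(part.strip().split(None, 1) for part in val.split(","))
                self.threshold = (int(fields["count"]), int(fields["seconds"]))

    @staticmethod
    def _addr_ok(spec, addr):
        return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

    @staticmethod
    def _port_ok(spec, port):
        return spec == "any" or int(spec) == port

    def matches(self, pkt):
        """Header fields first (cheap), then every content pattern must occur in the payload."""
        if pkt.proto != self.proto:
            return False
        if not (self._addr_ok(self.src, pkt.src) and self._port_ok(self.sport, pkt.sport)
                and self._addr_ok(self.dst, pkt.dst) and self._port_ok(self.dport, pkt.dport)):
            return False
        payload = pkt.payload.lower() if self.nocase else pkt.payload
        return all((c.lower() if self.nocase else c) in payload for c in self.contents)


class Engine:
    """Applies rules to a packet stream and enforces per-source thresholds."""

    def __init__(self, rules):
        self.rules = rules
        self.events = defaultdict(deque)   # (rule msg, src) -> timestamps of recent matches
        self.last_alert = {}

    def process(self, pkt):
        alerts = []
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.threshold is None:
                alerts.append((rule.msg, pkt.src, pkt.ts))
                continue
            count, seconds = rule.threshold
            key = (rule.msg, pkt.src)
            window = self.events[key]
            window.append(pkt.ts)
            while window and window[0] <= pkt.ts - seconds:   # forget matches outside the window
                window.popleft()
            # "type both": alert when the count is reached, then stay quiet for the rest of the period
            if len(window) >= count and pkt.ts - self.last_alert.get(key, float("-inf")) >= seconds:
                self.last_alert[key] = pkt.ts
                alerts.append((rule.msg, pkt.src, pkt.ts))
        return alerts


# Constructed rules in Snort syntax; $HOME_NET is an assumed value for the monitored cluster.
VARIABLES = {"$HOME_NET": "10.0.1.0/24"}
RULES = [
    'alert udp any any -> $HOME_NET 5060 (msg:"SIP INVITE flood"; content:"INVITE sip:"; '
    'threshold:type both, track by_src, count 5, seconds 1; sid:1000001; rev:1;)',
    'alert udp any any -> $HOME_NET 5060 (msg:"SIP REGISTER seen"; content:"register sip:"; nocase; '
    'sid:1000002; rev:1;)',
]


def sip_request(method, src):
    """Constructed SIP request payload, just enough for content matching."""
    return (f"{method} sip:1001@10.0.1.10 SIP/2.0\r\nVia: SIP/2.0/UDP {src}:5060\r\n"
            f"From: <sip:caller@{src}>\r\nTo: <sip:1001@10.0.1.10>\r\n\r\n").encode()


def demo():
    """Six INVITEs from one host within a second, one INVITE and one REGISTER from another."""
    engine = Engine([Rule(r, VARIABLES) for r in RULES])
    packets = [Packet("udp", "10.0.0.5", 5060, "10.0.1.10", 5060, sip_request("INVITE", "10.0.0.5"), 0.1 * i)
               for i in range(6)]
    packets.append(Packet("udp", "10.0.0.9", 5060, "10.0.1.10", 5060, sip_request("INVITE", "10.0.0.9"), 0.3))
    packets.append(Packet("udp", "10.0.0.9", 5060, "10.0.1.10", 5060, sip_request("REGISTER", "10.0.0.9"), 0.35))
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        alerts.extend(engine.process(pkt))
    return alerts


if __name__ == "__main__":
    for msg, src, ts in demo():
        print(f"[{ts:.2f}s] {msg} from {src}")
```

The single INVITE from the second host never reaches the threshold and produces no alert, while the fifth INVITE from the flooding host does; the sixth is suppressed for the rest of the one-second period, which is the behaviour that keeps a flood from becoming a flood of alerts.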

  14. Experimental evaluation

  15. Distribution of services in nodes
  • Asterisk SIP server
  • RTP user agents
  • Apache web server

  16. The overall picture
  • “Inviteflood” attack tool
  • D-ITG background traffic generator

  17. Two different IDS deployment scenarios
  • One IDS close to the cluster controller
    • Monitors inbound/outbound traffic
    • Monitors traffic between different security groups
    • VLAN tags are removed
      • Traffic related to different security groups becomes indistinguishable
  • Several IDSs, each close to a physical machine
    • Each IDS monitors traffic to/from the virtual resources hosted on the physical machine
  • In both scenarios, all attack instances are correctly detected
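The loss of attribution on the centralized path, as an added example (not code from the presentation or from Eucalyptus): a sensor on a worker node's physical interface still sees the 802.1Q tag that, on the slide's premise, carries the VLAN Eucalyptus assigns to each security group, so frames can be counted per group; once the cluster controller strips the tag, the same frames can no longer be told apart. The VLAN-to-group mapping, the MAC addresses and the frame payloads are constructed for the example.

```python
"""802.1Q tag parsing for per-security-group attribution (added illustration).

Assumption (from the slide): each security group lives on its own VLAN and the
cluster controller removes the tag before forwarding.  The mapping below is
constructed; the payloads stand in for IP packets and are not real IP headers.
"""
import struct
from collections import Counter

ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType (or 802.1Q TPID)
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed mapping; in a real deployment it would be read from the cloud's networking state.
VID_TO_GROUP = {10: "voip-servers", 20: "web-servers"}


def build_frame(dst, src, payload, vid=None, pcp=0):
    """Ethernet II frame, optionally with an 802.1Q tag (TPID, then TCI = PCP:3 DEI:1 VID:12)."""
    head = dst + src
    if vid is not None:
        head += struct.pack("!HH", ETHERTYPE_VLAN, (pcp << 13) | (vid & 0x0FFF))
    return head + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (vlan_id or None, ethertype, payload); the VID is the low 12 bits of the TCI."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    offset = ETH_HDR.size
    vid = None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vid = tci & 0x0FFF
        offset += 4
    return vid, ethertype, frame[offset:]


def untag(frame):
    """What the cluster controller does before forwarding: drop the 4-byte 802.1Q tag."""
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_VLAN:
        return frame
    return frame[:12] + frame[16:]


def attribute(frames, vid_to_group):
    """Count frames per security group; frames without a tag can only be filed as 'unknown'."""
    counts = Counter()
    for frame in frames:
        vid, _, _ = parse_frame(frame)
        counts[vid_to_group.get(vid, "unknown")] += 1
    return counts


def demo():
    """Same five frames seen at a worker node (tagged) and at the cluster controller (untagged)."""
    mac_vm = bytes.fromhex("d00d0a000001")      # constructed MACs
    mac_gw = bytes.fromhex("d00d0a0000ff")
    at_node = [
        build_frame(mac_gw, mac_vm, b"INVITE sip:1001@10.0.1.10 SIP/2.0", vid=10),
        build_frame(mac_gw, mac_vm, b"INVITE sip:1001@10.0.1.10 SIP/2.0", vid=10),
        build_frame(mac_gw, mac_vm, b"INVITE sip:1001@10.0.1.10 SIP/2.0", vid=10, pcp=5),
        build_frame(mac_gw, mac_vm, b"GET / HTTP/1.1", vid=20),
        build_frame(mac_gw, mac_vm, b"GET /index.html HTTP/1.1", vid=20),
    ]
    at_cluster_controller = [untag(f) for f in at_node]
    return attribute(at_node, VID_TO_GROUP), attribute(at_cluster_controller, VID_TO_GROUP)


if __name__ == "__main__":
    node_view, cc_view = demo()
    print("worker node sees:       ", dict(node_view))
    print("cluster controller sees:", dict(cc_view))
```

The PCP bits in the third frame are deliberately non-zero to show that the group is recovered from the 12-bit VID alone; a sensor that compared the whole TCI would split one group into several.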

  18. Monitoring at the cluster controller

  19. Cluster front-end CPU profile
  [Figure: CPU utilisation over time, 0 to 100 %; series: Snort, Packet forwarding]

  20. Monitoring at each physical machine

  21. Attacked worker node CPU profile
  [Figure: CPU utilisation over time, 0 to 100 %; series: Attacked VM, Dom0, Non-attacked VMs]

  22. Non-attacked worker node CPU profile
  [Figure: CPU utilisation over time, 0 to 100 %]

  23. Conclusions
  • Monitoring traffic at the cluster controller
    • Privileged observation point
    • Looks at all traffic
    • Misses internal attacks
  • Monitoring traffic at each physical machine
    • Limited scope
    • Lightweight
    • Increased cloud resilience

  24. Claudio Mazzariello – claudio.mazzariello@unina.it
  Thank you!
