Open Access

Collaborative Network Security in Multi-Tenant Data Center for Cloud Computing

Zhen Chen, Wenyu Dong, Hang Li, Peng Zhang, Xinming Chen, Junwei Cao
Research Institute of Information Technology and Tsinghua National Lab for Information Science and Technology, Tsinghua University, Beijing 100084, China
Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China
Department of Computer Science and Technology, PLA Univ. of Info. & Eng., Zhengzhou 450001, China
Department of Electronic and Information Engineering, Xi’an Jiaotong University, Xi’an 710049, China
Department of Electrical and Computer Engineering, University of Massachusetts, MA 01003, USA

Abstract

A data center is an infrastructure that supports Internet services. Cloud computing is rapidly changing the face of the Internet service infrastructure, enabling even small organizations to quickly build Web and mobile applications for millions of users by taking advantage of the scale and flexibility of the shared physical infrastructure that cloud computing provides. In this scenario, multiple tenants store their data and applications in shared data centers, blurring the network boundaries between tenants in the cloud. In addition, different tenants have different security requirements, so different security policies are necessary for different tenants. Network virtualization is used to meet a diverse set of tenant-specific requirements on top of the underlying physical network, enabling multi-tenant data centers to automatically address a large and diverse set of tenants' requirements. In this paper, we propose the system implementation of vCNSMS, a collaborative network security prototype system used in a multi-tenant data center. We demonstrate vCNSMS with a centralized collaborative scheme and deep packet inspection using an open source UTM system. A security-level-based protection policy is proposed to simplify security rule management for vCNSMS. Different security levels have different packet inspection schemes and are enforced with different security plugins. A smart packet verdict scheme is also integrated into vCNSMS for intelligent flow processing to protect against possible network attacks inside a data center network.

Tsinghua Science and Technology
Pages 82-94
Cite this article:
Chen Z, Dong W, Li H, et al. Collaborative Network Security in Multi-Tenant Data Center for Cloud Computing. Tsinghua Science and Technology, 2014, 19(1): 82-94. https://doi.org/10.1109/TST.2014.6733211
Received: 18 December 2013
Accepted: 24 December 2013
Published: 07 February 2014
© The author(s) 2014