Volume 19, Issue 1


Collaborative Network Security in Multi-Tenant Data Center for Cloud Computing

Authors: Zhen Chen, Wenyu Dong, Hang Li, Peng Zhang, Xinming Chen, Junwei Cao
Research Institute of Information Technology and Tsinghua National Lab for Information Science and Technology, Tsinghua University, Beijing 100084, China
Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China
Department of Computer Science and Technology, PLA Univ. of Info. & Eng., Zhengzhou 450001, China
Department of Electronic and Information Engineering, Xi’an Jiaotong University, Xi’an 710049, China
Department of Electrical and Computer Engineering, University of Massachusetts, MA 01003, USA

Abstract

A data center is an infrastructure that supports Internet services. Cloud computing is rapidly changing the face of the Internet service infrastructure, enabling even small organizations to quickly build Web and mobile applications for millions of users by taking advantage of the scale and flexibility of the shared physical infrastructure that cloud computing provides. In this scenario, multiple tenants store their data and applications in shared data centers, blurring the network boundaries between tenants in the cloud. In addition, different tenants have different security requirements, so different security policies are necessary for different tenants. Network virtualization is used to meet a diverse set of tenant-specific requirements on top of the underlying physical network, enabling multi-tenant data centers to automatically address a large and diverse set of tenants' requirements. In this paper, we propose the system implementation of vCNSMS, a collaborative network security prototype system for use in a multi-tenant data center. We demonstrate vCNSMS with a centralized collaborative scheme and deep packet inspection based on an open source UTM system. A security-level-based protection policy is proposed to simplify security rule management for vCNSMS: each security level uses a different packet inspection scheme and is enforced by a different set of security plugins. A smart packet verdict scheme is also integrated into vCNSMS for intelligent flow processing, to protect against possible network attacks inside a data center network.

Keywords: network security, cloud computing, data center network, software defined network, collaborative network security, multi-tenant, network virtualization, intelligent flow processing


Publication history

Received: 18 December 2013
Accepted: 24 December 2013
Published: 07 February 2014
Issue date: February 2014

Copyright

© The author(s) 2014

Acknowledgements

This work was supported in part by the National Key Basic Research and Development (973) Program of China (Nos. 2013CB228206 and 2012CB315801) and the National Natural Science Foundation of China (Nos. 61233016 and 61140320).

This work was also supported by the Intel Research Council with the title of "Security Vulnerability Analysis based on Cloud Platform with Intel IA Architecture" and Huawei Corp.
