Open Access

Research and Practice of Dynamic Network Security Architecture for IaaS Platforms

College of Computer Science, Sichuan University, Chengdu 610065, China.

Abstract

Network security requirements arising from the virtual network technologies used in IaaS platforms, together with the corresponding existing solutions, were reviewed. A dynamic network security architecture was proposed, built on software defined networking, Virtual Machine (VM) traffic redirection, unified management of network policies, software defined isolation networks, vulnerability scanning, and software updates. The proposed architecture obtained detection and access control capabilities for VM traffic by redirecting that traffic to configurable security appliances, and it ensured that network policies remained effective throughout the whole life cycle of a VM by configuring each policy at the right place and at the appropriate time, according to the effects of VM state transitions. Virtual isolation domains for tenants’ VMs could be built flexibly, either from VLAN policies or from Netfilter/iptables firewall appliances, and vulnerability scanning as a service and software update as a service were both provided as supporting security functions. In cooperation with IDS appliances and automatic alarm mechanisms, the proposed architecture could dynamically mitigate a wide range of network-based attacks. The experimental results demonstrate the effectiveness of the proposed architecture.

Tsinghua Science and Technology
Pages 496-507
Cite this article:
Chen L, Chen X, Jiang J, et al. Research and Practice of Dynamic Network Security Architecture for IaaS Platforms. Tsinghua Science and Technology, 2014, 19(5): 496-507. https://doi.org/10.1109/TST.2014.6919826

Received: 15 July 2014
Revised: 15 August 2014
Accepted: 20 August 2014
Published: 13 October 2014
© The Author(s) 2014