
Research and Practice of Dynamic Network Security Architecture for IaaS Platforms

Lin Chen, Xingshu Chen, Junfang Jiang, Xueyuan Yin, Guolin Shao
College of Computer Science, Sichuan University, Chengdu 610065, China.

Abstract

Network security requirements arising from virtual network technologies in IaaS platforms, and the corresponding solutions, were reviewed. A dynamic network security architecture was proposed, built on software defined networking, Virtual Machine (VM) traffic redirection, unified management of network policies, software defined isolation networks, vulnerability scanning, and software updates. The proposed architecture gains detection and access-control capability over VM traffic by redirecting that traffic to configurable security appliances, and keeps network policies effective throughout the whole life cycle of a VM by configuring the policies at the right place and at the appropriate time, according to the effects of VM state transitions. Virtual isolation domains for tenants' VMs could be built flexibly from VLAN policies or Netfilter/iptables firewall appliances, and vulnerability scanning as a service and software update as a service were both provided as supporting security services. Through cooperation with IDS appliances and automatic alarm mechanisms, the proposed architecture could dynamically mitigate a wide range of network-based attacks. The experimental results demonstrate the effectiveness of the proposed architecture.

Keywords: network security, cloud computing, IaaS, life cycle, network policy


Publication history

Received: 15 July 2014
Revised: 15 August 2014
Accepted: 20 August 2014
Published: 13 October 2014
Issue date: October 2014

Copyright

© The Author(s) 2014

Acknowledgements

This work was supported by the National Natural Science Foundation of China (No. 61272447) and the National Key Technology Research and Development Program of China (No. 2012BAH18B05) and the National New Generation Broadband Wireless Mobile Communication Network Major Project (03 Project) of China (No. 12H1510).
