Secure Cloud Computing with Virtualized Network Infrastructure
  • 1. Secure Cloud Computing with Virtualized Network Infrastructure
    HotCloud '10
    Paper by Fang Hao et al.; presented by Xuanran Zong
  • 2. Cloud Security
    Two ends of the spectrum
    Amazon EC2
    Shared, public cloud
    Resource multiplexing, low cost
    Weak isolation: tenants share hosts and network
    Government cloud
    Dedicated infrastructure
    High cost
    Strong isolation
  • 3. Design Goal
    Isolation
    Transparency
    Location independence
    Easy policy control
    Scalability (?)
    Low cost
  • 4. Conventional data center architecture
    VLANs used to isolate customers from each other
    Scalability issue: the 12-bit VLAN ID field gives at most 4094 usable IDs (4096 minus the reserved 0 and 4095), so one VLAN per customer caps the number of tenants
    Management and control overhead
    Per-customer security policy control
    But, where to enforce it?
    End host? Not trustworthy: the customer controls the VM, so it cannot be relied on to enforce policy on itself
    Middlebox? Traffic must detour through it, generating unnecessary traffic
  • 5. Secure Elastic Cloud Computing
    Reference: http://www.usenix.org/events/hotcloud10/tech/slides/hao.pdf
  • 6. Numbering and addressing
    Each customer has a unique customer network id (cnet id)
    A VM is identified by (cnet id, IP), so customers may use overlapping private IP ranges
    Each edge domain has a unique edge id (eid)
    Within an edge domain, VLANs separate different customers
    A VLAN id can be reused for a different customer in a different edge domain
  • 7. Customer network integration
    A customer's private network is treated as a special edge domain, connected to the core domain over a VPN
  • 8. Central controller (CC)
    Address mappings
    VM MAC <-> (cnet id, IP)
    VM MAC <-> eid
    eid <-> FE MAC list
    (cnet id, eid) <-> VLAN id
    Policy database
    E.g. packets from customer A are first forwarded to firewall F
  • 9. Forwarding elements (FEs)
    Address lookup and mapping
    FE MAC of the destination edge domain
    VLAN id of the destination customer in that domain
    Policy enforcement
    By default, packets destined to a different customer are dropped
    Tunneling between FEs
    Encapsulate the frame in an outer MAC header addressed to the destination FE (MAC-in-MAC)
  • 10. Data forwarding
    Reference: http://www.usenix.org/events/hotcloud10/tech/slides/hao.pdf
  • 11. How does it address the limitations?
    VLAN scalability
    Partition the network into smaller edge domains, each with its own VLAN space
    VLAN ids can be reused across edge domains
    Per-customer security
    Security policy is enforced by the FEs, not by end hosts or detour middleboxes
    The CC stores the security policies for all customers
  • 12. Discussion
    Security via isolation and access control
    Consider the co-residence checks from "Hey, You, Get Off of My Cloud" (Ristenpart et al., CCS 2009) and how this design blunts each one:
    Matching Dom0 IP address: disable traceroute, so the first hop is not revealed to the tenant
    Small round-trip time: every packet traverses an FE, so RTT no longer distinguishes a co-resident VM from a remote one
    Numerically close IP address: each customer has its own private address space, so IP addresses say nothing about physical placement
  • 13. Discussion
    Cached vs. installed forwarding tables: should FEs fetch mappings from the CC on demand, or have them pre-installed?
    VM migration
    Update the VM's (eid, VLAN id) mapping in the CC; its MAC and (cnet id, IP) stay unchanged
  • 14. Discussion
    Pros
    Security enforcement via isolation and access control
    Scalable in the number of customers despite the VLAN id limit
    Most networking equipment is off-the-shelf
    Cons?
    Scalability? Is the centralized CC a bottleneck or single point of failure?
    Larger round-trip time even within the same edge domain, since every packet traverses an FE
    Tunneling overhead?
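To make the pieces of slides 6, 8, 9, 11 and 13 concrete, here is a toy model of the central controller and a forwarding element. It is an added example for this summary, not code from the paper or the presenter: all MAC addresses, IPs, cnet ids, eids and VLAN ids are constructed values, and the way policies are stored (a per-customer firewall MAC plus an allow-list of customer pairs) is an assumption, since the slides only give one policy example.

```python
"""Toy model of the SEC2 design from the slides: a central controller (CC) that
owns the address/VLAN/policy mappings, and forwarding elements (FEs) that look
them up, enforce policy and tunnel between edge domains.

Added example, not the paper's or presenter's code. Every MAC, IP, cnet id,
eid and VLAN id is constructed; the policy representation is an assumption.
"""
from dataclasses import dataclass

MAX_VLAN = 4094          # 12-bit field; ids 0 and 4095 are reserved


@dataclass
class VM:
    mac: str
    cnet: int            # customer network id, unique per customer
    ip: str              # private IP, unique only within the customer network
    eid: int             # edge domain the VM currently sits in


class CentralController:
    def __init__(self):
        self.vms = {}            # VM MAC -> VM (yields (cnet, IP) and eid)
        self.addr = {}           # (cnet, IP) -> VM MAC
        self.fe_macs = {}        # eid -> list of FE MACs serving that domain
        self.vlan = {}           # (cnet, eid) -> VLAN id
        self.next_vlan = {}      # eid -> next free VLAN id in that domain
        self.firewall = {}       # cnet -> MAC of the firewall its packets visit first
        self.allowed = set()     # (src cnet, dst cnet) pairs allowed to talk

    def add_domain(self, eid, fe_macs):
        self.fe_macs[eid] = list(fe_macs)
        self.next_vlan[eid] = 1

    def _assign_vlan(self, cnet, eid):
        # VLAN ids are allocated per edge domain, so the same id can be
        # reused for a different customer in another domain (slide 11).
        key = (cnet, eid)
        if key not in self.vlan:
            vid = self.next_vlan[eid]
            if vid > MAX_VLAN:
                raise RuntimeError(f"edge domain {eid} out of VLAN ids")
            self.vlan[key] = vid
            self.next_vlan[eid] = vid + 1
        return self.vlan[key]

    def register(self, vm):
        self.vms[vm.mac] = vm
        self.addr[(vm.cnet, vm.ip)] = vm.mac
        return self._assign_vlan(vm.cnet, vm.eid)

    def migrate(self, mac, new_eid):
        # Slide 13: only the CC's (eid, VLAN) view changes; MAC and (cnet, IP) do not.
        vm = self.vms[mac]
        vm.eid = new_eid
        return self._assign_vlan(vm.cnet, new_eid)


class ForwardingElement:
    def __init__(self, mac, eid, cc):
        self.mac, self.eid, self.cc = mac, eid, cc

    def forward(self, src_mac, dst_cnet, dst_ip):
        """Decide what the FE does with a frame from src_mac to (dst_cnet, dst_ip)."""
        cc = self.cc
        src = cc.vms[src_mac]
        dst_mac = cc.addr.get((dst_cnet, dst_ip))
        if dst_mac is None:
            return {"action": "drop", "reason": "unknown destination"}
        dst = cc.vms[dst_mac]
        # Slide 9: cross-customer traffic is dropped unless a CC policy allows it.
        if src.cnet != dst.cnet and (src.cnet, dst.cnet) not in cc.allowed:
            return {"action": "drop", "reason": "cross-customer traffic denied by default"}
        # Slide 8 policy example: the customer's packets go to its firewall first.
        next_mac = dst_mac
        fw = cc.firewall.get(src.cnet)
        if fw is not None and src_mac != fw:
            next_mac = fw
        hop = cc.vms[next_mac]
        vlan = cc.vlan[(hop.cnet, hop.eid)]
        if hop.eid == self.eid:
            return {"action": "local", "vlan": vlan, "dst_mac": next_mac}
        # Slide 9: add an outer MAC header addressed to an FE of the target domain.
        return {"action": "tunnel", "outer_src": self.mac,
                "outer_dst": cc.fe_macs[hop.eid][0], "vlan": vlan, "dst_mac": next_mac}


def demo():
    cc = CentralController()
    cc.add_domain(1, ["fe:00:00:00:00:01"])
    cc.add_domain(2, ["fe:00:00:00:00:02"])
    A, B = 10, 20                                    # constructed customer ids
    a1 = VM("0a:00:00:00:00:01", A, "10.0.0.1", 1)
    b1 = VM("0b:00:00:00:00:01", B, "10.0.0.1", 2)   # same private IP as a1
    a2 = VM("0a:00:00:00:00:02", A, "10.0.0.2", 2)
    fw = VM("0a:00:00:00:00:ff", A, "10.0.0.254", 1) # customer A's firewall
    for vm in (a1, b1, a2, fw):
        cc.register(vm)
    fe1 = ForwardingElement(cc.fe_macs[1][0], 1, cc)
    out = {"vlans": dict(cc.vlan)}                   # VLAN 1 means A in eid 1 but B in eid 2
    out["cross_customer"] = fe1.forward(a1.mac, B, "10.0.0.1")
    out["inter_domain"] = fe1.forward(a1.mac, A, "10.0.0.2")
    cc.firewall[A] = fw.mac
    out["via_firewall"] = fe1.forward(a1.mac, A, "10.0.0.2")
    out["after_firewall"] = fe1.forward(fw.mac, A, "10.0.0.2")
    out["migrated_vlan"] = cc.migrate(a2.mac, 1)
    out["after_migration"] = fe1.forward(fw.mac, A, "10.0.0.2")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The run shows the three properties the slides claim: two customers share the private IP 10.0.0.1 without ambiguity because lookups are keyed by (cnet id, IP); VLAN id 1 is handed to customer A in edge domain 1 and to customer B in edge domain 2 without conflict; and after migrating a2 into domain 1, the same frame that previously needed a tunnel is delivered locally with no change to a2's addresses.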