Secure Cloud Computing with Virtualized Network Infrastructure


  1. Secure Cloud Computing with Virtualized Network Infrastructure
     • HotCloud 10
     • By Xuanran Zong

  2. Cloud Security
     • Two ends of the spectrum
       • Amazon EC2: shared, public cloud; resource multiplexing, low cost; low security
       • Government cloud: dedicated infrastructure; high cost; high security

  3. Design Goals
     • Isolation
     • Transparency
     • Location independence
     • Easy policy control
     • Scalability (?)
     • Low cost

  4. Conventional data center architecture
     • VLANs used to ensure security
       • Scalability issue: only about 4K VLAN ids are available
       • Management and control overhead
     • Per-user security policy control
       • But how to enforce it?
       • At the end host? Not secure enough
       • At a middlebox? Unnecessary traffic

  5. Secure Elastic Cloud Computing
     • Reference: http://www.usenix.org/events/hotcloud10/tech/slides/hao.pdf

  6. Numbering and addressing
     • Each customer has a unique cnet id
     • A VM is identified by (cnet id, IP)
     • Each edge domain has a unique eid
     • VLANs separate different customers within the same domain
     • A VLAN id can be reused in different domains

  7. Customer network integration
     • A customer's private network is treated as a special domain, connected to the core domain by VPN

  8. Central controller (CC)
     • Address mappings
       • VM MAC <-> (cnet id, IP)
       • VM MAC <-> eid
       • eid <-> FE MAC list
       • (cnet id, eid) <-> VLAN id
     • Policy database
       • E.g. packets from customer A are first forwarded to firewall F

  9. Forwarding elements (FEs)
     • Address lookup and mapping
       • FE MAC of the destination domain
       • VLAN id
     • Policy enforcement
       • By default, packets destined for a different customer are dropped
     • Tunneling between FEs
       • Encapsulate the frame in another MAC header

  10. Data forwarding
     • Reference: http://www.usenix.org/events/hotcloud10/tech/slides/hao.pdf

  11. How does it solve the limitations?
     • VLAN scalability
       • Partition the network into smaller edge domains, each maintaining its own VLANs
       • VLAN ids can be reused
     • Per-user security
       • Security policy enforced by the FEs
       • The CC stores the security policies for all customers

  12. Discussion
     • Security via isolation and access control
     • Consider the co-residence checks proposed in the “Get off my cloud” paper
       • Matching Dom0 IP address: disable traceroute
       • Small round-trip time: every packet needs to go through an FE
       • Numerically close IP addresses: each customer has its own private IP address space

  13. Discussion
     • Cached vs. installed forwarding table
     • VM migration: update the CC mappings (eid, VLAN id)

  14. Discussion
     • Pros
       • Security enforcement via isolation and access control
       • Scalable in terms of the number of customers supported by VLANs
       • Most networking equipment is off-the-shelf
     • Cons?
       • Scalability? Centralized CC?
       • Larger round-trip time within the same edge domain
       • Tunneling?
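The CC mapping tables (slide 8), the FE lookup, default-drop and tunneling steps (slide 9) and the migration update (slide 13) can be traced through as a small simulation. The following is an added example, not code from the slides or the SEC2 paper; the MAC addresses, IPs, cnet/eid values, VLAN ids and the firewall policy are constructed sample data, and the `middlebox-first` steering rule is my reading of the policy example on slide 8.

```python
from dataclasses import dataclass, field

@dataclass
class CentralController:
    """Central controller (CC) tables from the slides; all entries are constructed sample data."""
    mac_to_addr: dict = field(default_factory=dict)  # VM MAC -> (cnet id, IP)
    mac_to_eid: dict = field(default_factory=dict)   # VM MAC -> eid of the edge domain hosting it
    eid_to_fes: dict = field(default_factory=dict)   # eid -> list of FE MACs serving that domain
    vlan: dict = field(default_factory=dict)         # (cnet id, eid) -> VLAN id inside that domain
    policy: dict = field(default_factory=dict)       # cnet id -> MAC of middlebox traffic must visit first

    def register_vm(self, mac, cnet, ip, eid):
        self.mac_to_addr[mac] = (cnet, ip)
        self.mac_to_eid[mac] = eid

    def migrate_vm(self, mac, new_eid):
        # VM migration: only the eid mapping changes; the (cnet id, IP) identity stays stable.
        self.mac_to_eid[mac] = new_eid

    def resolve(self, cnet, ip):
        # Reverse lookup: the same private IP may exist under several cnet ids, so key on both.
        return next((m for m, a in self.mac_to_addr.items() if a == (cnet, ip)), None)


def fe_forward(cc, src_mac, dst_cnet, dst_ip):
    """Forwarding decision of an FE for a frame from src_mac to (dst_cnet, dst_ip)."""
    src_cnet, _ = cc.mac_to_addr[src_mac]
    if src_cnet != dst_cnet:                       # default rule: cross-customer traffic is dropped
        return {"action": "DROP", "reason": "cross-customer"}
    dst_mac = cc.resolve(dst_cnet, dst_ip)
    if dst_mac is None:
        return {"action": "DROP", "reason": "unknown destination"}
    middlebox = cc.policy.get(src_cnet)
    # Policy enforcement: frames not already coming from the middlebox are steered to it first.
    target = middlebox if middlebox and src_mac != middlebox else dst_mac
    eid = cc.mac_to_eid[target]
    return {"action": "FORWARD",
            "outer_dst": cc.eid_to_fes[eid][0],    # tunnel: encapsulating MAC header to the remote FE
            "vlan": cc.vlan[(dst_cnet, eid)],      # VLAN tag valid only inside the destination domain
            "inner_dst": target}


def build_sample_cc():
    """Two customers (cnet 1 = A, cnet 2 = B), two edge domains, one firewall F; constructed data."""
    cc = CentralController(eid_to_fes={1: ["fe:00:00:00:00:01"], 2: ["fe:00:00:00:00:02"]},
                           vlan={(1, 1): 100, (1, 2): 200, (2, 2): 100},  # VLAN 100 reused in eid 1 and 2
                           policy={1: "0f:00:00:00:00:01"})               # customer A's traffic visits F first
    cc.register_vm("aa:00:00:00:00:01", 1, "10.0.0.1", 1)
    cc.register_vm("aa:00:00:00:00:02", 1, "10.0.0.2", 2)
    cc.register_vm("0f:00:00:00:00:01", 1, "10.0.0.254", 1)   # firewall F lives in customer A's cnet
    cc.register_vm("bb:00:00:00:00:01", 2, "10.0.0.1", 2)     # same private IP as A's VM, different cnet
    return cc
```

Running `fe_forward` from customer A's VM to another A VM yields a tunnel to the firewall's FE first, while the same IP under customer B's cnet is dropped, and after `migrate_vm` the outer FE MAC and VLAN follow the VM to its new domain.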
