A Model for Security in cloud using dynamic
firewall restriction algorithm
A PROJECT REVIEW 2 REPORT
Submitted by
NANDITHA.S(311111104035)
PENTAREDDY SOWMYA SELES (311111104039)
in partial fulfillment for the award of the degree
of
BACHELOR OF ENGINEERING
in
COMPUTER SCIENCE AND ENGINEERING
LOYOLA – ICAM COLLEGE OF ENGINEERING AND
TECHNOLOGY, CHENNAI 600 034
ANNA UNIVERSITY: CHENNAI 600 025
FEBRUARY 2015
ANNA UNIVERSITY : CHENNAI 600 025
BONAFIDE CERTIFICATE
Certified that this project report “A MODEL FOR SECURITY IN CLOUD
USING DYNAMIC FIREWALL RESTRICTION ALGORITHM” is the
bonafide work of “NANDITHA.S(311111104035),PENTAREDDY SOWMYA
SELES(311111104039)” who carried out the project work under my supervision.
Signature of the Supervisor
Ms S. Sengole Merlin
Assistant Professor
Department of Computer Science and Engineering
Loyola ICAM College of Engg and Technology
Chennai-600 034

Signature of the Project Coordinator
Ms S. Sengole Merlin
Assistant Professor
Department of Computer Science and Engineering
Loyola ICAM College of Engg and Technology
Chennai-600 034
Submitted to Project Review 2 Examination held on_____________
ABSTRACT
Cloud computing is becoming increasingly important for the provision of services and the storage of data on the Internet. However, there are several significant challenges in securing cloud infrastructures from different types of attacks. The focus of this report is on the security services that a cloud provider can offer as part of its infrastructure to its customers (tenants) to counteract these attacks. Our main contribution is a security architecture that provides a flexible security-as-a-service model which a cloud provider can offer to its tenants and to the customers of its tenants. While giving the provider a baseline level of security with which to protect its own cloud infrastructure, the model also gives tenants the flexibility to add security functionality that suits their own requirements. The report describes the design of the security architecture and discusses how different types of attacks are counteracted by the proposed architecture.
TABLE OF CONTENTS
ABSTRACT
1. INTRODUCTION
2. LITERATURE SURVEY
3. ANALYSIS
3.1 SYSTEM ANALYSIS
3.1.1 Existing System
3.1.2 Proposed System
3.3 REQUIREMENT ANALYSIS
3.3.1 Software Specification
3.3.2 Hardware Specification
4. MODULES DESCRIPTION
5. IMPLEMENTATION
6. FUTURE WORK
7. CONCLUSION
8. REFERENCES
Introduction:
Cloud computing, the long-held dream of computing as a utility, has the potential to transform a large part of the IT industry, making software even more attractive as a service and shaping the way IT hardware is designed and purchased. Security has been the single most important issue hindering the acceptance of cloud computing: storing data and running software on someone else's disks and CPUs appears daunting to many. Well-known security problems such as data loss and phishing pose serious threats to individual data and software. Since virtualization is the foundation of cloud computing, it needs to be studied in more depth to avoid attacks and system failures.

Contributions: several security issues of cloud computing are studied and solutions to a few of them are provided. Among the issues considered are virtual machine escape, cold boot attacks and denial of service attacks. Virtual machine escape is the process of breaking out of a virtual machine and interacting with the host operating system. A cold boot attack is one in which a running machine is cold-booted (powered off and on again without a clean shutdown) into a minimal operating system; since the minimal OS uses very little memory, the rest of RAM still holds what it held at the moment of the reboot, including whatever keys and data the previous OS had in memory. In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services. By targeting the user's computer and its network connection, or the computers and network of the site the user is trying to use, an attacker may be able to prevent the user from reaching email, websites, online accounts (banking, etc.) or other services that rely on the affected computer.

Tenants in the cloud run different operating systems and applications inside their virtual machines. Vulnerabilities in those operating systems and applications can be exploited by an attacker, which gives rise to different types of attacks. Cloud providers such as Amazon state that the security of a tenant's virtual machines is the tenant's responsibility, since tenants are free to run any operating system or application; cloud tenants therefore need to make their own arrangements for securing the virtual machines they host in the cloud. Many tenants rely on anti-virus and similar security tools, but because such tools reside in the same system as the one they monitor, they are themselves exposed to attack from within that system. To address this, tenants may opt for the security levels offered by the provider, or for the baseline default security. The baseline security is needed by the provider to ensure that malicious tenants are not attacking the cloud infrastructure or hosting malicious software. Tenants with higher security requirements will need additional security functionality to protect their data. The model manages the tension between tenants' privacy concerns and the security controls offered by the cloud provider: it is the tenant's choice whether to opt for additional security. The aim is to protect tenants from threats posed by malicious co-tenants who misuse their privileges and from exploits against the privileged domain. The model does not protect just a single application but the entire operating system: the guest operating system acts as the firewall that keeps data away from malicious tenants, while the tenants retain complete control over their virtualized systems.
Literature survey:
Title - Architecture of virtual machines (Author: R. P. Goldberg)
A model is developed that represents the addressing of resources by processes executing on a virtual machine. The model distinguishes two kinds of maps: the φ-map and the f-map. The φ-map maps process names to resource names, while the f-map maps virtual resource names to real resource names. A general approach to implementing virtual machines is the Hardware Virtualizer, which handles all process exceptions directly within the executing virtual machine without software intervention, while all VM-faults generated by a virtual machine are directed to the appropriate virtual machine monitor without the knowledge of the processes on the virtual machine. The key point is the relationship between the resources in the configuration of the virtual machine and those in the configuration of the real (host) machine. When a process running on a virtual machine references a resource via a process name, the required real resource name is obtained by dynamically composing the f-map and the φ-map at execution time. A hardware-firmware device that implements this functionality is called a Hardware Virtualizer (HV).
The design of a Hardware Virtualizer must consider the following points:
The database in which to store f
A mechanism to invoke f
The mechanics of map composition
The action to take on a VM-fault.
The resource map function:
$f: V \to R \cup \{t\}$ such that, if $y \in V$ and $z \in R$, then $f(y) = z$ if $z$ is the real name for the virtual name $y$, and $f(y) = t$ if $y$ has no corresponding real name. The value $f(y) = t$ causes a trap or fault to $R$ (the real machine). The function $f$ is called a resource map, virtual machine map, or f-map.
The process map function:
$\phi: P \to R \cup \{e\}$ such that, if $x \in P$ and $y \in R$, then $\phi(x) = y$ if $y$ is the resource name for the process name $x$, and $\phi(x) = e$ if $x$ has no corresponding resource. The value $\phi(x) = e$ causes an exception to occur.
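The two maps and their composition, as an added example written for this report (it is not code from Goldberg's paper): a process name is first taken through φ, then through the f-map of each virtual machine in the chain down to the real machine, so a nested VM simply adds one more f to compose. The VM names, the resource names and the two-level nesting in demo_levels() are assumptions made for the demonstration.

```python
# Added example for this report (not Goldberg's own code): the phi-map and
# f-map composed at reference time, with e handled as a process exception
# and t handled as a VM-fault to the monitor.  The VM names, resource names
# and the nesting in demo_levels() are assumptions made for the demonstration.

TRAP = "t"        # f(y) = t: VM-fault, delivered to the VMM below this VM
EXCEPTION = "e"   # phi(x) = e: exception, delivered to the process itself


class ProcessException(Exception):
    """phi yielded e: the process named a resource it does not have."""


class VMFault(Exception):
    """Some f in the chain yielded t: the virtual name has no real name."""

    def __init__(self, vm_name, virtual_name):
        super().__init__(f"VM-fault in {vm_name} for virtual name {virtual_name!r}")
        self.vm_name = vm_name
        self.virtual_name = virtual_name


class VirtualMachine:
    """One level in a chain of (possibly nested) virtual machines.

    phi: process name -> virtual resource name on this VM    (P -> R U {e})
    f:   virtual resource name -> name one level further down (V -> R U {t})
    """

    def __init__(self, name, phi, f):
        self.name = name
        self.phi = dict(phi)
        self.f = dict(f)


def phi_map(vm, process_name):
    return vm.phi.get(process_name, EXCEPTION)


def f_map(vm, virtual_name):
    return vm.f.get(virtual_name, TRAP)


def resolve(levels, process_name):
    """Dynamic composition f_n o ... o f_1 o phi.

    `levels` lists the VMs from the one the process runs on (first) down to
    the one sitting directly on the real machine (last).  Returns the real
    resource name.  An e from phi goes back to the process; a t from any f
    is the business of that level's monitor and is never seen by the process.
    """
    top = levels[0]
    name = phi_map(top, process_name)
    if name == EXCEPTION:
        raise ProcessException(f"{process_name} on {top.name}: no such resource")
    for vm in levels:
        real = f_map(vm, name)
        if real == TRAP:
            raise VMFault(vm.name, name)
        name = real
    return name


def classify(levels, process_name):
    """Outcome as a tuple: ("ok", real_name), ("exception", process_name)
    or ("fault", vm_name, virtual_name)."""
    try:
        return ("ok", resolve(levels, process_name))
    except ProcessException:
        return ("exception", process_name)
    except VMFault as fault:
        return ("fault", fault.vm_name, fault.virtual_name)


def demo_levels():
    """Constructed two-level configuration: VM2 is nested inside VM1."""
    vm2 = VirtualMachine("VM2",
                         phi={"p1": "vpage7", "p2": "vpage8"},   # p2's page is unmapped
                         f={"vpage7": "vm1-page3"})
    vm1 = VirtualMachine("VM1", phi={}, f={"vm1-page3": "frame42"})
    return [vm2, vm1]


if __name__ == "__main__":
    levels = demo_levels()
    for process in ("p1", "p2", "p9"):
        print(process, classify(levels, process))
```

The point the code makes explicit is who receives each failure: an e from φ is returned to the process, whereas a t from any f in the chain is raised as a fault attributed to that level's monitor, and the process is never involved in the composition.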
Title - Self-service Cloud Computing (Authors: Shakeel Butt, H. Andrés Lagar-Cavilla, Abhinav Srivastava, Vinod Ganapathy, October 2012)
Modern cloud computing infrastructures use a virtual machine monitor together with a large and complex administrative domain. Attacks against this domain can compromise client security, and the arrangement also leaves clients with inflexible control over their own VMs. To avoid these shortcomings, a self-service cloud (SSC) computing model is introduced that splits administrative privileges between a system-wide domain and per-client administrative domains. In a VMM the trusted computing base (TCB) has two parts: the hypervisor and an administrative domain. The hypervisor directly controls the physical hardware, and the administrative domain controls and monitors client VMs. Dom0 has the privileges to start and stop client VMs, change client VM configuration, monitor their physical resource utilization, and perform I/O for virtualized devices. Endowing dom0 with such privileges leads to two problems: the security and privacy of client VMs, and the inflexible control clients have over their own VMs.
SSC reduces the power of the administrative domain and gives clients more flexible control over their own VMs. It splits the responsibilities between Sdom0, Udom0, service domains and mutually trusted service domains. User dom0 (Udom0) is a per-client administrative domain that can monitor and control the set of VMs of a particular client. Udom0 can delegate its privileges to service domains (SDs), which are special-purpose user domains that perform privileged system services on that client's VMs.
Sdom0 (System dom0) is the system-wide administrative domain. It retains the privileges to start and stop Udom0 domains upon request by clients, and it manages resources, including scheduling time-slices. SSC's privilege model disallows Sdom0 from inspecting the state of a client's domains, yet the provider still needs some way of enforcing its own policies on client VMs. SSC resolves this tension by introducing mutually-trusted service domains (MTSDs): the cloud provider and the client mutually agree upon the policies and mechanisms that the provider will use to control the client's VMs.
Title - Secure Virtualization for Cloud Environment Using Hypervisor-Based Technology (Author: Farzad Sabahi, February 2012)
Virtualization is a technology that helps IT organizations optimize their application performance in a cost-effective manner. A hypervisor is a virtualization technique that allows multiple operating systems to run concurrently on one host computer, a feature called hardware virtualization.
Virtualization approaches are of three types:
1. Operating system-based virtualization
2. Application-based virtualization
3. Hypervisor-based virtualization
In hypervisor-based virtualization the single point of failure is the hypervisor: if it crashes, every VM on it fails. Taking control of the hypervisor from the virtual machine level, however, is a difficult task. Operating system-based virtualization is enabled by a host operating system that supports virtualized guest OSes on a single physical server; if an attacker injects controlling scripts into the host operating system, the attacker gains control over every guest OS running on it. In application-based virtualization each VM contains its own guest operating system and related applications. VSEM and VREM are new features at the VM level, added to improve security performance in virtualization technology; in addition, HSEM and HREM are added at the hypervisor level. HSEM receives behavioural information from VSEM, and HREM never collects information by itself. The advantage is that the hypervisor controls the hardware and is the only way to access it, so the hypervisor itself acts as the firewall.
Title - Spack Firewall Restriction With Security In Cloud Over Virtual Environment (Authors: K. A. Rajnivas, R. Ruhin Kotenant, M. Madhavan, December 2014)
Security concerns in the cloud are mainly associated with the security issues faced by cloud service providers and the service issues faced by cloud customers. Attackers mainly focus on DoS attacks rather than on data or media theft. The extensive use of virtualization in implementing cloud environments brings unique security provisions, but for cloud customers and for all the resellers and subscribers of a public cloud service it also involves a large volume of paid service access. Authorized persons are allowed to enter the cloud through an id and password from the machine they registered; this is enforced by validating the MAC address of the system, so that only a tenant on the registered machine can access the cloud. This model reduces DoS attacks and maximizes the throughput of the cloud servers.
When a VM is launched, a patched Xen adds an ebtables rule that tags every packet from that VM with identifying information. SPAD then decodes this information and is able to determine the sending VM reliably regardless of the packet content, which may be spoofed. Scapy is used to generate attack traffic with spoofed source addresses, and alerts are raised when such traffic is detected by the SPAD component.
Professional firewall products catch each network packet before the operating system does, so there is no direct path from the Internet to the operating system's TCP/IP stack. It is therefore very difficult for an intruder to gain control of the firewall host computer except from the inside.
Phishing is an attempt to obtain sensitive information such as a password by creating a fake website that looks like the real one. To prevent phishing, the client should be able to tell whether the server is genuine. Visual cryptography is used to provide trustworthy access: during tenant registration, an image is uploaded to the server. Each time a tenant logs in to the system, the image and a randomly generated code are sent to the tenant's mail. When the tenant sees the correct image in the mail, he can confirm that the website is genuine, and he enters the code along with his password to log in to the system.
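The registration-image plus mailed-code login flow described above, as an added example written for this report rather than code from the paper surveyed. The mail server (replaced by an in-memory outbox), the tenant store, the code lifetime CODE_TTL and the image identifier are assumptions made for the demonstration; the visual-cryptography share splitting the paper mentions is not implemented, the image is used only as the site-authentication cue the text describes. The example adds the checks a practitioner would want on such a code: it is generated from the system CSPRNG, stored hashed, bound to the browser session that requested it, expires, and is consumed on every attempt, so a guess cannot be retried.

```python
# Added example (not code from the paper surveyed above): the registration
# image plus mailed one-time code login flow.  The mail server, tenant
# store, CODE_TTL and the image identifier are assumptions for the demo; the
# "visual cryptography" share splitting the paper mentions is not implemented,
# the image is used as a site-authentication cue only.
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300  # seconds a mailed code stays valid (assumed value)


class Outbox:
    """Stand-in for the mail server: records what would have been e-mailed."""

    def __init__(self):
        self.sent = []

    def send(self, to, image_id, code):
        self.sent.append({"to": to, "image": image_id, "code": code})


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    def __init__(self, outbox, clock=time.time):
        self.outbox = outbox
        self.clock = clock
        self.tenants = {}   # username -> registration record
        self.pending = {}   # username -> (sha256(code), session_id, expires_at)

    def register(self, username, password, email, image_id):
        """Registration: the tenant uploads (here: names) an image that the
        server will show back in every login mail."""
        salt = secrets.token_bytes(16)
        self.tenants[username] = {
            "salt": salt, "pw": _hash_password(password, salt),
            "email": email, "image": image_id,
        }

    def begin_login(self, username, session_id):
        """Step 1: mail the registered image and a fresh single-use code,
        bound to the browser session that asked for it."""
        rec = self.tenants.get(username)
        if rec is None:
            return False  # caller shows the same "check your mail" page either way
        code = secrets.token_hex(4)
        self.pending[username] = (
            hashlib.sha256(code.encode()).digest(), session_id,
            self.clock() + CODE_TTL,
        )
        self.outbox.send(rec["email"], rec["image"], code)
        return True

    def finish_login(self, username, session_id, code, password):
        """Step 2: the tenant has seen the right image in the mail and submits
        the code with the password.  The pending code is consumed on every
        attempt, so a wrong guess cannot be retried against the same code."""
        rec = self.tenants.get(username)
        pend = self.pending.pop(username, None)
        if rec is None or pend is None:
            return False
        code_hash, bound_session, expires_at = pend
        if self.clock() > expires_at or bound_session != session_id:
            return False
        code_ok = hmac.compare_digest(
            code_hash, hashlib.sha256(code.encode()).digest())
        pw_ok = hmac.compare_digest(rec["pw"], _hash_password(password, rec["salt"]))
        return code_ok and pw_ok
```

The image tells the tenant that the mail came from the server that holds the registration; it does not stop a phishing site that relays the login in real time, which is why the code is tied to the session that requested it and kept short-lived.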
Analysis:
System Analysis:
Existing system:
Firewall rule set consistency management:
The consistency management process can be divided into three sequential phases: detection (finding the rules that are inconsistent with other rules), identification (finding the rules that cause all the inconsistencies among the detected inconsistent rules) and characterization (naming each identified inconsistent rule according to a taxonomy of faults, using the relations between rules). The combination of detection and identification is the diagnosis, and it is carried out by two sets of algorithms:
1. one-to-one local consistency
2. one-to-many local consistency
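The detection and characterization phases for the one-to-one case, as an added example written for this report (it is not code from the report or from the work it summarizes): every pair of rules is compared in first-match order and the relation between the two match sets decides the fault name. The rule format and the sample rule set are constructed for the demonstration; the fault names (shadowing, redundancy, generalization, correlation) are the usual ones for this taxonomy. The identification phase, choosing the smallest set of rules whose removal clears all findings, is not shown.

```python
# Added example, not from the report or the work it summarizes: the
# detection and characterization phases for firewall rule-set consistency,
# done pairwise (one-to-one local consistency) over rules in first-match
# order.  The rule format and the sample rule set are constructed for this
# demonstration; the fault names follow the usual shadowing / redundancy /
# generalization / correlation taxonomy.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    id: str
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "*"
    src: str         # CIDR or "*"
    dst: str         # CIDR or "*"
    dport: tuple     # inclusive (low, high) destination port range


def _net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "*" else cidr)


def subset(a, b):
    """True when every packet matched by a is also matched by b."""
    return ((b.proto == "*" or a.proto == b.proto)
            and _net(a.src).subnet_of(_net(b.src))
            and _net(a.dst).subnet_of(_net(b.dst))
            and b.dport[0] <= a.dport[0] and a.dport[1] <= b.dport[1])


def overlap(a, b):
    """True when at least one packet is matched by both a and b."""
    return ((a.proto == "*" or b.proto == "*" or a.proto == b.proto)
            and _net(a.src).overlaps(_net(b.src))
            and _net(a.dst).overlaps(_net(b.dst))
            and a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1])


def characterize(earlier, later):
    """Name the relation between two rules, `earlier` being listed first.

    Returns None when the pair is consistent."""
    same = earlier.action == later.action
    if subset(later, earlier):
        # later can never fire: harmful if actions differ, wasteful if not
        return "shadowing" if not same else "redundancy"
    if subset(earlier, later):
        # later generalizes earlier: the "specific exception first" pattern
        # when actions differ, a redundant earlier rule when they agree
        return "generalization" if not same else "redundancy"
    if overlap(earlier, later) and not same:
        # partial overlap with conflicting actions: result depends on order
        return "correlation"
    return None


def detect(rules):
    """Detection phase: every inconsistent (earlier, later) pair with its
    characterization, in rule order."""
    findings = []
    for i, earlier in enumerate(rules):
        for later in rules[i + 1:]:
            kind = characterize(earlier, later)
            if kind:
                findings.append((earlier.id, later.id, kind))
    return findings


def sample_rules():
    """Constructed rule set exercising each fault class."""
    return [
        Rule("R1", "deny",  "tcp", "10.0.0.0/8",    "*",              (22, 22)),
        Rule("R2", "allow", "tcp", "10.1.0.0/16",   "*",              (22, 22)),
        Rule("R3", "allow", "tcp", "*",             "192.168.1.0/24", (80, 80)),
        Rule("R4", "allow", "tcp", "10.0.0.0/8",    "192.168.1.0/24", (80, 80)),
        Rule("R5", "deny",  "tcp", "*",             "192.168.0.0/16", (80, 443)),
        Rule("R6", "deny",  "udp", "172.16.0.0/12", "192.168.1.0/24", (53, 53)),
        Rule("R7", "allow", "tcp", "10.0.0.0/16",   "*",              (20, 25)),
    ]


if __name__ == "__main__":
    for earlier, later, kind in detect(sample_rules()):
        print(f"{later} vs {earlier}: {kind}")
```

On the sample set R2 is shadowed by R1 (the allow can never fire), R4 is redundant with R3, R5 generalizes both R3 and R4, R7 correlates with R1 (the two disagree on packets to port 22 from 10.0.0.0/16), and R6 is consistent with everything because no other rule matches UDP.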
The algorithm used in the existing system is the Adaptive Security Algorithm:
• The Adaptive Security Algorithm (ASA) is the foundation on which the firewall is built.
• It examines the traffic passing through it and applies rules to it. The basic concept behind ASA is to keep track of the requests being sent out to the cloud server.
• Based on the information recorded about each outgoing request, ASA allows the corresponding reply packets to come back into the private network through the firewall.
• All other traffic destined for the private network that arrives at the firewall is blocked.
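A minimal stateful filter of the kind the bullets describe, as an added example written for this report (it is not the vendor's ASA implementation): outbound requests from the private network are recorded as flows, only an inbound packet whose reversed 5-tuple matches a recorded flow is let back in, and idle entries age out. The private range, the idle timeout and the packets in sample_trace() are assumptions made for the demonstration.

```python
# Added example, not the vendor's ASA code: a minimal stateful filter of the
# kind the bullets describe.  Outbound requests from the private network are
# recorded; only replies matching a recorded request are let back in, and
# entries age out.  The private range, timeout and packets are assumptions.
import ipaddress
import time


class StatefulFilter:
    def __init__(self, private_cidr, idle_timeout=60, clock=time.time):
        self.private = ipaddress.ip_network(private_cidr)
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.table = {}   # flow 5-tuple -> time it was last seen

    def _inside(self, ip):
        return ipaddress.ip_address(ip) in self.private

    def _expire(self, now):
        dead = [k for k, seen in self.table.items() if now - seen > self.idle_timeout]
        for k in dead:
            del self.table[k]

    def process(self, pkt):
        """Return "allow" or "deny" for a packet dict with keys
        proto, src, sport, dst, dport."""
        now = self.clock()
        self._expire(now)
        flow = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        src_in, dst_in = self._inside(pkt["src"]), self._inside(pkt["dst"])
        if src_in and not dst_in:
            self.table[flow] = now            # outbound request: remember it
            return "allow"
        if dst_in and not src_in:
            reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            if reverse in self.table:         # reply to a request we saw
                self.table[reverse] = now
                return "allow"
            return "deny"                     # unsolicited inbound
        return "deny"                         # transit or inside-to-inside: no state


def sample_trace():
    """Constructed packet sequence run through the filter with a fake clock.
    Returns the list of decisions."""
    now = [0.0]
    fw = StatefulFilter("10.0.0.0/8", idle_timeout=60, clock=lambda: now[0])
    out = {"proto": "tcp", "src": "10.0.0.5", "sport": 40000,
           "dst": "203.0.113.10", "dport": 443}
    reply = {"proto": "tcp", "src": "203.0.113.10", "sport": 443,
             "dst": "10.0.0.5", "dport": 40000}
    probe = {"proto": "tcp", "src": "198.51.100.7", "sport": 1234,
             "dst": "10.0.0.5", "dport": 22}
    wrong_proto = dict(reply, proto="udp")   # same addresses, different protocol
    decisions = [fw.process(probe),          # deny: nothing asked for it
                 fw.process(out),            # allow: state created
                 fw.process(reply),          # allow: matches the state
                 fw.process(probe),          # deny: still unsolicited
                 fw.process(wrong_proto)]    # deny: 5-tuple does not match
    now[0] += 61                             # past the idle timeout
    decisions.append(fw.process(reply))      # deny: state has aged out
    return decisions


if __name__ == "__main__":
    print(sample_trace())
```

The fifth packet shows why the whole 5-tuple, not just the addresses, is the state key: a spoofed packet from the right host on the wrong protocol does not match and is dropped.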
Proposed system:
In the proposed system, an effective firewall has been implemented for blocking and filtering unwanted requests coming from clients before the requests reach the virtual machine. During request processing, if a tenant requests high-level data from the cloud, access is granted on the basis of the payment made by the tenant; tenants have to pay if they want high-level data. If an unauthorized or unsolicited person tries to access the data, permission is declined.
The algorithm used in the proposed system is the firewall restriction algorithm:
• The firewall restriction algorithm validates requests over the private cloud network.
• Outgoing requests from trusted hosts to the cloud server are verified by this algorithm.
• Filtering is done at the virtual operating system level, where the firewall protection and the restriction algorithm are applied.
Steps involved in the firewall restriction algorithm are:
• STEP 1: The tenant enters the details in the registration form.
• STEP 2: The entered details are fetched as String values and used as identifiers.
• STEP 3: The String data is compared with the SPAM table stored in the database.
• STEP 4: If a fetched String matches a table value, the details are identified as SPAM.
• STEP 5: A status message stating that the details are SPAM is displayed and the tenant's registration is blocked.
• STEP 6: Otherwise the tenant is registered and can log in to the system.
• STEP 7: Once the tenant logs in, the tenant's IP address is fetched and the server starts pinging it; when a disconnection is spotted, go to step 10.
• STEP 8: If the session is inactive for more than 3 minutes, go to step 9.
• STEP 9: The connection to the server has expired; the tenant must log in again to regain access.
• STEP 10: The tenant is blocked by the admin and access is restricted until the tenant is verified as authorized.
• STEP 11: Once the tenant has accessed the information, the tenant logs out of the system.
• STEP 12: End the session.
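The twelve steps as one working flow, as an added example written for this report; it is not the project's .NET implementation. It also includes the manual block and unblock by IP or MAC address from the modules description and the registered-machine check from the literature survey. The SPAM table contents, the tenant records, the time source and the way the ping result is reported by the caller are assumptions made for the demonstration.

```python
# Added example: the twelve steps above as one working flow, plus the admin
# block/unblock by IP or MAC from the modules description.  This is
# illustrative code written for this report, not the project's .NET
# implementation; the SPAM table contents, the tenant records and the
# ping result being supplied by the caller are assumptions.
import time

IDLE_LIMIT = 180   # step 8: three minutes of inactivity expires the session


class DynamicFirewall:
    def __init__(self, spam_table, clock=time.time):
        self.spam = {s.strip().lower() for s in spam_table}
        self.clock = clock
        self.tenants = {}        # username -> {"ip", "mac"} from registration
        self.sessions = {}       # username -> {"ip", "mac", "last"}
        self.blocked_ips = set()
        self.blocked_macs = set()

    def register(self, username, email, ip, mac):
        """Steps 1-6: every registration field is looked up in the SPAM table."""
        for value in (username, email, ip, mac):
            if value.strip().lower() in self.spam:
                return "SPAM"                        # step 5: registration blocked
        self.tenants[username] = {"ip": ip, "mac": mac}
        return "REGISTERED"                          # step 6

    def login(self, username, ip, mac):
        """Step 6/7: login is accepted only from the registered machine and
        only while that machine is not blocked."""
        rec = self.tenants.get(username)
        if rec is None:
            return "UNKNOWN"
        if ip in self.blocked_ips or mac in self.blocked_macs:
            return "BLOCKED"                         # step 10 still in force
        if (ip, mac) != (rec["ip"], rec["mac"]):
            return "DENIED"                          # registered-machine check failed
        self.sessions[username] = {"ip": ip, "mac": mac, "last": self.clock()}
        return "OK"

    def activity(self, username):
        """Step 8/9: a request refreshes the idle timer; past the limit the
        session is dropped and the tenant has to log in again."""
        s = self.sessions.get(username)
        if s is None:
            return "NO_SESSION"
        if self.clock() - s["last"] > IDLE_LIMIT:
            del self.sessions[username]
            return "EXPIRED"                         # step 9
        s["last"] = self.clock()
        return "OK"

    def ping(self, username, reachable):
        """Step 7/10: the server pings the tenant's IP; `reachable` is what
        that ping reported.  A disconnection blocks the machine."""
        if reachable:
            return "ALIVE" if username in self.sessions else "NO_SESSION"
        s = self.sessions.pop(username, None)
        if s is None:
            return "NO_SESSION"
        self.blocked_ips.add(s["ip"])
        self.blocked_macs.add(s["mac"])
        return "BLOCKED"                             # step 10

    def admin_verify(self, ip=None, mac=None):
        """Step 10, second half: the admin lifts the block once the tenant
        has been verified as authorized."""
        self.blocked_ips.discard(ip)
        self.blocked_macs.discard(mac)

    def logout(self, username):
        """Steps 11-12."""
        return "ENDED" if self.sessions.pop(username, None) else "NO_SESSION"


if __name__ == "__main__":
    fw = DynamicFirewall(["spammer@example.test"])
    print(fw.register("alice", "alice@example.test", "10.0.0.5", "aa:bb:cc:dd:ee:05"))
    print(fw.login("alice", "10.0.0.5", "aa:bb:cc:dd:ee:05"))
    print(fw.ping("alice", reachable=False), fw.login("alice", "10.0.0.5", "aa:bb:cc:dd:ee:05"))
```

Two caveats a practitioner would raise against steps 7 and 10 as written. A web server never sees a client's MAC address once the traffic has crossed a router, so whatever MAC the registration form collects is supplied by the client and can be set to any value; it serves as a device label, not as an authentication factor. And pinging the tenant's IP fails for any client behind NAT or with ICMP filtered, so a literal implementation of step 10 would block legitimate tenants; a missed application-level heartbeat is a safer disconnection signal.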
Merits of proposed system:
 The virtual firewall provides an enhanced level of security for tenant-level access.
 Only highly authorized tenants are able to access the data.
 Memory consistency.
 The firewall acts dynamically.
 It maximizes the throughput response.
Requirement analysis:
Software requirements
Platform: DOTNET
Database: SQL SERVER 2008
Hardware requirements:
RAM: 4GB
Hard disk: 640GB
Speed: 2.4GHz
Processor: i3
Modules description:
o Web page creation: a web application that serves as the front end of the project. The page holds information about the industry and contains multiple tabs that display information about the respective fields.
o Database creation: the back end of the system. The information regarding the industry is stored in the database, and all data stored there can be retrieved using tenant credentials.
o Blocking IP address and MAC address manually: the module in which, when a system's information is provided, that system is blocked by hand, so the attacker cannot retrieve any further data from the website. In the existing system, tenants can no longer access their own data once they have been flagged as intruders.
o Blocking system information using the dynamic firewall: a module that blocks or allows tenants entering the cloud by cross-checking the table against the computer details entered. If a tenant entering the website is detected as an attacker trying to access data outside his privileged domain, he is blocked; if he accesses data within his own privileged domain, he is allowed.
o Cloud implementation: the main phase, in which the cloud setup is implemented using virtualization. The authentication of the tenant is verified; an unauthorized tenant is blocked and cannot use the system further. The web application is then deployed on the cloud hosting service.
Implementation:
Web interface:
o Web page: this module serves as the front end of the project and holds all the details of the industry; the industry's information is displayed when each tab is clicked.
o Login module: this module is used to log in to the web interface of the chemical industry. A tenant without an account can sign up for a new one. A tenant can access information about the industry only according to his/her specific privileges.
o Blocking and permitting tenants manually: in this module, when the admin specifies a MAC address or other system information, the corresponding tenants are blocked manually. The same mechanism is used to permit tenants to fetch the industry's data.
o Firewall viewer: a sub-module in which the client access details are stored and can be viewed by the administrator.
Screenshots (figures not reproduced here):
Tenant Entry and Admin Entry
Data Fetching based on certain Criteria
In Firewall blocking IP address and allowing it
Run Firewall Viewer
Future work:
Deploying the industry website in the cloud and granting different tenants privileges to access the data based on their payment. Only trusted tenants will be able to fetch the stored data and make changes to it.
Conclusion:
Security as a service in a cloud environment overcomes some drawbacks of existing systems by providing stronger authentication for privileged tenants and is trustworthy for the cloud customer. The dynamic firewall thus restricts tenant access through MAC validation. Across all forms of deployment, architecture and service model, the basic concept of cloud computing remains the abstraction of computation over the underlying hardware and resources.
REFERENCES:
 Farzad Sabahi (February 2012), Secure virtualization for cloud environment using hypervisor based technology.
 Shakeel Butt, H. Andrés Lagar-Cavilla, Abhinav Srivastava, Vinod Ganapathy (October 2012), Self-service cloud computing.
 R. P. Goldberg, Architecture of virtual machines, pp. 74-112.
 K. A. Rajnivas, R. Ruhin Kotenant, M. Madhavan (December 2014), Spack firewall restriction with security in cloud over virtual environment, pp. 229-232.

REPORT1 new

  • 1.
    A Model forSecurity in cloud using dynamic firewall restriction algorithm A PROJECT REVIEW 2 REPORT Submitted by NANDITHA.S(311111104035) PENTAREDDY SOWMYA SELES (311111104039) in partial fulfillment for the award of the degree of BACHELOR OF ENGINEERING in COMPUTER SCIENCE AND ENGINEERING LOYOLA – ICAM COLLEGE OF ENGINEERING AND TECHNOLOGY, CHENNAI 600 034 ANNA UNIVERSITY: CHENNAI 600 025 FEBRUARY 2015 i
  • 2.
    ANNA UNIVERSITY :CHENNAI 600 025 BONAFIDE CERTIFICATE Certified that this project report “A MODEL FOR SECURITY IN CLOUD USING DYNAMIC FIREWALL RESTRICTION ALGORITHM” is the bonafide work of “NANDITHA.S(311111104035),PENTAREDDY SOWMYA SELES(311111104039)” who carried out the project work under my supervision. Signature of the Supervisor Signature of the Project Coordinator Ms S.Sengole Merlin Ms S.Sengole Merlin Assistant Professor Assistant Professor Department of Computer Science Department of Computer Science and Engineering and Engineering Loyola ICAM College of Engg and Loyola ICAM College of Engg and Technology Technology Chennai-600 034 Chennai-600 034 Submitted to Project Review 2 Examination held on_____________ ii
  • 3.
    ABSTRACT Cloud computing isbecoming increasingly important for provision of services and storage of data in the Internet. However there are several significant challenges in securing cloud infrastructures from different types of attacks. The focus of this paper is on the security services that a cloud provider can offer as part of its infrastructure to its customers (tenants) to counteract these attacks. Our main contribution is a security architecture that provides a flexible security as a service model that a cloud provider can offer to its tenants and customers of its tenants. Our security as a service model while offering a baseline security to the provider to protect its own cloud infrastructure also provides flexibility to tenants to have additional security functionalities that suit their security requirements. It describes the design of the security architecture and discusses how different types of attacks are counteracted by the proposed architecture.
  • 4.
  • 5.
    Page | 5 TABLEOF CONTENTS CHAPTER NO TITLE PAGENO ABSTRACT iii 1. INTRODUCTION 1 2. LITERATURE SURVEY 3 3. ANALYSIS 8 3.1 SYSTEM ANALYSIS 8 3.1.1 Existing System 8 3.1.2 Proposed System 9 3.3 REQUIREMENT ANALYSIS 11 3.3.1 Software Specification 11 3.3.2 Hardware Specification 11 4. MODULES DESCRIPTION 11 5. IMPLEMENTATION 12 6. FUTURE WORK 17 7. CONCLUSION 17 8. REFERENCES 18 iv
  • 6.
    Page | 6 Introduction: Cloudcomputing, a long-held dream of computing as a utility, has the potential to transform a large part of the IT industry, making software even more attractive as a service and shaping the way IT hardware is designed and purchased. It is clear that security issue has played the most important role in hindering cloud computing acceptance. Without doubt, putting the data and running the software on someone else’s hard disk using someone else’s CPU appears daunting to many. Well known security issues as data loss, phishing, pose serious threats to individual data and software. Since virtualization is the fundamental of the cloud computing, there are needs to study it more deeply to avoid attacks and system failure. Contributions: several security issues of cloud computing are studied and solutions to few of them are provided. Someof the security issues are virtual machine escape, cold bootattack and denial of service attack. Virtual machine escape is the process of breaking out of a virtual machine and interacting with the host operating system. A cold boot attack refers to a kind of attack where a (running) machine is cold-booted (i.e. powered off and onagain without clean shutdown) with a minimal operating system. Since the minimal OS consumes only very little memory, the rest ofthe memory still contains what it contained at the time the machine was rebooted. In a denial-of- service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services. By targeting user computer and its network connection, or the computers and network of the sites user trying to use, an attacker may be able to prevent the user from accessing email, websites, online accounts (banking, etc.), or other services that rely on the affected computer. Tenants in the cloud can run different operating system and application in virtual machine. 
The vulnerabilities in operating system and application can be potentially exploited by an attacker, this generates different types ofattacks. Although the cloud
  • 7.
    Page | 7 providerslike Amazon mentions that security of tenant virtual machine is the responsibility of the tenants since they are free to run any of operating system or applications. Cloud tenants need to make their own arrangements for securing their virtual machines that are hosted in cloud. Although people use many anti-virus security tools, due to tools residing in same system as the one being monitored and hence are vulnerable to attacks. For this the tenants may opt security levels by provider or baseline default security. The baseline security is needed by the provider to ensure the malicious tenants are not attacking the cloud infrastructure or hosting malicious software. However people on top levels will need additional security functionalities to secure their data. This model manage the tension between privacy concern and security control offered by the cloud provider. It is the choice of tenant to opt for additional security. It is to protect tenants from threats posed by cloud system malicious tenants who misuse their privileges and exploits against privileged domain. This is not the model that gives protection to just an application but to the entire operating system. The guest operating system acts as the firewall to prevent the data from malicious tenants. Here the tenants have complete control over the virtualized system.
  • 8.
    Page | 8 Literaturesurvey: Title- Architecture of virtual machines (Author: R.P.Goldberg) A model is developed which represents the addressing of resources by processes executing on a virtual machine. This model distinguishes two kinds of maps: the ø- map and the f-map. The ø-map maps process names into resource names while the f-map maps virtual resourcenames into real resource names. A general approachfor implementing virtual machines is the Hardware Virtualizer which handles all process exceptions directly within the executing virtual machine without software intervention. All VM-faults generated by a virtual machine are directed to the appropriate virtual machine monitor without the knowledge of processes on the virtual machine. The key point is the relationship between the resources in the configuration of the virtual machine and those in the configuration of the real (host) machine. When a process running on a virtual machine references a resource via a process name, the required real resource name should be obtained by a dynamic compositionofthe f-map and ø-map at execution time. Wecall a hardware-firmware device which implements the above functionality a Hardware Virtualizer (HV). The design of a Hardware Virtualizer must consider the following points: The database to store f A mechanism to invoke f The mechanics of map composition The action on a VM-fault.
  • 9.
    Page | 9 Theresource map function: f: V R U (t} such that if y ἐ V and z ἐ R then f(y)=z if z is the real name for virtual name y ,else y does not have a corresponding real name. The value f(y) = t causes a trap or fault to the R. We call the function f a resource map, virtual machine map, or f-map. The process map function: ø: P R U {e} suchthat if xἐ P, y ἐ R, then ø(x) = y if y is the resource name for process namex else, e if x does nothave a correspondingresource. The value ø(x)=e causes an exception to occur. Title - Self-service CloudComputing (Author:Shakeel Butt, H. Andr´es Lagar- Cavilla ,Abhinav Srivastava,Vinod Ganapathy, October 2012.) Modern cloud computing infrastructures usevirtual machine monitor which includes complex administrative domain. Attacks against this domain, can compromiseclient security and also clients inflexible control over their own VM’s. To avoid these shortcomings, a self -service cloud (SSC) computing model is introduced. It splits administrative privileges between system-wide domain and per-client administrative domains. In VMM’s the trusted computing base(TCB),has two parts-the hypervisor and an administrative domain.The hypervisor directly controls physical hardware and the administrative domain, controland monitor client VMs. Dom0 has privileges to start/stop client VMs, change client VM configuration, monitor their physical resource utilization, and perform I/O for virtualized devices. Endowing dom0 with such privileges leads to two problems: security and privacy of clients VM’s and the inflexible control over client VM’s.
  • 10.
Page | 10

SSC reduces the power of the administrative domain and gives clients more flexible control over their own VMs. It splits the responsibilities between Sdom0, Udom0, service domains and mutually trusted service domains. User dom0 (Udom0) is a per-user administrative domain that can monitor and control the set of VMs of a particular client. Udom0 can delegate its privilege to service domains (SDs), which are special-purpose user domains that can perform privileged system services on Udom0. Sdom0 (System dom0) is the system-wide administrative domain. It retains the privileges to start/stop Udom0 domains upon request by clients. Sdom0 manages resources, including scheduling time-slices. SSC's privilege model disallows Sdom0 from inspecting the state of the client's domains. SSC resolves this tension by introducing mutually-trusted service domains (MTSDs): the cloud provider and the client mutually agree upon the policies and mechanisms that the provider will use to control the client's VMs.

Title - Secure Virtualization for Cloud Environment Using Hypervisor-Based Technology (Author - Farzad Sabahi, February 2012)

Virtualization is a technology that helps IT organizations optimize their application performance in a cost-effective manner. A hypervisor is a virtualization technique which allows multiple operating systems to run concurrently on a host computer, a feature called hardware virtualization. Virtualization approaches are of three types:
1. Operating system-based virtualization
2. Application-based virtualization
3. Hypervisor-based virtualization

In hypervisor-based virtualization, the failure point is when the hypervisor crashes, but taking control over the hypervisor from the virtual machine level is a difficult task. Operating system-based virtualization is enabled by a host operating system that supports virtualized guest OSs on a single physical server; if an attacker injects controlling scripts into the host operating system, it causes all guest OSs to gain control over the host OS. In application-based virtualization, each VM contains its own guest operating system and related applications. VSEM and VREM are new features at the VM level, added to increase security performance in virtualization technology. In addition to this model, HSEM and HREM are added at the hypervisor level. HSEM receives behavioral information from VSEM, and HREM never collects information by itself. The advantage is that the hypervisor controls the hardware and is the only way to access it; here the hypervisor acts as a firewall.

Title - Spack Firewall Restriction With Security In Cloud Over Virtual Environment (Author - K.A. Rajnivas, R. Ruhin Kotenant, M. Madhavan, December 2014)

Security concerns in the cloud are mainly associated with the security issues faced by cloud service providers and the service issues faced by cloud customers, as attackers mainly focus on DoS attacks rather than data or media theft. The extensive use of virtualization in implementing the cloud environment brings unique security provisions, but for cloud customers and all other resellers and subscribers of a public cloud service, it involves a large amount of pay-based service access. Authorized persons are allowed to enter the cloud through an id and password from the respective machine they registered. This is done through validation of the MAC address of the system, so that only a tenant on the valid machine can access the cloud. This model reduces DoS attacks and maximizes the throughput responses of cloud servers.

When a VM is launched, a patched Xen adds an ebtables rule, which adds identifying information to every packet from the launched VM. SPAD then decodes the information and is able to determine reliably the sending VM regardless of the packet content (which may be spoofed). Scapy is used for generating attack traffic with a spoofed source address; this shows the alerts raised when attack traffic with a spoofed source address is detected by the SPAD component. Professional firewall products catch each network packet before the operating system does; thus there is no direct path from the Internet to the operating system's TCP/IP stack. It is therefore very difficult for an intruder to gain control of the firewall host computer and then act from the inside.

Phishing is an attempt to get sensitive information such as a password by creating a fake website which looks like the real one. To prevent phishing, the client should know whether the server is genuine. Visual cryptography is used to provide trustworthy access. During tenant registration, an image is uploaded to the server. Each time a tenant logs in to the system, the image and a randomly generated code are sent to the tenant's mail. When the tenant sees the correct image in his mail, he can confirm that the website is genuine and enter the code along with his password to log in to the system.
Analysis:

System Analysis:

Existing system: Firewall rule set consistency management

The consistency management process can be divided into three sequential phases:
1. Detection: finding the rules that are inconsistent with other rules.
2. Identification: finding the rules that cause all the inconsistencies among the detected inconsistent rules.
3. Characterization: naming the identified inconsistent rules within a taxonomy of faults, using rule relations.

The combination of detection and identification is the diagnosis, and it is analysed by two sets of algorithms:
1. one-to-one local consistency
2. one-to-many local consistency

The algorithm used in the existing system is the Adaptive Security Algorithm:
• Adaptive Security Algorithm (ASA) is the foundation on which the firewall is built.
• It defines and examines traffic passing through it and applies various rules to it. The basic concept behind ASA is to keep track of the various requests being sent to the cloud server.
• Based on the information collected about the cloud request, ASA allows the corresponding packets to come back into the private network through the firewall.
• All other traffic destined for the private network and arriving at the firewall is blocked.
Proposed system:

In the proposed system, an effective firewall security has been implemented for blocking and filtering unwanted requests coming from clients before the request reaches the virtual machine. During request processing, if the tenant requests high-level data from the cloud, then based on the payment made by the cloud tenant, they can use and access the data from the cloud server. If an unauthorized or unsolicited person tries to access it, permission is declined. Tenants have to pay if they want high-level data.

The algorithm used in the proposed system is the Firewall Restriction algorithm:
• The firewall restriction algorithm validates the request over the private cloud network.
• Outgoing requests from trusted hosts to the cloud server are verified by this algorithm.
• Filtering is to be done at the virtual operating system, where firewall protection makes it impractical to use the restriction algorithm.

Steps involved in the firewall restriction algorithm are:
• STEP 1: The tenant enters the details in the registration form.
• STEP 2: The entered details are fetched as a String data type and identified as an identifier.
• STEP 3: The String data is compared with the SPAM table stored in the database.
• STEP 4: If the fetched String matches a table value, the details are identified as SPAM.
• STEP 5: A status message "SPAM in details" is displayed and the registration of the tenant is blocked.
• STEP 6: Else, the tenant is registered and can log in to the system.
• STEP 7: Once the tenant logs in, the system IP is fetched and the server starts pinging it; when a disconnection is spotted, go to step 10.
• STEP 8: If the session is inactive for more than 3 minutes, go to step 9.
• STEP 9: The connection to the server expires and a re-login is needed to access the system.
• STEP 10: The tenant is blocked by the admin and access is restricted until the tenant is verified as authorized.
• STEP 11: Once the tenant has accessed the information, he logs out of the system.
• STEP 12: End the session.

Merits of the proposed system:
• The virtual firewall provides an enhanced level of security in tenant-level access
• Only highly authorized tenants are able to access
• Memory consistency
• The firewall acts as a dynamic one
• Maximizes the throughput response
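The twelve steps above written out as one state machine, as an added example that is not code from the report: the SPAM table, tenant details, ping results and clock values are all constructed, and because the report does not say how the fetched String is matched against the SPAM table, an exact match on each entered field is assumed here.

```python
from dataclasses import dataclass

INACTIVITY_LIMIT_SEC = 3 * 60  # step 8: session idle limit of 3 minutes


@dataclass
class Tenant:
    name: str
    state: str = "registered"  # registered | logged_in | expired | blocked
    ip: str = ""
    last_activity: float = 0.0


class RestrictionFirewall:
    def __init__(self, spam_table):
        # step 3: the SPAM table (a database table in the report; constructed set here)
        self.spam_table = set(spam_table)
        self.tenants = {}

    def register(self, details):
        # steps 1-6: each entered field is fetched as a string and compared with
        # the SPAM table; any match blocks the registration (exact match assumed)
        if any(value in self.spam_table for value in details.values()):
            return "SPAM in details"  # step 5: status message, tenant not registered
        self.tenants[details["name"]] = Tenant(details["name"])
        return "registered"  # step 6

    def login(self, name, ip, now):
        tenant = self.tenants[name]
        if tenant.state == "blocked":  # step 10: restricted until admin verifies
            return "blocked"
        tenant.state, tenant.ip, tenant.last_activity = "logged_in", ip, now
        return "logged_in"

    def heartbeat(self, name, ping_ok, active, now):
        # step 7: the server keeps pinging the fetched IP; active = tenant did something
        tenant = self.tenants[name]
        if tenant.state != "logged_in":
            return tenant.state
        if not ping_ok:  # disconnection spotted -> step 10
            tenant.state = "blocked"
        elif active:
            tenant.last_activity = now
        elif now - tenant.last_activity > INACTIVITY_LIMIT_SEC:
            tenant.state = "expired"  # steps 8-9: re-login needed
        return tenant.state

    def admin_verify(self, name):
        self.tenants[name].state = "registered"  # step 10: verified by the admin

    def logout(self, name):
        self.tenants[name].state = "registered"  # steps 11-12: session ended
```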
Requirement analysis:

Software requirements:
Platform: DOTNET
Database: SQL SERVER 2008

Hardware requirements:
RAM: 4GB
Hard disk: 640GB
Speed: 2.4GHz
Processor: i3

Modules description:
o Web page creation is a web application used as the front end of the project. This page holds information about the industry. It contains multiple tabs that display information about the respective fields.
o Database creation is the backend of the system. The information regarding the industry is stored in the database. All the data stored in the database can be retrieved using tenant credentials.
o Blocking IP address and MAC address manually is the module in which, when the system information is provided, it is blocked manually. The attacker cannot further retrieve data from the concerned website. In the existing system, tenants cannot access their own data once they are acknowledged as intruders.
o Blocking system information using the dynamic firewall is a module that blocks or allows tenants entering the cloud by cross-verifying the table against the entered computer details. If the tenant entering the website is detected as an attacker trying to access data other than his privileged domain, he is blocked; if he tries to access the data of his own privileged domain, he is allowed.
o Cloud implementation is the main phase where the cloud setup is implemented. The virtualization concept is used in it. The authentication of the tenant is verified; if the tenant is unauthorized, the tenant is blocked and cannot use the system further. The web application created is deployed in the cloud hosting service.

Implementation:

Web interface:
o Web page: This module serves as the front end of the project. It has all the details of the industry; the industry's information is displayed when each tab is clicked.
o Login module: This module is used to log in to the web interface of the chemical industry. If the tenant does not have an account, the tenant can sign up for a new account. The tenant can access information regarding the industry only through his/her specific privileges.
o Blocking and permitting tenants manually: In this module, when the admin specifies a MAC address or system information, the tenant can be blocked manually. The same applies to permitting tenants to fetch the industry's data.
o Firewall viewer: This is the sub-module in which the client access details are stored and can be viewed by the administrator.
Screenshots:
Tenant Entry and Admin Entry (screenshot)
Data Fetching based on certain Criteria (screenshot)
In Firewall, blocking an IP address and allowing it (screenshot)
Run Firewall Viewer (screenshot)
Future work:

Deploying the industry website in the cloud and giving privileges to access the data to different tenants based on payment. Only trusted tenants can fetch the stored data and make changes accordingly.

Conclusion:

Security as a service in the cloud environment will overcome a few drawbacks of existing systems by giving stronger authentication for privileged tenants and is trustworthy for the cloud customer. Thus the dynamic firewall will restrict tenant access through MAC validation. Across all forms of deployment, architecture and service models, the basic concept of cloud computing remains the abstraction of computation over the underlying hardware/resources.
REFERENCES:
• Farzad Sabahi (February 2012), Secure virtualization for cloud environment using hypervisor based technology.
• Shakeel Butt, H. Andrés Lagar-Cavilla, Abhinav Srivastava, Vinod Ganapathy (October 2012), Self-service cloud computing.
• P. Goldberg, Architecture of virtual machines, pp. 74-112.
• K.A. Rajnivas, R. Ruhin Kotenant, M. Madhavan (December 2014), Spack firewall restriction with security in cloud over virtual environment, pp. 229-232.