08-10-2016, 04:45 PM
Abstract: A data center is an infrastructure that supports Internet service. Cloud computing is rapidly changing the face of the Internet service infrastructure, enabling even small organizations to quickly build Web and mobile applications for millions of users by taking advantage of the scale and flexibility of shared physical infrastructures provided by cloud computing. In this scenario, multiple tenants save their data and applications in shared data centers, blurring the network boundaries between each tenant in the cloud. In addition, different tenants have different security requirements, so different security policies are necessary for different tenants. Network virtualization is used to meet a diverse set of tenant-specific requirements with the underlying physical network, enabling multi-tenant data centers to automatically address a large and diverse set of tenants' requirements. In this paper, we propose the system implementation of vCNSMS, a collaborative network security prototype system used in a multi-tenant data center. We demonstrate vCNSMS with a centralized collaborative scheme and deep packet inspection with an open source UTM system. A security-level-based protection policy is proposed for simplifying the security rule management for vCNSMS. Different security levels have different packet inspection schemes and are enforced with different security plugins. A smart packet verdict scheme is also integrated into vCNSMS for intelligent flow processing to protect from possible network attacks inside a data center network.
1 Introduction
A cloud data center is an infrastructure that supports Internet services. A cloud data center may be defined from a variety of perspectives, and the most popular ones are categorized by IaaS, PaaS, and SaaS proposed by the NIST[1] and include public cloud, private cloud, hybrid cloud, and other different categories. Other categories include computing, networking, and storage from a system's perspective, or using (in use), archiving (at rest), and transmission (in motion) from a data perspective. Specific to the cloud network, there are different characteristics of access to a cloud (remote access), within a cloud, and between cloud networks. The debut of VMware NSX provides the virtualization of networks with Software-Defined Network (SDN) inside a data center. The Google B4 network[2] also uses an OpenFlow-based SDN[3, 4] to implement all the interconnections among cloud data centers in different locations.
The challenge posed by SDN is the dynamic characteristic of network boundaries, which is the "twin" of the network topology with the expanded flexibility provided by virtualization. In other words, the original static, natural, and physical boundaries within the traditional network are replaced by the dynamic and virtual logical boundaries of SDN.
1.1 State-of-the-art network security in data center networks
Traditional security devices such as Firewalls, IDS, WAF, and other devices are deployed with the Middleboxes model inside and outside networks. With the development of cloud computing technology, the deployment of Middleboxes is facing new challenges in the large-scale data center network environment[5].
(1) In multi-tenant cases, the network boundaries are blurring.
With the increase of Internet users, the data center network topology becomes more complicated. Multiple tenants save their data in the same server, and the same tenant may store data on different servers with multiple hot backups, causing the network boundaries between each user to become blurred, as opposed to the set boundaries found in traditional physical isolation. The original static, natural, and physical boundaries within the network are replaced by dynamic and virtual logical boundaries. Hence, network security within the cloud will be more dependent on dynamic deployment, configuration, and management of security policies and security components, and more dependent on the network security system for flow and traffic awareness, decision-making, and response. Undoubtedly, this causes network management to become more complex. How to ensure network security is a challenge in such a complex network environment.
(2) The deployment location of Middleboxes also has new changes.
In traditional networks, the data of several hosts come from the same gateway, and the entire network may have several gateways. Security devices need only be deployed at network vantage points to ensure that data passing through the gateway is safe and reliable. In the data center network, the physical vantage points have been replaced by virtual logical gateways. To protect the security of virtual logical boundaries between tenants, Firewall, IDS/IPS, and other devices are required to collaborate with the traffic controller to adapt to the performance and safety requirements of each tenant or security domain, provide security for the dynamic boundaries caused by virtual machine migration, and meet the dynamic security requirements of virtual machines[6-10]. Therefore, to meet these requirements, how to properly deploy these security devices is also an important issue.
(3) Security requirements for different tenants are different.
Since different tenants have different security requirements, it is necessary to create different security policies for different tenants, and this is undoubtedly a major challenge for traditional security devices. The traditional approach is to set rules on the device that data passes through. Obviously, in a data center network, this strategy no longer applies, and now we have to address the question of how to meet diverse security requirements when multiple tenants' data pass through the same security device and how to provide effective enforcement.
(4) The migration of the virtual machine results in the switchover of the security domain.
To meet the security needs of a single tenant, multiple security devices need to be configured to control traffic and thus completely implement the tenant's security policy. When a service host migrates to another location in the network, the topology of the network changes and the appropriate security policies also migrate with the tenant host. The original security configuration of the security device will no longer work, and the migration to the new security domain also requires tenants on that server to apply some configuration updates. Therefore, protecting the mapping of the security policies from the logical network to the physical network and maintaining its correctness and consistency will be a major challenge to the control function of a data center network.
1.2 Software-defined network in data center network
To enable network virtualization, SDN is one of the supporting technologies to build cloud data center virtual networks. Cloud data center virtual networks need to ensure tenants' security domains have complete and isolated network boundaries. This is not a simple network security technology, because the virtual network itself provides services for multiple tenants or basic virtual private cloud services that should be guaranteed in the implementation of the network. Because the different virtual machines of different tenants share the same physical resources, system security guarantees such as preventing a virtual machine from escaping its boundaries are also an issue of network virtualization security.
Comparing software-defined network security (e.g., OpenFlow-based SDN) with a traditional physical network, the changes are in the control mechanisms of switches, routers, and other forwarding devices. The forwarding devices work according to a flow table issued by the controller, and are thereby more efficient and less costly. The controller also collects network status information, discovers network topologies, checks the network forwarding policies, and generates and releases new flow tables according to status updates.
Thus, handling of the first packet header of a flow should not happen in the gateway, but in the controller. The traditional Access Control List (ACL) scheme or network packet filtering Firewall should be deployed in the controller. However, the controller usually only receives the first packet header and cannot perform a deep inspection of the network flows. The stateful Firewalls and deep packet inspection that filter packet payloads should be deployed in the data plane, or in both the data plane and the control plane. Therefore, the network access control deployed on the physical network gateway should still be reasonable for a logical gateway.
Through OpenFlow protocols and controllers, data center network security based on SDN addresses the problems of Middlebox positioning and separation of security rules by setting a flow table and guiding traffic that matches the corresponding policies to the proper security devices.
It is possible to optimize the controller by configuration and management, and to update rules for dynamic migration and reconfiguration to solve security policy inconsistencies caused by Middlebox movement and virtual machine migration.
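The control-plane split described in Section 1.2 (an ACL decision on the first packet header in the controller, deeper inspection steered to a data-plane middlebox chosen by the tenant's security level, and rule updates when a VM migrates) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the vCNSMS paper or any OpenFlow controller; the tenant names, security levels, middlebox names (`stateful_fw`, `dpi_utm`), switch ports and addresses are all constructed, and the `Controller` class stands in for a real controller's packet-in handler and flow-table installation.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed security levels: a higher level means a deeper inspection path.
LEVEL_LOW, LEVEL_MEDIUM, LEVEL_HIGH = 1, 2, 3

# Inspection middlebox (if any) that traffic of each level is steered through
# before reaching the tenant host. Names are placeholders for this example.
INSPECTOR_FOR_LEVEL: Dict[int, Optional[str]] = {
    LEVEL_LOW: None,              # plain forwarding, controller ACL only
    LEVEL_MEDIUM: "stateful_fw",  # stateful firewall in the data plane
    LEVEL_HIGH: "dpi_utm",        # deep packet inspection / UTM appliance
}


@dataclass(frozen=True)
class FlowKey:
    """Header fields the controller sees in the first packet of a flow."""
    tenant: str
    src_ip: str
    dst_host: str   # logical destination (a tenant VM), not its physical location
    dst_port: int


class Controller:
    def __init__(self) -> None:
        self.tenant_level: Dict[str, int] = {}           # tenant -> security level
        self.acl: Dict[str, Set[int]] = {}               # tenant -> allowed dst ports
        self.placement: Dict[str, str] = {}              # VM name -> physical switch port
        self.flow_table: Dict[FlowKey, List[str]] = {}   # installed rules: match -> actions

    # ---- control-plane configuration --------------------------------------
    def add_tenant(self, tenant: str, level: int, allowed_ports: Set[int]) -> None:
        self.tenant_level[tenant] = level
        self.acl[tenant] = set(allowed_ports)

    def place_vm(self, vm: str, switch_port: str) -> None:
        self.placement[vm] = switch_port

    # ---- data-plane lookup: what a switch does for every packet -------------
    def lookup(self, key: FlowKey) -> Optional[List[str]]:
        """Return the installed actions, or None to signal a packet-in."""
        actions = self.flow_table.get(key)
        return None if actions is None else list(actions)

    # ---- packet-in: only the first packet header of a flow reaches here -----
    def packet_in(self, key: FlowKey) -> List[str]:
        allowed = key.dst_port in self.acl.get(key.tenant, set())
        if not allowed or key.dst_host not in self.placement:
            actions = ["drop"]   # ACL verdict taken once, then enforced by the flow table
        else:
            inspector = INSPECTOR_FOR_LEVEL[self.tenant_level[key.tenant]]
            actions = []
            if inspector is not None:
                actions.append(f"output:{inspector}")   # steer through the middlebox first
            actions.append(f"output:{self.placement[key.dst_host]}")
        self.flow_table[key] = actions
        return list(actions)

    # ---- VM migration: keep the logical policy mapped onto the new location --
    def migrate_vm(self, vm: str, new_switch_port: str) -> int:
        old_port = self.placement[vm]
        self.placement[vm] = new_switch_port
        updated = 0
        for key, actions in self.flow_table.items():
            if key.dst_host == vm and actions[-1] == f"output:{old_port}":
                actions[-1] = f"output:{new_switch_port}"   # inspection path is unchanged
                updated += 1
        return updated


def demo() -> Dict[str, object]:
    """Constructed scenario: two tenants at different levels, then one VM migrates."""
    c = Controller()
    c.add_tenant("tenantA", LEVEL_HIGH, {80, 443})
    c.add_tenant("tenantB", LEVEL_LOW, {22})
    c.place_vm("vmA1", "s1:p3")
    c.place_vm("vmB1", "s2:p1")

    web = FlowKey("tenantA", "10.0.1.5", "vmA1", 443)
    ssh_b = FlowKey("tenantB", "10.0.2.9", "vmB1", 22)
    blocked = FlowKey("tenantB", "10.0.2.9", "vmB1", 3389)

    result: Dict[str, object] = {
        "web_first": c.lookup(web),          # None: table miss, so packet-in
        "web_actions": c.packet_in(web),
        "web_second": c.lookup(web),         # served from the flow table now
        "ssh_actions": c.packet_in(ssh_b),
        "blocked_actions": c.packet_in(blocked),
    }
    result["rules_updated"] = c.migrate_vm("vmA1", "s3:p7")
    result["web_after_migration"] = c.lookup(web)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module prints the verdicts for each constructed flow: the high-level tenant's HTTPS flow is steered through the DPI appliance before its VM, the low-level tenant's SSH flow is forwarded directly, the disallowed port is dropped by a rule the controller installed once, and after `migrate_vm` the existing rule for `vmA1` points at the new switch port while its inspection step is preserved. That last step is the policy-mapping consistency problem from item (4) in Section 1.1, handled here by rewriting only the output action rather than reissuing the ACL decision.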
2 Related Work
2.1 Network security in data center networks
Among the security research in data center networks, SDN security is a hot topic both for academia and industry.
FRESCO[11-13] introduces a new security application development framework. It is used to solve several key issues when implementing security service components on demand. OpenFlow is an open standard that is able to provide simplified and convenient design of complex network security applications and their integration into large networks. However, so far there remains a lack of convincing applications regarding the security aspects of OpenFlow. FRESCO provides a scripting language Application Programming Interface (API) that programmers can use to write security monitoring logic with a modular library of basic processing units in FRESCO. A FRESCO module allows customization of stream processing rules to provide an effective response to detected network threats.
Slick[14] is a proposed programming framework that separates the controller and Middleboxes and provides an interface for communication. There are more and more programs running on controllers which cross data planes and control planes to call actions, and there is no complete solution to meet this requirement. While OpenFlow provides a programmable control plane, it has a relatively simple data plane. In contrast, Middleboxes are able to effectively extend the data plane and provide a complex data plane, but cannot provide effective integration with the control plane. Slick extends data plane programmability in two aspects. First, Slick arranges complex data plane functions dynamically in the network, and also guides a subset of packets through the appropriate function processing queue, adapting the position of the layout and the response as these change over time to meet changeable network conditions and transmission modes. Second, to achieve modularity, reusability, and integration strategy across multiple applications and network resources, Slick allows programmers to coordinate multiple actions among different entities in the data plane.
SIMPLE, based on SDN, is proposed in Refs. [15-18], and is an implementation of a strategy layer that directs traffic to specific Middleboxes. Today's networks must rely on Middleboxes to provide high throughput, high security, and efficient decision-processing capabilities. To achieve these goals, we need to ensure that traffic goes directly to the required Middleboxes queue, an operation that once required extensive manual effort and operator expertise. In this respect, an SDN provides a promising option, but also introduces some functions that do not belong to the traditional L2/L3 functions, such as policy components, resource management, and packet manipulation. SIMPLE allows network operators to specify routing policies in a logical Middlebox, and automatically updates forwarding rules according to the physical topologies, switching capacity, and resource constraints of Middleboxes to guide traffic to the proper Middleboxes queues. Under the premise of existing SDN functions and without modifying the existing implementation of Middleboxes, SIMPLE increases the flexibility of Middleboxes deployment effectively by flow-oriented control, and also generates and loads new rules to maintain network stability when any Middleboxes fail and/or network transmission is overloaded.