1

Integrating a Network IDS into an Open Integrating a Network IDS into an Open Source Cloud Computing Environment Source Cloud Computing Environment

1st International Workshop on 1st International Workshop on

Security and Performance in Emerging Distributed Security and Performance in Emerging Distributed Architectures (SPEDA2010)Architectures (SPEDA2010)

Claudio MazzarielloClaudio Mazzariello

Roberto BifulcoRoberto Bifulco

Roberto CanonicoRoberto Canonico

““Federico II”Federico II”

University of NapoliUniversity of Napoli

2

OutlineOutline

• Cloud computing security issues

• Examples of recent security incidents

• Securing a Cloud

• Implementation of a Cloud

• A network Intrusion Detection System

• Experimental evaluation

3

Cloud Computing peculiaritiesCloud Computing peculiarities

• Shared resources among several customers

• Highly dynamic infrastructures

• Cheap access to large scale computation/storage/communication facilities

• …

4

Cloud Computing security issuesCloud Computing security issues

• Shared resources among several customers

• New types of attacks (e.g. DoS over colocated VMs)

• Privacy infringement

• ...

• Highly dynamic infrastructures

• Users tracking and profiling

• Cheap access to large scale computation/storage/communication facilities

• Misuse of the CC model aimed at conducting illegal activities

5

Attack sourceAttack source

• External attackers

• Malicious users perform attacks targeting Cloud users

• Internal attackers

• Malicious users rent a share of Cloud resources

• Cheap, huge amounts of resources can be exploited to perform attacks against remote victims

6

Examples of CC-related security incidentsExamples of CC-related security incidents

• “We have several customers being attacked from the same EC2 instance on their network for 2 full days now...”

• http://seclists.org/nanog/2010/Apr/811

• “I discovered that several systems on the Amazon EC2 network were preforming brute force attacks, against our VoIP servers.”

• http://www.stuartsheldon.org/blog/2010/04/sip-brute-force-attack-originating-from-amazon-ec2-hosts/

• “Complaints of rampant SIP Brute Force Attacks coming from servers with Amazon EC2 IP Addresses cause many admins to simply drop all Amazon EC2 traffic.”

• http://www.voiptechchat.com/voip/457/amazon-ec2-sip-brute-force-attacks-on-rise/

7

Securing a Cloud by monitoring trafficSecuring a Cloud by monitoring traffic

• Cloud computing suffers from common network-related security threats

• Cloud computing, with its novel usage paradigm, introduces novel threats

• We evaluate effectiveness and impact of common, production level traffic monitoring tools

• Using different deployment strategies

• Centralized vs. Distributed

• By measuring

• Computational overhead

• Detection capability

8

IMPLEMENTING A CLOUD

9

Open Source Cloud ComputingOpen Source Cloud Computing

• Eucalyptus is an open source Cloud Computing system that reproduces all Amazon EC2's services

• It allows the management of multiple “Availability zones”.

Client-side API

Cloud Controller

Cluster Controller Node Controller

Amazon EC2 Interface

Database

10

Looking at a single clusterLooking at a single cluster

• Our focus is on a single cluster managed by Eucalyptus (One geographic location)

Client-side API

Cloud Controller

Amazon EC2 Interface

11

NETWORK SECURITY TOOL

12

Functionalities of an Intrusion Detection System

• Activity monitoring (sensor)

– Network traffic packets

• Recognize suspicious and

inappropriate activities (analyzer)

• Generate alerts (user interface)

Sensor

Analyzer

User Interface

13

Snort – an open source Intrusion Detection System

• Snort is a signature based IDS– Each detectable attack is described by a static rule– Each rule contains particular byte-patterns and values to

be sought for in both the packet header and payload

• Snort operates in real-time• Snort is open-source

– Flexible– Extendable

14

EXPERIMENTAL EVALUATION

15

Distribution of services in nodesDistribution of services in nodes

• Asterisk SIP server

• RTP user agents

• Apache web server

16

The overall pictureThe overall picture

• “Inviteflood” attack tool

• D-ITG background traffic generator

17

Two different IDS deployment scenarios

• One IDS close to the cluster controller– Monitors inbound/outbound traffic– Monitors traffic between different security groups– VLAN tags are removed

• Traffic related to different security groups becomes indistinguishable

• Several IDS’s, each close to a physical machine– Each IDS monitors traffic to/from virtual resources hosted on

the physical machine• In both scenarios, all attack instances are correctly detected

18

MONITORING AT THE CLUSTER CONTROLLER

19

50 %

100 %

Cluster Front-end CPU profileCluster Front-end CPU profile

Snort

Packet forwarding

20

MONITORING AT EACH PHYSICAL MACHINE

21

Attacked worker node CPU profileAttacked worker node CPU profile

50 %

100 % Attacked VM

Dom0

Non-attacked

VMs

22

Non-Attacked worker node CPU profileNon-Attacked worker node CPU profile

50 %

100 %

23

ConclusionsConclusions

• Monitoring traffic at the cluster controller– Privileged observation point– Look at all traffic– Misses internal attacks

• Monitoring traffic at each physical machine– Limited scope– Ligthweight– Increased cloud resilience

24

Thank you!Thank you!

Claudio Mazzariello – claudio.mazzariello@unina.it