Upload
ijsrnet-editorial
View
225
Download
0
Embed Size (px)
Citation preview
7/27/2019 Secure Virtualization In Cloud Computing Using Eucalyptus
1/4
7/27/2019 Secure Virtualization In Cloud Computing Using Eucalyptus
2/4
tsitah
et
c
c
2T
dp
B
2
Tvaadatf
s
2
a.
b
c.
Inte
e fastest alution. It supcluding Wine Free BSD.d most privi
ost multiple
ecuted witrminology,
eated automanagement pnfigure virtu
.1 Bridge M
his mode i
rectly to sysical netw
HCP requestHCP requestridge and Vi
Figure:
.2 Route Mo
he second mrtual netwoministratord each VM
efined in added to dom0is mode, eacee MAC/IP tHCP doesn
ructure of ro
Fi
.3 Virtualisa
The breakeven have. Data segrefully segre Privacy: explatforms i
national J
d most secports a widedows, Linux,A Xen systeleged of whiguest operat
in a secudomain). T
tically whenrivileges. Xeal network:
de
structs Xen
ftware Etherk. The admis the same ws. Figure 1 illtual Interface
1 Structure o
e
ode offeredk is route.o create a p. A set ofance becauss routing tabh VM instanple and relework in ro
te in Xen.
ure 2: Struc
ion Challen
f isolation.
ccess to the hation: one in
ated from otposure of seplies legal li
ournal of
re infrastruange of guesSolaris and
has multiplh is Xen itseng systems,
e virtualhe first do
the system boffers two
to attach t
net Bridgeistrator cany as handlinstrates the st(VIF) Bridg
f Network-Br
y Xen for tThis configint-to-point lAC and IProutes to e
le before a Ve created bysed when thte mode. Fi
ure of route i
es in Cloud
VM can mo
ost machine.tance of cust
er customersitive inforability and lo
cience an
Volume
ture virtualit operating syarious versi
e layers, the lf. Xen in tureach of wh
achine (inain, domain
ots and has smodes for us
e VMs int
connected tandle VM necommon ne
ructure of Nein Xen.
idge in XEN
e configuratiration allowink betweenaddresses mch VM shoM is started.Xen is assigVM is termiure 2 presen
n XEN
Computing
itor another
omer data ha
ata.ation storedss of reputati
Research
2 Issue 6,
www.ijsr.
ationstemsns ofowest
maych is
Xen0, is
pecialers to
erface
o thetworktworktwork
on ofs thedom0st beld beSo, inned aated.
ts the
ne or
to be
n then;
i. Rehyfacinscoscr
ii.iii. De
ennetthataksyres
iv. 2.4VitoThbet
forcoma
mamaensecpr
v. 2.5
Clent
mamaancomuris
preact
locen
3.
IncomeNwithabepr
unseconabi
anTh
Thof
(IJSR), In
June 2013
et
ote manervisors nor
ilities for atance, usessoles also o
ipting, SQL i
nial of servi
ironment, rework are shat a DOS wille all the posstem will denources availa
Dynamic Vi
tual machine
revious instaey can alsoween physica
VM sprawlsistent secury be unkno
intain an audichine at anyironments, iturity state oximity to oth
Vulnerabili
ud computinerprise and
chines and plware to rem
applicationsputing envltiple virtual
of VM-to-
vention systivity at the
ation of tironment.
Eucalypt
the cloud, Vnectivity, ians every vir
under Eucalh each other.to fulfil the
ause usersvisioned VM
erlying neturity concernone physicallity to snoop
ther. Note ts work is do
e public intera given set
dia Online
agementally have
ministratorsen Centre
pen new vuljection, etc.
e (DOS) v
sources suchred by VMsbe imposed tble resource
any requestle.
rtual Machi
are dynamic
nces, pausedbe readily cl servers. Thi
makes it difity. Vulneraingly propa
table recordgiven pointwill be nec
f a system,er, potentially
y Exploits a
g servers usweb appli
ysical servertely exploitis a signific
ironments.machines inM compro
ms need tovirtual-mac
e VM wi
s Method
M instanceolation, anual machineyptus controlBut besidesisolation betare granteds and they m
ork interfas, in case thmachine, a
and influenc
at current he incorporati
face is assigof VM in
ISSN: 231
ulnerabilitieanagementto manage
o manage tnerabilities,
lnerabilities:
as CPU,and the host.o VMs whicfrom the hofrom the gue
es: VM Stat
. They can q
and restarted,loned and ss dynamic na
icult to achiilities or coated. Also,
f the securitin time. Inssary to beregardless oinsecure virt
d VM-To-V
the same oations as l
. The abilityulnerabilitiesant threat ton addition,reases the atise. Intrusi
be able toine level, r
thin the v
etwork solutperforman
in the samemust be abl
connectivity,een instancsuper user
y have super
es. This at if two instser of onenetwork pac
pervisor don with the E
ed for comstances. For
9-7064
: Commeconsoles asVMs. Xen,eir VMs. Tuch a Cross
In virtualiz
emory, diskSo it is poscorrespondi
t. As a resultsts because o
and Spraw
ickly be reve
relatively eaamlessly mure and pote
ve and mainfiguration erit is difficul
state of a vicloud compuble to prove
its locatioal machines.
M Attacks
erating systocalized vir
for an attackin these syst
virtualized clco-location
tack surfacen detection
detect malicgardless of
rtualized cl
ion must ade. ConnectC or in diffto communi
the networks. It is impoaccess to
user access t
ility can cnces are runM may havkets belongi
not supportCALYPTU
unication ouexample, in
rcialnewfor
hese-site
tion
andible
ngly, thef no
l.
rted
sily.vedtial
tainrorst to
tualtingtheor
ms,tual
r oremsoud
ofandand
ousthe
oud
ressvityrentcatealsotantheirthe
ausening
theg to
this..
sidean
130
7/27/2019 Secure Virtualization In Cloud Computing Using Eucalyptus
3/4
International Journal of Science and Research (IJSR), India Online ISSN: 2319-7064
Volume 2 Issue 6, June 2013
www.ijsr.net
environment that has available public IP addresses, these
addresses may be assigned to VM instances at instance boottime. In environments where instances are connected to a
private local network and this local network has a router thatsupports external communication through network addresstranslation (NAT). In this case, the public interface may beassigned with a valid private IP address given by the router.
The private interface is used only for inter VMcommunication across zones, where VM instances arerunning inside separate private networks (zones) but need tocommunicate with one another. Figure 3 illustrates that theinstances private interface is connected via a bridge to avirtual software Ethernet system called Virtual DistributedEthernet (VDE). VDE is an Ethernet protocol, where users
can specify and control virtual Ethernet switch and cableabstractions that are implemented as programs. When a
system is initiated, it sets up a VDE network overlay thatcreates one VDE switch per CC and NC component andmany VDE wire established between switches. The VDEswitches support a spanning tree protocol, which allows
redundant links to exist while preventing loops in thenetwork.
At instance run time, the NC responsible for controlling theVM creates a new Ethernet bridge that is connected to thelocal VDE switch and configures the instance to attach its
private interface to the new bridge. At this point, ourrequirement of instance connectivity is satisfied, because
any VM started on any NC will be able to contact any otherVM over the virtual Ethernet. Currently, Eucalyptus allowsthe administrator to define a class B IP subnet that is to beused by instances connected to the private network, and eachnew instance is assigned a dynamic IP address from within
the specified subnet.
Figure: 3 Each VM instance is assigned a public interface
for external network connections, and a private interfaceconnected to a fully virtual Ethernet network for inter VM
Communication.
Now the second requirement of the virtual network isnetwork traffic isolation between instances. As mentionedfrom the beginning, we want that if two instances, owned byseparate users, are running on the same host or on different
hosts connected to the same physical Ethernet, they do not
have the ability to inspect or modify each others networktraffic. To solve this problem, simply use the concept of avirtual local area network (VLAN). In VLAN every set ofinstances owned by a particular user is assigned a tag,inserted into every communicated frame header that is then
used as an identifier assigned to that users instances. VDE
switch ports then only forward packets that have the sameVLAN tag. So a set of instances will only be forwardedtraffic on VDE ports that other instances in the set areattached to, and all traffic they generate will be tagged witha VLAN identifier at the virtual switch level, thus isolatinginstance network traffic even when two instances are
running on the same physical resource. Figure 4 illustrates
this scenario.
Figure 4: Two instances owned by user A and user Brunning on the same physical resource are connected to the
VDE network through ports configured to only forwardtraffic based on a particular VMs assigned VLAN.
4. Measures to Control VM SecurityA variety of distinct security technologies should bedeployed to achieve comprehensive VM-level security thatincreases protection and maintains the compliance integrity
of servers and applications, whether in virtual or cloudenvironments. These include security layers such asfirewalls, intrusion detection and prevention; file integrity
monitoring, log inspection, and anti-malware protection.
A firewall decreases the attack surface of virtualizedservers in cloud computing environments. A bi-directionalstateful firewall, deployed on individual VMs, can providecentralized management of server firewall policy. Itshould include pre-defined templates for common
enterprise server types. Intrusion detection and prevention systems (IDS/IPS)
intervene against attacks that attempt to exploit known
vulnerabilities long before patches are published ordeployed. Implementing IDS/IPS within the virtualizedenvironment can shield applications and operating systems
from newly discovered vulnerabilities. This achievestimely protection against known and zero day attacks. Inparticular, vulnerability rules shield a knownvulnerability for example, those disclosed monthly byMicrosoft from an unlimited number of exploits.
File integrity monitoring inspects files, systems, andregistry for changes. Integrity monitoring of critical
operating system and application files (e.g., files,directories, registry keys and values, etc.) is necessary fordetecting malicious and unexpected changes that could
signal a compromise of virtual and cloud computingresources.
Log inspection provides visibility into important security
events captured in log files. Log inspection rules optimize
131
7/27/2019 Secure Virtualization In Cloud Computing Using Eucalyptus
4/4
International Journal of Science and Research (IJSR), India Online ISSN: 2319-7064
Volume 2 Issue 6, June 2013
www.ijsr.net
the identification of important security events buried in
multiple log entries from numerous sources. These eventscan be aggregated and sent to a stand-alone security
system, or forwarded to a security information and eventmanagement (SIEM) system for correlation with otherinfrastructure events, reporting, and archiving.
Anti-malware protection defends against viruses, spyware,
Trojans and other malware. It should detect malware in
real time and incorporate cleanup capabilities to helpremove malicious code and repair any system damagecaused by the malware.
5. Results and DiscussionThe paper focuses on the security of virtual machine in
cloud computing. Virtualization is a key feature of cloudcomputing. After virtualization, it has been possible topresent compute resources in the form of Virtual Machine(VM) Images. Security is significant concern in cloudcomputing. One of biggest challenges of security issues inthe design of a cloud computing platform is that of virtual
machine (VM) instance interconnectivity. Because userswho are granted super-user access to their provisioned VMs,without care, may have possibilities that a VM can monitoranother VM or access the underlying network interfaces
The proposed method is implemented using Eucalyptus
(Elastic Utility Computing Architecture for Linking YourPrograms to Useful Systems). The Experiment using theexisting architecture shows that the virtual machines arevulnerable to attacks such as spoofing and sniffing. Theenhanced novel model can be effectively used for virtualmachine interconnection without further security threats.
6. Conclusion and Future WorkThe inability of physical segregation and hardware-basedsecurity to deal with attacks between virtual machines on thesame server highlights the need for mechanisms to bedeployed directly on the server, or virtual machines.Deploying a line of defence including firewall, intrusiondetection and prevention, integrity monitoring, log
inspection, and malware protection as software on virtualmachines is the most effective method to maintain integrityof compliance and preserve security policy protection asvirtual resources move from on-premise to public cloud
environments
Eucalyptus is still young and under development. Eucalyptus1.5.1 doesn't support a http POST request, so when we triedto implement a POST request, it returns undefined errors.Although Eucalyptus has the same interface as Amazon, ithas some differences too. Eucalyptus uses hypervisors tocontrol life cycles of instances. The hypervisors may have
their special networking configurations, or hypervisor likeXen needs a xenified kernel to run with (but KVM not). Or
Xen currently doesn't get support from Ubuntu with axenified kernel. So the work can be expanded to support allthe hypervisor such as Xen, etc.
References
[1] Z. Pervez, Sungyoung Lee, Young-Koo Lee. Multi-Tenant, Secure, Load Disseminated SaaS Architecture.In proceedings of the 12th Advanced Communication
Technology (ICACT) International Conference.Phoenix, USA, 2010, pp. 214 219.
[2] Hanqian Wu, Yi Ding, Chunk Winer, Li Yao -Network security for virtual machines in cloudcomputing, International Conference on ServicesComputing , 2011, pp. 564-520.
[3] B. R. Kandukuri, R. P. V. and A. Rakshit, "CloudSecurity Issues ," in Proceedings of the 2009 IEEE
International Conference on Services Computing ,2011, pp. 517-520
[4] M. Jensen, J. Schwenk, N. Gruschka, and L. L. Iacono,"On Technical Security Issues in Cloud Computing,"Cloud Computing, IEEE International Conference on,vol. 0, pp. 109-116, 2010.
[5] Neil MacDonald. Security considerations and bestpractices for securing virtual machines. Gartner, Inc.,
March 2011[6] J. Kirch. Virtual Machine Security Guidelines Version
1.0. The Centres for Internet Security, September2010.
[7] Xen Networking (July 2010),http://wiki.xensource.com/xenwiki/XenNetworking.
[8] S. Roschke, et aI., "Intrusion Detection in the Cloud,"presented at the Eighth IEEE International Conferenceon Dependable, Autonomic and Secure Computing,Chengdu, China, 2009.
[9] Cloud Computing, http://www.ibm.com/ibm/cloud/Author Profile
Dr. M. C. Padma received her B.E. Degree in
Computer Science and Engineering and M.Sc. Tech.by Research degree from University of Mysore,
Mysore, India and Ph.D. from VisvesvarayaTechnological University, Belgaum. She is currently
working as Professor in the department of Computer Science and
Engineering, PES College of Engineering, Mandya, Karnataka. Hermain research interests are in the area of image processing, patternrecognition, database management system, data structures, natural
language processing, data mining, document image processing,network security and cryptography.
Abdul Jabbar. K born in 1987. He received his
graduation in computer Science and engineering fromInstitution of Engineers India (IEI), Kolkata. Now
pursuing M Tech degree in Computer Science andEngineering from PES College of engineering,
Mandya, Karnataka, India. He is currently doing training on cloud
computing from HASH Solutions, Cochin. His research interestsare cloud computing, web services and networking.
132