-
7/27/2019 Secure Virtualization In Cloud Computing Using
Eucalyptus
1/4
-
7/27/2019 Secure Virtualization In Cloud Computing Using
Eucalyptus
2/4
tsitah
et
c
c
2T
dp
B
2
Tvaadatf
s
2
a.
b
c.
Inte
e fastest alution. It supcluding Wine Free BSD.d most privi
ost multiple
ecuted witrminology,
eated automanagement pnfigure virtu
.1 Bridge M
his mode i
rectly to sysical netw
HCP requestHCP requestridge and Vi
Figure:
.2 Route Mo
he second mrtual netwoministratord each VM
efined in added to dom0is mode, eacee MAC/IP tHCP doesn
ructure of ro
Fi
.3 Virtualisa
The breakeven have. Data segrefully segre Privacy: explatforms
i
national J
d most secports a widedows, Linux,A Xen systeleged of whiguest
operat
in a secudomain). T
tically whenrivileges. Xeal network:
de
structs Xen
ftware Etherk. The admis the same ws. Figure 1 illtual
Interface
1 Structure o
e
ode offeredk is route.o create a p. A set ofance becauss routing
tabh VM instanple and relework in ro
te in Xen.
ure 2: Struc
ion Challen
f isolation.
ccess to the hation: one in
ated from otposure of seplies legal li
ournal of
re infrastruange of guesSolaris and
has multiplh is Xen itseng systems,
e virtualhe first do
the system boffers two
to attach t
net Bridgeistrator cany as handlinstrates the st(VIF) Bridg
f Network-Br
y Xen for tThis configint-to-point lAC and IProutes to e
le before a Ve created bysed when thte mode. Fi
ure of route i
es in Cloud
VM can mo
ost machine.tance of cust
er customersitive inforability and lo
cience an
Volume
ture virtualit operating syarious versi
e layers, the lf. Xen in tureach of wh
achine (inain, domain
ots and has smodes for us
e VMs int
connected tandle VM necommon ne
ructure of Nein Xen.
idge in XEN
e configuratiration allowink betweenaddresses mch VM shoM is
started.Xen is assigVM is termiure 2 presen
n XEN
Computing
itor another
omer data ha
ata.ation storedss of reputati
Research
2 Issue 6,
www.ijsr.
ationstemsns ofowest
maych is
Xen0, is
pecialers to
erface
o thetworktworktwork
on ofs thedom0st beld beSo, inned aated.
ts the
ne or
to be
n then;
i. Rehyfacinscoscr
ii.iii. De
ennetthataksyres
iv. 2.4VitoThbet
forcoma
mamaensecpr
v. 2.5
Clent
mamaancomuris
preact
locen
3.
IncomeNwithabepr
unseconabi
anTh
Thof
(IJSR), In
June 2013
et
ote manervisors nor
ilities for atance, usessoles also o
ipting, SQL i
nial of servi
ironment, rework are shat a DOS wille all the posstem will
denources availa
Dynamic Vi
tual machine
revious instaey can alsoween physica
VM sprawlsistent secury be unkno
intain an audichine at anyironments, iturity state oximity to
oth
Vulnerabili
ud computinerprise and
chines and plware to rem
applicationsputing envltiple virtual
of VM-to-
vention systivity at the
ation of tironment.
Eucalypt
the cloud, Vnectivity, ians every vir
under Eucalh each other.to fulfil the
ause usersvisioned VM
erlying neturity concernone physicallity to snoop
ther. Note ts work is do
e public intera given set
dia Online
agementally have
ministratorsen Centre
pen new vuljection, etc.
e (DOS) v
sources suchred by VMsbe imposed tble resource
any requestle.
rtual Machi
are dynamic
nces, pausedbe readily cl servers. Thi
makes it difity. Vulneraingly propa
table recordgiven pointwill be nec
f a system,er, potentially
y Exploits a
g servers usweb appli
ysical servertely exploitis a signific
ironments.machines inM compro
ms need tovirtual-mac
e VM wi
s Method
M instanceolation, anual machineyptus controlBut
besidesisolation betare granteds and they m
ork interfas, in case thmachine, a
and influenc
at current he incorporati
face is assigof VM in
ISSN: 231
ulnerabilitieanagementto manage
o manage tnerabilities,
lnerabilities:
as CPU,and the host.o VMs whicfrom the hofrom the gue
es: VM Stat
. They can q
and restarted,loned and ss dynamic na
icult to achiilities or coated. Also,
f the securitin time. Inssary to beregardless oinsecure virt
d VM-To-V
the same oations as l
. The abilityulnerabilitiesant threat ton addition,reases the
atise. Intrusi
be able toine level, r
thin the v
etwork solutperforman
in the samemust be abl
connectivity,een instancsuper user
y have super
es. This at if two instser of onenetwork pac
pervisor don with the E
ed for comstances. For
9-7064
: Commeconsoles asVMs. Xen,eir VMs. Tuch a Cross
In virtualiz
emory, diskSo it is poscorrespondi
t. As a resultsts because o
and Spraw
ickly be reve
relatively eaamlessly mure and pote
ve and mainfiguration erit is difficul
state of a vicloud compuble to prove
its locatioal machines.
M Attacks
erating systocalized vir
for an attackin these syst
virtualized clco-location
tack surfacen detection
detect malicgardless of
rtualized cl
ion must ade. ConnectC or in diffto communi
the networks. It is impoaccess to
user access t
ility can cnces are runM may havkets belongi
not supportCALYPTU
unication ouexample, in
rcialnewfor
hese-site
tion
andible
ngly, thef no
l.
rted
sily.vedtial
tainrorst to
tualtingtheor
ms,tual
r oremsoud
ofandand
ousthe
oud
ressvityrentcatealsotantheirthe
ausening
theg to
this..
sidean
130
-
7/27/2019 Secure Virtualization In Cloud Computing Using
Eucalyptus
3/4
International Journal of Science and Research (IJSR), India
Online ISSN: 2319-7064
Volume 2 Issue 6, June 2013
www.ijsr.net
environment that has available public IP addresses, these
addresses may be assigned to VM instances at instance boottime.
In environments where instances are connected to a
private local network and this local network has a router
thatsupports external communication through network
addresstranslation (NAT). In this case, the public interface may
beassigned with a valid private IP address given by the router.
The private interface is used only for inter VMcommunication
across zones, where VM instances arerunning inside separate private
networks (zones) but need tocommunicate with one another. Figure 3
illustrates that theinstances private interface is connected via a
bridge to avirtual software Ethernet system called Virtual
DistributedEthernet (VDE). VDE is an Ethernet protocol, where
users
can specify and control virtual Ethernet switch and
cableabstractions that are implemented as programs. When a
system is initiated, it sets up a VDE network overlay
thatcreates one VDE switch per CC and NC component andmany VDE wire
established between switches. The VDEswitches support a spanning
tree protocol, which allows
redundant links to exist while preventing loops in
thenetwork.
At instance run time, the NC responsible for controlling theVM
creates a new Ethernet bridge that is connected to thelocal VDE
switch and configures the instance to attach its
private interface to the new bridge. At this point,
ourrequirement of instance connectivity is satisfied, because
any VM started on any NC will be able to contact any otherVM
over the virtual Ethernet. Currently, Eucalyptus allowsthe
administrator to define a class B IP subnet that is to beused by
instances connected to the private network, and eachnew instance is
assigned a dynamic IP address from within
the specified subnet.
Figure: 3 Each VM instance is assigned a public interface
for external network connections, and a private
interfaceconnected to a fully virtual Ethernet network for inter
VM
Communication.
Now the second requirement of the virtual network isnetwork
traffic isolation between instances. As mentionedfrom the
beginning, we want that if two instances, owned byseparate users,
are running on the same host or on different
hosts connected to the same physical Ethernet, they do not
have the ability to inspect or modify each others
networktraffic. To solve this problem, simply use the concept of
avirtual local area network (VLAN). In VLAN every set ofinstances
owned by a particular user is assigned a tag,inserted into every
communicated frame header that is then
used as an identifier assigned to that users instances. VDE
switch ports then only forward packets that have the sameVLAN
tag. So a set of instances will only be forwardedtraffic on VDE
ports that other instances in the set areattached to, and all
traffic they generate will be tagged witha VLAN identifier at the
virtual switch level, thus isolatinginstance network traffic even
when two instances are
running on the same physical resource. Figure 4 illustrates
this scenario.
Figure 4: Two instances owned by user A and user Brunning on the
same physical resource are connected to the
VDE network through ports configured to only forwardtraffic
based on a particular VMs assigned VLAN.
4. Measures to Control VM SecurityA variety of distinct security
technologies should bedeployed to achieve comprehensive VM-level
security thatincreases protection and maintains the compliance
integrity
of servers and applications, whether in virtual or
cloudenvironments. These include security layers such asfirewalls,
intrusion detection and prevention; file integrity
monitoring, log inspection, and anti-malware protection.
A firewall decreases the attack surface of virtualizedservers in
cloud computing environments. A bi-directionalstateful firewall,
deployed on individual VMs, can providecentralized management of
server firewall policy. Itshould include pre-defined templates for
common
enterprise server types. Intrusion detection and prevention
systems (IDS/IPS)
intervene against attacks that attempt to exploit known
vulnerabilities long before patches are published ordeployed.
Implementing IDS/IPS within the virtualizedenvironment can shield
applications and operating systems
from newly discovered vulnerabilities. This achievestimely
protection against known and zero day attacks. Inparticular,
vulnerability rules shield a knownvulnerability for example, those
disclosed monthly byMicrosoft from an unlimited number of
exploits.
File integrity monitoring inspects files, systems, andregistry
for changes. Integrity monitoring of critical
operating system and application files (e.g., files,directories,
registry keys and values, etc.) is necessary fordetecting malicious
and unexpected changes that could
signal a compromise of virtual and cloud computingresources.
Log inspection provides visibility into important security
events captured in log files. Log inspection rules optimize
131
-
7/27/2019 Secure Virtualization In Cloud Computing Using
Eucalyptus
4/4
International Journal of Science and Research (IJSR), India
Online ISSN: 2319-7064
Volume 2 Issue 6, June 2013
www.ijsr.net
the identification of important security events buried in
multiple log entries from numerous sources. These eventscan be
aggregated and sent to a stand-alone security
system, or forwarded to a security information and
eventmanagement (SIEM) system for correlation with
otherinfrastructure events, reporting, and archiving.
Anti-malware protection defends against viruses, spyware,
Trojans and other malware. It should detect malware in
real time and incorporate cleanup capabilities to helpremove
malicious code and repair any system damagecaused by the
malware.
5. Results and DiscussionThe paper focuses on the security of
virtual machine in
cloud computing. Virtualization is a key feature of
cloudcomputing. After virtualization, it has been possible
topresent compute resources in the form of Virtual Machine(VM)
Images. Security is significant concern in cloudcomputing. One of
biggest challenges of security issues inthe design of a cloud
computing platform is that of virtual
machine (VM) instance interconnectivity. Because userswho are
granted super-user access to their provisioned VMs,without care,
may have possibilities that a VM can monitoranother VM or access
the underlying network interfaces
The proposed method is implemented using Eucalyptus
(Elastic Utility Computing Architecture for Linking YourPrograms
to Useful Systems). The Experiment using theexisting architecture
shows that the virtual machines arevulnerable to attacks such as
spoofing and sniffing. Theenhanced novel model can be effectively
used for virtualmachine interconnection without further security
threats.
6. Conclusion and Future WorkThe inability of physical
segregation and hardware-basedsecurity to deal with attacks between
virtual machines on thesame server highlights the need for
mechanisms to bedeployed directly on the server, or virtual
machines.Deploying a line of defence including firewall,
intrusiondetection and prevention, integrity monitoring, log
inspection, and malware protection as software on
virtualmachines is the most effective method to maintain
integrityof compliance and preserve security policy protection
asvirtual resources move from on-premise to public cloud
environments
Eucalyptus is still young and under development. Eucalyptus1.5.1
doesn't support a http POST request, so when we triedto implement a
POST request, it returns undefined errors.Although Eucalyptus has
the same interface as Amazon, ithas some differences too.
Eucalyptus uses hypervisors tocontrol life cycles of instances. The
hypervisors may have
their special networking configurations, or hypervisor likeXen
needs a xenified kernel to run with (but KVM not). Or
Xen currently doesn't get support from Ubuntu with axenified
kernel. So the work can be expanded to support allthe hypervisor
such as Xen, etc.
References
[1] Z. Pervez, Sungyoung Lee, Young-Koo Lee. Multi-Tenant,
Secure, Load Disseminated SaaS Architecture.In proceedings of the
12th Advanced Communication
Technology (ICACT) International Conference.Phoenix, USA, 2010,
pp. 214 219.
[2] Hanqian Wu, Yi Ding, Chunk Winer, Li Yao -Network security
for virtual machines in cloudcomputing, International Conference on
ServicesComputing , 2011, pp. 564-520.
[3] B. R. Kandukuri, R. P. V. and A. Rakshit, "CloudSecurity
Issues ," in Proceedings of the 2009 IEEE
International Conference on Services Computing ,2011, pp.
517-520
[4] M. Jensen, J. Schwenk, N. Gruschka, and L. L. Iacono,"On
Technical Security Issues in Cloud Computing,"Cloud Computing, IEEE
International Conference on,vol. 0, pp. 109-116, 2010.
[5] Neil MacDonald. Security considerations and bestpractices
for securing virtual machines. Gartner, Inc.,
March 2011[6] J. Kirch. Virtual Machine Security Guidelines
Version
1.0. The Centres for Internet Security, September2010.
[7] Xen Networking (July
2010),http://wiki.xensource.com/xenwiki/XenNetworking.
[8] S. Roschke, et aI., "Intrusion Detection in the
Cloud,"presented at the Eighth IEEE International Conferenceon
Dependable, Autonomic and Secure Computing,Chengdu, China,
2009.
[9] Cloud Computing, http://www.ibm.com/ibm/cloud/Author
Profile
Dr. M. C. Padma received her B.E. Degree in
Computer Science and Engineering and M.Sc. Tech.by Research
degree from University of Mysore,
Mysore, India and Ph.D. from VisvesvarayaTechnological
University, Belgaum. She is currently
working as Professor in the department of Computer Science
and
Engineering, PES College of Engineering, Mandya, Karnataka.
Hermain research interests are in the area of image processing,
patternrecognition, database management system, data structures,
natural
language processing, data mining, document image
processing,network security and cryptography.
Abdul Jabbar. K born in 1987. He received his
graduation in computer Science and engineering fromInstitution
of Engineers India (IEI), Kolkata. Now
pursuing M Tech degree in Computer Science andEngineering from
PES College of engineering,
Mandya, Karnataka, India. He is currently doing training on
cloud
computing from HASH Solutions, Cochin. His research interestsare
cloud computing, web services and networking.
132
