Collaborative network security in multi-tenant data center for cloud computing

A data center is an infrastructure that supports Internet services. Cloud computing is rapidly changing the face of the Internet service infrastructure, enabling even small organizations to quickly build Web and mobile applications for millions of users by taking advantage of the scale and flexibility of the shared physical infrastructure that cloud computing provides. In this scenario, multiple tenants store their data and applications in shared data centers, blurring the network boundaries between tenants in the cloud. In addition, different tenants have different security requirements, so different security policies are necessary for different tenants. Network virtualization is used to meet a diverse set of tenant-specific requirements on the underlying physical network, enabling multi-tenant data centers to automatically address a large and diverse set of tenant requirements. In this paper, we propose the system implementation of vCNSMS, a collaborative network security prototype system used in a multi-tenant data center. We demonstrate vCNSMS with a centralized collaborative scheme and deep packet inspection using an open-source UTM system. A security-level-based protection policy is proposed to simplify security rule management for vCNSMS: each security level has its own packet inspection scheme and is enforced with a different set of security plugins. A smart packet verdict scheme is also integrated into vCNSMS for intelligent flow processing, to protect against possible network attacks inside the data center network.
