A Decentralized Cloud Firewall Framework with Resources Provisioning Cost Optimization

Cloud computing is emerging as the next infrastructure platform for computing. Despite the promise of the model and the hype surrounding it, security remains the main reason that organizations hesitate to move their applications to the cloud: cloud platforms are subject to numerous attacks. A firewall is therefore needed to protect the cloud from these attacks. However, a single centralized firewall for an entire cloud data center is infeasible on both performance and cost grounds. In this paper we propose a decentralized cloud firewall framework in which each cloud customer has its own firewall. We investigate how to dynamically allocate resources to the firewall so that the resource provisioning cost is minimized while the QoS requirement specified by each customer is still met. For quantitative analysis of the system we introduce the queuing models M/Geo/1 and M/Geo/m, in which packet arrivals are Poisson and service times follow a geometric distribution. Using Z-transform and embedded Markov chain techniques, we derive a closed-form expression for the mean packet response time. Extensive simulations and experiments show that the M/Geo/1 model matches the real cloud firewall system considerably better than the traditional M/M/1 model. Our numerical results also indicate that a cloud firewall can be provisioned at a cost that is affordable to cloud customers.
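The following Python script is an added illustration of the modelling choice described above; it is not code from the paper and does not reproduce the paper's Z-transform derivation, which is not given on this page. It treats one customer's firewall as a single server fed by Poisson packet arrivals and compares the mean packet response time under two service-time assumptions with the same mean: a geometric number of unit time slots (the M/Geo/1 model) and an exponential service time (the classical M/M/1 model). The analytic values use the standard Pollaczek-Khinchine formula for M/G/1, and a short event-driven simulation checks them. The interpretation of the geometric service time as a rule-by-rule scan that stops at each rule with probability p, and the parameter values lam = 0.5 and p = 0.8, are assumptions made for the example.

```python
"""Added example (not from the paper): M/Geo/1 vs M/M/1 mean packet response time.

A customer's firewall is modelled as one FIFO server. Packets arrive as a
Poisson process with rate lam. In M/Geo/1 the service time is a geometric
number of unit slots with parameter p (assumed interpretation: a rule-by-rule
scan in which each rule ends the scan with probability p). In M/M/1 the
service time is exponential with the same mean 1/p. Analytic values use the
standard Pollaczek-Khinchine M/G/1 formula, not the paper's own derivation.
"""
import math
import random


def geo_service_moments(p: float) -> tuple:
    """Mean and second moment of a geometric service time on {1, 2, ...}.

    E[S] = 1/p and Var[S] = (1-p)/p^2, so E[S^2] = Var[S] + E[S]^2 = (2-p)/p^2.
    """
    if not 0.0 < p <= 1.0:
        raise ValueError("p must be in (0, 1]")
    return 1.0 / p, (2.0 - p) / p ** 2


def pk_mean_response(lam: float, mean_s: float, second_s: float) -> float:
    """Pollaczek-Khinchine mean response time of an M/G/1 queue.

    T = E[S] + lam * E[S^2] / (2 * (1 - rho)), where rho = lam * E[S].
    """
    rho = lam * mean_s
    if rho >= 1.0:
        raise ValueError(f"unstable queue: rho = {rho:.3f} >= 1")
    return mean_s + lam * second_s / (2.0 * (1.0 - rho))


def mm1_mean_response(lam: float, mu: float) -> float:
    """Mean response time of an M/M/1 queue: 1 / (mu - lam)."""
    if lam >= mu:
        raise ValueError("unstable queue: lam >= mu")
    return 1.0 / (mu - lam)


def sample_geometric(rng: random.Random, p: float) -> int:
    """Number of Bernoulli(p) trials up to and including the first success."""
    if p >= 1.0:
        return 1
    u = rng.random()  # uniform on [0, 1); inverse-CDF sampling
    return int(math.floor(math.log(1.0 - u) / math.log(1.0 - p))) + 1


def simulate_mg1(lam: float, service, n_packets: int, seed: int) -> float:
    """Event-driven single-server FIFO queue; returns the mean response time.

    `service` maps an rng to one service time. Response time is measured from
    a packet's arrival until its service completes.
    """
    rng = random.Random(seed)
    now = 0.0
    server_free_at = 0.0
    total_response = 0.0
    for _ in range(n_packets):
        now += rng.expovariate(lam)        # next Poisson arrival
        start = max(now, server_free_at)   # queue behind the packet in service
        server_free_at = start + service(rng)
        total_response += server_free_at - now
    return total_response / n_packets


def compare_models(lam: float, p: float, n_packets: int = 200_000, seed: int = 7) -> dict:
    """Analytic and simulated mean response times of M/Geo/1 and M/M/1 for the
    same arrival rate and the same mean service time 1/p."""
    mean_s, second_s = geo_service_moments(p)
    mu = 1.0 / mean_s
    return {
        "rho": lam * mean_s,
        "m_geo_1_analytic": pk_mean_response(lam, mean_s, second_s),
        "m_geo_1_simulated": simulate_mg1(
            lam, lambda r: sample_geometric(r, p), n_packets, seed),
        "m_m_1_analytic": mm1_mean_response(lam, mu),
        "m_m_1_simulated": simulate_mg1(
            lam, lambda r: r.expovariate(mu), n_packets, seed + 1),
    }


if __name__ == "__main__":
    # Constructed parameters: 0.5 packets per slot, scan stops at each rule with p = 0.8.
    for name, value in compare_models(lam=0.5, p=0.8).items():
        print(f"{name:>20}: {value:.3f}")
```

With these parameters both models run at load rho = 0.625, yet the geometric service time gives a mean response of 2.5 slots against 3.33 for the exponential one, because a geometric service time with mean 1/p has squared coefficient of variation 1 - p, which is below the value 1 of the exponential distribution. This is the practical consequence of the model choice: sizing a firewall with M/M/1 when the service process is closer to M/Geo/1 overestimates the resources needed to meet a response-time QoS target.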
