Improving network security through SDN in cloud scenarios

The recent emergence of cloud enabled applications raises security concerns increasingly, since more and more personal and company data is outsourced. The security of single systems and services was broadly treated in the past. Cloud systems and services require a more detailed observation of their security requirements and fulfillment, since a huge amount of services and systems coexist on one virtualization layer without knowing other systems on the same layer. Only the cloud provider has a rare idea of these systems' behavior in his own cloud environment. Therefore this work proposes a network security approach which is aware of all existing systems and services hosted by at least one cloud provider. The main idea is to maintain a logically centralized database that provides latest security related information about each system or service. Using this knowledge base, our approach ponders a systems' security score, security requirements given by the systems' owners and the cloud provider, and reconfigures the network accordingly to meet the security requirements for every system. In addition, the reconfiguration process can be used to redirect traffic to additional security systems, in order to obtain more detailed information about a system and therefore increase the accuracy of the specific systems' security score.

[1]  Aurobindo Sundaram,et al.  An introduction to intrusion detection , 1996, CROS.

[2]  Aviel D. Rubin,et al.  Risks of the Passport single signon protocol , 2000, Comput. Networks.

[3]  Ari Juels,et al.  HAIL: a high-availability and integrity layer for cloud storage , 2009, CCS.

[4]  Kevin Benton,et al.  OpenFlow vulnerability assessment , 2013, HotSDN '13.

[5]  Rodrigo Braga,et al.  Lightweight DDoS flooding attack detection using NOX/OpenFlow , 2010, IEEE Local Computer Network Conference.

[6]  Robert Koch,et al.  Evaluation of State of the Art IDS Message Exchange Protocols , 2013 .

[7]  Zetao Jiang,et al.  Semi-proxy Based on Protocol Analysis: A New Design of HTTP Anti-virus Gateway , 2010, 2010 Second International Conference on Networks Security, Wireless Communications and Trusted Computing.

[8]  Bing Wang,et al.  Malware Detection for Mobile Devices Using Software-Defined Networking , 2013, 2013 Second GENI Research and Educational Experiment Workshop.

[9]  Ehab Al-Shaer,et al.  Openflow random host mutation: transparent moving target defense using software defined networking , 2012, HotSDN '12.

[10]  Avishai Wool,et al.  A quantitative study of firewall configuration errors , 2004, Computer.

[11]  V. Kavitha,et al.  A survey on security issues in service delivery models of cloud computing , 2011, J. Netw. Comput. Appl..

[12]  Joan Feigenbaum,et al.  The Role of Trust Management in Distributed Systems Security , 2001, Secure Internet Programming.

[13]  Nick Feamster Outsourcing home network security , 2010, HomeNets '10.

[14]  Bernhard Plattner,et al.  Large-scale vulnerability analysis , 2006, LSAD '06.

[15]  Basil S. Maglaris,et al.  Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments , 2014, Comput. Networks.

[16]  Sakir Sezer,et al.  Sdn Security: A Survey , 2013, 2013 IEEE SDN for Future Networks and Services (SDN4FNS).

[17]  Fernando M. V. Ramos,et al.  Towards secure and dependable software-defined networks , 2013, HotSDN '13.

[18]  Balachandra Reddy Kandukuri,et al.  Cloud Security Issues , 2009, 2009 IEEE International Conference on Services Computing.

[19]  Rob Sherwood,et al.  FlowVisor: A Network Virtualization Layer , 2009 .