Towards automated provisioning of secure virtualized networks

We describe a secure network virtualization framework that helps realize the abstraction of Trusted Virtual Domains (TVDs), a security-enhanced variant of virtualized network zones. The framework allows groups of related virtual machines running on separate physical machines to be connected together as though they were on their own separate network fabric and, at the same time, helps enforce cross-group security requirements such as isolation, confidentiality, and information flow control. The framework uses existing network virtualization technologies, such as Ethernet encapsulation, VLAN tagging, and VPNs, and combines and orchestrates them appropriately to implement TVDs. Our framework aims at automating the instantiation and deployment of the appropriate security mechanisms and network virtualization technologies based on an input security model that specifies the required level of isolation and the permitted network flows. We have implemented a prototype of the framework based on the Xen hypervisor. Experimental evaluation of the prototype shows that the performance of our virtual networking extensions is comparable to that of the standard Xen configuration.
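The following is an added illustration of the provisioning idea the abstract describes, not code from the paper or its Xen prototype. It assumes a deliberately simplified model (all assumptions are mine): a TVD is a string label, every VM belongs to one TVD, hosts belong to a "site" whose LAN is trusted, and the input security model is a directed allow-matrix between TVDs with default deny. The planner assigns one 802.1Q tag per TVD, attaches VMs to a tagged port on the local virtual switch, carries the VLAN over the physical fabric between hosts at the same site, and falls back to EtherIP encapsulation inside a VPN tunnel between sites. The allow-matrix is then compiled into VLAN-level rules and used to decide individual VM-to-VM flows. The VM, host and site names are constructed sample data.

```python
"""Illustrative TVD provisioning planner (added example, not the paper's code)."""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    host: str
    tvd: str


@dataclass
class SecurityModel:
    """Input model: the TVDs and the directed inter-TVD flows that are permitted."""
    tvds: Set[str]
    allowed_flows: Set[Tuple[str, str]]  # (src_tvd, dst_tvd); anything unlisted is denied

    def __post_init__(self) -> None:
        for src, dst in self.allowed_flows:
            if src not in self.tvds or dst not in self.tvds:
                raise ValueError(f"flow {src}->{dst} references an unknown TVD")

    def permits(self, src_tvd: str, dst_tvd: str) -> bool:
        # Intra-TVD traffic is always allowed; cross-TVD traffic must be listed.
        return src_tvd == dst_tvd or (src_tvd, dst_tvd) in self.allowed_flows


@dataclass
class Plan:
    vlan_ids: Dict[str, int] = field(default_factory=dict)              # tvd -> 802.1Q tag
    segments: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (host, tvd) -> local mechanism
    links: Dict[Tuple[str, str, str], str] = field(default_factory=dict)  # (host_a, host_b, tvd) -> mechanism


def allocate_vlans(model: SecurityModel, first_id: int = 100) -> Dict[str, int]:
    """One tag per TVD so frames of different TVDs never share a broadcast domain."""
    if first_id + len(model.tvds) - 1 > 4094:
        raise ValueError("VLAN id space exhausted")
    return {tvd: first_id + i for i, tvd in enumerate(sorted(model.tvds))}


def choose_link(site_a: str, site_b: str) -> str:
    # Same site: the physical switches trunk the TVD's VLAN between hosts.
    # Different sites: Ethernet frames are encapsulated in IP (EtherIP) and
    # sent through a VPN tunnel so the untrusted WAN sees only ciphertext.
    return "vlan-trunk" if site_a == site_b else "etherip-over-vpn"


def plan(model: SecurityModel, vms: List[VM], host_site: Dict[str, str]) -> Plan:
    """Derive the per-host segments and inter-host links needed to realize each TVD."""
    p = Plan(vlan_ids=allocate_vlans(model))
    hosts_by_tvd: Dict[str, Set[str]] = {t: set() for t in model.tvds}
    for vm in vms:
        if vm.tvd not in model.tvds:
            raise ValueError(f"{vm.name}: unknown TVD {vm.tvd!r}")
        if vm.host not in host_site:
            raise ValueError(f"{vm.name}: unknown host {vm.host!r}")
        hosts_by_tvd[vm.tvd].add(vm.host)
        p.segments[(vm.host, vm.tvd)] = "vswitch-tagged-port"
    for tvd, hosts in hosts_by_tvd.items():
        for a, b in combinations(sorted(hosts), 2):
            p.links[(a, b, tvd)] = choose_link(host_site[a], host_site[b])
    return p


def inter_tvd_rules(model: SecurityModel, vlan_ids: Dict[str, int]) -> List[str]:
    """Compile the allow-matrix into VLAN-level rules with a final default deny."""
    rules = [f"permit vlan {vlan_ids[s]} -> vlan {vlan_ids[d]}"
             for s, d in sorted(model.allowed_flows)]
    rules.append("deny vlan any -> vlan any")
    return rules


def check_flow(model: SecurityModel, vms: List[VM], src: str, dst: str) -> str:
    """Decide one VM-to-VM flow against the model (default deny for unknown pairs)."""
    by_name = {vm.name: vm for vm in vms}
    s, d = by_name[src], by_name[dst]
    return "allow" if model.permits(s.tvd, d.tvd) else "deny"


# Constructed sample input: two TVDs, "blue" may initiate flows to "red" but not vice versa.
MODEL = SecurityModel(tvds={"red", "blue"}, allowed_flows={("blue", "red")})
VMS = [VM("vm1", "host1", "red"), VM("vm2", "host1", "red"), VM("vm3", "host2", "red"),
       VM("vm4", "host3", "blue"), VM("vm5", "host3", "red")]
HOST_SITE = {"host1": "siteA", "host2": "siteA", "host3": "siteB"}

if __name__ == "__main__":
    p = plan(MODEL, VMS, HOST_SITE)
    print(p.vlan_ids)
    for key, mech in sorted(p.links.items()):
        print(key, mech)
    print(inter_tvd_rules(MODEL, p.vlan_ids))
    print(check_flow(MODEL, VMS, "vm4", "vm1"), check_flow(MODEL, VMS, "vm1", "vm4"))
```

The point of the directed matrix is that "isolation" and "information flow control" are not the same requirement: two TVDs can share physical hosts and switches and still be isolated by tag, while a one-way permitted flow is an explicit exception that must be compiled into the enforcement point rather than implied by shared infrastructure.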
