Virtual Firewall Security on Virtual Machines in Cloud Environment

Virtual Firewall Security on Virtual Machines in Cloud Environment

International Journal of Scientific & Engineering Research, Volume 6, Issue 2, February-2015 990 ISSN 2229-5518 Virtual Firewall Security on Virtual Machines in Cloud Environment Gladman Jekese, R.Subburaj Professor, Chiedza Hwata Abstract —Virtualization is revolutionizing how information technology resources and services are used and managed and has led to an explosive growth in the cloud computing industry, illustrated by Google’s Cloud Platform and Amazon’s Elastic Cloud. It brings unique security problems such as virtual traffic, denial of service and intrusion, resulting in penetration of virtual machines, which is disastrous for the enterprise, the user and the cloud provider. Virtual traffic between virtual machines may never leave the physical host hardware; making traditional physical firewalls hopeless to monitor and secure it. This paper proposes a virtual firewall which allows managing the network security of the virtual infrastructure per-virtual machine basis, defining network traffic rules, and hardening the security of the virtual environment. A private cloud is designed using open source solutions and to manage the firewall rules, we implement a Tree-Rule firewall technique which filters packets in a tree-like way based on their attributes such as IP address and protocols. The speed of filtering and processing packets on virtual firewall is highly improved to avoid overload of the firewall in the particular case. It permits to log and analyze network traffic logs for each of the monitored virtual machines. The virtual firewall will provide the power to control the bandwidth utilization of each virtual machine in the infrastructure, preventing overutilization and denial of service to critical applications. Index Terms— virtual firewall, hypervisor, virtualization, virtual machine, tree-rule firewall, stateful firewall, virtual traffic —————————— —————————— One way to secure and monitor VM-to-VM traffic is 1 INTRODUCTION through routing the virtualized network traffic out of the N cloud computing multi tenancy is problematic, especially virtual network and onto the physical network via Virtual I with public clouds. For example, co-locating two Local Area Networks (VLANs), and hence into a physical competing companies in the same physical server can raise firewall already present. The VLAN traffic could be monitored some privacy concerns unless tenants are properly isolated and filtered by the physical firewall and then passed back into from each other [1]. Also hybrid clouds introduce inter-cloud the virtual network and on to the target virtual machine. This communications a security threat that has to be properly process also presents risks to the hypervisor so it might be authenticated and protected to avoid abuse. In this paper, we more efficient to keep the traffic entirely within the virtualized propose a virtual firewall to improve security for virtual environment and secure it from there [6], [7]. The solution to machines (VMs) in cloud environment. this issue is the use of virtual firewall. Virtualization permits not only to reduce costs (electrical, space, hardware) by loweringIJSER the number of physical machines, but it also eases the management of an ever- growing number of computers and servers. VM systems can be categorized into two groups: Type I VMMs or Type II VMMs as shown in Figure 1. A Type I VMM runs directly on the physical hardware and a Type II VMM runs as an application in a normal operating system. However, virtualization is both an opportunity and a threat [2], [3]. The process of collapsing multiple servers into a single one, with several VMs inside, result in eliminating firewall and other Fig 1. Type 1 and Type II VMM Architecture protections in existence prior to the virtualization. Traditional 1.1 Traditional Firewalls physical security measures literally become blind to traffic A firewall puts a barrier that controls the flow of traffic between VMs since the virtual network traffic may never leave among domains, hosts and networks. A firewall is usually the physical host hardware [4], [5]. placed between the public internet and a private and trusted ———————————————— network. They are a combination of hardware (network • Gladman Jekese is an M.Tech student in Information Technology at SRM switches and routers) and software that deals with network University, Chennai, India, E-mail: [email protected] • Dr. R Subburaj is a Professor and Consultant in the Department of packets according to a given set of rules (firewall policy) that Information Technology at SRM University, Chennai., India, E- is the security policy. Conceptually there are three types of mail: [email protected] firewalls which are static, dynamic and application-layer • Chiedza Hwata is an M.Tech student in Information Technology at SRM University, Chennai, India, E-mail: [email protected] firewalls that generally apply different filtering rules. There have been many studies about firewall rule conflicts (anomalies) that occur within rule sets. The traditional IJSER © 2015 http://www.ijser.org International Journal of Scientific & Engineering Research, Volume 6, Issue 2, February-2015 991 ISSN 2229-5518 firewalls filter packets by comparing their header information security problems because a virtual machine (VM) behind the against a set of pre-defined firewall rules. Packets are filtered firewall may be attacked by other situated in the same in a sequential order, starting from the first rule until there is a domain. Therefore, to upgrade the security level, one proposal matching rule. If there is no matching rule found, the packet is is to reposition the firewalls as shown in Fig. 1(b) [9]. processed by the default rule. This process operates rule by However, this positioning consumes much more resource rule until a specific condition is reached. The rules in (e.g., disk space, Random Access Memory (RAM), and traditional firewalls are a list of condition statements followed hypervisor’s Central Processing Unit (CPU)). To resolve this by actions which are shown in Table 1 [8]. problem, the firewall can be a managed kernel process running within the host hypervisor that sits atop all VM Table. 1 An example of rule in Traditional Firewalls activity as shown in Fig. 1(c) [9] and this proposal consumes less resource but requests more rules in the firewall than the one shown in Fig. 1(a). The added rules are the ones for preventing the attacks between VMs. To overcome the problems, a virtual firewall is presented to support the third model (Fig. 1(c)) and evaluate its performance. Basically there are key issues with the traditional firewalls such as: • Security problem, caused by potential shadowed rules and the change of meaning of the rule policy due to rule repositioning, • Functional speed problem, raised by shadowed rules redundant rules and sequential rule matching, and • Difficulty in rule design, in which one needs to carefully choose the proper positions for the firewall rules in order to avoid listing 'bigger rules’ before 'smaller rules'[8]. 1.2 Virtual Firewalls Virtual firewalls are the linchpin of enterprise security in cloud environment and IJSERare the most widely adopted technology for protecting virtual private networks. An error in a firewall policy either creates security holes that will allow malicious traffic to sneak into a virtual private network or blocks legitimate traffic and disrupts normal business processes, which, in turn, could lead to irreparable, if not tragic, consequences. A virtual firewall is a firewall service running in a virtualized environment and providing the usual packet filtering and monitoring services that a physical firewall would provide. Virtual firewalls enable the use of network access controls Fig 2. Firewall models in cloud environment between VMs and other points in virtual and physical environments. Virtual firewalls are deployed within the fabric The rest of this paper is organized as follows. In Section 2 of the virtualization environment. A firewall can be we review previous studies on (virtual security) and firewall implemented on cloud environment as a service or appliance. optimization mainly from a theoretical view of point. In If a software firewall is applied, the firewall position is as Section 3 we show the methodology and design of the firewall shown in Fig. 1(a) [9]. It can be a purpose-built virtual security from a practical view of point and section 4 the appliance and the firewall position differs from what is shown implementation details of the virtual firewall. Finally in in Fig. 1(a) [10] and the firewall is not in the hypervisor Section 5 we conclude with an outline of possible although the levels of network security remain the same. The improvements. firewall positioning in Fig. 1(a) has its own benefits because it does not consume much resource as only a single firewall 2 RELATED WORK computer is required. However, this positioning still faces As a recommendation to understand virtual firewalls, [11], IJSER © 2015 http://www.ijser.org International Journal of Scientific & Engineering Research, Volume 6, Issue 2, February-2015 992 ISSN 2229-5518 [12], provides an overview of virtual firewalls and firewall virtualization techniques cannot be directly applied to the policy focusing on both network service access policy and cloud environment due to the semantic gap problem. As the firewall design policy. They did not look at the semantic gap increases the number of false alarms increases. implementation of the firewalls, nor do they use any particular Some public cloud providers have provided ways to apply products or security architectures or models. Their overlooked a set of static firewall rules to a cloud instance when it is the performance of the virtual firewall in the cloud provisioned. For example the IBM SmartCloud Enterprise environment an issue that we are going to look at in this (SCE) allows for such firewall definitions to be included in the paper. “parameters.xml” [21] that is associated with the cloud image R Schwarzkopf suggested the use of software updates and that is used to create the instance.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    6 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us