Secure Cloud Computing with Virtualized Network Infrastructure HotCloud 10 By Xuanran Zong.

Slides:

Advertisements

Similar presentations

Network Services for Enhanced Cloud Computing T. V. Lakshman Bell Labs (Jointly with F. Hao, S. Mukherjee, H. Song)

Advertisements

All rights reserved © 2000, Alcatel 1 CPE-based VPNs Hans De Neve Alcatel Network Strategy Group.

Identifying MPLS Applications

All Rights Reserved © Alcatel-Lucent 2009 Enhancing Dynamic Cloud-based Services using Network Virtualization F. Hao, T.V. Lakshman, Sarit Mukherjee, H.

L. Alchaal & al. Page Offering a Multicast Delivery Service in a Programmable Secure IP VPN Environment Lina ALCHAAL Netcelo S.A., Echirolles INRIA.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

PARIS: ProActive Routing In Scalable Data Centers Dushyant Arora, Theophilus Benson, Jennifer Rexford Princeton University.

PortLand: A Scalable Fault-Tolerant Layer 2 Data Center Network Fabric. Presented by: Vinuthna Nalluri Shiva Srivastava.

Data Center Fabrics. Forwarding Today Layer 3 approach: – Assign IP addresses to hosts hierarchically based on their directly connected switch. – Use.

Switching Topic 4 Inter-VLAN routing. Agenda Routing process Routing VLANs – Traditional model – Router-on-a-stick – Multilayer switches EtherChannel.

Agenda Virtual Private Networks (VPNs) Motivation and Basics Deployment Topologies IPSEC (IP Security) Authentication Header (AH) Encapsulating Security.

IPNL: A NAT-Extended Internet Architecture Francis & Gummadi Riku Honkanen.

Network Overlay Framework Draft-lasserre-nvo3-framework-01.

Internet Indirection Infrastructure Ion Stoica UC Berkeley.

Rethink the design of the Internet CSCI 780, Fall 2005.

COS 461: Computer Networks

Authors: Thomas Ristenpart, et at.

Jennifer Rexford Princeton University MW 11:00am-12:20pm Data-Center Traffic Management COS 597E: Software Defined Networking.

A Scalable, Commodity Data Center Network Architecture.

Jennifer Rexford Princeton University MW 11:00am-12:20pm SDN Software Stack COS 597E: Software Defined Networking.

SMUCSE 8344 MPLS Virtual Private Networks (VPNs).

NVO3 Requirements for Tunneling Igor Gashinsky and Bruce Davie IETF.

Microsoft Virtual Academy Module 4 Creating and Configuring Virtual Machine Networks.

Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—2-1 Implementing VLANs in Campus Networks Applying Best Practices for VLAN Topologies.

NETWORKS – NETWORK FUNDAMENTALS. How do computers connect to each other? Wired vs. Wireless Network cards Special device on computer that lets the computer.

Data Center Network Redesign using SDN

29-Aug-154/598N: Computer Networks Switching and Forwarding Outline –Store-and-Forward Switches.

Intranet, Extranet, Firewall. Intranet and Extranet.

Networking in the cloud: An SDN primer Ben Cherian Chief Strategy Midokura.

VL2 – A Scalable & Flexible Data Center Network Authors: Greenberg et al Presenter: Syed M Irteza – LUMS CS678: 2 April 2013.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 4 09/10/2013 Security and Privacy in Cloud Computing.

HAIR: Hierarchical Architecture for Internet Routing Anja Feldmann TU-Berlin / Deutsche Telekom Laboratories Randy Bush, Luca Cittadini, Olaf Maennel,

ECE 526 – Network Processing Systems Design Networking: protocols and packet format Chapter 3: D. E. Comer Fall 2008.

Chapter 2 Network Topology

Module 11: Implementing ISA Server 2004 Enterprise Edition.

CloudNaaS: A Cloud Networking Platform for Enterprise Applications Theophilus Benson*, Aditya Akella*, Anees Shaikh +, Sambit Sahu + (*University of Wisconsin,

June, 2006 Stanford 2006 Ethane. June, 2006 Stanford 2006 Security and You  What does security mean to you?  Data on personal PC?  Data on family PC?

Thomas Ristenpart,Eran Tromer, Horav Shahcham and Stefan Savage

Information-Centric Networks06b-1 Week 6 / Paper 2 A layered naming architecture for the Internet –Hari Balakrishnan, Karthik Lakshminarayanan, Sylvia.

Vytautas Valancius, Nick Feamster, Akihiro Nakao, and Jennifer Rexford.

Vic Liu Liang Xia Zu Qiang Speaker: Vic Liu China Mobile Network as a Service Architecture draft-liu-nvo3-naas-arch-01.

Chapter 19 Binding Protocol Addresses (ARP) A frame transmitted across a physical network must contain the hardware address of the destination. Before.

STORE AND FORWARD & CUT THROUGH FORWARD Switches can use different forwarding techniques— two of these are store-and-forward switching and cut-through.

Information-Centric Networks Section # 6.2: Evolved Naming & Resolution Instructor: George Xylomenos Department: Informatics.

Cisco Confidential © 2013 Cisco and/or its affiliates. All rights reserved. 1 Cisco Networking Training (CCENT/CCT/CCNA R&S) Rick Rowe Ron Giannetti.

: MobileIP. : r Goal: Allow machines to roam around and maintain IP connectivity r Problem: IP addresses => location m This is important for efficient.

VS (Virtual Subnet) draft-xu-virtual-subnet-03 Xiaohu Xu IETF 79, Beijing.

Understanding “Virtual” Networks J.J. Ekstrom Fall 2011.

K. Salah1 Security Protocols in the Internet IPSec.

XRBLOCK IETF 85 Atlanta Network Virtualization Architecture Design and Control Plane Requirements draft-fw-nvo3-server2vcenter-01 draft-wu-nvo3-nve2nve.

This courseware is copyrighted © 2016 gtslearning. No part of this courseware or any training material supplied by gtslearning International Limited to.

Multiprotocol Label Switching (MPLS) Routing algorithms provide support for performance goals – Distributed and dynamic React to congestion Load balance.

Network Virtualization Ben Pfaff Nicira Networks, Inc.

MPLS Virtual Private Networks (VPNs)

InterVLAN Routing 1. InterVLAN Routing 2. Multilayer Switching.

Routing and Addressing in Next-Generation EnteRprises (RANGER)

Ready-to-Deploy Service Function Chaining for Mobile Networks

CIS 700-5: The Design and Implementation of Cloud Networks

B-TECH PROJECT MID-SEM PRESENTATION 2011

Virtual Private Networks

NOX: Towards an Operating System for Networks

Chapter 4 Data Link Layer Switching

Network Virtualization

Security Protocols in the Internet

Firewalls Routers, Switches, Hubs VPNs

NTHU CS5421 Cloud Computing

Cengage Learning: Computer Networking from LANs to WANs

OCI – VPN Connect Internet Customer Premises

Presentation transcript:

Secure Cloud Computing with Virtualized Network Infrastructure HotCloud 10 By Xuanran Zong

Cloud Security Two end of the spectrum – Amazon EC2 Shared, public cloud Resource multiplexing, low cost Low security – Government cloud Dedicated infrastructure High cost High security

Design Goal Isolation Transparency Location independence Easy policy control Scalability (?) Low cost

Conventional data center architecture VLAN to ensure security – Scalability issue: can take up to 4K id – Management and control overhead Per-user security policy control – But, how to enforce? End-host? Not secure enough Middlebox? Unnecessary traffic

Secure Elastic Cloud Computing Reference:

Numbering and addressing Each customer has a unique cnet id VM can be identified by (cnet id, IP) Each domain has a unique eid Use VLAN to separate different customer in the same domain VLAN id can be reused in different domain

Customer network integration Private network can be treated as a special domain where VPN is used to connect it to core domain

Central controller Address mapping – VM MAC (cnet id, IP) – VM MAC eid – eid FE MAC list – (cnet id, eid) VLAN id Policy databas – E.g. packet from customer A are first forwarded to firewall F.

Forwarding elements Address lookup and mapping – FE MAC of the destination domain – VLAN ID Policy enforcement – By default, packets designated to a different customer are dropped Tunneling between FEs – Encapsulate another MAC header

Data forwarding Reference:

How does it solve the limitation? VLAN scalability – Partition network into smaller edge domain, each maintains its own VLAN – VLAN id can be reused Per-user security – Security policy enforced by FE – CC stores security policies for all customers

Discussion Security via isolation and access control – Consider the co-residence problem proposed by “Get off my cloud” paper – Matching Dom0 IP address Disable traceroute – Small round-trip time Every packet needs to go through FE – Numerically close IP address Each customer has private IP address

Discussion Cached vs installed forwarding table VM migration – Update CC (eid, VLAN id)

Discussion Pros – Security enforcement via isolation and access control – Scalable in terms of number of customers supported by VLAN – Most networking equipments are off-the-shelf Cons? – Scalability? Centralized CC? – Larger round trip time within the same edge domain – Tunneling?