Presentation is loading. Please wait.

Presentation is loading. Please wait.

Anna Giannakou Christine Morin, Jean-Louis Pazat, Louis Rilling

Published byDavid Atkins Modified over 6 years ago

Similar presentations

Presentation on theme: "Anna Giannakou Christine Morin, Jean-Louis Pazat, Louis Rilling"— Presentation transcript:

1 Anna Giannakou Christine Morin, Jean-Louis Pazat, Louis Rilling
AL-SAFE: A Secure Self-Adaptable Application-Level Firewall for IaaS Clouds Anna Giannakou Christine Morin, Jean-Louis Pazat, Louis Rilling

2 Infrastructure as a Service Clouds

3 Infrastructure as a Service Clouds

4 Infrastructure as a Service Clouds

5 Infrastructure as a Service Clouds

6 Infrastructure as a Service Clouds

7 Infrastructure as a Service Clouds

8 The Need for Adaptable Security Monitoring
IaaS cloud environments are very dynamic Topology-related changes (VM creation, deletion, migration) Traffic load fluctuation Service addition/removal Traditional security monitoring is ineffective Reconfiguration of monitoring system should be automated Several actors with different security requirements (declared in the SLA)

9 Firewalls Rule-based configuration

10 Application-level Firewalls: Overview
Complete overview of the host they are running on

11 Application-level Firewalls: Vulnerabilities

12 Application-level Firewalls: The way of the Introspection
How to secure an application-level firewall? Our Approach: Use virtual machine introspection

13 Approach: Two-level Firewall
External firewall: Block malicious traffic early No CPU% cost in running VMs At the switch level: Block inter VM traffic Less network load Less traffic load on other probes Both firewalls: Self-configurable rule sets

14 Two-level Firewall: Initial Set-up

15 Two-level Firewall: Introspection

16 Two-level Firewall: White-list Comparison

17 Two-level Firewall: Rule Creation

18 Two-level Firewall: Rule Insertion-External

19 Two-level Firewall: Rule Insertion-Switch

20 Two-level Firewall: Complete Approach

21 Two-level Firewall: SAIDS Integration
Towards Self Adaptable Security Monitoring in IaaS Clouds. A. Giannakou et al. In Cluster, Cloud and Grid Computing (CCGrid), May 2015

22 Implementation & Current Status
Implementation details: Prototype in OpenStack and Open vSwitch Nftables as external firewall LibVMI + Volatility for introspection Current Status: Performance evaluation: Process/Network intensive applications Normal cloud operations (e.g VM migration) Micro-benchmarks Correctness Filter out all unauthorized packets

23 Conclusion Conclusion Future work
Application-level firewalls are vulnerable to host compromisation We can address this vulnerability through virtualization and introspection Future work Address multi-tenancy Enable component sharing

24 Thank you

Download ppt "Anna Giannakou Christine Morin, Jean-Louis Pazat, Louis Rilling"

Similar presentations

Virtual Switching Without a Hypervisor for a More Secure Cloud Xin Jin Princeton University Joint work with Eric Keller(UPenn) and Jennifer Rexford(Princeton)

Virtual Switching Without a Hypervisor for a More Secure Cloud Xin Jin Princeton University Joint work with Eric Keller(UPenn) and Jennifer Rexford(Princeton)
Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 3 02/15/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 3 02/15/2010 Security and Privacy in Cloud Computing.
Live Migration of an Entire Network (and its Hosts) Eric Keller, Soudeh Ghorbani, Matthew Caesar, Jennifer Rexford HotNets 2012.

Live Migration of an Entire Network (and its Hosts) Eric Keller, Soudeh Ghorbani, Matthew Caesar, Jennifer Rexford HotNets 2012.
Brocade VDX 6746 switch module for Hitachi Cb500

Brocade VDX 6746 switch module for Hitachi Cb500
Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.

Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.
Introduction to Firewall Technologies. Objectives Upon completion of this course, you will be able to: Understand basic concepts of network security Master.

Introduction to Firewall Technologies. Objectives Upon completion of this course, you will be able to: Understand basic concepts of network security Master.
1 In VINI Veritas: Realistic and Controlled Network Experimentation Jennifer Rexford with Andy Bavier, Nick Feamster, Mark Huang, and Larry Peterson

1 In VINI Veritas: Realistic and Controlled Network Experimentation Jennifer Rexford with Andy Bavier, Nick Feamster, Mark Huang, and Larry Peterson
Inferring the Topology and Traffic Load of Parallel Programs in a VM environment Ashish Gupta Resource Virtualization Winter Quarter Project.

Inferring the Topology and Traffic Load of Parallel Programs in a VM environment Ashish Gupta Resource Virtualization Winter Quarter Project.
Dynamic Topology Adaptation of Virtual Networks of Virtual Machines Ananth I. Sundararaj Ashish Gupta Peter A. Dinda Prescience Lab Department of Computer.

Dynamic Topology Adaptation of Virtual Networks of Virtual Machines Ananth I. Sundararaj Ashish Gupta Peter A. Dinda Prescience Lab Department of Computer.
Inferring the Topology and Traffic Load of Parallel Programs in a VM environment Ashish Gupta Peter Dinda Department of Computer Science Northwestern University.

Inferring the Topology and Traffic Load of Parallel Programs in a VM environment Ashish Gupta Peter Dinda Department of Computer Science Northwestern University.
Authors: Thomas Ristenpart, et at.

Authors: Thomas Ristenpart, et at.
Microsoft Virtual Academy Module 4 Creating and Configuring Virtual Machine Networks.

Microsoft Virtual Academy Module 4 Creating and Configuring Virtual Machine Networks.
SOFTWARE AS A SERVICE PLATFORM AS A SERVICE INFRASTRUCTURE AS A SERVICE.

SOFTWARE AS A SERVICE PLATFORM AS A SERVICE INFRASTRUCTURE AS A SERVICE.
Getting Started with Oracle Compute Cloud

Getting Started with Oracle Compute Cloud
QTIP Version 0.2 4th August 2015.

QTIP Version 0.2 4th August 2015.
Design and Implementation of a Single System Image Operating System for High Performance Computing on Clusters Christine MORIN PARIS project-team, IRISA/INRIA.

Design and Implementation of a Single System Image Operating System for High Performance Computing on Clusters Christine MORIN PARIS project-team, IRISA/INRIA.
1 Integrating a Network IDS into an Open Source Cloud Computing Environment 1st International Workshop on Security and Performance in Emerging Distributed.

1 Integrating a Network IDS into an Open Source Cloud Computing Environment 1st International Workshop on Security and Performance in Emerging Distributed.
Data Center Network Redesign using SDN

Data Center Network Redesign using SDN
Cyber Security of SCADA Systems Testbed Testbed Development Group Members: Justin Fitzpatrick Rafi Adnan Michael Higdon Ben Kregel Adviser: Dr. Manimaran.

Cyber Security of SCADA Systems Testbed Testbed Development Group Members: Justin Fitzpatrick Rafi Adnan Michael Higdon Ben Kregel Adviser: Dr. Manimaran.
Network Configuration Charles (Cal) Loomis & Mohammed Airaj LAL, Univ. Paris-Sud, CNRS/IN2P3 24-25 October 2013.

Network Configuration Charles (Cal) Loomis & Mohammed Airaj LAL, Univ. Paris-Sud, CNRS/IN2P October 2013.

Similar presentations

Ads by Google