Published by Briana Todd, modified over 9 years ago
Slide 1: Secure Cloud Computing with Virtualized Network Infrastructure (HotCloud 10), by Xuanran Zong
Slide 2: Cloud Security
Two ends of the spectrum:
- Amazon EC2: shared, public cloud; resource multiplexing, low cost; low security
- Government cloud: dedicated infrastructure; high cost; high security
Slide 3: Design Goals
- Isolation
- Transparency
- Location independence
- Easy policy control
- Scalability (?)
- Low cost
Slide 4: Conventional data center architecture
VLANs to ensure security:
- Scalability issue: only up to 4K VLAN ids are available
- Management and control overhead
Per-user security policy control:
- But how to enforce it?
- At the end host? Not secure enough
- At a middlebox? Unnecessary traffic
Slide 5: Secure Elastic Cloud Computing
Reference: http://www.usenix.org/events/hotcloud10/tech/slides/hao.pdf
Slide 6: Numbering and addressing
- Each customer has a unique cnet id
- A VM is identified by (cnet id, IP)
- Each edge domain has a unique eid
- VLANs separate different customers within the same domain
- VLAN ids can be reused in different domains
Slide 7: Customer network integration
The customer's private network can be treated as a special domain, connected to the core domain over a VPN.
Slide 8: Central controller
Address mapping:
- VM MAC -> (cnet id, IP)
- VM MAC -> eid
- eid -> FE MAC list
- (cnet id, eid) -> VLAN id
Policy database:
- E.g. packets from customer A are first forwarded to firewall F.
Slide 9: Forwarding elements
Address lookup and mapping:
- FE MAC of the destination domain
- VLAN id
Policy enforcement:
- By default, packets destined for a different customer are dropped
Tunneling between FEs:
- Encapsulate the packet with another MAC header
Slide 10: Data forwarding
Reference: http://www.usenix.org/events/hotcloud10/tech/slides/hao.pdf
Slide 11: How does it address the limitations?
VLAN scalability:
- Partition the network into smaller edge domains, each maintaining its own VLANs
- VLAN ids can be reused across domains
Per-user security:
- Security policy is enforced by the FE
- The CC stores the security policies for all customers
Slide 12: Discussion
Security via isolation and access control. Consider the co-residence checks proposed in the "Get off my cloud" paper:
- Matching Dom0 IP address: traceroute is disabled
- Small round-trip time: every packet has to pass through an FE
- Numerically close IP addresses: each customer has its own private IP addresses
Slide 13: Discussion
- Cached vs. installed forwarding table
- VM migration: update the CC's (eid, VLAN id) binding for the moved VM
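To make the mechanism of slides 6, 8, 9, 11 and 13 concrete, here is an added Python toy model of the central controller and a forwarding element. It is not code from the talk or from the HotCloud paper; the policy-database shape (one middlebox MAC per cnet id), the MAC strings, and the choice to evict FE cache entries when the CC rebinds a migrated VM are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

VLAN_MAX = 4094  # usable 802.1Q VLAN ids per edge domain (the "4K" limit of slide 4)
Entry = Tuple[int, int, str, int]  # (cnet id, eid, FE MAC, VLAN id) as handed to an FE


@dataclass(frozen=True)
class Packet:
    src_mac: str  # MAC of the sending VM
    dst_mac: str  # MAC of the destination VM


@dataclass(frozen=True)
class Tunneled:
    # Packet after FE encapsulation: outer MAC header plus the destination domain's VLAN id
    outer_src: str  # MAC of the ingress FE
    outer_dst: str  # MAC of the FE in the destination edge domain
    vlan_id: int    # only meaningful inside that destination domain
    inner: Packet


class CentralController:
    """The four address maps and the policy database of slide 8 (toy model)."""

    def __init__(self) -> None:
        self.vm: Dict[str, Tuple[int, str]] = {}    # VM MAC -> (cnet id, IP)
        self.eid: Dict[str, int] = {}               # VM MAC -> eid
        self.fes: Dict[int, List[str]] = {}         # eid -> FE MAC list
        self.vlan: Dict[Tuple[int, int], int] = {}  # (cnet id, eid) -> VLAN id
        self.policy: Dict[int, str] = {}            # cnet id -> middlebox MAC to visit first (assumed shape)
        self._next_vlan: Dict[int, int] = {}        # per-domain allocator, so ids repeat across domains
        self._fes: List["ForwardingElement"] = []   # FEs to notify when a binding changes

    def add_domain(self, eid: int, fe_macs: List[str]) -> None:
        self.fes[eid] = list(fe_macs)

    def register_vm(self, mac: str, cnet: int, ip: str, eid: int) -> int:
        """Bind a VM to its customer and edge domain; returns its in-domain VLAN id."""
        self.vm[mac] = (cnet, ip)
        self.eid[mac] = eid
        return self._vlan_for(cnet, eid)

    def _vlan_for(self, cnet: int, eid: int) -> int:
        key = (cnet, eid)
        if key not in self.vlan:
            nxt = self._next_vlan.get(eid, 1)
            if nxt > VLAN_MAX:
                raise RuntimeError(f"VLAN space exhausted in edge domain {eid}")
            self.vlan[key] = nxt
            self._next_vlan[eid] = nxt + 1
        return self.vlan[key]

    def resolve(self, mac: str) -> Optional[Entry]:
        """Everything an FE needs for one VM MAC, or None if the MAC is unknown."""
        if mac not in self.vm:
            return None
        cnet, eid = self.vm[mac][0], self.eid[mac]
        return cnet, eid, self.fes[eid][0], self.vlan[(cnet, eid)]

    def migrate(self, mac: str, new_eid: int) -> int:
        """Slide 13: rebind a moved VM to (new eid, VLAN id) and evict stale FE cache entries."""
        cnet = self.vm[mac][0]
        self.eid[mac] = new_eid
        vlan = self._vlan_for(cnet, new_eid)
        for fe in self._fes:
            fe.cache.pop(mac, None)
        return vlan


class ForwardingElement:
    """Slide 9: address lookup (cached from the CC), policy enforcement, FE-to-FE tunneling."""

    def __init__(self, mac: str, cc: CentralController) -> None:
        self.mac, self.cc = mac, cc
        self.cache: Dict[str, Entry] = {}  # the "cached" forwarding table of slide 13
        cc._fes.append(self)

    def _lookup(self, mac: str) -> Optional[Entry]:
        if mac not in self.cache:
            entry = self.cc.resolve(mac)
            if entry is None:
                return None
            self.cache[mac] = entry
        return self.cache[mac]

    def forward(self, pkt: Packet) -> Union[Tunneled, str]:
        src, dst = self._lookup(pkt.src_mac), self._lookup(pkt.dst_mac)
        if src is None or dst is None:
            return "DROP: unknown endpoint"
        if src[0] != dst[0]:
            return "DROP: cross-customer traffic"  # default deny between customers (slide 9)
        middlebox = self.cc.policy.get(src[0])
        if middlebox is not None and pkt.src_mac != middlebox:
            dst = self._lookup(middlebox)  # slide 8 example: customer A's traffic visits firewall F first
            if dst is None:
                return "DROP: policy middlebox unknown"
        return Tunneled(self.mac, dst[2], dst[3], pkt)
```

A constructed scenario to run against this: two customers (cnet ids 100 and 200) each place a VM in edge domain 1 and get VLAN ids 1 and 2 there, while customer 100's VM in domain 2 gets VLAN id 1 again, which is the reuse that removes the 4K limit as a global constraint. A packet between customer 100's two VMs comes back tunneled to the other domain's FE with that domain's VLAN id; a packet from customer 100 to customer 200 is dropped by the default policy even though both VMs share a domain and a private IP. After `migrate()` moves a VM, the FE's cached entry is gone and the next lookup returns the new location, which is the "installed" style of keeping forwarding tables consistent; a pure cache with a timeout would instead tolerate a window of stale entries.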
Slide 14: Discussion
Pros:
- Security enforcement via isolation and access control
- Scalable in the number of customers that VLANs can support
- Most networking equipment is off-the-shelf
Cons?
- Scalability? Centralized CC?
- Larger round-trip time within the same edge domain
- Tunneling?