Network Isolation

The experts below are selected from a list of 705 experts worldwide ranked by the ideXlab platform.

Luis Henrique M. K. Costa - One of the best experts on this subject based on the ideXlab platform.

  • GLOBECOM - XTC: A Throughput Control Mechanism for Xen-Based Virtualized Software Routers
    2011 IEEE Global Telecommunications Conference - GLOBECOM 2011, 2011
    Co-Authors: Rodrigo S. Couto, Miguel Elias M. Campista, Luis Henrique M. K. Costa
    Abstract:

    Xen is a tool for hardware virtualization often used to build virtual routers. Xen, however, does not assure the fundamental requirement of network isolation among these routers. This work proposes XTC (Xen Throughput Control) to fill this gap, and therefore, to guarantee multiple network coexistence without interference. XTC sets the amount of CPU allocated to each virtual router according to the maximum throughput allowed. Xen behavior is modeled by using experimental data, and based on these data, XTC is designed using feedback control. Results obtained in a testbed demonstrate the XTC ability to isolate virtual network capacities and to adapt to system changes.

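
The abstract above gives the mechanism only in outline: model the router's throughput as a function of its CPU share, then close a feedback loop that moves the CPU cap until the measured throughput meets the allowed maximum. The Python below is an added illustration of that loop, not XTC's code and not the paper's experimentally derived Xen model. The VirtualRouter plant (throughput linear in the cap up to the offered load), the integral controller, its gain ki and the cap limits are all assumptions made for the example; what it shows is that the controller holds a greedy router at its allowance without knowing the plant gain, and that the cap clamp stops a lightly loaded router from winding its allocation up without bound.

```python
"""Feedback-controlled CPU capping to bound a virtual router's throughput.

Added illustration of the XTC idea; not the paper's code or its Xen model.
The controller never learns how many Mb/s a router forwards per unit of CPU:
it only observes throughput and moves the CPU cap until the observed value
meets the allowed maximum, which is what makes the scheme adapt to changes
in the system.
"""

from dataclasses import dataclass


@dataclass
class VirtualRouter:
    """Hypothetical plant (an assumption for the example): throughput grows
    linearly with the CPU cap, gain Mb/s per percent of CPU, and saturates at
    the load the router is offered."""
    name: str
    gain: float           # Mb/s per percent of CPU; unknown to the controller
    offered_load: float   # Mb/s the router would forward with unlimited CPU
    cap: float = 10.0     # percent of a CPU core currently allocated

    def measure(self) -> float:
        return min(self.offered_load, self.gain * self.cap)


class ThroughputController:
    """Integral controller: cap <- cap + ki * (allowed - measured), clamped.

    The clamp matters: a router offered less than its allowance keeps a
    positive error forever and would otherwise wind the cap up without bound."""

    def __init__(self, ki: float = 0.05, cap_min: float = 1.0, cap_max: float = 100.0):
        self.ki, self.cap_min, self.cap_max = ki, cap_min, cap_max

    def step(self, router: VirtualRouter, allowed: float) -> float:
        error = allowed - router.measure()
        router.cap = max(self.cap_min, min(self.cap_max, router.cap + self.ki * error))
        return router.cap


def run(routers, allowance, rounds=200):
    """Control each router toward its own allowance; returns name -> (throughput, cap)."""
    ctl = ThroughputController()
    for _ in range(rounds):
        for r in routers:
            ctl.step(r, allowance[r.name])
    return {r.name: (r.measure(), r.cap) for r in routers}


# Constructed scenario: a greedy router and a lightly loaded one share a host.
ROUTERS = [VirtualRouter("greedy", gain=4.0, offered_load=1000.0),
           VirtualRouter("quiet", gain=8.0, offered_load=50.0)]
ALLOWANCE = {"greedy": 200.0, "quiet": 200.0}

if __name__ == "__main__":
    for name, (tput, cap) in run(ROUTERS, ALLOWANCE).items():
        print(f"{name}: {tput:.1f} Mb/s at {cap:.1f}% CPU")
```

With these numbers the greedy router, which would forward 1000 Mb/s if left alone, settles at 200 Mb/s on a 50% cap; the quiet router forwards its 50 Mb/s and its cap stops at the 100% ceiling instead of growing forever. The loop is stable as long as ki times the plant gain stays below 2, which is the kind of bound the experimental model in the paper would be used to choose.
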
Mourad Debbabi - One of the best experts on this subject based on the ideXlab platform.

  • Auditing Virtual Network Isolation Across Cloud Layers
    Cloud Security Auditing, 2019
    Co-Authors: Suryadipta Majumdar, Yushun Wang, Taous Madi, Yosr Jarraya, Amir Alimohammadifar, Makan Pourzandi, Lingyu Wang, Azadeh Tabiban, Momen Oqaily, Mourad Debbabi
    Abstract:

    In this chapter, taking into account the complexity factor and multi-layered nature of the cloud, we present an automated cross-layer approach that tackles the above issues for auditing isolation requirements between virtual networks in a multi-tenant cloud. We focus on isolation at layer 2 virtual networks and overlay, namely topology isolation, which is the basic building block for network communication and segregation for upper network layers. To the best of our knowledge, this is the first effort on auditing cloud infrastructure isolation at layer 2 virtual networks and overlay taking into account cross-layer consistency in the cloud stack.

  • ISOTOP: Auditing Virtual Networks Isolation Across Cloud Layers in OpenStack
    ACM Transactions on Privacy and Security, 2019
    Co-Authors: Taous Madi, Yushun Wang, Suryadipta Majumdar, Yosr Jarraya, Amir Alimohammadifar, Makan Pourzandi, Lingyu Wang, Mourad Debbabi
    Abstract:

    Multi-tenancy in the cloud is a double-edged sword. While it enables cost-effective resource sharing, it increases security risks for the hosted applications. Indeed, multiplexing virtual resources belonging to different tenants on the same physical substrate may lead to critical security concerns such as cross-tenant data leakage and denial of service. Particularly, virtual network isolation failures are among the foremost security concerns in the cloud. To remedy these, automated tools are needed to verify security mechanisms' compliance with relevant security policies and standards. However, auditing virtual network isolation is challenging due to the dynamic and layered nature of the cloud. Particularly, inconsistencies in network isolation mechanisms across cloud-stack layers, namely, the infrastructure management and the implementation layers, may lead to virtual network isolation breaches that are undetectable at a single layer. In this article, we propose an offline automated framework for auditing consistent isolation between virtual networks in an OpenStack-managed cloud spanning the overlay and layer 2 by considering both cloud layers' views. To capture the semantics of the audited data and its relation to the consistent isolation requirement, we devise a multi-layered model for data related to each cloud-stack layer's view. Furthermore, we integrate our auditing system into OpenStack, and present our experimental results on assessing several properties related to virtual network isolation and consistency. Our results show that our approach can be successfully used to detect virtual network isolation breaches for large OpenStack-based data centers in reasonable time.

  • NDSS - TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation.
    Proceedings 2017 Network and Distributed System Security Symposium, 2017
    Co-Authors: Yushun Wang, Taous Madi, Suryadipta Majumdar, Yosr Jarraya, Amir Alimohammadifar, Makan Pourzandi, Lingyu Wang, Mourad Debbabi
    Abstract:

    The multi-tenancy of a cloud usually leads to security concerns over network isolation around each cloud tenant's virtual resources. However, verifying network isolation in cloud virtual networks poses several unique challenges. The sheer size of virtual networks implies a prohibitive complexity, whereas the constant changes in virtual resources demand a short response time. To make things worse, such networks typically allow fine-grained (e.g., VM-level) and distributed (e.g., security groups) network access control. Those challenges can either invalidate existing approaches or cause an unacceptable delay which prevents runtime applications. In this thesis, we present TenantGuard, a scalable system for verifying cloud-wide, VM-level network isolation at runtime. We take advantage of the hierarchical nature of virtual networks, efficient data structures, incremental verification, and parallel computation to reduce the performance overhead of security verification. We implement our approach based on OpenStack and evaluate its performance both in-house and on Amazon EC2, which confirms its scalability and efficiency (13 seconds for verifying 168 million VM pairs). We further integrate TenantGuard with Congress, an OpenStack policy service, to verify the compliance of isolation results against tenant-specific high-level security policies.
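
The ISOTOP abstract above describes the method as a comparison of two views of the cloud that must agree, but does not show what a disagreement looks like. The Python below is an added example of such a cross-layer audit, not ISOTOP's code or data model. The management-layer view (a Neutron-like record of networks, segmentation IDs and ports), the implementation-layer view (per-host Open vSwitch port VLAN tags and VLAN-to-segment flow mappings), the check names and the sample cloud are all constructed for the example. The checks are the ones a practitioner would want from such an audit: a segmentation ID shared by two tenants, a port tagged into a local VLAN that carries a different segment than the management layer assigned, one VLAN on a host carrying two networks, and a tagged port the management layer knows nothing about. The wrong_segment case is the one that is invisible at a single layer: the Neutron record is correct, the host's tag table is internally consistent, and only the pairing shows that a beta VM is sitting in alpha's broadcast domain.

```python
"""Cross-layer audit of layer-2 tenant isolation, in the spirit of ISOTOP.

Added example; not ISOTOP's code or data model. Two views of the same cloud
are compared: what the management layer (a Neutron-style database) says each
VM port is attached to, and what the implementation layer (per-host Open
vSwitch port tags and tunnel flows) actually does with that port's frames. A
breach that is invisible in either view alone shows up as a disagreement.
"""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str
    host: str       # "*" for cloud-wide findings
    subject: str    # port id, network ids or local vlan
    detail: str


def audit(mgmt: dict, impl: dict) -> list:
    """Every inconsistency between the management and implementation views.

    mgmt = {"networks": {net_id: {"tenant": str, "segmentation_id": int}},
            "ports":    {port_id: {"network_id": net_id, "host": host}}}
    impl = {host: {"port_tags": {port_id: local_vlan},
                   "vlan_to_segment": {local_vlan: segmentation_id}}}
    """
    findings = []
    nets, ports = mgmt["networks"], mgmt["ports"]

    # 1. Overlay topology isolation: no segmentation id may serve two tenants.
    owners = defaultdict(set)
    for net_id, net in nets.items():
        owners[net["segmentation_id"]].add((net["tenant"], net_id))
    for seg, own in owners.items():
        tenants = sorted({t for t, _ in own})
        if len(tenants) > 1:
            findings.append(Finding("shared_segment", "*", ",".join(sorted(n for _, n in own)),
                                    f"segmentation_id {seg} spans tenants {tenants}"))

    # 2. Cross-layer consistency: each managed port must be tagged on its host,
    #    and the tag must resolve to the segment the management layer assigned.
    for port_id, port in ports.items():
        host = port["host"]
        expected = nets[port["network_id"]]["segmentation_id"]
        view = impl.get(host, {"port_tags": {}, "vlan_to_segment": {}})
        vlan = view["port_tags"].get(port_id)
        if vlan is None:
            findings.append(Finding("untagged_port", host, port_id,
                                    "no local VLAN on the host: frames are not confined to any segment"))
            continue
        actual = view["vlan_to_segment"].get(vlan)
        if actual != expected:
            findings.append(Finding("wrong_segment", host, port_id,
                                    f"local vlan {vlan} maps to segment {actual}, expected {expected}"))

    # 3. Layer-2 isolation on a host: one local VLAN must not carry two networks,
    #    and every tagged port must be known to the management layer.
    for host, view in impl.items():
        by_vlan = defaultdict(set)
        for port_id, vlan in view["port_tags"].items():
            if port_id in ports:
                by_vlan[vlan].add(ports[port_id]["network_id"])
            else:
                findings.append(Finding("unmanaged_port", host, port_id,
                                        "tagged on the host but absent from the management layer"))
        for vlan, net_ids in by_vlan.items():
            if len(net_ids) > 1:
                findings.append(Finding("vlan_collision", host, f"vlan {vlan}",
                                        f"carries networks {sorted(net_ids)}"))
    return findings


# Constructed sample cloud containing one instance of each inconsistency.
MGMT = {
    "networks": {
        "net-alpha": {"tenant": "alpha", "segmentation_id": 101},
        "net-beta":  {"tenant": "beta",  "segmentation_id": 102},
        "net-gamma": {"tenant": "gamma", "segmentation_id": 102},   # reuses beta's segment
    },
    "ports": {
        "p-a1": {"network_id": "net-alpha", "host": "cn1"},
        "p-a2": {"network_id": "net-alpha", "host": "cn2"},
        "p-a3": {"network_id": "net-alpha", "host": "cn3"},          # host has no OVS state
        "p-b1": {"network_id": "net-beta",  "host": "cn1"},
        "p-b2": {"network_id": "net-beta",  "host": "cn2"},
    },
}
IMPL = {
    "cn1": {"port_tags": {"p-a1": 1, "p-b1": 2, "p-zzz": 3},          # p-zzz: stale or rogue port
            "vlan_to_segment": {1: 101, 2: 102, 3: 101}},
    "cn2": {"port_tags": {"p-a2": 1, "p-b2": 1},                      # beta port in alpha's VLAN
            "vlan_to_segment": {1: 101}},
}

if __name__ == "__main__":
    for f in audit(MGMT, IMPL):
        print(f"[{f.check}] host={f.host} {f.subject}: {f.detail}")
```

In a real deployment the two inputs would be collected from the Neutron database and from each compute node's OVS state (port tags and flow tables) at the same instant; the audit is only as good as the snapshot's consistency, which is why the paper frames it as offline.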
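
The TenantGuard abstract above names the ingredients (the hierarchical structure of virtual networks, VM-level and distributed security-group access control, a policy the results are checked against) without showing the verification itself. The Python below is an added example, not TenantGuard's code. It answers "can VM x reach VM y?" first at subnet/router level, so that VM pairs in unconnected subnets are never examined individually, and then at the level of each destination's ingress security-group rules, and reports every cross-tenant pair that is reachable. The cloud model (subnets, routers joining subnets, Neutron-style ingress rules with a remote CIDR or a remote group), the sample tenants and the router that is wrongly attached to two tenants' subnets are constructed for the example.

```python
"""VM-level isolation verification, in the spirit of TenantGuard.

Added example; not TenantGuard's code. It answers "can VM x reach VM y?"
hierarchically: first at subnet/router level, which discards every VM pair
whose subnets are not connected at all, then per destination VM against its
ingress security-group rules. The result is checked against a tenant-level
policy: no VM may reach a VM of another tenant.
"""

import ipaddress
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VM:
    name: str
    tenant: str
    subnet: str
    ip: str
    sec_groups: tuple      # names of the security groups applied to its port


@dataclass(frozen=True)
class Rule:                # Neutron-style ingress rule
    protocol: str          # "tcp", "udp", "icmp" or "any"
    port_min: int = 0
    port_max: int = 65535
    remote_cidr: Optional[str] = None    # allow from this prefix ...
    remote_group: Optional[str] = None   # ... or from members of this group


@dataclass
class Cloud:
    subnets: dict          # subnet id -> CIDR
    routers: dict          # router id -> subnet ids it connects
    sec_groups: dict       # group name -> list of Rule
    vms: list


def subnet_components(cloud: Cloud) -> dict:
    """Subnet-level reachability: subnets joined, transitively, by routers."""
    adj = {s: set() for s in cloud.subnets}
    for attached in cloud.routers.values():
        for s in attached:
            adj[s].update(x for x in attached if x != s)
    comp = {}
    for start in adj:
        if start in comp:
            continue
        comp[start] = start
        queue = deque([start])
        while queue:
            for n in adj[queue.popleft()]:
                if n not in comp:
                    comp[n] = start
                    queue.append(n)
    return comp


def rule_allows(rule: Rule, src: VM, protocol: str, port: int) -> bool:
    if rule.protocol not in ("any", protocol):
        return False
    if protocol in ("tcp", "udp") and not rule.port_min <= port <= rule.port_max:
        return False
    if rule.remote_cidr is not None:
        return ipaddress.ip_address(src.ip) in ipaddress.ip_network(rule.remote_cidr)
    if rule.remote_group is not None:
        return rule.remote_group in src.sec_groups
    return True


def reachable(cloud: Cloud, comp: dict, src: VM, dst: VM, protocol: str, port: int) -> bool:
    """An L3 path exists and at least one of dst's ingress rules admits the flow."""
    if comp[src.subnet] != comp[dst.subnet]:
        return False
    return any(rule_allows(r, src, protocol, port)
               for sg in dst.sec_groups for r in cloud.sec_groups.get(sg, ()))


def cross_tenant_paths(cloud: Cloud, protocol: str = "tcp", port: int = 22) -> list:
    """Policy check: every (src, dst) VM name pair of different tenants that is reachable."""
    comp = subnet_components(cloud)
    return [(s.name, d.name) for s in cloud.vms for d in cloud.vms
            if s.tenant != d.tenant and reachable(cloud, comp, s, d, protocol, port)]


# Constructed cloud: router r-shared is wrongly attached to subnets of two tenants.
CLOUD = Cloud(
    subnets={"sub-a": "10.1.0.0/24", "sub-b": "10.2.0.0/24", "sub-c": "10.3.0.0/24"},
    routers={"r-shared": ["sub-a", "sub-b"], "r-c": ["sub-c"]},
    sec_groups={
        "sg-alpha":      [Rule("tcp", 22, 22, remote_group="sg-alpha")],
        "sg-beta-open":  [Rule("tcp", 22, 22, remote_cidr="0.0.0.0/0")],
        "sg-beta-tight": [Rule("tcp", 22, 22, remote_cidr="10.2.0.0/24")],
        "sg-any":        [Rule("any")],
    },
    vms=[VM("vm-a1", "alpha", "sub-a", "10.1.0.5", ("sg-alpha",)),
         VM("vm-b1", "beta",  "sub-b", "10.2.0.5", ("sg-beta-open",)),
         VM("vm-b2", "beta",  "sub-b", "10.2.0.6", ("sg-beta-tight",)),
         VM("vm-c1", "gamma", "sub-c", "10.3.0.5", ("sg-any",))],
)

if __name__ == "__main__":
    print(cross_tenant_paths(CLOUD))   # the one breach the shared router opens
```

The shared router makes alpha's and beta's subnets one L3 component, but that alone is not a breach: vm-b2's group only admits its own /24 and vm-a1's group only admits alpha's own group members. Only vm-b1, whose group accepts SSH from 0.0.0.0/0, is reachable from alpha, so that single pair is reported; gamma's subnet is never compared at VM level because the subnet-level pass already separates it. Incremental re-verification after a change, which the abstract also relies on, follows the same split: a security-group edit only re-evaluates pairs within the affected component, and a router change only recomputes the components.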

Rodrigo S. Couto - One of the best experts on this subject based on the ideXlab platform.

  • XTC: A Throughput Control Mechanism for Xen-Based Virtualized Software Routers
    2011 IEEE Global Telecommunications Conference - GLOBECOM 2011, 2011
    Co-Authors: Rodrigo S. Couto, Miguel Elias M. Campista, Luis Henrique M. K. Costa
    Abstract: identical to the entry listed under Luis Henrique M. K. Costa above.

Dorgival Guedes - One of the best experts on this subject based on the ideXlab platform.

  • Efficient virtual Network Isolation in multi-tenant data centers on commodity ethernet switches
    2016 IFIP Networking Conference (IFIP Networking) and Workshops, 2016
    Co-Authors: Heitor Moraes, Marcos A. M. Vieira, Ítalo Cunha, Dorgival Guedes
    Abstract:

    Infrastructure-as-a-Service providers need to provision and isolate their tenants' virtual networks. Current network isolation solutions either suffer from limited scalability, incur encapsulation overheads, or require advanced (e.g., OpenFlow) hardware switches. We propose LANES, a system that provides isolation between billions of virtual machines using commodity Ethernet switches without encapsulation overheads. LANES virtualizes each tenant's network address space and configures rules on each server to translate (tenant) virtual addresses to (infrastructure) physical addresses. Virtual address spaces give tenants flexibility when configuring their virtual networks, and physical addresses reduce demand on infrastructure switches. We implement LANES in OpenStack, leveraging OpenStack's network description functionalities and using OpenFlow to configure Open vSwitch on infrastructure servers. Our evaluation shows LANES ensures network isolation with acceptable rule configuration latency.

  • LCN - Virtualized Network Isolation using Software Defined Networks
    38th Annual IEEE Conference on Local Computer Networks, 2013
    Co-Authors: Rogerio V. Nunes, Raphael L. Pontes, Dorgival Guedes
    Abstract:

    The increasing interest in Cloud Computing has brought new demands to providers of “Infrastructure-as-a-service” solutions. To host a large number of clients in the same datacenter, they require multi-tenant networks that can guarantee traffic isolation and scalability, with low costs. This paper describes a solution for this problem using Software Defined Networks (SDN). With SDN, we can program the virtual switches at the physical servers so as to meet all those requirements, without demanding special hardware in the network.

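
Both Guedes entries above describe the same approach, rules on each server's virtual switch (Open vSwitch driven over OpenFlow) that rewrite tenant virtual addresses into infrastructure addresses and back, without showing what the rules look like or why they isolate. The Python below is an added example, neither LANES's nor the LCN paper's code, address scheme or rule layout. It allocates one infrastructure MAC per VM port from an assumed locally administered prefix (02:4c:41), generates per-server rules in ovs-ofctl add-flow syntax, and simulates a frame through the sending server, the fabric and the receiving server. The port numbers, the MAC addresses, the uplink port number and the two tenants, which deliberately reuse the same virtual MACs, are constructed for the example. The isolation argument it makes concrete: translation is keyed by (tenant, virtual address), so a frame addressed to a virtual address that does not exist in the sender's tenant matches no rule and hits the default drop, and a frame with a forged source address matches no rule either.

```python
"""Per-server address translation for tenant isolation without encapsulation,
in the spirit of LANES and of programming the servers' vSwitches (LCN 2013).

Added example; neither paper's code, rule layout or address scheme. Each VM
port gets an infrastructure MAC from a central allocator; the vSwitch on the
VM's server rewrites the tenant's virtual MACs to infrastructure MACs on the
way out and back on the way in. Rules are keyed by tenant, so two tenants may
use the same virtual address, and a virtual address that does not exist in
the sender's tenant matches no rule and is dropped.
"""

from dataclasses import dataclass
from typing import Optional

UPLINK = 1    # assumed OpenFlow port number of each server's fabric-facing NIC


@dataclass(frozen=True)
class VMPort:
    name: str
    tenant: str
    server: str
    ofport: int       # OpenFlow port of the VM's tap on that server's vSwitch
    vmac: str         # virtual MAC chosen inside the tenant's address space


@dataclass(frozen=True)
class Flow:
    priority: int
    in_port: Optional[int]
    dl_src: Optional[str]
    dl_dst: Optional[str]
    new_src: Optional[str]    # mod_dl_src action, if any
    new_dst: Optional[str]    # mod_dl_dst action, if any
    out_port: Optional[int]   # None means drop

    def render(self) -> str:
        """The same rule in ovs-ofctl add-flow syntax."""
        match = [f"priority={self.priority}"]
        if self.in_port is not None:
            match.append(f"in_port={self.in_port}")
        if self.dl_src:
            match.append(f"dl_src={self.dl_src}")
        if self.dl_dst:
            match.append(f"dl_dst={self.dl_dst}")
        acts = ([f"mod_dl_src:{self.new_src}"] if self.new_src else []) + \
               ([f"mod_dl_dst:{self.new_dst}"] if self.new_dst else []) + \
               [f"output:{self.out_port}" if self.out_port is not None else "drop"]
        return ",".join(match) + ",actions=" + ",".join(acts)


def infra_mac(n: int) -> str:
    """Infrastructure MAC number n under an assumed locally administered prefix."""
    return f"02:4c:41:{(n >> 16) & 0xff:02x}:{(n >> 8) & 0xff:02x}:{n & 0xff:02x}"


def build_tables(ports):
    """Returns ({server: [Flow]}, {VMPort: infrastructure MAC})."""
    pmac = {p: infra_mac(i + 1) for i, p in enumerate(ports)}
    flows = {p.server: [Flow(0, None, None, None, None, None, None)] for p in ports}  # default drop
    for p in ports:
        for q in ports:
            if q.tenant != p.tenant or q == p:
                continue                       # no rule toward other tenants' addresses
            if q.server == p.server:           # same server: local delivery, no rewrite
                flows[p.server].append(Flow(200, p.ofport, p.vmac, q.vmac, None, None, q.ofport))
            else:
                # egress at p's server: virtual -> infrastructure addresses, onto the fabric
                flows[p.server].append(Flow(200, p.ofport, p.vmac, q.vmac, pmac[p], pmac[q], UPLINK))
                # ingress at q's server: infrastructure -> virtual addresses, to q's tap only
                flows[q.server].append(Flow(100, UPLINK, pmac[p], pmac[q], p.vmac, q.vmac, q.ofport))
    return flows, pmac


def apply(table, in_port, dl_src, dl_dst):
    """Highest-priority matching rule wins; returns (out_port, src, dst) or None if dropped."""
    for f in sorted(table, key=lambda f: -f.priority):
        if f.in_port not in (None, in_port) or f.dl_src not in (None, dl_src) \
                or f.dl_dst not in (None, dl_dst):
            continue
        if f.out_port is None:
            return None
        return f.out_port, f.new_src or dl_src, f.new_dst or dl_dst
    return None


def send(flows, pmac, src: VMPort, dl_src: str, dl_dst: str):
    """Trace one frame: source server, then (if forwarded) the fabric and destination server."""
    hop = apply(flows[src.server], src.ofport, dl_src, dl_dst)
    if hop is None:
        return None
    out_port, s, d = hop
    if out_port != UPLINK:
        return (src.server, out_port, s, d)
    # Commodity fabric: forwards on the infrastructure destination MAC alone.
    dst_server = next(p.server for p, m in pmac.items() if m == d)
    hop = apply(flows[dst_server], UPLINK, s, d)
    return None if hop is None else (dst_server, hop[0], hop[1], hop[2])


# Constructed ports: two tenants deliberately reusing the same virtual MACs.
PORTS = [
    VMPort("a1", "alpha", "s1", 5, "fa:16:3e:00:00:01"),
    VMPort("a2", "alpha", "s2", 7, "fa:16:3e:00:00:02"),
    VMPort("b1", "beta",  "s1", 6, "fa:16:3e:00:00:01"),
    VMPort("b2", "beta",  "s2", 8, "fa:16:3e:00:00:02"),
]

if __name__ == "__main__":
    flows, pmac = build_tables(PORTS)
    for server, table in flows.items():
        print(f"# {server}")            # br-int below is an assumed bridge name
        for f in sorted(table, key=lambda f: -f.priority):
            print(f"ovs-ofctl add-flow br-int '{f.render()}'")
```

Note what the fabric switches see: only the 02:4c:41:… infrastructure addresses, one per VM port rather than one per tenant-chosen address, and never the overlapping fa:16:3e:… virtual MACs, which is how the scheme stays within commodity MAC-table sizes without VXLAN or GRE encapsulation. The per-pair rule count grows quadratically with VMs per tenant, which is the cost the LANES abstract measures as rule configuration latency.
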
Yushun Wang - One of the best experts on this subject based on the ideXlab platform.

  • Auditing Virtual Network Isolation Across Cloud Layers
    Cloud Security Auditing, 2019
    Co-Authors: Suryadipta Majumdar, Yushun Wang, Taous Madi, Yosr Jarraya, Amir Alimohammadifar, Makan Pourzandi, Lingyu Wang, Azadeh Tabiban, Momen Oqaily, Mourad Debbabi
    Abstract: identical to the entry listed under Mourad Debbabi above.

  • ISOTOP: Auditing Virtual Networks Isolation Across Cloud Layers in OpenStack
    ACM Transactions on Privacy and Security, 2019
    Co-Authors: Taous Madi, Yushun Wang, Suryadipta Majumdar, Yosr Jarraya, Amir Alimohammadifar, Makan Pourzandi, Lingyu Wang, Mourad Debbabi
    Abstract: identical to the entry listed under Mourad Debbabi above.

  • TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation
    Proceedings 2017 Network and Distributed System Security Symposium, 2017
    Co-Authors: Yushun Wang, Taous Madi, Suryadipta Majumdar, Yosr Jarraya, Amir Alimohammadifar, Makan Pourzandi, Lingyu Wang, Mourad Debbabi
    Abstract: identical to the entry listed under Mourad Debbabi above.