10,439 research outputs found

    Domain Isolation in a Multi-Tenant Software-Defined Network

    Software-Defined Networking (SDN) has evolved as a new networking paradigm to solve many of the current obstacles and limitations in communication networks. SDN technology is going to be implemented in multi-tenant environments like data centers, where several customers, called “tenants”, share network resources. In fact, the integration of SDN allows tenants in a shared network to have higher levels of control over available resources. While this approach has several advantages, the isolation between the tenants of a shared network becomes a vital factor which has not been discussed clearly so far. This thesis discusses multi-tenancy and explains current isolation approaches in a multi-tenant SDN. To increase isolation between tenants, this thesis proposes a scalable solution that provides traffic isolation, address space isolation, control isolation and performance isolation. In the new system architecture, tenants are not limited to their own networks and are able to interact with each other and with external resources. Indeed, while tenants are isolated from each other, they are allowed to access special services offered by other tenants or external services outside of a shared network. The evaluation of the prototype proves that the new architecture provides a high level of isolation in a multi-tenant SDN and that it is scalable enough to be implemented in large networks with millions of tenants.

    Investigation of Virtual Network Isolation security in Cloud computing : data leakage issues

    Software Defined Networking (SDN) or Virtual Networks (VNs) are required for cloud tenants to leverage demands. However, multi-tenancy can be compromised without proper isolation. Much research has been conducted into VN isolation; many researchers are not tackling security aspects or checking if their isolation evaluation is complete. Therefore, data leakage is a major security worry in the cloud in general. This paper uses an OpenStack VN and OpenStack Tenant Network to test multi-tenancy features. We aim to evaluate the relationship between isolation methods used in cloud VN and the amount of data being leaked, using penetration tests. These tests will be used to identify the vulnerabilities causing cloud VN data leakage and to investigate how the vulnerabilities, and the leaked data, can compromise the tenant Virtual Networks.

    SDN based security solutions for multi-tenancy NFV

    The Internet continues to expand drastically as a result of the explosion of mobile devices, content, server virtualization, and the advancement of cloud services. This increase has significantly changed traffic patterns within enterprise data centres. Therefore, advanced technologies are needed to improve traditional network deployments to enable them to handle the changing network patterns. Software defined networks (SDN) and network function virtualisation (NFV) are innovative technologies that enable network flexibility, increase network and service agility, and support service-driven virtual networks using concepts of virtualisation and softwarisation. Collaboration of these two concepts enables a cloud operator to offer network-as-a-service (NaaS) to multiple tenants in a data-centre deployment. Despite the benefits brought by these technologies, they also bring along security challenges that need to be addressed and managed to ensure successful deployment and encourage faster adoption in industry. This dissertation proposes a security solution based on tenant isolation, network access control (NAC) and network reconfiguration that can be implemented in an NFV multi-tenant deployment to guarantee privacy and security of tenant functions. The evaluation of the proof-of-concept framework proves that the SDN based tenant isolation solution provides a high level of isolation in a multi-tenant NFV cloud. It also shows that the proposed network reconfiguration greatly reduces the chances of an attacker correctly identifying the location and IP addresses of tenant functions within the cloud environment. Because of resource limitation, the proposed NAC solution was not evaluated. The efficiency of this solution for multitenancy NFV has been added as part of future work.