25,490 research outputs found

    Exploring the firewall security consistency in cloud computing during live migration

    Virtualization technology adds great opportunities and challenges to the cloud computing paradigm. Resource management can be efficiently enhanced by employing Live Virtual Machine Migration (LVMM) techniques. Based on the literature of LVMM implementation in the virtualization environment, middle-boxes such as firewalls do not work effectively after LVMM as it introduces dynamic changes in network status and traffic, which may lead to critical security vulnerabilities. One key security hole is that the security context of the firewall does not move with the Virtual Machine after LVMM is triggered. This leads to inconsistency in the firewall level of protection of the migrated Virtual Machine. There is a lack in the literature of practical studies that address this problem in cloud computing platforms. This paper demonstrates a practical analysis using an OpenStack testbed to study the firewalls' limitations in protecting virtual machines after LVMM. Two network scenarios are used to evaluate this problem. The results show that the security context problem does not exist in the stateless firewall but can exist in the stateful firewall.

    A Security Solution for Wireless Local Area Network (WLAN) Using Firewall and VPN

    In the era of the internet, millions of users share resources for different purposes. The chances of security risks are greater when a user is connected to the internet. Internet technology plays an important role in every aspect of human life. We can create virtual connectivity within seconds with anyone in the world and can exchange or share information through the internet. Sometimes this information is very useful for defense and personal use. Sometimes this information is stolen on the internet, or we can say destroyed, so that the receiver cannot receive it; so, for successful communication on the internet, our connection should be protected. For this protection we can use firewall protection and a VPN network. These networks are much more protected than a normal network. A network with VPN and firewall is faster and more efficient than a normal connection. In a normal network the user may face unexpected delay due to malware and viruses. In this paper we describe and analyze the impact of Virtual Private Network technology and a firewall compared with a normal network. We have simulated three scenarios: without firewall, with firewall, and Firewall_VPN. The simulation results of the three scenarios are compared over WLAN to analyze the impact of firewall and VPN on network performance. OPNET 14.5 is used for the simulation work. Keywords: VPN, Firewall, Security, WLAN, OPNET 14.5

    A demonstration of VEREFOO: an automated framework for virtual firewall configuration

    Nowadays, security automation exploits the agility characterizing network virtualization to replace the traditional error-prone human operations. This dynamism allows user-specified high-level intents to be rapidly refined into the concrete configuration rules which should be deployed on virtual security functions. In this revolutionary context, this paper proposes the demonstration of a novel security framework based on an optimized approach for the automatic orchestration of virtual distributed firewalls. The framework provides formal guarantees for the firewall configuration correctness and minimizes the size of the firewall allocation scheme and rule set. The framework produces rules that can be deployed on multiple types of real virtual function implementations, such as iptables, eBPF firewalls and Open vSwitch

    Deliverable DJRA1.3: Tool prototype for creating and stitching multiple network resources for virtual infrastructures

    This document describes the prototype FEDERICA Slice Tool developed for the virtualization of network elements in FEDERICA and for creating and stitching network resources over this virtual infrastructure. An SNMP-based resource discovery prototype is also introduced as a new functionality to be integrated in the tool. The deliverable also presents a viability study for the use of traffic prioritization in the FEDERICA infrastructure and some network performance measurements on a real slice within FEDERICA. This document reports the final results of JRA1.2 Activity in the development of a tool prototype for creating sets of virtual resources in FEDERICA. The prototype goal is to simplify and automate part of the work for the NOC. The tool may also serve, with different privileges, a FEDERICA user to operate on his/her slice. The tool described here was designed with the objective of providing an interactive application with a graphical interface to operate on resources for the NOC and the end users (researchers). The tool simplifies the creation and configuration of resources in a slice and it is a mandatory step to ensure scalability of the NOC effort. It offers an interactive Graphical User Interface that translates the users’ actions to commands in the substrate (network nodes and V-nodes) and slice elements (Virtual Machines). User accounts may be created for the NOC and for researchers, each with specific privileges to enable different sets of capabilities. The NOC account has full access to all the resources in the substrate, while each user’s account has full access only to the virtual resources in his/her slice. The tool has been developed using the Java programming language as Open Source code and relies on the open source Globus® Toolkit. Testing has been performed in a laboratory environment and on some FEDERICA substrate equipment (1 switch, 2 VMware Servers) in their standard configuration. For testing the router, web services and GUI an additional computer was used, using a public IP address. Postprint (published version)

    The Raincore API for clusters of networking elements

    Clustering technology offers a way to increase overall reliability and performance of Internet information flow by strengthening one link in the chain without adding others. We have implemented this technology in a distributed computing architecture for network elements. The architecture, called Raincore, originated in the Reliable Array of Independent Nodes, or RAIN, research collaboration between the California Institute of Technology and the US National Aeronautics and Space Agency's Jet Propulsion Laboratory. The RAIN project focused on developing high-performance, fault-tolerant, portable clustering technology for spaceborne computing. The technology that emerged from this project became the basis for a spinoff company, Rainfinity, which has the exclusive intellectual property rights to the RAIN technology. The authors describe the Raincore conceptual architecture and distributed services, which are designed to make it easy for developers to port their applications to run on top of a cluster of networking elements. We include two applications: a Web server prototype that was part of the original RAIN research project and a commercial firewall cluster product from Rainfinity