Integrating a Network IDS into an Open Source Cloud Computing Environment
DESCRIPTION
Integrating a Network IDS into an Open Source Cloud Computing Environment. 1st International Workshop on Security and Performance in Emerging Distributed Architectures (SPEDA2010). Claudio Mazzariello, Roberto Bifulco, Roberto Canonico. “Federico II” University of Napoli.
TRANSCRIPT
![Page 1: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/1.jpg)
1
Integrating a Network IDS into an Open Source Cloud Computing Environment
1st International Workshop on Security and Performance in Emerging Distributed Architectures (SPEDA2010)
Claudio Mazzariello
Roberto Bifulco
Roberto Canonico
“Federico II” University of Napoli
![Page 2: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/2.jpg)
2
Outline
• Cloud computing security issues
• Examples of recent security incidents
• Securing a Cloud
• Implementation of a Cloud
• A network Intrusion Detection System
• Experimental evaluation
![Page 3: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/3.jpg)
3
Cloud Computing peculiarities
• Shared resources among several customers
• Highly dynamic infrastructures
• Cheap access to large scale computation/storage/communication facilities
• …
![Page 4: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/4.jpg)
4
Cloud Computing security issues
• Shared resources among several customers
– New types of attacks (e.g. DoS over colocated VMs)
– Privacy infringement
– ...
• Highly dynamic infrastructures
– Users tracking and profiling
• Cheap access to large scale computation/storage/communication facilities
– Misuse of the CC model aimed at conducting illegal activities
![Page 5: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/5.jpg)
5
Attack source
• External attackers
– Malicious users perform attacks targeting Cloud users
• Internal attackers
– Malicious users rent a share of Cloud resources
– Cheap, huge amounts of resources can be exploited to perform attacks against remote victims
![Page 6: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/6.jpg)
6
Examples of CC-related security incidents
• “We have several customers being attacked from the same EC2 instance on their network for 2 full days now...”
– http://seclists.org/nanog/2010/Apr/811
• “I discovered that several systems on the Amazon EC2 network were performing brute force attacks, against our VoIP servers.”
– http://www.stuartsheldon.org/blog/2010/04/sip-brute-force-attack-originating-from-amazon-ec2-hosts/
• “Complaints of rampant SIP Brute Force Attacks coming from servers with Amazon EC2 IP Addresses cause many admins to simply drop all Amazon EC2 traffic.”
– http://www.voiptechchat.com/voip/457/amazon-ec2-sip-brute-force-attacks-on-rise/
![Page 7: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/7.jpg)
7
Securing a Cloud by monitoring traffic
• Cloud computing suffers from common network-related security threats
• Cloud computing, with its novel usage paradigm, introduces novel threats
• We evaluate effectiveness and impact of common, production level traffic monitoring tools
– Using different deployment strategies: centralized vs. distributed
– By measuring computational overhead and detection capability
![Page 8: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/8.jpg)
8
IMPLEMENTING A CLOUD
![Page 9: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/9.jpg)
9
Open Source Cloud Computing
• Eucalyptus is an open source Cloud Computing system that reproduces all Amazon EC2's services
• It allows the management of multiple “Availability zones”.
[Figure: Eucalyptus architecture; components shown: Client-side API, Amazon EC2 Interface, Cloud Controller, Database, Cluster Controller, Node Controller]
![Page 10: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/10.jpg)
10
Looking at a single cluster
• Our focus is on a single cluster managed by Eucalyptus (one geographic location)
[Figure: single-cluster view; components shown: Client-side API, Amazon EC2 Interface, Cloud Controller]
![Page 11: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/11.jpg)
11
NETWORK SECURITY TOOL
![Page 12: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/12.jpg)
12
Functionalities of an Intrusion Detection System
• Activity monitoring (sensor)
– Network traffic packets
• Recognize suspicious and inappropriate activities (analyzer)
• Generate alerts (user interface)
[Figure: IDS components: Sensor, Analyzer, User Interface]
![Page 13: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/13.jpg)
13
Snort – an open source Intrusion Detection System
• Snort is a signature based IDS
– Each detectable attack is described by a static rule
– Each rule contains particular byte-patterns and values to be sought for in both the packet header and payload
• Snort operates in real-time
• Snort is open-source
– Flexible
– Extendable
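The slide above describes how a signature-based IDS works: a static rule names header fields and a byte pattern to be sought in the payload, and a match raises an alert. The block below is an added example written for this transcript, not Snort's own code and not code from the paper. It implements that idea in a few dozen lines: each Rule matches on protocol and destination port (header), then on a byte pattern (payload), and optionally applies a per-source rate threshold in the spirit of Snort's detection_filter, which is the kind of rule needed to distinguish an INVITE flood against a SIP server (the attack evaluated later in the deck) from a normal call rate. The rule ids, IP addresses and packets are constructed for the example.

```python
"""Added example: a minimal signature matcher in the spirit of Snort rules.
It is not Snort's own code. Each Rule names a protocol and destination port,
a byte pattern sought in the payload, and an optional per-source rate
threshold (the idea behind Snort's detection_filter). Sample traffic is
constructed inline and is not a real capture."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    src: str        # source IP (constructed addresses below)
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int
    ts: float       # capture timestamp, seconds
    payload: bytes


@dataclass
class Rule:
    sid: int
    msg: str
    proto: str
    dport: int
    content: bytes        # byte pattern that must appear in the payload
    count: int = 1        # fire once at least `count` matches from one source...
    seconds: float = 0.0  # ...fall inside this sliding window (0 = fire on every match)


class Matcher:
    def __init__(self, rules):
        self.rules = rules
        # (sid, source IP) -> timestamps of recent matches, for rate thresholds
        self.history = defaultdict(deque)

    def inspect(self, pkt):
        """Return a list of (sid, msg, src, ts) alerts raised by this packet."""
        alerts = []
        for rule in self.rules:
            # Header fields first, then the payload byte pattern.
            if rule.proto != pkt.proto or rule.dport != pkt.dport:
                continue
            if rule.content not in pkt.payload:
                continue
            if rule.seconds == 0:
                alerts.append((rule.sid, rule.msg, pkt.src, pkt.ts))
                continue
            window = self.history[(rule.sid, pkt.src)]
            window.append(pkt.ts)
            # Drop matches that have aged out of the sliding window.
            while window and pkt.ts - window[0] > rule.seconds:
                window.popleft()
            # Like detection_filter: alert on every packet once the threshold is reached.
            if len(window) >= rule.count:
                alerts.append((rule.sid, rule.msg, pkt.src, pkt.ts))
        return alerts


# Constructed rule set (sids in the local 1000000+ range, not real Snort rules).
RULES = [
    Rule(1000001, "SIP INVITE flood", "udp", 5060, b"INVITE sip:", count=5, seconds=1.0),
    Rule(1000002, "HTTP directory traversal attempt", "tcp", 80, b"/../"),
]


def build_sample_traffic():
    """Constructed traffic: a benign SIP user agent, a flooding source, two HTTP requests."""
    invite = b"INVITE sip:100@10.0.0.5 SIP/2.0\r\nVia: SIP/2.0/UDP %s:5060\r\n\r\n"
    pkts = []
    for i in range(2):   # benign: two calls half a second apart
        pkts.append(Packet("10.0.1.7", "10.0.0.5", "udp", 5060, 10.0 + 0.5 * i, invite % b"10.0.1.7"))
    for i in range(8):   # flood: eight INVITEs within 80 ms
        pkts.append(Packet("10.0.2.9", "10.0.0.5", "udp", 5060, 20.0 + 0.01 * i, invite % b"10.0.2.9"))
    pkts.append(Packet("10.0.3.3", "10.0.0.8", "tcp", 80, 30.0, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"))
    pkts.append(Packet("10.0.3.3", "10.0.0.8", "tcp", 80, 30.1, b"GET /../../etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n"))
    return pkts


def run_demo(packets=None):
    """Run the rule set over the traffic and return all alerts in order."""
    matcher = Matcher(RULES)
    alerts = []
    for pkt in packets if packets is not None else build_sample_traffic():
        alerts.extend(matcher.inspect(pkt))
    return alerts


if __name__ == "__main__":
    for sid, msg, src, ts in run_demo():
        print(f"[{sid}] {msg} from {src} at t={ts:.2f}s")
```

On the constructed traffic the benign user agent never reaches the five-INVITEs-per-second threshold, the flooding source raises an alert on its fifth packet and on every packet after it, and the traversal pattern fires on a single match. The per-source state in `history` is what a real sensor has to bound (Snort does this with a fixed memory cap), since an attacker who spreads a flood across many source addresses would otherwise grow it without limit.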
![Page 14: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/14.jpg)
14
EXPERIMENTAL EVALUATION
![Page 15: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/15.jpg)
15
Distribution of services in nodes
• Asterisk SIP server
• RTP user agents
• Apache web server
![Page 16: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/16.jpg)
16
The overall picture
• “Inviteflood” attack tool
• D-ITG background traffic generator
![Page 17: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/17.jpg)
17
Two different IDS deployment scenarios
• One IDS close to the cluster controller
– Monitors inbound/outbound traffic
– Monitors traffic between different security groups
– VLAN tags are removed
– Traffic related to different security groups becomes indistinguishable
• Several IDS’s, each close to a physical machine
– Each IDS monitors traffic to/from virtual resources hosted on the physical machine
• In both scenarios, all attack instances are correctly detected
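The centralized scenario above loses one piece of information: once the VLAN tags are removed, an alert can no longer be attributed to the security group whose traffic triggered it. The block below is an added example, not code from the paper or from Eucalyptus, that makes this concrete. It builds 802.1Q-tagged Ethernet frames as a sensor next to a physical machine would see them (assuming the tag is still present at that point), strips the tag as an untagging bridge port would, and shows that the same frame maps to a security group before stripping and to "unknown" after it. The VLAN-to-security-group table, MAC addresses and payload are constructed for the example.

```python
"""Added example (not Eucalyptus or Snort code): parse 802.1Q-tagged Ethernet
frames as a per-node sensor would see them, and show what is lost once the
tag is stripped, as the deck says happens at the cluster controller. The
VLAN-to-security-group table and the MAC/payload values are constructed."""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed mapping: which VLAN carries which security group's traffic.
SECURITY_GROUPS = {10: "web-tier", 20: "voip-tier"}


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, vlan_id, ethertype, payload):
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan_id is given."""
    frame = _mac_bytes(dst) + _mac_bytes(src)
    if vlan_id is not None:
        tci = vlan_id & 0x0FFF        # PCP = 0, DEI = 0, VID in the low 12 bits
        frame += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return header fields, including vlan_id (None when the frame is untagged)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return {"dst": _mac_str(dst), "src": _mac_str(src), "vlan_id": vlan_id,
            "ethertype": ethertype, "payload": frame[offset:]}


def strip_vlan_tag(frame):
    """Remove the 4-byte 802.1Q tag (TPID + TCI), as an untagging bridge port does."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_VLAN:
        return frame[:12] + frame[16:]
    return frame


def security_group_of(frame):
    """Attribute a frame to a security group via its VLAN id; 'unknown' if untagged."""
    return SECURITY_GROUPS.get(parse_frame(frame)["vlan_id"], "unknown")


def demo():
    """Same frame as seen at a worker node (tagged) and at the cluster controller (untagged)."""
    payload = b"INVITE sip:100@10.0.0.5 SIP/2.0\r\n"   # stand-in for the IP/UDP/SIP payload
    tagged = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", 20, ETHERTYPE_IPV4, payload)
    untagged = strip_vlan_tag(tagged)
    return security_group_of(tagged), security_group_of(untagged)


if __name__ == "__main__":
    print(demo())   # ('voip-tier', 'unknown')
```

The payload survives stripping unchanged, so a signature on the packet contents still fires at the cluster controller, which is consistent with the deck's result that both deployments detect every attack instance; what the centralized sensor cannot do is tell which tenant's security group the matching traffic belonged to, and a sensor placed before the untagging point keeps that attribution.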
![Page 18: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/18.jpg)
18
MONITORING AT THE CLUSTER CONTROLLER
![Page 19: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/19.jpg)
19
Cluster Front-end CPU profile
[Figure: CPU utilization over time, 0–100 % axis; series: Snort, Packet forwarding]
![Page 20: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/20.jpg)
20
MONITORING AT EACH PHYSICAL MACHINE
![Page 21: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/21.jpg)
21
Attacked worker node CPU profile
[Figure: CPU utilization over time, 0–100 % axis; series: Attacked VM, Dom0, Non-attacked VMs]
![Page 22: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/22.jpg)
22
Non-Attacked worker node CPU profile
[Figure: CPU utilization over time, 0–100 % axis]
![Page 23: Integrating a Network IDS into an Open Source Cloud Computing Environment](https://reader036.vdocument.in/reader036/viewer/2022081504/56814e54550346895dbbe617/html5/thumbnails/23.jpg)
23
Conclusions
• Monitoring traffic at the cluster controller
– Privileged observation point
– Look at all traffic
– Misses internal attacks
• Monitoring traffic at each physical machine
– Limited scope
– Lightweight
– Increased cloud resilience