As the use of cloud computing grows, so do the threats that endanger a cloud environment. Seungwon Shin, Ph.D., assistant professor at the graduate school of information security at the Korea Advanced Institute of Science and Technology, recently developed a framework that uses OpenFlow to implement more granular security monitoring for cloud service providers.
Shin detailed the creation and implementation of this framework in his research paper, CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks, which he completed as a PhD student at Texas A&M University. We asked Shin to expand on the challenges network administrators are facing today with regard to cloud security, and how CloudWatcher uses OpenFlow to enable security in multi-tenant cloud environments.
"SDN is very promising because it has the potential to make networks cheaper to build and manage on an ongoing basis." -- Seungwon Shin, Ph.D., assistant professor, Korea Advanced Institute of Science and Technology
What are some of the challenges of monitoring and securing cloud networks?
Seungwon Shin: There are several issues in monitoring cloud networks for security -- the most critical, I think, is the complexity of network configurations. There are many hosts and VMs [virtual machines] in a cloud network, and they are connected to each other to provide network services. It requires many network connection links, and all these links can be the points for monitoring.
Previously, we just needed to monitor network traffic [for security] at the point between the outside network and the inside network, which we call the DMZ point. However, there are currently many threats from inside. For example, in a cloud network, there should [be] many different tenants, and if there are some malicious tenants, they can easily attack other tenants located in the same cloud network. Therefore, some cloud service providers [e.g., Amazon] try to investigate most network traffic inside, and it requires many additional security-monitoring devices and complicated network configurations.
What is CloudWatcher? Please outline the three key elements of the framework.
Shin: CloudWatcher is a security monitoring service for a cloud service provider, and it depends on SDN functionalities. Based on the defined security policies, CloudWatcher delivers network traffic to network monitoring devices [or security middle boxes] by rerouting the traffic. This rerouting operation is transparent to anyone, so network administrators do not need to worry about network configurations or installations of network monitoring devices [or security middle boxes]. The network administrator can also define some response actions, such as a packet drop, through CloudWatcher to protect his network.
In addition, I want to emphasize the following three elements:
- A policy manager: This element receives some security or monitoring policies from network administrators.
- A network flow handler: Based on the defined policies, this element reroutes network traffic to deliver it to monitoring devices.
- A response manager: If some network packets are detected as malicious, this element can drop or block packets.
How specifically is OpenFlow used in this framework?
Shin: To realize services that CloudWatcher provides, we use OpenFlow functions to control each network device. In our service, we assume all network devices support OpenFlow or SDN-related functions, meaning we can control network traffic with a centralized controller. CloudWatcher has been implemented as a network service running on an OpenFlow controller [specifically, NOX and POX].
In this case, since we can change packet headers in each network device, we can reroute network packets as we want. In addition, the response actions provided by CloudWatcher can be implemented by controlling network packets in each network device [e.g., enforce a flow rule to drop some network packets to a network device].
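To make the three elements above and this OpenFlow rerouting concrete, here is an added Python model that is not CloudWatcher's own code and does not use the NOX/POX API: a policy handed over by the policy manager becomes one OpenFlow-style flow rule per switch, detouring the matching flow through the switch where a monitoring device is attached, and the response manager's drop action becomes a higher-priority rule with no actions. The topology, switch names, tenant subnets and port numbers are constructed for the illustration.

```python
from collections import deque

# Constructed sample topology (hypothetical switch names): switch -> neighbours.
TOPOLOGY = {"s1": ["s2", "s4"], "s2": ["s1", "s3"], "s3": ["s2", "s4"], "s4": ["s1", "s3"]}
# Constructed: edge switch for each tenant subnet, and the switch/port the IDS hangs off.
HOST_SWITCH = {"10.0.1.0/24": "s1", "10.0.2.0/24": "s4"}
MONITOR_SWITCH, MONITOR_PORT = "s3", 9


def shortest_path(src, dst):
    """Breadth-first search over TOPOLOGY; returns the switch sequence src..dst."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in TOPOLOGY[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def monitoring_rules(policy):
    """Network flow handler: the policy manager hands over {src, dst}; we build one
    OpenFlow-style rule per switch so the flow detours via MONITOR_SWITCH, where it
    is also copied out to the IDS port. Without the policy, s1 -> s4 is a direct hop."""
    src_sw, dst_sw = HOST_SWITCH[policy["src"]], HOST_SWITCH[policy["dst"]]
    detour = shortest_path(src_sw, MONITOR_SWITCH) + shortest_path(MONITOR_SWITCH, dst_sw)[1:]
    match = {"nw_src": policy["src"], "nw_dst": policy["dst"]}
    rules = []
    for i, sw in enumerate(detour):
        actions = []
        if sw == MONITOR_SWITCH:
            actions.append(f"output:{MONITOR_PORT}")  # mirror to the monitoring device
        # Placeholder port names; a real controller resolves the next hop to a port number.
        actions.append(f"output:to_{detour[i + 1]}" if i + 1 < len(detour) else "output:to_host")
        rules.append({"switch": sw, "match": match, "actions": actions, "priority": 10})
    return rules


def response_rule(alert):
    """Response manager: when the monitor flags a flow, install a higher-priority
    rule with an empty action list (an OpenFlow drop) at the offender's edge switch."""
    match = {"nw_src": alert["src"], "nw_dst": alert["dst"]}
    return {"switch": HOST_SWITCH[alert["src"]], "match": match, "actions": [], "priority": 100}
```

Calling monitoring_rules({"src": "10.0.1.0/24", "dst": "10.0.2.0/24"}) yields rules on s1, s2, s3 and s4, with the s3 rule both mirroring to port 9 and forwarding on, whereas the unpoliced path is just s1 -> s4.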
How does CloudWatcher enable security in multi-tenant cloud environments?
Shin: CloudWatcher provides a policy management function, and with the help of this, each tenant can define his own security or monitoring policies. CloudWatcher will orchestrate policies to remove any conflicts, but this service has not been implemented yet.
Describe the implementation process of the CloudWatcher framework. What challenges did you encounter within the different test network environments?
Shin: I had decided to implement CloudWatcher as a network application on the NOX controller. However, since this controller has been deprecated, I needed to find another controller. [Since then,] CloudWatcher has been ported to the POX controller.
It is very hard to find a real network that supports SDN these days, so we decided to set up a small test bed network, which consists of six OpenFlow switches. To reduce the cost, we used some cheap wireless APs [access points] [e.g., LinkSys wireless router] for our OpenFlow switches, and we have tested several possible network configurations. In addition, we used Mininet to emulate a much larger network, like a network consisting of 128 switches.
What are some of the limitations of the CloudWatcher framework that you discovered during the implementation phase?
Shin: There are several limitations in this work. For example, we haven't finalized the orchestration service for multiple tenants. We also need to test this framework with a real SDN network, and we need to improve the performance of this framework.
Overall, what benefits does CloudWatcher provide to those looking to secure their cloud networks?
Shin: When I talked with network administrators, I noticed that they mainly suffered from the complexity of network configurations, or when they want to provide useful security monitoring services to tenants. Using CloudWatcher, they can set up security monitoring services without modifying network configurations. They can also let each tenant define his/her own security policy with this service. It reduces operational costs and the burden [placed on] network administrators. We are currently improving and extending CloudWatcher to provide better security monitoring services, and we believe it will be presented soon, possibly early next year.