DOI: 10.1145/2967878.2967922

Exploring the Firewall Security Consistency in Cloud Computing during Live Migration

Published: 06 July 2016

Abstract

Virtualization technology adds great opportunities and challenges to the cloud computing paradigm. Resource management can be efficiently enhanced by employing Live Virtual Machine Migration (LVMM) techniques. Based on the literature of LVMM implementation in the virtualization environment, middle-boxes such as firewalls do not work effectively after LVMM, as it introduces dynamic changes in network status and traffic, which may lead to critical security vulnerabilities. One key security hole is that the security context of the firewall does not move with the Virtual Machine after LVMM is triggered. This leads to inconsistency in the firewall's level of protection for the migrated Virtual Machine. The literature lacks practical studies that address this problem on cloud computing platforms. This paper demonstrates a practical analysis using an OpenStack testbed to study the firewalls' limitations in protecting virtual machines after LVMM. Two network scenarios are used to evaluate this problem. The results show that the security context problem does not exist in the stateless firewall but can exist in the stateful firewall.

Cited By

  • (2019) An efficient scheme for SDN state consistency verification in cloud computing environment. Concurrency and Computation: Practice and Experience, 32:2. DOI: 10.1002/cpe.5440. Online publication date: 10-Jul-2019
  • (2018) IaaS-cloud security enhancement: An intelligent attribute-based access control framework. 2018 Majan International Conference (MIC), pages 1-9. DOI: 10.1109/MINTC.2018.8363159. Online publication date: Mar-2018

      Published In

      ICCCNT '16: Proceedings of the 7th International Conference on Computing Communication and Networking Technologies
      July 2016
      262 pages
      ISBN:9781450341790
      DOI:10.1145/2967878
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      In-Cooperation

      • University of North Texas: University of North Texas

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. OpenStack
      2. cloud computing
      3. firewall
      4. live migration

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Conference

      ICCCNT '16

      Acceptance Rates

      ICCCNT '16 Paper Acceptance Rate 48 of 101 submissions, 48%;
      Overall Acceptance Rate 48 of 101 submissions, 48%
