VMGuard: State-Based Proactive Verification of Virtual Network Isolation With Application to NFV
IEEE Transactions on Dependable and Secure Computing (IF 7.3), Pub Date: 2020-11-30, DOI: 10.1109/tdsc.2020.3041430
Gagandeep Singh Chawla, Mengyuan Zhang, Suryadipta Majumdar, Yosr Jarraya, Makan Pourzandi, Lingyu Wang, Mourad Debbabi

Network Functions Virtualization (NFV) leverages clouds to simplify and automate the creation and deployment of network services on the fly in a multi-tenant environment. However, clouds may also bring issues leading to tenants' concerns over possible breaches violating the isolation of their deployments. Verifying such network isolation breaches in cloud-enabled NFV environments faces unique challenges. The fine-grained and distributed network access control (e.g., per-function security group rules) that is typical of virtual cloud infrastructures requires examining not only the events but also the states of all virtual resources, using a state-based verification approach. However, verifying the state of a virtual infrastructure may become highly complex and non-scalable due to its sheer size paired with the self-serviced, dynamic nature of clouds. In this article, we propose VMGuard, a state-based proactive approach for efficiently verifying large-scale virtual infrastructures in cloud and NFV against network isolation policies. Informally, our key idea is to proactively trigger the verification based on predicted events and their simulated impact upon the current state, such that we can have the best of both worlds, i.e., the efficiency of a proactive approach and the effectiveness of state-based verification. We implement and evaluate VMGuard based on OpenStack, and our experiments with both real and synthetic data demonstrate its performance and efficiency, e.g., less than five milliseconds to perform incremental verification on a dataset with more than 25,000 VMs and less than two milliseconds with the proactive module enabled.

Updated: 2020-11-30