Virtual Firewalling For Migrating Virtual Machines In Cloud Computing
Independent thesis Advanced level (degree of Master (Two Years))Student thesis
Context. Cloud Computing (CC) uses virtualization to provide computing resources on demand via Internet. Small and large organizations benefit from CC because of reduced operating costs and increase in business agility. The migrating Virtual Machine (VM) is vulnerable from attacks such as fake migration initiations, service interruptions, manipulation of data or other network attacks. During live migration any security lax in VM firewall policy can put the VM data, OS and the applications on it at risk. A malicious VM can pose threat to other VMs in its host and consequently for VMs in LAN. Hardware firewalls only protect VM before and after migration. Plus, they are blind to virtual traffic. Hence, virtual firewalls (VFs) are used to secure VMs. Mostly; they are deployed at Virtual Machine Monitor-level (VMM) under Cloud provider’s control. Source VMM-level VF provides security to VM before the migration incurs and the destination VMM-level VF starts securing VM after migration is completed. It thus, becomes possible for attacker to use the intermediate migrating window to launch attacks on VM. Considering the potential of VFs there should be a great value in using open source VFs at VM-level for protecting VMs during migration, thereby, reducing the attacker’s slot to gain access to VM. It would enable hardened security for overall VM migration. Objectives. The aim is to investigate VM-level firewalling using open source firewall as a complementary security layer to VMM-level firewalling, to secure migrating VM in the CC domain. The first objective is to identify how virtual firewalls secure migrating VM in CC and to propose VM-level open-source virtual firewalling for protecting VM during migration. Later the VF is implemented to validate and evaluate its intactness or activeness during migration in real Cloud data center. Methods. In the literary review 9 electronic libraries are used, which include IEEE Xplore, ACM Digital Library, SCOPUS, Engineering Village and Web of Knowledge. Studies are selected after querying libraries for 2 key terms ‘virtual machine’ and ‘migration’ (along with other variations/synonyms), in the abstract. Relevant papers on the subject are read and analyzed. Finally, the information gaps are identified. Using a lacuna the experimental solution is designed. To test the potential of VF at VM-level for migrating VM’s security the experimental validation is performed using stratification samples of firewall rules. The VF evaluation is done using continuous ICMP echo packet transmission. The packets are analyzed to determine firewall behavior during migration. To evaluate the validity, the VM migration is performed 8 times in City Network data center. Results. The literary review identified the widespread use of VMM-level firewalling for migrating VM’s security in CC. The VM-level VFs were not researched nor evaluated for intactness during migration. The experiment performed at City Network demonstrated that the VM-level VF secures VM during migration (on average) for 96% of migration time, thereby reducing attack window for attacker during VM mobility. According to the results the average total migration time (TMT) was 16.6 s and average downtime (DT) of firewall was as low as 0.47 s, which means that VF at VM-level protects VM during entire migration span except when VM’s down (4% of migration time). Conclusions. The research concludes that VM-level firewalling using open source VF as an additional security layer in CC for VM migrations is feasible to employ and will enhance the migrating machine’s security by providing hardened firewall service during migration process, thus, reducing the potential attack window. VMM-level VF provides security in post and pre migration phase. Using VM-level VF as a complementary measure to VMM-level VF enables additional protection for VM migration process, thereby reducing the chances for attacker to attack VM during transition.
Place, publisher, year, edition, pages
2013. , 50 p.
virtual machine, migration, firewall
IdentifiersURN: urn:nbn:se:bth-6080Local ID: oai:bth.se:arkivex8BABAA824CA6D717C1257B81001FF18FOAI: oai:DiVA.org:bth-6080DiVA: diva2:833499
Email: firstname.lastname@example.org Twitter: Mah__Wish2015-04-222013-06-052015-06-30Bibliographically approved