XNetMon: A Secure Architecture for Virtual Networks

  • Natalia Castro Fernandes (UFRJ)
  • Otto Carlos Muniz Bandeira Duarte (UFRJ)

Abstract

Isolation is essential to secure any virtualized environment that shares a common resource, and virtual networks are no different. Resource sharing with isolation prevents malicious virtual routers from consuming all physical resources and disturbing the performance of other virtual networks sharing the same machine. We propose a new architecture for Xen that provides isolation when shared resources are accessed. A secure mechanism monitors access to shared resources and punishes virtual routers that misbehave, guaranteeing isolated operation of the virtual networks. To secure the control of virtual networks, we propose a communication protocol between the virtual routers and the administrative domain that prevents malicious virtual routers from affecting the forwarding tables of other virtual routers. We developed a prototype, and our experiments show that the proposed architecture guarantees the availability of the virtual-network control service and provides better resource sharing than known mechanisms, allowing complete isolation among virtual networks.

Published: 2010-10-11

FERNANDES, Natalia Castro; DUARTE, Otto Carlos Muniz Bandeira. XNetMon: Uma Arquitetura com Segurança para Redes Virtuais. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 10., 2010, Fortaleza. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2010. p. 339-352. DOI: https://doi.org/10.5753/sbseg.2010.20598.
