Course Name- CSc 8320 Advanced Operating Systems Instructor- Dr. Yanqing Zhang Presented By- Sunny Shakya Latest AOS techniques, applications and future.

Slides:

Advertisements

Similar presentations

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.1 Firewalls.

Advertisements

Access Control List (ACL)

VCRIB: Virtual Cloud Rule Information Base Masoud Moshref, Minlan Yu, Abhishek Sharma, Ramesh Govindan HotCloud 2012.

Jennifer Rexford Princeton University MW 11:00am-12:20pm Network Virtualization COS 597E: Software Defined Networking.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Lucian Popa Minlan Yu Steven Y. Ko UC Berkeley/ICSI Princeton Univ. Princeton Univ. Sylvia Ratnasamy Ion Stoica Intel Labs Berkeley UC Berkeley CloudPolice:

PARIS: ProActive Routing In Scalable Data Centers Dushyant Arora, Theophilus Benson, Jennifer Rexford Princeton University.

Applying NOX to the Datacenter Arsalan Tavakoli, Martin Casado, Teemu Koponen, and Scott Shenker 10/22/2009Hot Topics in Networks Workshop 2009.

Take your CMS to the cloud to lighten the load Brett Pollak Campus Web Office UC San Diego.

Alan Shieh Cornell University Srikanth Kandula Microsoft Research Emin Gün Sirer Cornell University Sidecar: Building Programmable Datacenter Networks.

PROMISE: Peer-to-Peer Media Streaming Using CollectCast Mohamed Hafeeda, Ahsan Habib et al. Presented By: Abhishek Gupta.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Trusted End Host Monitors for Securing Cloud Datacenters Alan Shieh †‡ Srikanth Kandula ‡ Albert Greenberg ‡ †‡

Policy Based Routing using ACL & Route Map By Group 7 Nischal ( ) Pranali ( )

Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey

1 TVA: A DoS-limiting Network Architecture Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington)

Data Center Virtualization: Open vSwitch Hakim Weatherspoon Assistant Professor, Dept of Computer Science CS 5413: High Performance Systems and Networking.

Institute of Technology, Sligo Dept of Computing Semester 3, version Semester 3 Chapter 3 VLANs.

Virtualization for Cloud Computing

Microsoft delivers a complete datacenter solution with Windows Server 2012 R2 out-of-the-box Cloud OS Development Management Identity Virtualization.

Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.

Toward Software-Defined Middlebox Networking Aaron Gember, Prathmesh Prabhu, Zainab Ghadiyali, Aditya Akella University of Wisconsin-Madison 1.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

A Brief Taxonomy of Firewalls

1 Integrating a Network IDS into an Open Source Cloud Computing Environment 1st International Workshop on Security and Performance in Emerging Distributed.

Data Center Network Redesign using SDN

Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.

Networking Virtualization Using FPGAs Russell Tessier, Deepak Unnikrishnan, Dong Yin, and Lixin Gao Reconfigurable Computing Group Department of Electrical.

Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.

Intranet, Extranet, Firewall. Intranet and Extranet.

Networking in the cloud: An SDN primer Ben Cherian Chief Strategy Midokura.

Network Sharing Issues Lecture 15 Aditya Akella. Is this the biggest problem in cloud resource allocation? Why? Why not? How does the problem differ wrt.

January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.

Architecting for Innovation ACM SIGCOMM Computer Communication Review 2011 July Presenter ：許耀中

11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.

Access Control List (ACL) W.lilakiatsakun. ACL Fundamental ► Introduction to ACLs ► How ACLs work ► Creating ACLs ► The function of a wildcard mask.

Cloud Scale Performance & Diagnosability Comprehensive SDN Core Infrastructure Enhancements vRSS Remote Live Monitoring NIC Teaming Hyper-V Network.

Cisco 3 - LAN Perrine. J Page 110/20/2015 Chapter 8 VLAN VLAN: is a logical grouping grouped by: function department application VLAN configuration is.

Department of Computer Science A Scalable, Commodity Data Center Network Architecture Mohammad Al-Fares Alexander Loukissas Amin Vahdat SIGCOMM’08 Reporter:

Withstanding Multimillion-Node Botnets Colin Dixon Arvind Krishnamurthy, Tom Anderson Affiliates Day, 2007.

Chapter 11 Extending LANs 1. Distance limitations of LANs 2. Connecting multiple LANs together 3. Repeaters 4. Bridges 5. Filtering frame 6. Bridged network.

SECURING SELF-VIRTUALIZING ETHERNET DEVICES IGOR SMOLYAR, MULI BEN-YEHUDA, AND DAN TSAFRIR PRESENTED BY LUREN WANG.

Security Vulnerabilities in A Virtual Environment

High-Speed Policy-Based Packet Forwarding Using Efficient Multi-dimensional Range Matching Lakshman and Stiliadis ACM SIGCOMM 98.

SOFTWARE DEFINED NETWORKING/OPENFLOW: A PATH TO PROGRAMMABLE NETWORKS April 23, 2012 © Brocade Communications Systems, Inc.

SecondNet: A Data Center Network Virtualization Architecture with Bandwidth Guarantees Chuanxiong Guo 1, Guohan Lu 1, Helen J. Wang 2, Shuang Yang 3, Chao.

Firewall Technology and InterCell Communication Peter T. Dinsmore Trusted Information Systems Network Associates Inc 3060 Washington Rd (Rt. 97) Glenwood,

Slide 1/20 "PerfSight: Performance Diagnosis for Software Dataplanes." Wu, Wenfei, Keqiang He, and Aditya Akella ACM ICM, Presented by: Ayush Patwari.

Level 300 Windows Server 2012 Networking Marin Franković, Visoko učilište Algebra.

Central Management of 300 Firewalls and Access-Lists Fabian Mauchle TNC 2012 Reykjavík, 21-May-2012.

S ECURITY APPLIANCES Module 2 Unit 2. S ECURE NETWORK TOPOLOGIES A topology is a description of how a computer network is physically or logically organized.

Canaries in the Network

CIS 700-5: The Design and Implementation of Cloud Networks

The DPIaaS Controller Prototype

Heitor Moraes, Marcos Vieira, Italo Cunha, Dorgival Guedes

Martin Casado, Nate Foster, and Arjun Guha CACM, October 2014

Container-based Operating System Virtualization: A scalable, High-performance Alternative to Hypervisors Stephen Soltesz, Herbert Potzl, Marc E. Fiuczynski,

ETHANE: TAKING CONTROL OF THE ENTERPRISE

StratusLab Final Periodic Review

StratusLab Final Periodic Review

Computer Data Security & Privacy

NOX: Towards an Operating System for Networks

Aled Edwards, Anna Fischer, Antonio Lain HP Labs

湖南大学-信息科学与工程学院-计算机与科学系

Network Virtualization

NTHU CS5421 Cloud Computing

Chapter 3 VLANs Chaffee County Academy

Elmo Muhammad Shahbaz Lalith Suresh, Jennifer Rexford, Nick Feamster,

Presentation transcript:

Course Name- CSc 8320 Advanced Operating Systems Instructor- Dr. Yanqing Zhang Presented By- Sunny Shakya Latest AOS techniques, applications and future work : CLOUDPOLICE

Outline Part 1 – Context and Motivation Access control for clouds: why and what? Limitations of traditional mechanisms Part 2 – CloudPolice Approach Operation Future Work

Context Infrastructure as a Service virtualized clouds Traffic internal to cloud Hypervisor VM

Context Cloud computing requires network access control Access control policy of tenant X - what network traffic is tenant X willing to accept Tenant X Y can talk to me Tenant Y

Why Access Control in Clouds? For isolation Policy: deny incoming traffic from any other tenant Tenant 2 Tenant 1

Why Access Control in Clouds? For inter-tenant & tenant-provider communication Policy: weighted bandwidth allocation between tenants Tenant 1 Tenant 2 Ad Network 1 Ad Network 2 Database Share bandwidth fairly among tenants regardless of #VM sources Tenant 3

Why Access Control in Clouds? DoS protection One tenant can attack another tenant Reduce bandwidth and slow down machines Attackers more powerful: higher bandwidths Barrier is lower: pay for attacking hosts Tenant 1 Ad Network 1 Ad Network 2 Database Tenant 3 Tenant 2 DoS

Hence, the problem Want access control in clouds that Is resilient to DoS Supports rich inter-tenant policies Scales 100k servers 10k tenants Tolerates high dynamicity 100k VMs started per day, more than one per second Traditional access control mechanisms not well suited to meeting these requirements

Hence, the problem Want access control in clouds that Is resilient to DoS Supports rich inter-tenant policies Scales 100k servers 10k tenants Tolerates high dynamicity 100k VMs started per day, more than one per second Traditional access control mechanisms not well suited to meeting these requirements

Existing Access Control Access control in Cloud is provided using VLANs Firewalls Originally designed for enterprise environments But clouds != enterprises

Clouds != Enterprises Enterprises are not multi-tenant Few DoS concerns between departments Typically simpler policies Clouds have different network designs High bisection bandwidths, multiple paths, different L2/L3 mix Many new topologies: FatTree, BCube, DCell, etc. Limited Scalability

Goal Network Access Control for Clouds that is: 1. Independent of network topology and addressing 2. Scalable (millions hosts, high churn) 3. Flexible (rated access, fair access) 4. Robust to (internal) DoS attacks

CloudPolice Hypervisor VM Sufficient and advantageous to implement access control only within hypervisors Trusted Network independent Full software programmability  flexible Close to VMs  block unwanted traffic before network and help DoS Easy deployability

CloudPolice Sufficient and advantageous to implement access control only within hypervisors Hypervisor VM CloudPolice Policy Model Group = set of tenant VMs with same access control policy

CloudPolice Sufficient and advantageous to implement access control only within hypervisors Hypervisor VM Policy = set of Rules Rule = IF Condition THEN Action CloudPolice Policy Model

CloudPolice Sufficient and advantageous to implement access control only within hypervisors Hypervisor VM Condition = logical expression with predicates based on: Group of sender Packet header Current time History of traffic CloudPolice Policy Model

CloudPolice Hypervisor VM Action: Allow Block Rate-limit (token bucket) CloudPolice Policy Model

CloudPolice Sufficient and advantageous to implement access control only within hypervisors Hypervisor VM Action: Allow Block Rate-limit (token bucket) CloudPolice Policy Model Applied per flow source VM source group

CloudPolice Hypervisor XYZ Policies for X, Y and Z CloudPolice Each hypervisor needs to know for hosted VMs: group and policy X’s group policy: IF group = A  allow IF group = B  block IF group = C & port = 80  rate-limit to 100Mbps Y’s group policy: Z’s group policy: IF … Policy could also be specified / updated by VM Installed by provider service that starts VMs

CloudPolice Hypervisor XYZ Filter for incoming/outgoing flows

CloudPolice Hypervisor XYZ ABC Start flow to C Control Packet CloudPolice inserts control packet before the flow

CloudPolice Hypervisor XYZ ABC CloudPolice verifies policy of destination VM If allowed, packets are forwarded to destination VM Block/rate-limit If blocked or rate limited, send control packet to source hypervisor to block or rate-limit source (flow/VM)

Future Work Extend CloudPolice Policies with application-level semantics (dynamic policies) Policies based on group-wide state Beyond access control? More flexible actions, e.g., send to middlebox Performance isolation framework

References Popa et. al “CloudPolice: Taking Access Control out of the Network,” Hotnets 10, October 20-21, 2010, Monterey, CA, USA. X. Yang, D. J. Wetherall, and T. Anderson. “A DoS-limiting Network Architecture,” In ACM SIGCOMM, 2005