We describe a secure network virtualization framework that helps realize the abstraction of Trusted Virtual Domains (TVDs), a security-enhanced variant of virtualized network zones. The framework allows groups of related virtual machines running on separate physical machines to be connected together as though there were on their own separate network fabric and, at the same time, helps enforce crossgroup security requirements such as isolation, confidentiality, security, and information flow control. The framework uses existing network virtualization technologies, such as Ethernet encapsulation, VLAN tagging, and VPNs, and combines and orchestrates them appropriately to implement TVDs. Our framework aims at automating the instantiation and deployment of the appropriate security mechanism and network virtualization technologies based on an input security model that specifies the required level of isolation and permitted network flows. We have implemented a prototype of the framework based on the Xen hypervisor. Experimental evaluation of the prototype shows that the performance of our virtual networking extensions is comparable to that of the standard Xen configuration.
Abstract. Grid applications have increasingly sophisticated functional and security requirements. However, current techniques mostly protect only the resource provider from attacks by the user, while leaving the user comparatively dependent on the well-behavior of the resource provider. In this paper, we take the first steps towards addressing the trust asymmetry by using a combination of trusted computing and virtualization technologies. We present the key components for a trustworthy Grid architecture and propose an implementation. By providing multilateral security, i.e., security for both the Grid user and the Grid provider, our architecture increases the confidence that can be placed on the correctness of a Grid computation and on the protection of user-provided assets. In order to maintain important scalability and performance aspects, our proposal aims to minimize overhead. Towards this end, we propose a scalable offline attestation protocol, which allows selection of partners in the Grid with minimal overhead.
Virtual data centers allow the hosting of virtualized infrastructures (networks, storage, machines) that belong to several customers on the same physical infrastructure. Virtualization theoretically provides the capability for sharing the infrastructure among different customers. In reality, however, this is rarely (if ever) done because of security concerns. A major challenge in allaying such concerns is the enforcement of appropriate customer isolation as specified by high-level security policies. At the core of this challenge is the correct configuration of all shared resources on multiple machines to achieve this overall security objective.To address this challenge, this paper presents a security architecture for virtual data centers based on virtualization and Trusted Computing technologies. Our architecture aims at automating the instantiation of a virtual infrastructure while automatically deploying the corresponding security mechanisms. This deployment is driven by a global isolation policy, and thus guarantees overall customer isolation across all resources. We have implemented a prototype of the architecture based on the Xen hypervisor.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.