An Approach for the Automated Analysis of Network Access Controls in Cloud Computing Infrastructures

Probst, Thibaut; Alata, Éric; Kaâniche, Mohamed; Nicomette, Vincent

doi:10.1007/978-3-319-11698-3_1

Cited by 4 publications

(2 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Second, TenantGuard is more scalable (e.g., verifying 100k VMs within 17mins). Finally, TenantGuard employs custom algorithms instead of relying on existing verification tools (e.g., [11], [27], [29], [28]), which enables TenantGuard to more efficiently deal with complexity factors specific to the cloud network infrastructure such as a large number of VMs, longer routing paths (number of hops), and increased number of security rules.…”

Section: Related Workmentioning

confidence: 99%

TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation

Wang

Madi

Majumdar

et al. 2017

Proceedings 2017 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Multi-tenancy in the cloud usually leads to security concerns over network isolation around each cloud tenant's virtual resources. However, verifying network isolation in cloud virtual networks poses several unique challenges. The sheer size of virtual networks implies a prohibitive complexity, whereas the constant changes in virtual resources demand a short response time. To make things worse, such networks typically allow fine-grained (e.g., VM-level) and distributed (e.g., security groups) network access control. Those challenges can either invalidate existing approaches or cause an unacceptable delay which prevents runtime applications. In this paper, we present TenantGuard, a scalable system for verifying cloud-wide, VMlevel network isolation at runtime. We take advantage of the hierarchical nature of virtual networks, efficient data structures, incremental verification, and parallel computation to reduce the performance overhead of security verification. We implement our approach based on OpenStack and evaluate its performance both in-house and on Amazon EC2, which confirms its scalability and efficiency (13 seconds for verifying 168 millions of VM pairs). We further integrate TenantGuard with Congress, an OpenStack policy service, to verify compliance with respect to isolation requirements based on tenant-specific high-level security policies. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.

show abstract

Section: Related Workmentioning

confidence: 99%

TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation

Wang

Madi

Majumdar

et al. 2017

Proceedings 2017 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Cloud providers are responsible for manually writing available and secure network policies that are thus error-prone. Existing works such as NoD [3], Plotkin et al [4], Cloud Radar [5], Probst et al, [6] and Tenant-Guard [7] proposed several methods for verifying policies formatted routing rules.…”

Section: Introductionmentioning

confidence: 99%

<i>Verikube</i>: Automatic and Efficient Verification for Container Network Policies

Kang

Shin

2022

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

Recently, Linux Container has been the de-facto standard for a cloud system, enabling cloud providers to create a virtual environment in a much more scaled manner. However, configuring container networks remains immature and requires automatic verification for efficient cloud management. We propose Verikube, which utilizes a novel graph structure representing policies to reduce memory consumption and accelerate verification. Moreover, unlike existing works, Verikube is compatible with the complex semantics of Cilium Policy which a cloud adopts from its advantage of performance. Our evaluation results show that Verikube performs at least seven times better for memory efficiency, at least 1.5 times faster for data structure management, and 20K times better for verification.

show abstract

A Multi-layer Virtual Network Isolation Detection Method for Cloud Platform

Zhao

Guo

Fan

et al. 2019

Communications in Computer and Information Science

View full text Add to dashboard Cite

An Approach for the Automated Analysis of Network Access Controls in Cloud Computing Infrastructures

Cited by 4 publications

References 4 publications

TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation

TenantGuard: Scalable Runtime Verification of Cloud-Wide VM-Level Network Isolation

<i>Verikube</i>: Automatic and Efficient Verification for Container Network Policies

A Multi-layer Virtual Network Isolation Detection Method for Cloud Platform

Contact Info

Product

Resources

About