Post on 25-Dec-2015
transcript
1
Integrating a Network IDS into an Open Integrating a Network IDS into an Open Source Cloud Computing Environment Source Cloud Computing Environment
1st International Workshop on 1st International Workshop on
Security and Performance in Emerging Distributed Security and Performance in Emerging Distributed Architectures (SPEDA2010)Architectures (SPEDA2010)
Claudio MazzarielloClaudio Mazzariello
Roberto BifulcoRoberto Bifulco
Roberto CanonicoRoberto Canonico
““Federico II”Federico II”
University of NapoliUniversity of Napoli
2
OutlineOutline
• Cloud computing security issues
• Examples of recent security incidents
• Securing a Cloud
• Implementation of a Cloud
• A network Intrusion Detection System
• Experimental evaluation
3
Cloud Computing peculiaritiesCloud Computing peculiarities
• Shared resources among several customers
• Highly dynamic infrastructures
• Cheap access to large scale computation/storage/communication facilities
• …
4
Cloud Computing security issuesCloud Computing security issues
• Shared resources among several customers
• New types of attacks (e.g. DoS over colocated VMs)
• Privacy infringement
• ...
• Highly dynamic infrastructures
• Users tracking and profiling
• Cheap access to large scale computation/storage/communication facilities
• Misuse of the CC model aimed at conducting illegal activities
5
Attack sourceAttack source
• External attackers
• Malicious users perform attacks targeting Cloud users
• Internal attackers
• Malicious users rent a share of Cloud resources
• Cheap, huge amounts of resources can be exploited to perform attacks against remote victims
6
Examples of CC-related security incidentsExamples of CC-related security incidents
• “We have several customers being attacked from the same EC2 instance on their network for 2 full days now...”
• http://seclists.org/nanog/2010/Apr/811
• “I discovered that several systems on the Amazon EC2 network were preforming brute force attacks, against our VoIP servers.”
• http://www.stuartsheldon.org/blog/2010/04/sip-brute-force-attack-originating-from-amazon-ec2-hosts/
• “Complaints of rampant SIP Brute Force Attacks coming from servers with Amazon EC2 IP Addresses cause many admins to simply drop all Amazon EC2 traffic.”
• http://www.voiptechchat.com/voip/457/amazon-ec2-sip-brute-force-attacks-on-rise/
7
Securing a Cloud by monitoring trafficSecuring a Cloud by monitoring traffic
• Cloud computing suffers from common network-related security threats
• Cloud computing, with its novel usage paradigm, introduces novel threats
• We evaluate effectiveness and impact of common, production level traffic monitoring tools
• Using different deployment strategies
• Centralized vs. Distributed
• By measuring
• Computational overhead
• Detection capability
8
IMPLEMENTING A CLOUD
9
Open Source Cloud ComputingOpen Source Cloud Computing
• Eucalyptus is an open source Cloud Computing system that reproduces all Amazon EC2's services
• It allows the management of multiple “Availability zones”.
Client-side API
Cloud Controller
Cluster Controller Node Controller
Amazon EC2 Interface
Database
10
Looking at a single clusterLooking at a single cluster
• Our focus is on a single cluster managed by Eucalyptus (One geographic location)
Client-side API
Cloud Controller
Amazon EC2 Interface
11
NETWORK SECURITY TOOL
12
Functionalities of an Intrusion Detection System
• Activity monitoring (sensor)
– Network traffic packets
• Recognize suspicious and
inappropriate activities (analyzer)
• Generate alerts (user interface)
Sensor
Analyzer
User Interface
13
Snort – an open source Intrusion Detection System
• Snort is a signature based IDS– Each detectable attack is described by a static rule– Each rule contains particular byte-patterns and values to
be sought for in both the packet header and payload
• Snort operates in real-time• Snort is open-source
– Flexible– Extendable
14
EXPERIMENTAL EVALUATION
15
Distribution of services in nodesDistribution of services in nodes
• Asterisk SIP server
• RTP user agents
• Apache web server
16
The overall pictureThe overall picture
• “Inviteflood” attack tool
• D-ITG background traffic generator
17
Two different IDS deployment scenarios
• One IDS close to the cluster controller– Monitors inbound/outbound traffic– Monitors traffic between different security groups– VLAN tags are removed
• Traffic related to different security groups becomes indistinguishable
• Several IDS’s, each close to a physical machine– Each IDS monitors traffic to/from virtual resources hosted on
the physical machine• In both scenarios, all attack instances are correctly detected
18
MONITORING AT THE CLUSTER CONTROLLER
19
50 %
100 %
Cluster Front-end CPU profileCluster Front-end CPU profile
Snort
Packet forwarding
20
MONITORING AT EACH PHYSICAL MACHINE
21
Attacked worker node CPU profileAttacked worker node CPU profile
50 %
100 % Attacked VM
Dom0
Non-attacked
VMs
22
Non-Attacked worker node CPU profileNon-Attacked worker node CPU profile
50 %
100 %
23
ConclusionsConclusions
• Monitoring traffic at the cluster controller– Privileged observation point– Look at all traffic– Misses internal attacks
• Monitoring traffic at each physical machine– Limited scope– Ligthweight– Increased cloud resilience
24
Thank you!Thank you!
Claudio Mazzariello – claudio.mazzariello@unina.it