Configuration Management Security in Data Center Environments

Chapter
Part of the Advances in Information Security book series (ADIS, volume 54)

Abstract

Modern data centers need to manage complex, multi-level hardware and software infrastructures in order to provide a wide array of services flexibly and reliably. The emerging trends of virtualization and outsourcing further increase the scale and complexity of this management. In this chapter, we focus on the configuration management issues and expose a variety of attack and misconfiguration scenarios, and discuss some approaches to making configuration management more robust. We also discuss a number of challenges in identifying the vulnerabilities in configurations, handling configuration management in the emerging cloud computing environments, and in hardening the configurations against hacker attacks.

Keywords

Virtual Machine, Data Center, Trusted Platform Module, Virtual Machine Migration, Virtual Device

Copyright information

© Springer Science+Business Media, LLC 2011

Authors and Affiliations

Center for Secure Information Systems, George Mason University, Fairfax, USA