Auditing Virtual Network Isolation Across Cloud Layers

  • Chapter in: Cloud Security Auditing

Abstract

In this chapter, taking into account the complexity factor and multi-layered nature of the cloud, we present an automated cross-layer approach that tackles the above issues for auditing isolation requirements between virtual networks in a multi-tenant cloud. We focus on isolation at layer 2 virtual networks and overlay, namely topology isolation, which is the basic building block for network communication and segregation for upper network layers. To the best of our knowledge, this is the first effort on auditing cloud infrastructure isolation at layer 2 virtual networks and overlay taking into account cross-layer consistency in the cloud stack.


Copyright information

© 2019 Springer Nature Switzerland AG

About this chapter

Cite this chapter

Majumdar, S. et al. (2019). Auditing Virtual Network Isolation Across Cloud Layers. In: Cloud Security Auditing. Advances in Information Security, vol 76. Springer, Cham. https://doi.org/10.1007/978-3-030-23128-6_4

  • DOI: https://doi.org/10.1007/978-3-030-23128-6_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-23127-9

  • Online ISBN: 978-3-030-23128-6

  • eBook Packages: Computer Science (R0)
