VMGuard: State-Based Proactive Verification of Virtual Network Isolation With Application to NFV

Bibliographic details

Published in: IEEE Transactions on Dependable and Secure Computing, July 2021, Vol. 18 (4), pp. 1553-1567
Authors: Chawla, Gagandeep Singh; Zhang, Mengyuan; Majumdar, Suryadipta; Jarraya, Yosr; Pourzandi, Makan; Wang, Lingyu; Debbabi, Mourad
Format: Article
Language: English
Abstract: Network Functions Virtualization (NFV) leverages clouds to simplify and automate the creation and deployment of network services on the fly in a multi-tenant environment. However, clouds may also bring issues leading to tenants' concerns over possible breaches violating the isolation of their deployments. Verifying such network isolation breaches in cloud-enabled NFV environments faces unique challenges. The fine-grained and distributed network access control (e.g., per-function security group rules), which is typical of virtual cloud infrastructures, requires examining not only the events but also the states of all virtual resources using a state-based verification approach. However, verifying the state of a virtual infrastructure may become highly complex and non-scalable due to its sheer size paired with the self-serviced dynamic nature of clouds. In this article, we propose VMGuard, a state-based proactive approach for efficiently verifying large-scale virtual infrastructures in cloud and NFV against network isolation policies. Informally, our key idea is to proactively trigger the verification based on predicted events and their simulated impact upon the current state, such that we can have the best of both worlds, i.e., the efficiency of a proactive approach and the effectiveness of state-based verification. We implement and evaluate VMGuard based on OpenStack, and our experiments with both real and synthetic data demonstrate the performance and efficiency, e.g., less than five milliseconds to perform incremental verification on a dataset with more than 25,000 VMs and less than two milliseconds with the proactive module enabled.
ISSN: 1545-5971 (print), 1941-0018 (online)
DOI: 10.1109/TDSC.2020.3041430