ppt and audio 10MB - PARSeC Research Group


Integrating a Network IDS into an Open Source Cloud Computing Environment
1st International Workshop on Security and Performance in Emerging Distributed Architectures (SPEDA2010)
Claudio Mazzariello
Roberto Bifulco
Roberto Canonico
University of Napoli “Federico II”
1
Outline
• Cloud computing security issues
• Examples of recent security incidents
• Securing a Cloud
• Implementation of a Cloud
• A network Intrusion Detection System
• Experimental evaluation
2
Cloud Computing peculiarities
• Shared resources among several customers
• Highly dynamic infrastructures
• Cheap access to large scale computation/storage/communication facilities
• …
3
Cloud Computing security issues
• Shared resources among several customers
  – New types of attacks (e.g. DoS over colocated VMs)
  – Privacy infringement
  – ...
• Highly dynamic infrastructures
  – Users tracking and profiling
• Cheap access to large scale computation/storage/communication facilities
  – Misuse of the CC model aimed at conducting illegal activities
4
Attack source
• External attackers
  – Malicious users perform attacks targeting Cloud users
• Internal attackers
  – Malicious users rent a share of Cloud resources
  – Cheap, huge amounts of resources can be exploited to perform attacks against remote victims
5
Examples of CC-related security incidents
• “We have several customers being attacked from the same EC2 instance on their network for 2 full days now...”
  – http://seclists.org/nanog/2010/Apr/811
• “I discovered that several systems on the Amazon EC2 network were performing brute force attacks, against our VoIP servers.”
  – http://www.stuartsheldon.org/blog/2010/04/sip-brute-forceattack-originating-from-amazon-ec2-hosts/
• “Complaints of rampant SIP Brute Force Attacks coming from servers with Amazon EC2 IP Addresses cause many admins to simply drop all Amazon EC2 traffic.”
  – http://www.voiptechchat.com/voip/457/amazon-ec2-sipbrute-force-attacks-on-rise/
6
Securing a Cloud by monitoring traffic
• Cloud computing suffers from common network-related security threats
• Cloud computing, with its novel usage paradigm, introduces novel threats
• We evaluate effectiveness and impact of common, production level traffic monitoring tools
  – Using different deployment strategies
    • Centralized vs. Distributed
  – By measuring
    • Computational overhead
    • Detection capability
7
IMPLEMENTING A CLOUD
8
Open Source Cloud Computing
[Diagram: Eucalyptus architecture – Amazon EC2 Interface, Client-side API, Database, Cloud Controller, Cluster Controller, Node Controller]
• Eucalyptus is an open source Cloud Computing system that reproduces all Amazon EC2's services
• It allows the management of multiple “Availability zones”.
9
Looking at a single cluster
[Diagram: Amazon EC2 Interface, Client-side API, Cloud Controller, with one cluster highlighted]
• Our focus is on a single cluster managed by Eucalyptus (One geographic location)
10
NETWORK SECURITY TOOL
11
Functionalities of an Intrusion Detection System
[Diagram: Sensor → Analyzer → User Interface]
• Activity monitoring (sensor)
  – Network traffic packets
• Recognize suspicious and inappropriate activities (analyzer)
• Generate alerts (user interface)
12
Snort – an open source Intrusion Detection System
• Snort is a signature based IDS
  – Each detectable attack is described by a static rule
  – Each rule contains particular byte-patterns and values to be sought for in both the packet header and payload
• Snort operates in real-time
• Snort is open-source
– Flexible
– Extendable
13
EXPERIMENTAL EVALUATION
14
Distribution of services in nodes
• Asterisk SIP server
• RTP user agents
• Apache web server
15
The overall picture
• “Inviteflood” attack tool
• D-ITG background traffic generator
16
Two different IDS deployment scenarios
• One IDS close to the cluster controller
  – Monitors inbound/outbound traffic
  – Monitors traffic between different security groups
  – VLAN tags are removed
    • Traffic related to different security groups becomes indistinguishable
• Several IDSs, each close to a physical machine
  – Each IDS monitors traffic to/from virtual resources hosted on the physical machine
• In both scenarios, all attack instances are correctly detected
17
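An added example, not code from the slides or from Eucalyptus/Snort, that models the two deployment points in Python: it builds constructed 802.1Q-tagged SIP/UDP frames, applies a Snort-style content rule for the INVITE flood (payload content "INVITE sip:" to UDP port 5060, with a per-source count), and shows that once the cluster controller strips the VLAN tag the alert can no longer say which security group the traffic belongs to. The VLAN ids, addresses, MACs and the threshold value are assumptions.

```python
import ipaddress
import struct
from collections import Counter

ETHERTYPE_VLAN, ETHERTYPE_IPV4, SIP_PORT = 0x8100, 0x0800, 5060
INVITE_THRESHOLD = 3  # hypothetical per-source limit for the flood rule

def build_frame(vlan_id, src_ip, dst_ip, payload):
    """Constructed Ethernet/IPv4/UDP frame to the SIP port; vlan_id=None means untagged."""
    eth = b"\x02" * 6 + b"\x04" * 6  # placeholder destination and source MACs
    if vlan_id is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)  # TPID + TCI
    udp = struct.pack("!HHHH", SIP_PORT, SIP_PORT, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp

def strip_vlan(frame):
    """Model of the cluster controller removing the 802.1Q tag before forwarding."""
    tagged = struct.unpack_from("!H", frame, 12)[0] == ETHERTYPE_VLAN
    return frame[:12] + frame[16:] if tagged else frame

def parse_frame(frame):
    """Return (vlan_id, src_ip, dst_port, payload) for an IPv4/UDP frame, else None."""
    off, vlan_id = 14, None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id, off = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_IPV4 or frame[off + 9] != 17:  # not IPv4 or not UDP
        return None
    ihl = (frame[off] & 0x0F) * 4
    src_ip = str(ipaddress.ip_address(frame[off + 12:off + 16]))
    dport = struct.unpack_from("!H", frame, off + ihl + 2)[0]
    return vlan_id, src_ip, dport, frame[off + ihl + 8:]

def detect_invite_flood(frames):
    """Snort-style check: UDP to 5060 with content "INVITE sip:" at offset 0, alerting once a
    (security group VLAN, source) pair exceeds INVITE_THRESHOLD. The VLAN id is the only
    field that ties a frame to its security group."""
    counts, alerts = Counter(), []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        vlan_id, src_ip, dport, payload = parsed
        if dport == SIP_PORT and payload.startswith(b"INVITE sip:"):
            counts[(vlan_id, src_ip)] += 1
            if counts[(vlan_id, src_ip)] == INVITE_THRESHOLD + 1:
                alerts.append({"security_group_vlan": vlan_id, "src": src_ip})
    return alerts

def simulate(at_cluster_controller):
    """Constructed traffic: the VLAN 10 tenant floods the Asterisk VM, the VLAN 20 tenant is benign."""
    invite = b"INVITE sip:bob@10.0.0.9 SIP/2.0\r\n"
    frames = [build_frame(10, "10.0.0.5", "10.0.0.9", invite) for _ in range(5)]
    frames += [build_frame(20, "10.0.0.6", "10.0.0.9", invite)]
    return detect_invite_flood([strip_vlan(f) for f in frames] if at_cluster_controller else frames)
```

Run at a physical machine (`simulate(False)`) the alert names VLAN 10; run at the cluster controller (`simulate(True)`) the same attack is still caught but the security group field is `None`.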
MONITORING AT THE CLUSTER
CONTROLLER
18
Cluster Front-end CPU profile
[Chart: CPU utilization over time, y-axis 0–100 % (ticks at 50 % and 100 %); series: Snort, Packet forwarding]
19
MONITORING AT EACH PHYSICAL
MACHINE
20
Attacked worker node CPU profile
[Chart: CPU utilization over time, y-axis 0–100 % (ticks at 50 % and 100 %); series: Attacked VM, Dom0, Non-attacked VMs]
21
Non-Attacked worker node CPU profile
[Chart: CPU utilization over time, y-axis 0–100 % (ticks at 50 % and 100 %)]
22
Conclusions
• Monitoring traffic at the cluster controller
– Privileged observation point
– Look at all traffic
– Misses internal attacks
• Monitoring traffic at each physical machine
– Limited scope
– Lightweight
– Increased cloud resilience
23
Thank you!
Claudio Mazzariello – [email protected]
24