Abstract
Network Functions Virtualization (NFV) leverages from clouds to simplify and automate the creation and deployment of network services on the fly in a multi-tenant environment. However, clouds may also bring issues leading to tenants' concerns over possible breaches violating the isolation of their deployments. Verifying such network isolation breaches in cloud-enabled NFV environments faces unique challenges. The fine-grained and distributed network access control (e.g., per-function security group rules), which is typical to virtual cloud infrastructures, requires examining not only the events but also the states of all virtual resources using a state-based verification approach. However, verifying the state of a virtual infrastructure may become highly complex and non-scalable due to its sheer size paired with the self-serviced dynamic nature of clouds. In this article, we propose VMGuard, a state-based proactive approach for efficiently verifying large-scale virtual infrastructures in cloud and NFV against network isolation policies. Informally, our key idea is to proactively trigger the verification based on predicted events and their simulated impact upon the current state, such that we can have the best of both worlds, i.e., the efficiency of a proactive approach and the effectiveness of state-based verification. We implement and evaluate VMGuard based on OpenStack, and our experiments with both real and synthetic data demonstrate the performance and efficiency, e.g., less than five milliseconds to perform incremental verification on a dataset with more than 25, 000 VMs and less than two milliseconds with the proactive module enabled.
Original language | English |
---|---|
Article number | 9273224 |
Pages (from-to) | 1553-1567 |
Journal | IEEE Transactions on Dependable and Secure Computing |
Volume | 18 |
Issue number | 4 |
DOIs | |
Publication status | Published - 1 Jul 2021 |
Externally published | Yes |
Funding
The authors would like to thank the anonymous reviewers for their valuable comments and suggestions. This work was supported in part by the Natural Sciences and Engineering Research Council of Canada and Ericsson Canada under the Industrial Research Chair (IRC) in SDN/NFV Security.
Funders | Funder number |
---|---|
Ericsson Canada | |
Industrial Research Chair | |
Natural Sciences and Engineering Research Council of Canada |