Network functions virtualization-based security proposals for cloud computing environments

Bibliographic details
Year of defense: 2019
Main author: Mauricio, Leopoldo Alexandre Freitas
Advisor: Not informed by the institution
Defense committee: Not informed by the institution
Document type: Thesis
Access type: Open access
Language: eng
Defending institution: Universidade Federal do Rio de Janeiro, Brasil, Instituto Alberto Luiz Coimbra de Pós-Graduação e Pesquisa de Engenharia, Programa de Pós-Graduação em Engenharia Elétrica, UFRJ
Graduate program: Not informed by the institution
Department: Not informed by the institution
Country: Not informed by the institution
Keywords in Portuguese: Ataques de segurança; Rede definida por software; Virtualização de funções de rede
Access link: http://hdl.handle.net/11422/20420
Abstract: This thesis implements and evaluates Network Functions Virtualization (NFV)-based security proposals for cloud computing environments. The main contributions of this work are: (i) We move a large number of security rules implemented in the Top-of-Rack routers of a studied virtualized data center to virtual firewalls created on commodity hardware. Thus, we reduce costs and release TCAM resources for accelerating routing operations. We evaluate the performance of an Iptables FireWall Virtual Security Function (FW-VSF) against the demands encountered in the production data center studied. (ii) We propose and implement ACLFLOW, an NFV/SDN security framework that creates and manages distributed OpenFlow FW-VSFs as an alternative to using router TCAMs or specialized security middleboxes to control traffic from virtual machines in a cloud computing environment. ACLFLOW translates regular security rules (source/destination IP, source/destination port, and protocol) into OpenFlow filtering rules. In addition, it creates and manages large numbers of OpenFlow rules on distributed firewall VSFs and implements mechanisms that orchestrate and accelerate the deployment of OpenFlow FW-VSFs in production clouds. We also propose an algorithm that adapts FW-VSF rules to changes in traffic conditions in a timely manner, dynamically prioritizing the most popular rules to improve performance. (iii) We propose and implement an NFV security architecture that provides automatic and efficient protection against attacks by chaining a Virtual Security Function into the data stream to dynamically block malicious traffic without stopping the benign traffic. We prototype our security proposals on the Open Platform for NFV (OPNFV) and evaluate their performance.
Contributors (as listed in the repository record):
Duarte, Otto Carlos Muniz Bandeira (http://lattes.cnpq.br/9613695100589909)
Rubinstein, Marcelo Gonçalves
Fonseca, Mauro Sergio Pereira
Madeira, Edmundo Roberto Mauro
Costa, Luís Henrique Maciel Kosmalski
Velloso, Pedro Braconnot