Virtualization and Cloud Security
Abdelmajid Lakbabi, Said El hajji, Ghizlane Orhanou,
Laboratoire Mathématiques, Informatique et Applications
Université Mohammed V – Agdal
Faculté des Sciences - Rabat
[email protected],
[email protected],
[email protected]

Abstract— A dynamic approach to defending next generation networks leads to dealing with new concepts, like cloud and virtualization, that change the definition of an endpoint: virtualized systems are no longer systems, they become resources, data and applications available on the cloud as services. In such a context, NGIPS [1] comes to help, by its deep inspection and automation capabilities, to monitor and assess network traffic, then stop new threats. The perspective of this paper is to propose a solution to secure the virtual environment through the use of an intrusion prevention system (NGIPS), present its architecture, then integrate NAC [2] capabilities to protect the hypervisor and the inter-virtual machine communications, in order to provide more security for the virtualized and cloud environment.

Keywords: Hypervisor, NGIPS, Virtual network, Virtual machine, vSwitch, Vnic, vulnerability, exploit, pattern, inline, NAC, cloud.

I. INTRODUCTION

Network IPS/IDS systems are platforms capable of performing real-time traffic analysis, stopping intrusions and packet logging on IP networks. Before going any further, a definition of NIPS/NIDS is required in order to clearly describe what we will examine:

• Network-Based IDS (NIDS) are placed in key areas of the network infrastructure and monitor traffic as it flows to other hosts. They are considered passive, and the best reaction a NIDS can have is to send a TCP Reset / ICMP Unreachable to the attacker [3].
• Network-Based IPS (NIPS) are placed in inline mode to stop attacks, but can act like NIDS when they are not inline and are configured to receive a copy of the traffic from the switches via a given mechanism (like port mirroring) [4].

As defined in IT security literature: Security = visibility + control. In this perspective, IPS/IDS solutions allow:
o protection against external attacks,
o a higher security level,
o a shorter time of response to security breach attempts,
o risk manageability,
o minimized business risk,
o consistent security management,
o resource orientation: the ability to focus on mission critical systems.

In this paper, we are more interested in the Next Generation IPS/IDS (NGIPS/IDS). Indeed, the NGIPS should support a comprehensive selection of inline and passive deployment choices. Both passive IDS and inline IPS implementations are supported on the same physical/virtual NGIPS sensor. By using separate detection engines on the same sensor, each one can operate as a passive IDS or a blocking IPS concurrently. Furthermore, the Virtual Sensor supports passive IDS implementations. When operating in inline mode, the sensor can be configured as a transparent link, bridged, or routed.

As an added advantage, the NGIPS supports a bypass mode that allows traffic to continue to pass in case the sensor or detection engine process fails for any reason.

II. OVERVIEW OF THE IPS/IDS USE IN A PHYSICAL ARCHITECTURE

Intrusion Prevention Systems can be configured for different modes. In the following subsections we will cover the main IPS/IDS implementation modes that an Intrusion Prevention System offers.

A. IPS (Intrusion Prevention System) mode

IPS mode is good to block attacks if we can identify a clear threat path, for example, traffic from an Internet attacker to a DMZ segment, as shown in "Fig. 1" below.

Figure 1. Implementation of the IPS mode in a network.

B. IDS (Intrusion Detection System) mode

The IDS mode is used for aggregating network traffic from multiple physical and virtual traffic sources, such as switches and wire TAPs, into one centralized IDS sensor or IDS cluster. In such a case, the IDS is able to restrict traffic by sending resets or by requesting a firewall or an inline IPS to isolate the segment from other networks using a blacklisting mechanism.
This mode is useful when we have to protect large Local Area Network (LAN) segments. "Fig. 2" below presents the use of the IDS mode to protect a network.

Figure 2. Implementation of the IDS mode in a network.

Moreover, the IDS engines are able to detect hostile machines even if these devices do not communicate with the other network segments.

C. IPS/IDS (Intrusion Prevention/Detection System) hybrid mode

Figure 3. The use of the IPS/IDS hybrid mode.

In the hybrid mode, the same device can be configured to function in both IPS and IDS modes for different network zones, as shown in "Fig. 3" above.

After presenting the different IPS/IDS modes used in physical architectures, we will be interested, in the following section, in the security of the virtual environment.

III. IPS/IDS FOR VIRTUALIZED ENVIRONMENT

With the increasing use of the virtualization and cloud computing concepts, it becomes necessary to think about efficient solutions to ensure the security of the virtual environment. In this section, we will propose our vision for securing virtual networks by using IPS/IDS systems.

Such security systems for virtual platforms work in the same way as previously described for physical platforms. Indeed, in the virtual environment, the IPS/IDS systems capture packets and hand them off to the detection engine for analysis and handling, by adapting the network architecture depending on whether we are working in IPS or IDS mode, as we will detail below. But first, we will begin by defining the cloud computing and virtualization concepts.

A. Cloud computing and virtualization concepts

a. Cloud Computing definition

Cloud Computing refers to both the applications delivered as services over the Internet and the hardware and systems software in the datacenters that provide those services. The services themselves have been referred to as Software as a Service (SaaS), while the datacenter hardware and software is what we will call a Cloud. "Fig. 4" below presents the different parts involved in Cloud Computing.

Figure 4. Presentation of the Cloud Computing concept.

In addition, Cloud Computing concerns the provisioning of services in a timely, on-demand manner, to allow the scaling up and down of resources.

b. Virtualization concept

Virtualization consists of the creation of many virtual resources from one physical resource. It materializes the use of virtual machines to let multiple network subscribers maintain individualized desktops and servers on a single, centrally located hardware machine that is generally located at a data center. Users may be geographically scattered but are all connected to the central machine by a proprietary local area network (LAN), a wide area network (WAN) or the Internet.

From an IT point of view, it is the ability to run multiple operating systems on a single physical system and share the underlying hardware resources.

Virtualization components are:
• Host: the host is the machine that hosts other virtual machines using virtualization software. It can run virtual machines whose operating systems differ from that of the host machine.
• Hypervisor: it is a software program that manages multiple operating systems (or multiple instances of the same operating system) on a single computer system. The hypervisor manages the system's processor, memory, and other resources to allocate what each operating system requires.
• vNetwork: the virtual network that contains all the VMs, vSwitches, and virtual systems connected together using virtual network interfaces.
• Virtual appliances: a virtual appliance is a virtual machine image file consisting of a preconfigured operating system environment and a single application. The purpose of a virtual appliance is to simplify delivery and operation of the application. To this end, only the necessary operating system components are included.
• VMs: a virtual machine (VM) is a software implementation of a computing environment in which an operating system (OS) or program can be installed and run.
• Virtual switch (vSwitch): a virtual switch is simply a core L2 forwarding engine that does VLAN tagging, stripping, filtering, L2 security, checksum, segmentation offload units, and many other tasks that are done by pSwitches (physical switches) in pNetworks (physical networks), essentially:
o Models a physical Ethernet switch
o Connects VMs (virtual machines)
o Uplink adapters
o Combines the bandwidth of multiple network adapters, balances traffic among them and handles physical NIC failover
o Forwards traffic between VMs and links to external networks

There are two types of vSwitches:

vSphere Standard Switch: a software-based switch that resides in the virtualized host kernel and provides traffic management for VMs; administrators must manage vSwitches independently on each virtualized host.

vSphere Distributed Switch: a software-based switch that resides in the virtualized hosts' kernel and provides traffic management for VMs. Distributed vSwitches are shared by and managed across an entire cluster of virtualized hosts.

Although virtualization offers many benefits, there can also be increased security risk. Consider a system running some hundred virtual images: all those images are at risk if a vulnerability in the hypervisor (or its configuration) allows any virtual guest to "break out" into the host environment and affect other virtual guests.

For that reason, Mandatory Access Control (MAC) features should be implemented to strengthen the isolation between virtual images, and allow VMs to run in a separate security context, with the appropriate policy. Virtual security appliances placed in front of a vSwitch cannot prevent attacks between VMs on the same vSwitch. Therefore, separation is the key to securing the virtual platform.

At this point, we will study, in the following subsection, the virtual network architecture to understand the security issues inside such an environment. We will then propose an implementation of an IPS/IDS system in order to secure the inter-VM communication.

B. Virtual Network Architecture

The following schema, presented in "Fig. 5", illustrates the different virtual platform components:

Figure 5. Virtualized platform components.

There are some security guidelines that should be respected in virtual platforms. These principles are presented below:

a. Network isolation

To configure a virtual machine to have complete network isolation, each virtual machine must be assigned to only one internal virtual network. The virtual network must be configured so that it does not use a physical network adapter. Once a virtual network is attached to a physical network adapter, it is exposed to the same security risks as that physical network adapter.

b. Network packet isolation

Virtual machines cannot intercept network packets from the host operating system. Similarly, the host operating system cannot intercept network packets from a virtual machine. This isolation is enforced by the virtual machine network services driver, which determines whether a network packet is routed to the host operating system or to a virtual machine.

c. Inter-VM traffic control

In inline mode, the NGIPS allows an attack to be stopped instantly, before it can reach its target, by simply placing a virtual IPS in front of the virtual machines. Another alternative is to segment the network using techniques like:
o VLAN tagging
o separate vSwitches

[A short explanation of the two points cited above would be desirable here.]

and then control the inter-communication when traffic flows from one side to the other.

Based on the different principles described above, we will present below a proposition to secure the communication in a virtual network.

C. Virtual network security

Virtual networks can be configured to be completely isolated from all other virtual and physical networks. Or they can be configured to have limited isolation on the network until the point of connection to the physical network.

Below, we present a proposition to secure a virtualized network using a NGIPS system. In the following section, we will present the different steps followed to implement Snort [5], which is an open source NGIPS/IDS for both physical and virtual networks.
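The three deployment modes of Section II (passive IDS, inline IPS, and the hybrid mode where different zones run different modes) and the bypass mode of the introduction, exercised with Snort-style rule headers of the kind the next section describes, as an added example that is not code from the paper or from the Snort project. The rule header syntax (action proto src sport -> dst dport) and the msg/content/sid options follow Snort's format, but the simplified engine, the zone model, the sample rules (their sids and messages are invented here) and the packets are all constructed for illustration.

```python
"""Snort-style rule matching with passive IDS, inline IPS and hybrid per-zone modes.

Added example, not code from the paper or from the Snort project. The rule
header format (action proto src sport -> dst dport) follows Snort's; the
simplified engine, the zone model, the sample rules and the packets are
constructed for illustration.
"""
import ipaddress
import re

RULE_RE = re.compile(
    r'^(?P<action>alert|drop|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
    r'\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# option syntax handled here: name:value; or name:"value";  (no ';' inside quotes)
OPT_RE = re.compile(r'(\w+)\s*:\s*"?([^";]*)"?\s*;')


def parse_rule(text):
    """Split one rule into its header fields (action, proto, src, sport, dst, dport)
    and a dict of options (msg, content, sid)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule: " + text)
    rule = m.groupdict()
    rule["opts"] = dict(OPT_RE.findall(rule["opts"]))
    return rule


def _ip_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    """Header check first (cheap), then the content option against the payload."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (_ip_matches(rule["src"], pkt["src"]) and _ip_matches(rule["dst"], pkt["dst"])):
        return False
    if not (_port_matches(rule["sport"], pkt["sport"]) and _port_matches(rule["dport"], pkt["dport"])):
        return False
    content = rule["opts"].get("content")
    return content is None or content.encode() in pkt["payload"]


class Sensor:
    """One sensor whose zones (destination networks) each run in 'ips' (inline) or
    'ids' (passive) mode; mixed modes on one sensor give the hybrid deployment."""

    def __init__(self, rules, zones, bypass=True):
        self.rules = [parse_rule(r) for r in rules]
        self.zones = {ipaddress.ip_network(n): mode for n, mode in zones.items()}
        self.bypass = bypass   # bypass mode: let traffic through if the engine fails
        self.alerts = []       # (sid, msg, zone mode) for every rule hit

    def zone_mode(self, dst):
        for net, mode in self.zones.items():
            if ipaddress.ip_address(dst) in net:
                return mode
        return "ids"           # zones not listed are only monitored

    def process(self, pkt):
        """Verdict for one packet: 'pass', 'alert' (logged, forwarded) or 'drop'."""
        try:
            mode = self.zone_mode(pkt["dst"])
            for rule in self.rules:   # first match wins in this simplified engine
                if not rule_matches(rule, pkt):
                    continue
                if rule["action"] == "pass":
                    return "pass"
                self.alerts.append((rule["opts"].get("sid"), rule["opts"].get("msg"), mode))
                # A drop is enforceable only inline; a passive zone can just raise the alert.
                return "drop" if rule["action"] == "drop" and mode == "ips" else "alert"
            return "pass"
        except Exception:          # engine failure: fail-open (bypass) or fail-closed
            return "pass" if self.bypass else "drop"


def pkt(src, sport, dst, dport, payload=b"", proto="tcp"):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}


# Constructed rules: Snort header syntax, invented sids and messages
RULES = [
    'pass tcp 10.0.1.0/24 any -> any 22 (msg:"SSH from the management network"; sid:1000001;)',
    'drop tcp any any -> any 80 (msg:"PHP code in upload"; content:"<?php"; sid:1000002;)',
    'alert tcp any any -> any 3306 (msg:"MySQL access from another segment"; sid:1000003;)',
]
# Hybrid deployment: the DMZ zone is protected inline, the user LAN is only monitored
ZONES = {"192.168.10.0/24": "ips", "192.168.20.0/24": "ids"}
# Constructed traffic
PACKETS = [
    pkt("203.0.113.5", 40001, "192.168.10.10", 80, b"filename=a.php\r\n\r\n<?php echo 1; ?>"),
    pkt("203.0.113.5", 40002, "192.168.20.15", 80, b"filename=a.php\r\n\r\n<?php echo 1; ?>"),
    pkt("10.0.1.7", 50000, "192.168.10.10", 22),
    pkt("192.168.20.15", 50001, "192.168.10.20", 3306),
    pkt("198.51.100.9", 40003, "192.168.10.10", 80, b"GET / HTTP/1.1\r\n\r\n"),
]


def run_demo():
    """Same rules and traffic under the hybrid deployment; returns one verdict per packet."""
    sensor = Sensor(RULES, ZONES)
    return [sensor.process(p) for p in PACKETS]


if __name__ == "__main__":
    for p, verdict in zip(PACKETS, run_demo()):
        print(f"{p['src']} -> {p['dst']}:{p['dport']}  {verdict}")
```

The same drop rule produces a drop for the DMZ zone (inline) but only an alert for the user LAN (passive), which is exactly the difference between the IPS and IDS modes: a passive sensor sees a mirrored copy and cannot hold the packet. The `bypass` flag reproduces the fail-open behaviour of the bypass mode; setting it to False makes the sensor fail-closed instead.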
IV. IMPLEMENTATION OF AN IPS/IDS IN VIRTUALIZED NETWORKS

In this section, we will explore a common free Intrusion Detection System called Snort and understand its functionalities. We will present in detail how to set up and use it in a Linux environment in both IPS mode (where the traffic passes through the Snort machine) and IDS mode (which is the capturing mode, where all traffic is analyzed on a virtual switch by the port mirroring functionality).

It is important to mention that this implementation can be done either in a physical network or in a virtual environment where virtual machines and vSwitches are used.

Figure 6. Proposition of a secure Virtual Network.

The main target in this hybrid platform is to isolate co-resident virtual machines and network intensive applications, such as web services or database applications, that are being consolidated onto a single physical platform. The isolation properties of virtualization, however, demand a strict separation of the shared resources.

One of the outstanding properties of virtualization is its ability to isolate co-resident Operating Systems (OS) on the same physical platform. While isolation is an important property from a security perspective, co-resident virtual machines (VMs) often need to communicate and exchange a considerable amount of data.

A. Presentation of the IPS role in a virtualized network

We chose the open source IPS Snort, which is composed of different components; each one is responsible for a particular task in the prevention and detection process:
1. Sniffer: the packet sniffer taps into the network;
2. Preprocessor: Snort's preprocessors fall into two categories. They can be used to either examine packets for suspicious activity or modify packets so that the detection engine can properly interpret them.
3. Checks against plug-ins
4. RPC plug-in
5. Port scanner plug-in
6. Detection Engine: the Snort intrusion detection process is based on different detection methods:
• Snort is a signature-based IDS
• Implemented via rule-sets
• Rules: the rule header contains some important information like "Action to take", "Type of packet", "Source, destination IP address", etc.
7. Alert Logging: this module is responsible for triggering warnings and alerts to administrators.

B. NAC extension for virtualized networks

Access controls and proper network segmentation are key requirements in many compliance mandates; creating network boundaries and enforcing traffic flow among distinct network segments is a security best practice that should be considered fundamental to securing both physical and virtual environments.
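The segmentation guidelines of Section III.B (network isolation, separate vSwitches / VLAN tagging) and the NAC extension of this subsection (binding each virtual NIC to its MAC, IP and allowed services, then refusing MAC spoofing, ARP man-in-the-middle attempts and traffic to unnecessary ports), as an added example that is not code from the paper or from any hypervisor or NAC product. The vSwitch/VLAN model, the port bindings, the VM names, addresses and the sample frames are all constructed for illustration.

```python
"""Virtual NAC and segmentation checks for inter-VM traffic.

Added example, not code from the paper or from any hypervisor product. The
vSwitch/VLAN model, the port bindings and the sample frames are constructed
for illustration; the checks follow the paper's guidelines (network isolation,
separate vSwitches / VLAN tagging) and its NAC extension (MAC spoofing, ARP
man-in-the-middle, abuse of unnecessary ports).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VNet:
    name: str
    vswitch: str
    vlan: int
    uplink: bool          # True if the vSwitch is attached to a physical NIC


@dataclass
class VMPort:
    """NAC binding for one virtual NIC: the network it sits on, the MAC/IP it
    is allowed to use, and the services it is allowed to expose."""
    vm: str
    net: VNet
    mac: str
    ip: str
    services: frozenset = field(default_factory=frozenset)
    isolated: bool = False   # policy: this VM must have no path to the physical network


def audit_isolation(ports):
    """Guideline a: an isolated VM must sit on a network with no physical uplink."""
    return [f"{p.vm}: isolated but {p.net.name} has a physical uplink"
            for p in ports if p.isolated and p.net.uplink]


def same_segment(a, b):
    """Guideline c: L2 reachability needs the same vSwitch and the same VLAN tag."""
    return a.net.vswitch == b.net.vswitch and a.net.vlan == b.net.vlan


def inspect_frame(frame, ports):
    """Decide whether a frame leaving a VM port may be forwarded.
    frame keys: port, src_mac, src_ip, and either dst_ip + dst_port or
    arp_claim (the IP the sender announces as its own in an ARP reply)."""
    by_vm = {p.vm: p for p in ports}
    by_ip = {p.ip: p for p in ports}
    src = by_vm[frame["port"]]
    reasons = []
    if frame["src_mac"].lower() != src.mac.lower():
        reasons.append("MAC address spoofing")
    if frame["src_ip"] != src.ip:
        reasons.append("IP address spoofing")
    claim = frame.get("arp_claim")
    if claim and claim in by_ip and by_ip[claim] is not src:
        reasons.append(f"ARP reply claims {claim}: man-in-the-middle attempt")
    dst = by_ip.get(frame.get("dst_ip"))
    if dst is not None:
        if not same_segment(src, dst):
            reasons.append(f"{src.vm} and {dst.vm} are on different segments")
        elif frame.get("dst_port") not in dst.services:
            reasons.append(f"port {frame.get('dst_port')} is not an allowed service on {dst.vm}")
    return ("deny" if reasons else "allow", reasons)


# Constructed topology: a DMZ vSwitch with an uplink, an internal backend vSwitch without one
DMZ = VNet("dmz-net", "vSwitch-dmz", 10, uplink=True)
BACKEND = VNet("backend-net", "vSwitch-backend", 20, uplink=False)
LEGACY = VNet("legacy-net", "vSwitch-dmz", 30, uplink=True)

PORTS = [
    VMPort("web", DMZ, "00:50:56:00:00:01", "192.168.10.10", frozenset({80, 443})),
    VMPort("app", BACKEND, "00:50:56:00:00:02", "192.168.20.10", frozenset({8080})),
    VMPort("db", BACKEND, "00:50:56:00:00:03", "192.168.20.20", frozenset({3306}), isolated=True),
    VMPort("legacy", LEGACY, "00:50:56:00:00:04", "192.168.30.5", frozenset({445}), isolated=True),
]

# Constructed frames: legitimate app->db query, cross-segment access from the DMZ,
# a spoofed source MAC, an ARP reply claiming the db's address, and SSH to the db
FRAMES = [
    {"port": "app", "src_mac": "00:50:56:00:00:02", "src_ip": "192.168.20.10", "dst_ip": "192.168.20.20", "dst_port": 3306},
    {"port": "web", "src_mac": "00:50:56:00:00:01", "src_ip": "192.168.10.10", "dst_ip": "192.168.20.20", "dst_port": 3306},
    {"port": "web", "src_mac": "00:50:56:00:00:99", "src_ip": "192.168.10.10", "dst_ip": "192.168.20.20", "dst_port": 3306},
    {"port": "app", "src_mac": "00:50:56:00:00:02", "src_ip": "192.168.20.10", "arp_claim": "192.168.20.20"},
    {"port": "app", "src_mac": "00:50:56:00:00:02", "src_ip": "192.168.20.10", "dst_ip": "192.168.20.20", "dst_port": 22},
]


def run_demo():
    """One verdict per sample frame."""
    return [inspect_frame(f, PORTS)[0] for f in FRAMES]


if __name__ == "__main__":
    for finding in audit_isolation(PORTS):
        print("isolation:", finding)
    for f, verdict in zip(FRAMES, run_demo()):
        print(f["port"], verdict, inspect_frame(f, PORTS)[1])
```

The audit flags the "legacy" VM, which is declared isolated but sits on a VLAN of the uplinked DMZ vSwitch, the situation guideline a warns about. The frame checks are applied at the vSwitch port, where the hypervisor knows which VM is sending; a Snort sensor in front of the same vSwitch could not stop the MAC spoofing or the ARP reply between two VMs of one segment, which is why the paper pairs the NGIPS with NAC-style port bindings.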
Specific threat vectors include exposure of traffic to attackers and sniffers, as well as common network-based attacks such as spoofing and man-in-the-middle. We intend to examine the virtual network components within the virtualized network and a number of security settings impacting traffic flows among the host and virtual guests. In addition, we propose to add a NAC mechanism to protect the hypervisor itself and the VMs from network attacks like:
• MAC address spoofing in a virtual environment
• Man-in-the-middle attacks
• Abuse of unnecessary ports and services

V. CONCLUSION

Our proposition significantly reduces the risk and the attack surface, but it doesn't fix all security issues: some evasion techniques still represent a serious threat for this emerging technology, and we plan to extend our future work to cover new advanced threats.

REFERENCES
[1] Securing virtual environments for VMware, Citrix, and Microsoft hypervisors, by Dave Shackleford, 2012
[2] IJCNS, Vol.5 No.8, by Abdelmajid Lakbabi, August 2012
[3] Snort IDS and IPS Toolkit (Jay Beale's Open Source Security), by Brian Caswell, Jay Beale and Andrew Baker, February 2007
[4] Snort 2.1 Intrusion Detection, Second Edition, by Jay Beale and Caswell, May 2004
[5] http://www.sourcefire.com/: Snort Web Site