
On-demand deployment and orchestration of Cyber Ranges in the Cloud

Research Team

Alessandro Placido Luise
Claudio Perrotta
Francesco Caturano
Gaetano Perrone
Simon Pietro Romano

Requirements and contribution
A service-based platform for the dynamic deployment of cyber ranges in the
cloud has been developed. The work contributes to the research in the following
aspects:

- Environment isolation
- Remote access management
- Cyber range deployment automation
- Security
- Accountability

System architecture
The system is composed of four main components:

- Cyber Range Environment: a dynamic environment in which virtual resources
  reside (virtual machines and networks)
- Back-end Resource Manager: makes use of automation mechanisms for the
  configuration of cyber ranges in the Cyber Range Environment
- Credential Manager: provides authentication and access control services
- Cluster Security Controller: carries out real-time checks on the resources of the
  Cyber Range Environment and takes decisions in case of anomalies (e.g. resource
  termination, access policy changes)

Cyber Range Environment
The elements of the Cyber Range Environment set are divided into multiple
subsets.

Macro Range: a set of virtual machines including one and only one Remote Access
Controller.

Micro Range: an isolated environment of virtual machines contained in the Macro
Range.

Cyber Range Environment (2)
Logical rules and interactions between elements are formalised through sets
and mathematical relations (set theory).

Micro Range classification

- Virtual Micro Range
- Containerized Micro Range
- Hybrid Micro Range
- Shared Micro Range

Docker Security Playground
A virtual machine hosting DSP is a possible implementation of a Containerized
Micro Range.

G. Perrone, S. P. Romano. The Docker Security Playground: A hands-on approach to the study of network security. 2017
Principles, Systems and Applications of IP Telecommunications (IPTComm), Chicago, IL, 2017, pp. 1-8.

A reproducible Hybrid Micro Range

F. Caturano, G. Perrone, S. P. Romano. Capturing flags in a dynamically deployed microservices-based heterogeneous
environment. 2020 Principles, Systems and Applications of IP Telecommunications (IPTComm), Chicago, IL, 2020.

Remote Access Controller
User traffic is routed to the assigned Micro Ranges through client-specific rules
and access policies of the OpenVPN Server:

-A POSTROUTING -s 10.8.2.1 -o eth0 -d 172.31.89.138 -j MASQUERADE

Instance separation between virtual machines is achieved by using
Security Groups, virtual firewalls provided by AWS.
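
One way to audit the per-client rules described above, as an added example (not code from the platform): it compares OpenVPN server NAT rules of the form shown with a table of client-to-Micro-Range assignments. The assignment table, the client 10.8.2.2, the host 172.31.89.200 and all function names are assumptions constructed for illustration; addresses are IPv4.

```python
import ipaddress
import shlex

# Constructed sample: VPN client address -> Micro Range hosts assigned to it.
ASSIGNMENTS = {"10.8.2.1": {"172.31.89.138"}, "10.8.2.2": {"172.31.89.200"}}

# Constructed nat-table rules in iptables-save syntax (the first is the page's rule).
RULES = """\
-A POSTROUTING -s 10.8.2.1 -o eth0 -d 172.31.89.138 -j MASQUERADE
-A POSTROUTING -s 10.8.2.2/32 -o eth0 -d 172.31.89.138 -j MASQUERADE
-A POSTROUTING -s 10.8.2.0/24 -o eth0 -j MASQUERADE
"""


def opt(tokens, flag, default):
    """Value following `flag` in a tokenised rule, or `default` if absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else default


def parse_rule(line):
    """Return (source, destination) networks of a POSTROUTING MASQUERADE rule, else None."""
    tok = shlex.split(line)
    if tok[:2] != ["-A", "POSTROUTING"] or opt(tok, "-j", "") != "MASQUERADE":
        return None
    # An omitted -s or -d matches any address, so treat it as 0.0.0.0/0.
    src = ipaddress.ip_network(opt(tok, "-s", "0.0.0.0/0"), strict=False)
    dst = ipaddress.ip_network(opt(tok, "-d", "0.0.0.0/0"), strict=False)
    return src, dst


def audit(rules_text, assignments):
    """List (kind, detail) findings where the rules and the assignments disagree."""
    findings, covered = [], set()
    for line in rules_text.splitlines():
        if (parsed := parse_rule(line)) is None:
            continue
        src, dst = parsed
        pair = (str(src.network_address), str(dst.network_address))
        if src.prefixlen != 32 or dst.prefixlen != 32:
            findings.append(("too-broad", line))  # spans more than one client or host
        elif pair[1] in assignments.get(pair[0], set()):
            covered.add(pair)
        else:
            findings.append(("not-assigned", line))  # client reaches an unassigned range
    for client, hosts in sorted(assignments.items()):
        for host in sorted(hosts):
            if (client, host) not in covered:
                findings.append(("missing-rule", f"{client} -> {host}"))
    return findings
```
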

Back-end Resource Manager
The Lambda function performs:

- Checks on user permissions
- Checks on resource availability within the Cyber Range Environment
- Spawning of Macro and Micro Ranges
- Declaration of firewall rules in the OpenVPN Server with
  AWS Systems Manager

Cluster Security Controller and Credential Manager

AWS CloudWatch triggers the execution of the Step Function (Cluster
Security Controller), which performs defensive actions within the
environment.

The Credential Manager is implemented with Cognito, providing
authentication and access control services.

Conclusions and future work
The platform will be improved in many aspects with respect to both the general
architecture and its implementation.

- Deployment of comprehensive cyber arenas other than the classical cyber ranges, providing
  internet protocols emulation functionality
- Deployment of cyber ranges (and cyber arenas) with orchestrators such as AWS
  CloudFormation
- Hardening of the Cyber Range Environment
