3/6/24

Terminology
• Vulnerability
Weakness that can be exploited in a system

Cloud Security • Attack

Method for exploiting vulnerability

• Threat / Threat model

The power of the attacker (characterizes possible attacks)
• E.g., attacker can act as an ordinary user, read any data on disk, and
monitor all network traffic.

• Trusted Computing Base

Set of system components that are depended on for security
• Usually includes hardware, OS, some software, …

1 2

Who are the attackers? What are the vulnerabilities?

• Poorly chosen passwords
• Operator/user blunders.
• Software bugs
• Hackers driven by intellectual challenge (or boredom).
– unchecked array access (buffer overflow attacks)
• Insiders: employees or customers seeking revenge or gain
• Automatically running active content: macros, scripts, Java
• Criminals seeking financial gain. programs
• Organized crime seeking gain or hiding criminal activities. • Open ports: telnet, mail
• Organized terrorist groups or nation states trying to influence • Incorrect configuration
national policy. – file permissions
• Foreign agents seeking information for economic, political, or – administrative privileges
military purposes. • Untrained users/system administrators
• Tactical countermeasures intended to disrupt military capability. • Trap doors (intentional security holes)
• Large organized terrorist groups or nation-states intent on • Unencrypted communication
overthrowing the US government.
• Limited Resources (i.e. TCP connections)

3 4

3 4

1
 3/6/24

What are the attacks? When to enforce security

• Password Crackers
• Viruses:
– ILoveYou (VBscript virus), Melissa (Word macro virus) Possible times to respond to security violations:
• Worms
– Code Red: Port 80 (HTTP), Buffer overflow in IIS (Internet/Indexing
• Before execution:
Service) analyze, reject, rewrite
• Trojan Horses
• During execution:
• Social Engineering:
– “Hi, this is Joe from systems, I need your password to do an monitor, log, halt, change
upgrade”
• After execution:
• Packet sniffers: Ethereal
roll back, restore, audit, sue, call police
• Denial of service: TCP SYN packet floods

5 6

5 6

Policy vs. mechanism What is being protected?

• What is being protected (and from what) vs. • Something with value
• How it is being protected • Information with (usually indirect) impact on
real world
(access control, cryptography, …)
• Different kinds of protection are needed for
different information : ensure different
• Want: security properties
– To know what we need to be protected from – Confidentiality
– Mechanisms that can implement many policies – Integrity
– Availability

7 8

7 8

2
 3/6/24

Standards Again ….
Ten Major Modules of Cyber Security
• Traditionally, it contains three goals to achieve adequate • Information Security and Risk Management
security • Access Control
• Security Architecture and Design
• Cryptography
• Network Security
• Applications Security (aka Data and Applications Security)
• Legal Regulations, Compliance and Investigations (aka Digital Forensics)
• Physical and Environmental Security
• Business Continuity Planning
• Operations Security
• Not included: Hardware security; Performance Analysis, Ethical Hacking
and Penetration Testing, - - -

9 10

Cloud Scenarios
Clouds
Public
Private
Cloud Security Challenges Hybrid

11 12

3
 3/6/24

Cloud Scenarios Cloud Scenarios

Clouds Multiple Clouds

13 14

Cloud Scenarios Cloud Scenarios

Hybrid Cloud Federated Cloud

Public Private Public Public Private Public
Cloud Cloud Cloud Cloud Cloud Cloud

15 16

4
 3/6/24

Cloud Scenarios Vulnerability Sources

Non-
Hardware Native
Native

Federated Cloud
Number of Number of Number of
Public Private Public Localization
Machines Processors Cores

SECURITY
Cloud Cloud Cloud
Common Network
Memory
Bus Bandwidth

Broker Storage Disks NAS

Programming Divide and

Sequential Other
Models Conquer

17 18

Requirement of security
Security is the Major Issue
• The end users of cloud computing usually not aware about
– Who has right to access your data?
– Are the backups encrypted? Where is the backup?
– How is the data transmitted and encrypted? How are users
authenticated?
– Has the service provider been tested by a reputable third party?
– How effectively your data segregated from other users?
– Is your data encrypted with good algorithm? Who holds the keys?
– Where is your data located? Which country? What about data
protection legislation?

20
19

19 20

5
 3/6/24

Trusted Zones for VM Insulation Cloud Service Models and Their Security Demands

Insulate Anti-malware
Federate
Identity
infrastructure from Cybercrime
identities with Malware, Trojans
federation public clouds intelligence
and cybercriminals
Strong
authentication
APP APP Tenant
OS OS #2

Control and Virtual Infrastructure Insulate

Virtual
network isolate VM in information Data loss
security the virtual from other prevention
infrastructure APP APP Tenant tenants
OS OS #1

Virtual Infrastructure
Insulate
Segregate and Encryption &
Access information
control user key mgmt
Mgmt from cloud
access providers’ Tokenization

Cloud Provider employees

PhysicalPhysical
Infrastructure
Infrastructure
Cloud computing will not be accepted by common users unless
Security Info. & the trust and dependability issues are resolved satisfactorily [1].
Nov.8, 2010
Enable end to end view of security events and
Kai Hwang, USC GRC 21 Nov.8, 2010 Kai Hwang, USC 22
Event Mgmt
compliance across infrastructures

21 22

Causes of Problems Associated

Loss of Control in the Cloud
with Cloud Computing
• Most security problems stem from: • Consumer’s loss of control
– Loss of control – Data, applications, resources are located with
provider
– Lack of trust (mechanisms)
– User identity management is handled by the cloud
– Multi-tenancy
– User access control rules, security policies and
• These problems exist mainly in 3rd party enforcement are managed by the cloud provider
management models – Consumer relies on provider to ensure
– Self-managed clouds still have security issues, but • Data security and privacy
not related to above • Resource availability
• Monitoring and repairing of services/resources

23 24

6
 3/6/24

Lack of Trust in the Cloud Multi-tenancy Issues in the Cloud

• Trusting a third party requires taking risks
• Defining trust and risk
– Opposite sides of the same coin
– People only trust when it pays (Economist’s view)
– Need for trust arises only in risky situations
• Tenants share a pool of resources
– How does multi-tenancy deal with conflict of interest?
– Can tenants get along together and ‘play nicely’ ?
– If they can’t, can we isolate them?
• How to provide separation between tenants?
• Cloud Computing brings new threats
– Multiple independent users share the same physical infrastructure
– Thus an attacker can legitimately be in the same physical machine as
the target

25 26

Taxonomy of Fear Taxonomy of Fear

• Confidentiality • Availability
– Fear of loss of control over data
• Will the sensitive data stored on a cloud remain
– Will critical systems go down at the client, if the
confidential? provider is attacked in a Denial of Service attack?
• Will cloud compromises leak confidential client data
– What happens if cloud provider goes out of
– Will the cloud provider itself be honest and won’t
peek into the data? business?
• Integrity
– How do I know that the cloud provider is doing the
computations correctly?
– How do I ensure that the cloud provider really stored
my data without tampering with it?
From www.cs.jhu.edu/~ragib/sp10/cs412 From www.cs.jhu.edu/~ragib/sp10/cs412
27 28

27 28

7
 3/6/24

Taxonomy of Fear Threat Model

• Privacy issues raised via massive data mining • A threat model helps in analyzing a security
– Cloud now stores data from a lot of clients, and problem, design mitigation strategies, and
can run data mining algorithms to get large evaluate solutions
amounts of information on clients
•Steps:
• Increased attack surface
– Entity outside the organization now stores and – Identify attackers, assets, threats and other
computes data, and so components
– Attackers can now target the communication link – Rank the threats
between cloud provider and client – Choose mitigation strategies
– Cloud provider employees can be phished – Build solutions based on the strategies
From www.cs.jhu.edu/~ragib/sp10/cs412 From www.cs.jhu.edu/~ragib/sp10/cs412
29 30

29 30

Threat Model What is the issue?

• Basic components • The core issue here is the levels of trust
– Attacker modeling – Many cloud computing providers trust their customers
• Choose what attacker to consider – Each customer is physically commingling its data with
– insider vs. outsider? data from anybody else using the cloud while logically
– single vs. collaborator? and virtually you have your own space
• Attacker motivation and capabilities – The way that the cloud provider implements security
– Attacker goals is typically focused on the fact that those outside of
– Vulnerabilities / threats their cloud are evil, and those inside are good.
• But what if those inside are also evil?
From www.cs.jhu.edu/~ragib/sp10/cs412 From www.cs.jhu.edu/~ragib/sp10/cs412
31 32

31 32

8
 3/6/24

Attacker Capability: Malicious Insiders Attacker Capability: Outside attacker

• At client • What?
– Learn passwords/authentication information
– Gain control of the VMs – Listen to network traffic (passive)
• At cloud provider – Insert malicious traffic (active)
– Log client communication – Probe cloud structure (active)
– Can read unencrypted data
– Launch DoS
– Can possibly peek into VMs, or make copies of VMs
– Can monitor network communication, application patterns • Goal?
– Why? – Intrusion
• Gain information about client data
• Gain information on client behavior – Network analysis
• Sell the information or use itself
– Man in the middle
– Cartography
From www.cs.jhu.edu/~ragib/sp10/cs412 From www.cs.jhu.edu/~ragib/sp10/cs412
33 34

33 34

Virtualization

Type 1

Cloud Security Approaches

Type 2

35 36

9
 3/6/24

Hyperjacking L VMM Trust Model

Alleviation of the Inherent Trust
• Trusted Platform Module (TPM)
• used in Trusted Boot
• measures the initial boot code and
commits to TPM chip

• Attestation Protocols

• A private key known only inside the TPM

Inherent Trust
• VMM is a single point of failure
• VM trusts the virtual hardware and VMM

37 38

VIRTUAL FIREWALL VIRTUAL FIREWALL

SCENARIO 1 : APPLICATION OF SAME TRUST LEVELS ON A SERVER
Traffic can be routed via the virtual switch (vSwitch) northbound to
Placed at the same points as it is done in physical the external switching fabric and external firewall
environment

• Within the virtual machines operating systems

• Introspective firewalls that are before each virtual
NIC
• The Edge of Security or Trust Zones

39 40

10
 3/6/24

VIRTUAL FIREWALL VIRTUAL FIREWALL

SCENARIO 2 : APPLICATION OF DIFFERENT TRUST SCENARIO 3 : APPLICATION OF DIFFERENT TRUST
LEVELS ON A SERVER LEVELS ON A SERVER

• Inefficient and Expensive

• The traffic is East-West
• Efficient
communications, and
forcing traffic Northbound • Virtualized firewall
through a physical would be preferable
firewall for intra-host
• Physical ports required to inspection
service the VM traffic

41 42

VIRTUAL FIREWALL VIRTUAL FIREWALL

Will Virtualized Firewalls Replace Physical Firewalls

• Strict and comprehensive

performance requirements in
the data center
• Can also defend against
hypervisor vulnerabilities.
• Carry out necessary
inspection for virtualization
platform vulnerabilities

43 44

11
 3/6/24

IDS and IPS IDS and IPS

• Defense in depth. SCENARIO 1:
• Should be specific and appropriate to the asset at risk. Traffic flow between a virtual switch (vSwitch) and one or
• Security enables agile business activities which lead to more guest VMs
cost effectiveness.
• The boundary firewalls will continue to provide basic
network protection and the individual systems and data
will need to be capable of protecting themselves
• It is easy to protect an asset that is closer the protection.

45 46

IDS and IPS IDS and IPS

SCENARIO 1:
SCENARIO 2:
Traffic flow between a virtual switch (vSwitch) and one or more guest
Functionality can be deployed on each Virtual Machine
VMs

LIMITATION
• Inter-VM traffic
• Mobility
• Non-transparency
• Bottlenecks in Performance

47 48

12
 3/6/24

IDS and IPS IDS and IPS

SCENARIO 5: A COORDINATED APPROACH
SCENARIO 3:
A Security Watchdog • The security watchdog VM is deployed to protect multiple
Removes the non-transparency and inter-VM limitations virtual machines.
of the virtual-security-appliance approach for IDS/IPS • VM-centric agent that can be deployed on individual
filtering virtual machine

Security
Security
watchdog
watchdog

49 50

IDS and IPS IDS and IPS

OpenV VM1 OpenV VM1
switch switch
br-int br-int
VM2
snort VM2
ext eth0 ext eth0
br-tun VM br-tun VM
n n

Com pute Node N Com pute Node N

External OpenV VM1

External OpenV VM1
Nw switch Nw switch
br-int snort br-int
VM2 VM2
ext eth0 ext eth0
br-tun VM br-tun VM
br-ex n
br-ex n

Com pute Node 1 Com pute Node 1

snort ext eth0 br-int eth1 ext eth0 br-int eth1
snort
br-tun br-tun

Netw ork Node

EXT Netw ork Node snort Internal
ext eth0 TRAFFIC ext eth0 Traffic

Controller Node Controller Node

51 52

13
 3/6/24

IDS and IPS IDS and IPS

snort
OpenV VM1
switch instance1 instance N
br-int
snort VM2 eth0 eth0
ext eth0

br-tun VM
n
eth0
Com pute Node N tap tap
SNORT unable to br-ex
snort detect intrusion
br-int Mgt Mgt br-int
External OpenV br-eth eth1 br-eth
Nw
VM1 eth1
switch
snort br-int
VM2
ext eth0

br-ex br-tun VM snort Patch br-tun Ext

br-tun Patch
n tun Eth0 tun
GRE eth
GRE
Com pute Node 1
ext eth0 br-int eth1
snort
br-tun Compute Node Nw Node
Netw ork Node snort
Local Vlan Link
Traffic
ext eth0
IP Link
Controller Node

53 54

IDS and IPS IDS and IPS

Component Name VCPU RAM Ethernet
(VM) (GB)
instance1 instance N
eth0 eth0 Network Node 1 4 3
• Create Dummy
Port (snooper) Controller Node 1 4 1
eth0
• Mirror the tap tap Compute Node 1 8 3
traffic. br-ex
br-int Mgt Mgt br-int
br-eth eth1 br-eth
eth1

snort Patch br-tun Ext

br-tun Patch
tun Eth0 tun
GRE eth GRE

Compute Node Nw Node

Vlan Link

IP Link

55 56

14
 3/6/24

HIGH LOW INTERACTION

INTERACTION HONEYPOTS O SSE C

HONEYPOT (VM) SE R V E R

(VM) GLASTOPF,DIONAEA,
HONEYNET HONEYD, KIPPO

O SSE C
SE R V E R

MHN Central Generate

Rules
Update the
Rule Files
Log
Server
Tenant
Nw

External OpenV VM1

Nw snort switch
br-int
snort VM2
ext eth0
br-tun VM
br-ex n

Com pute Node

snort ext eth0 br-int eth1

snort
br-tun

Netw ork Node

snort
ext eth0 snort
Expected SNORT
Placement Acknowledgements : Most of the slides are borrowed
IDS and IPS Controller Node from Internet. The credit goes to the concerned.

57 58

15