How to Secure Cloud System using High Perfomance Virtual Firewalls
Alexey Lukashin, Vladimir Zaborovsky and Sergey Kupreenko
Saint-Peterburg State Polytechnical University, Polytechnicheskaya street 29, Saint-Petersburg, Russia
Keywords: Security, Firewall, Cloud system, Virtualization, Virtual connection.
Abstract: The paper describes the access isolation model based on virtual connection management and proposes the
mechanism of traffic filtering in transparent mode, invisible to other components. New level of complexity
of information security tasks was observed in the distributed virtualized systems. The paper proposes a
specialized firewall solution for implementing access isolation and information security in hypervisors and
entire distributed cloud system.
Virtualization of distributed computational resources
and development of heterogeneous virtual machine
environments are a very popular and fast growing
area in information technologies. Various
components belonging to this area are usually
denoted by the term “cloud computing”. A lot of
service providers offer such solutions, from IaaS to
SaaS layers. There are not only public cloud
providers such as Amazon, Google, and others.
Private clouds are becoming very popular and there
are a lot of solutions based on Eucalyptus, Open
Nebula, VmWare, or Microsoft technologies.
Therefore, ensuring information security of cloud
systems is a vital problem (Cloud Security Alliance,
2010). The present paper introduces a virtual
connection as an emergence essence and describes
the access isolation in virtual networks based on the
virtual connection management. The network traffic
is described as an aggregation of virtual connections.
The distributed virtual environment (cloud system)
provides heterogeneous computing resources;
therefore, it would be reasonable to use these
resources to protect the information security of the
system. Virtual connections function separately of
each other and do not have any shared resources, so
it is possible to establish parallel traffic filtering
within the security domain. This security domain
would exist in the hypervisor, would use the amount
of resources (cores, memory) that is required for
current information security tasks, and would be
scalable and adaptable to different situations. The
paper highlights the promising (perspective)
approaches to information protection in the
distributed computing environments. These
approaches use the high-performance virtual
firewalls, that operate in stealth mode in the
virtualization nodes of the computing environment
and provide consistency of security policies through
a centralized management. Applying the methods of
formalizing security to automate the generation of
filtering rules in combination with hardware and
software platforms based on multicore
microprocessors can deliver high performance
firewall. This firewall implements the filtering
functions in the operating system kernel based on
the application network management models in the
Netgraph subsystem.
Today, many companies, including leading
universities and government institutions, are
transferring their computing resources to the virtual
infrastructures, using both open systems
(Eucalyptus, Open Nebula) and commercial
solutions (VmWare, Citrix, IBM). Due to this trend,
the information security of cloud systems becomes
an acute problem. The major differences between
Lukashin A., Zaborovsky V. and Kupreenko S..
High Perfomance Virtual Firewalls.
DOI: 10.5220/0003433803710375
In Proceedings of the 13th International Conference on Enterprise Information Systems (ICEIS-2011), pages 371-375
ISBN: 978-989-8425-55-3
2011 SCITEPRESS (Science and Technology Publications, Lda.)
the cloud systems and the distributed networks are
the following:
o Information processing takes place on the
virtual machines under full hypervisor’s control;
the hypervisor has access to all data processed by
its virtual machines;
o Cloud software controls the resource planning
and provision; it is a new entity in the information
environment which has to be protected from the
information security threats;
o Traditional information security components
such as hardware firewalls cannot control the
internal virtual traffic between virtual machines in
one hypervisor;
o In virtualized environments, files serve as
virtual storage devices; these files are located in
the network storages and are more exposed to
threats than hard disks;
o Transfer of instance memory occurs when
migrating virtual machines between hypervisors;
this memory may contain confidential
Therefore, due to the above-listed specifics, new
information security threats appear, including:
o Attacks against the virtual machines
management tools, controllers of the computing
environment (cloud controller), or cluster and data
storage, where the virtual machine images and
user data are located;
o Unauthorized access to the virtualization node;
o Using virtual network for data transfer not
allowed by the information security policy.
The major specifics of the virtual infrastructure
is that an attack or an attempt of unauthorized access
can come from the virtual network, where such
devices as switches, hardware firewalls, and
physical connections are absent. This specifics
hampers applying the exiting methods and tools for
ensuring information security in computer networks
and GRID systems to the information security
protection of cloud systems.
The distributed and virtual computing environments
do not have effective methods of information
security protection. One of the problems is the lack
of firewalls, which can operate in virtual
environment as efficiently as the existing on the
market software and hardware solutions for
protection of information resources and reflection of
cyber attacks. For a number of cloud solutions, for
example, free and open source cloud environment
Eucalyptus, based on hypervisors XEN or KVM,
there are no efficient solutions for the virtual
machines’ protection, despite of the rapidly growing
popularity of this environment due to its
compatibility with the interfaces of Amazon
(Amazon EC2, Amazon S3) products.
Virtual connection (VC) is a logically ordered
exchange of messages between the network nodes.
(Silinenko, 2009). Computer network is a set of
virtual connections. Virtual connections are
classified as technological virtual connections
(TVC) and information virtual connections (IVC).
(Figure 1).
Figure 1: Layers of access control policies.
To implement the policy of access control, the
filtering rules are decomposed in the form of TVC
and the IVC. These filtering rules can be configured
for different levels of data flows description based
on the network packet fields on the levels of
channel, transport, and application protocols. In
terms of the access control, the TVC model can be
defined as a stream of packets generated by the
network applications during communication. The
TVC model is presented in the form of potentially
countable subset of the Cartesian product set of
packets P and timestamp T (1).
This model is characterized by a finite set of
parameters that describes the access subject and the
access object, as well as action between them in the
form of packet stream within the interconnection.
The model parameters are the identifiers of the
subject and the object, such as addresses, ports, and
other characteristics of network protocols. For
efficient traffic classification, the IVC model is used
along with the TVC model. The IVC model
describes the interaction between the access object
and the access subject at the application services
ICEIS 2011 - 13th International Conference on Enterprise Information Systems
level. The IVC model is a set of technical virtual
connections (TVC); the number and characteristics
of these TVCs are determined by the Cartesian
product of the information interaction access model
(IIM), the access subject model (IMS), and the
access object model(IMO) (2).
This formalization allows representing the access
IIM as a finite subset. The size of this subset is
determined based on the description of
interconnection subjects permitted within the given
access control policy. IMO is characterized by a
finite subset of information and network resources,
the access to which is This formalization allows
representing the access IIM as a finite subset. The
size of this subset is determined based on the
description of interconnection subjects permitted
within the given access control policy. IMO is
characterized by a finite subset of information and
network resources, the access to which is permitted
in accordance with the access control policies. IMS
describes the operations performed by the access
subject within the bounds of IMO. In accordance
with the access control policies, IMS describes the
operations performed by the access subject within
the bounds of IMO.
Virtual connection (VC), as some abstract, exists in
parallel to and independently from other virtual
connections. Virtual connections do not share any
resources, which allows parallel processing of
virtual connections. (Zaborovsky, Lukashin,
Kupreenko, 2010). The suggested approach to the
network traffic filtering is based on the concept of a
virtual connection and allows extracting the
connection context. The connection context can be
represented as a vector Y
, of parameters, for
example, source and destination addresses, port,
connection status (for TCP protocol), etc.
Controlling the virtual connection is calculating the
indicator function F, which requires resources such
as computing processors and operating memory (3).
,*}0,1{}( =
The indicator function F takes the following
values: 1 – if VC is allowed, 0 – if VC is forbidden,
* – if at the current moment it is impossible to
clearly determine whether connection is prohibited
or not, the decision is postponed and VC is
temporarily allowed.
Computing problems could be divided into two
1. Stream-related tasks that can be calculated with
SIMD processing elements (for example, using
graphic processors and CUDA technology).
2. Computational problems solved on the standard
multicore computers MIMD.
Because the distributed environment is
heterogeneous with respect to the available
processing elements, both the streaming SIMD
processors and the classic MIMD multicore
processors can be used for the firewall tasks in the
cloud systems. Firewalls that protect the hypervisor
operate in the virtualized environment; thus, the
configuration (computing cores, memory, streaming
processing elements) of the protection device can be
changed depending on the loading options, access
policies, and the amount of available resources.
Calculation of the indicator function F can be
decomposed into multiple computing processes –
}. In this case, the problem of VC control can be
described using the graph G(Q,X), which is called
the VC control information graph (you can find the
detailed description of stream tasks by graph in
(Kaliaev, Levin, Semernikov and Shmoylov, 2008)).
The VC control information graph consists of the set
of nodes; each of these nodes is attributed with the
operation F
. If two nodes q
and q
are connected
with an arc, then result of operation F
is the input
for the operation F
. Each node has an arc, which
corresponds to the case when F
= 0. Then VC is
considered as prohibited and no further analysis is
The multiprocessor computing system that solves
the firewall problems can be presented as a full mesh
computation system graph with MIMD and stream
computers as its nodes. This graph is a full mesh,
because the communications between CPUs are
provided by hardware and operating system, and
there is no predefined path between the cores, data
can pass directly from one node to another. Usually
the computation system graph and the control
information graph do not match each other, because
of amount of computing resources is limited and is
less than the amount of computational processes.
We can split the VC control graph in N non-
crossing subgraphs and, thus, build a VC operating
pipeline. Because the virtual connections exist
separately from each other, we can process them in
parallel. With the C compute nodes of MIMD type,
the operating time of VC processing would be
limited by (4).
- How to Secure Cloud System using High Perfomance Virtual Firewalls
) – number of CPU clocks, required for
calculation, τ
– real time of CPU clock.
The inequality appears in the given formula
because the decision on the VC classification
(allowed/forbidden) can be made before the passing
all nodes of the graph.
Due to the heterogeneity and reconfigurability of
the computing environments, in some cases the
configuration of the firewall can be adapted to the
access control tasks being solved at the current
moment of time. This can be achieved by using the
graph models for network traffic processing and
Netgraph (Cobbs, 2003) technology. This
technology allows organizing the network traffic
processing in the context of the operating system
kernel (Zaborovsky, Lukashin, Kupreenko, 2010).
Figure 2: Information graph of the virtual connection
Figure 2
shows an example of the virtual
connections information control graph with
decomposition of the indicator control function into
components. The presented approach, in the
combination with using the virtualization resources
technology, allows improving performance of the
network traffic monitoring and using only those
computing components that are required to solve
current access control problems.
A distributed computing environment (cloud system)
consists of the following software and hardware
o virtualization nodes;
o storage of virtual machines and user data;
o cluster controller; and
o cloud controller.
The distributed computing environment intended
for solving scientific and engineering problems is a
set of various computing resources such as virtual
machines, and has the following features (Lukashin
and Roshupkin, 2010):
o The environment is used by a wide range of
users, who are solving problems of different
o Virtual machines of different user groups can
operate within one hypervisor;
o Wide range of software components
(CAD/CAE applications, development tools) and
operating systems is used;
o Different hardware configurations are used,
including virtual multicore computing machines
and virtual machines, that allow performing
computations using the streaming technology
Virtualization node is powerful multicore system
with hypervisor installed, on which the domain level
0 (dom0 in terms of hypervisor XEN or service
console in terms of other hypervisors) and virtual
computing machines (domain level U, domU)
Figure 3: Secure cloud architectrure.
For information security and access control (AC)
between the virtual machines that operate under a
single hypervisor, the internal (“virtual”) traffic and
the external traffic (incoming from other hypervisors
and from public networks) must be controlled. The
solution of the access control problem could be
achieved through the integration of a virtual firewall
into the hypervisor; this firewall would functions
under the hypervisor, but separately from the user
virtual machines. The virtual firewall domain can be
defined as “security domain” (domS). Invisible
traffic filtering is an important aspect of the network
monitoring; the firewall must not change the
topology of the hypervisor network subsystem. This
can be achieved by using “Stealth” (Zaborovsky and
Titov, 2009) technology – a packet traffic control
ICEIS 2011 - 13th International Conference on Enterprise Information Systems
(Figure 3) invisible to other network components.
Figure 3 shows the common architecture of a
distributed cloud system with integrated AC
components. Abbreviations: FW – hardware
firewall; VFW – virtual firewall; FSCS – the central
control system of all firewalls in the cloud VM –
virtual machine; ClC – cloud controller; CC
cluster controller SC – storage controller.
The FSCS distributes the access control policies
to all firewalls in the system. When the information
security policy changes, new access rules are
replicated to all components. The security domain
isolates virtual machines from the hypervisor, which
prevents the possibility of attack against the
hypervisor inside the cloud. The hardware firewall
isolates the private cloud components from the
external threats.
The presented architecture is a distributed
heterogeneous computing environment that provides
computing resources of different configurations; this
allows arranging the information protection for this
system in the form of a dedicated security domain
(domS). The security domain can be quickly adapted
to the current situation in the cloud. The traffic
filtering process in kernel shows good scalability
and can be linearly scaled up to eight cores. A secure
cloud prototype, based on Eucalyptus and adopted
for CAD/CAE computation tasks (Lukashin and
Roshupkin, 2010), was created and is currently
functioning at the Telematics department of the
Saint-Petersburg Polytechnical University.
Cloud Security Alliance, Top Threats to Cloud
Computing, 2010. URL: http://www.cloudsecurity
Silinenko A., 2010. Access control in IP networks based
on virtual connection control models: phd thesis
05.13.19: / Saint-Petersburg, Russia.
Zaborovsky V., Lukashin A., Kupreenko S., 2010.
Multicore platform for high performance firewalls.
High performance systems // Materials of VII
International conference – Taganrog, Russia.
Kaliaev A., Levin I., Semernikov E., Shmoylov I., 2008.
Reconfigurable multipipe computation systems. –
Rostov-na-Donu, Russia.
Cobbs A., 2003. All about Netgraph URL:
Lukashin A., Roshupking I., 2010. Methods and strategies
of developing distributed computation systems for
CAD/CAE problems solving // ХХХIX week of science
SPbSTU, Materials of Russian conference for
students, Part XV, p. 13-15. – Saint-Petersburg,
Zaborovsky V., Titov A., 2009. Specialized Solutions for
Improvement of Firewall Performance and Conformity
to Security Policy. Proceedings of the 2009
International Conference on Security & Management.
v. 2. p. 603-608. July 13-16, 2009.
- How to Secure Cloud System using High Perfomance Virtual Firewalls