
Cloud Networking Security Threats

Damilola Yusuph (0817125), Department of Computer Science and Technology, University of Bedfordshire, Luton, United Kingdom. Damilola.yusuph@study.beds.ac.uk

Abstract: Cloud computing is an emerging technology paradigm that has turned the technology world on its head and is becoming one of the most attractive technology areas, due at least in part to its flexibility, efficiency, data availability and cost savings. Conversely, despite the surge in activity and interest, there is little focus on the networking aspects of distributed clouds, and their relevance is often undervalued. Cloud networking is the management of computing and vital connectivity capabilities in the network between distributed cloud resources. This paper aims to develop an understanding of cloud networking security and discusses the multifarious security challenges involved in ensuring legitimate usage of cloud networking resources and in preventing abuse and nefarious use.

Keywords: cloud computing; network virtualisation; security; cloud networking.

I. INTRODUCTION

Cloud computing is a major computing trend in the present-day scenario, with large-scale adoption across many enterprises. This is primarily due to its simplification of quick provisioning and deployment of IT applications, leveraging economy of scale and multi-tenancy. Running applications in the cloud offers a number of benefits, such as lower cost through shared computing resources, accessibility around the globe, flexibility, no upfront infrastructure requirement and highly automated processes; thus applications with a highly variable workload are well matched to the cloud. Virtualization has played a key role in the notion of the cloud: it is the main enabler of data center optimization, allowing dynamic provisioning of computing resources on demand to become a reality. Cloud computing solutions typically necessitate adequate access network solutions to be in place, and rich interactive applications are good examples of applications that rely heavily on automatic network bandwidth provisioning, since these solutions involve getting more from less hardware, which requires more data transfers between database, storage and application servers. Networking aspects of distributed clouds are becoming a priority because, as the movement of these applications into the cloud becomes prevalent, more will be demanded from existing networks in terms of capacity, availability and quality; therefore any limitation of the network infrastructure will directly affect the application, leading to latency issues and poor performance. Hence, efficient networks that can be expeditiously reconfigured and optimized will unlock the full advantage of the cloud environment; this is the envisioned concept of cloud networking.

This article presents the vulnerabilities, challenges and security threats of providing a cloud network system. The research challenges of the project SAIL (Scalable Adaptive Internet Solutions) will also be explored, along with their advantages and shortcomings. The European project SAIL [1], whose consortium comprises 25 operators from industry, academia and institutions, aims at designing technology to overcome the limitations of the current internet architecture. For cloud networking, the objective in SAIL is to develop scalable and adaptive networking functions for applications with highly variable demands, which will facilitate on-demand management and security of computing, storage and connectivity resources in the network. Besides cloud networking security challenges, more vital security aspects of cloud computing are also considered. Because cloud computing is founded on a virtual environment, new exploits and threat avenues are introduced that can enable criminals and attackers to steal confidential data from cloud users, impersonate a legitimate cloud user after stealing their credentials, interrupt services, penetrate the cloud network infrastructure or obtain computing services. Examples of attacks exploiting the vulnerabilities of accessibility, virtualization and web applications include drive-by downloads, SQL injection, data-stealing malware, VoIP free calls and DDoS attacks [2]. Cloud networking will not change the continued existence of unwitting security vulnerabilities and their exploitation by attackers.

II. FROM CLOUD COMPUTING TO CLOUD NETWORKING

Since its inception, cloud computing has become the current paradigm, gaining considerable attention across the computing, academic and communication industries, but the history of cloud computing still remains as intricate and fuzzy as ever. The underlying concept of cloud computing dates back to 1961, when computing pioneer Prof. John McCarthy first publicly proposed the idea of computer time-sharing technology, whereby computing power and specific applications would be sold through the utility business model, i.e. like water or electricity [3]. The key factors that have enabled the current realization of the cloud computing vision include the introduction of infrastructure virtualization, the existence of internet/web technologies and the development of universal high-speed bandwidth. Separation of duties between software service providers and infrastructure service providers makes it easier to generate services online and facilitates rapid scaling of the services as demand dictates. This helps reduce financial risk, operational expenditure and capital expenditure for service providers, since they pay for the services used on an as-needed basis. On the other hand, it gives infrastructure service providers the opportunity to build large infrastructure that benefits from economies of scale, efficiency and improved productivity [4].

A. Virtualisation Technology Supporting Cloud Computing

Current Infrastructure as a Service (IaaS) delivers computing resources as a service using virtual machine hypervisors and server virtualization such as VMware [5] and Xen [6], and network storage virtualization, which is implemented in networking equipment (switches and routers), e.g. Hyper-V [7]. The interconnection between data centers owned by enterprises is typically implemented using leased lines to interconnect routers for a point-to-point virtual network, providing guaranteed but scalable, flexible and static quality of service, while connectivity to the data center by the IaaS user is mainly handled by the internet or virtual private networks. This elucidates that the cloud provider lacks control over the quality of an end user's network experience, which is based on access to a shared medium. Batch processing applications such as image rendering, transactional web services and hosted IT systems are examples of currently deployed applications in the cloud infrastructure that are well suited to the IaaS architecture. Despite network latency and performance issues like content delivery [8], service providers will still enter into, and comply with, the obligations and conditions of contractual terms with infrastructure providers, because the network components and topology of these services are still largely static [9].

B. Virtualization Technology Supporting Cloud Networking

Network virtualization promotes innovation and reliability by displacing proprietary networking hardware, specifying and instantiating networks on demand in useful time. This is seen as the missing link to attaining the maximum benefits of virtualization and the broad traction of cloud computing. In the literature, pioneering initiatives have proposed several network virtualization frameworks and architectures, such as Global Environment for Network Innovations (GENI) [10], Federated E-infrastructure Dedicated to European Researchers Innovating in Computing Network Architectures (FEDERICA) [11], and Concurrent Architectures are Better than One (CABO) [12], that will enable the facilitation of customized virtual end-to-end control and data planes. Network virtualization offers a simpler technology that enables the configuring of overlay networks without losing service continuity, the changing of physical paths, and the migration of virtual machines from one or more places to another [13]. Cloud networking plays a key role in extending network virtualization beyond data centers by bringing two new remarkable features to cloud computing: it allows the interconnection of geographically dispersed services across cloud infrastructures, and it connects users and devices to the services in the cloud. This gives cloud networking users the facility to specify their desired virtual infrastructure, the network properties used to access these resources, and how their infrastructure should be distributed and interconnected. Deploying storage and processing functions across a network as close to the end user as possible is more appropriate, as it helps achieve optimal performance of applications and services, as opposed to centralizing processing and storage functions in a single location, which can lead to poor network conditions like latency; this severely impacts the real-time execution of certain cloud applications in a centralized infrastructure. A geographically dispersed cloud enables better control over the end-user experience, although more servers may be needed depending on the needs and usage patterns. Examples of applications that are deployed on geographically distributed clouds are content distribution and virtual desktop services.

III. SECURITY THREATS

Security is a leading barrier affecting the broad traction of cloud computing in practical application domains, most especially when information technology governance necessitates robust information security governance and control concerning the accountability of cloud services and the sensitive information that is brought to the cloud [14]. From an end user's viewpoint, the security issues in the cloud are distinguished into cloud infrastructure security, compliance issues, management process security, governance, and application and platform security [14]. These security topics amass a great many confidentiality, integrity and availability problem areas, covering how content and system components are protected, who a user is and what the user is allowed to do (i.e. authentication and authorization), how cloud service providers can prevent abuse, and how the fulfillment of system properties can be verified and audited. Cloud networking introduces new categories of threats and risks to cloud computing security as a result of its associated networking capabilities, although there is also evidence of the prospect of cloud networking improving productivity and control over the cloud computing deployment, thus solving the security issues that most influence the adoption of cloud computing. The security challenges involved are explained below.

A. Information Security Threats

Information security refers to the confidentiality, integrity and availability of data (the CIA triad). These are the key basic principles of information security. All information threats, risks, vulnerabilities, security processes, security controls and measures for all organizations rely on the CIA triad to empower their security strategy [15].

1. Confidentiality of information and processes: this refers to preventing the disclosure of information to unauthorized users. Enhancing the confidentiality of information necessitates encryption, which is used to prevent unauthorized processing of the data. Other security controls that ensure confidentiality by restricting access to sensitive information include cryptography, security controls, network authentication and network authentication services. A homomorphic cryptography scheme in [16] meets the encryption challenge by proving that sending sensitive encrypted data to cloud providers for processing is not sufficient; instead it ensures that operations performed on encrypted data result in an encrypted version of the processed data. This indicates that when cloud users send code and data to an arbitrary cloud, they do not have a cryptographic mechanism that enables them to be sure of the confidentiality of the information sent.

2. Integrity: refers to the guarantee of data non-alteration. Integrity is compromised when information sent is willfully or accidentally modified in transit. Firewalls, intrusion detection, digital signatures and communication security are mechanisms used to provide data integrity. Cloud users must be indisputably certain that the data retrieved is consistent and correct with respect to the data stored. However, it may be difficult to determine integrity where data and applications are stored over volumes of hardware and the checksum mechanisms in place prevent us from ascertaining that the data has not been altered.

3. Availability: for any information to serve its purpose, the information must be readily accessible to authorized users. This means cloud infrastructure, software, the networks connecting clients to the service provider, data and security controls should always be available. Availability is an important and necessary component of information security and therefore poses a high threat. Attacks against the availability of information are denial of service attacks (DDoS). Authentication, fault tolerance through redundancy and network security ensure information reliability and robustness. Cloud systems are business oriented, with sharing of resources and exchange of data being central; therefore the risk of data breach through denial of service attacks will increase substantially.
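To make the integrity point above concrete, here is an added example (not code from the paper or the SAIL project) of a client-side keyed checksum: the cloud user keeps a secret key and stores an HMAC tag next to each object, so an alteration on the provider side or in transit is detected on retrieval even when the altered copy comes with a freshly recomputed plain checksum. The store class, the key handling and the sample object are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption of the example: the user holds a secret key that never leaves the client.
CLIENT_KEY = secrets.token_bytes(32)


class ProtectedStore:
    """Client-side wrapper around an untrusted object store.

    Each object is stored with both a plain checksum (what a provider-side
    mechanism would keep) and a keyed tag computed with the client's key.
    Only the keyed tag lets the user tell that retrieved data matches what
    was stored, because whoever alters the bytes can also recompute an
    unkeyed checksum over them.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._remote = {}   # stands in for the provider's storage (untrusted)

    @staticmethod
    def plain_checksum(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def _tag(self, name: str, data: bytes) -> str:
        # Bind the object name into the MAC so two stored objects cannot be swapped.
        msg = name.encode() + b"\x00" + data
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def put(self, name: str, data: bytes) -> None:
        self._remote[name] = {
            "data": data,
            "sum": self.plain_checksum(data),
            "tag": self._tag(name, data),
        }

    def get(self, name: str) -> bytes:
        rec = self._remote[name]
        if not hmac.compare_digest(rec["tag"], self._tag(name, rec["data"])):
            raise ValueError(f"integrity check failed for {name!r}")
        return rec["data"]

    def provider_checksum_ok(self, name: str) -> bool:
        # What a provider-side (unkeyed) checksum verification would report.
        rec = self._remote[name]
        return self.plain_checksum(rec["data"]) == rec["sum"]

    def simulate_silent_alteration(self, name: str, new_data: bytes) -> None:
        # Models the failure mode: the bytes are rewritten (by the provider or in
        # transit) and the plain checksum is refreshed to match the altered bytes.
        self._remote[name]["data"] = new_data
        self._remote[name]["sum"] = self.plain_checksum(new_data)


def demo() -> dict:
    """Store one constructed object, alter it silently, and compare both checks."""
    store = ProtectedStore(CLIENT_KEY)
    original = b"customer,amount\nacme,100\n"
    store.put("invoice.csv", original)
    before_ok = store.get("invoice.csv") == original
    store.simulate_silent_alteration("invoice.csv", b"customer,amount\nacme,900\n")
    try:
        store.get("invoice.csv")
        keyed_accepts = True
    except ValueError:
        keyed_accepts = False
    return {
        "before_alteration_ok": before_ok,
        "plain_checksum_accepts_altered": store.provider_checksum_ok("invoice.csv"),
        "keyed_check_accepts_altered": keyed_accepts,
    }
```

The plain checksum still matches after the alteration while the keyed check fails, which is the gap the paragraph describes between a checksum the storage layer keeps and a verification the user controls.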

B. Virtualization Environment Threats

Virtualization provides the ability to run multiple operating systems and applications concurrently on the same physical board, sharing the underlying hardware resources. Cloud virtualization environment threats are elucidated below [15].

1. Dormant virtual machines: inactive virtual machines pose a viable threat, as they do not have up-to-date security patches, leaving them vulnerable to attack when brought back online. It is also possible for dormant VMs to store sensitive data such as encryption keys, authentication credentials, etc. Furthermore, because dormant VMs are not actively used, monitoring access to their data is impossible, and this creates a security risk through the loss of, or access to, the virtual machine.

2. Unsecure network transfer: migration of virtual machines from one physical node to another using traditional or new protocols through the network can be exploited to attack the system.

3. Privilege escalation: a hacker can acquire the virtual system rights of another user and then attempt to elevate his or her level of access rights in order to attack another virtual system with a higher level of access rights using the hypervisor.

4. Poor access controls: the hypervisor is the backbone of virtualized infrastructure and mediates hardware resources to virtual machines. This creates an attack surface for the hypervisor, as it provides a single point of access to the virtual environment and may expose any trusted network through a poorly designed access control system, poor monitoring tools and poor patching, allowing attackers to gain access to individual virtual machines.

5. Configuration flaws: the convergence of multiple technologies and the accumulation of several layers of networks and systems in the virtual system introduce a considerable amount of complexity into virtualized configuration. This increased complexity can lead to accidentally creating security vulnerabilities and threats through improper configuration of virtual machines. In addition, the presence of these vulnerabilities in a virtualized environment significantly impacts the security of other replicated virtual components and consequently affects the entire cloud environment.

C. Communication Threats

It is paramount to secure all network communication between virtual machines and the distribution of virtual infrastructures, as it can potentially be exposed to malicious users and network traffic. Due to the integration and combined access to physical and virtual network infrastructure, new attacks arise and will need to be handled. One significant challenge is to define rules that manage cloud networking access to the physical infrastructure and network properties; enforcing these rules will also prove difficult due to the complexity of these environments. In addition, policy-based control should be distributed to virtual infrastructures moving within the virtual environment.

In doing so, it reduces risk, as virtual infrastructures can be moved between physical hosts based on assigned policies; e.g. a policy might specify in which legal space a virtual infrastructure is allowed to be placed or migrated, as legal restrictions on movement apply [17].

D. Abuse and Nefarious Use of Cloud Networking Capabilities

The great amount of computational and communication resources made effortlessly available by cloud networking and cloud computing can be exploited and misused, e.g. for denial of service attacks, spamming, large-scale hacking, providing illegal content and brute-force password cracking. Auditing can help detect and remediate this kind of malicious attack by looking in the DNS traffic for domain names being served by a fast-flux service. However, distinguishing legitimate usage from misuse during the automated detection of these attacks is in itself a challenge. Cloud network hackers may take advantage of the vulnerabilities that result from these threats by using well-known techniques. For example, an external attacker can mount an attack on the cloud infrastructure in order to gain access to resources by eavesdropping on incoming and outgoing communication using existing vulnerabilities in the system. For a malicious insider, however, the impact on the cloud system is considerable given their level of access: they could gain total control of the cloud services, harvest confidential data, or even attack other cloud users with little or no detection. When analyzing cloud computing, insider and external attackers are often treated interchangeably; however, in the case of cloud networking, legal aspects and lawful intercepts apply. The legal space is to be taken into consideration when distributing virtual components, because they may cross legal restrictions when moving to arbitrary physical cloud networking infrastructures.
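The DNS audit mentioned above, as an added example that is not from the paper or the SAIL project: it scores each domain seen in constructed DNS response records by the number of distinct A-record addresses, their spread across /16 networks and the record TTL, which are the usual fast-flux signals, and the CDN-style domain in the sample shows why legitimate use is hard to separate from misuse by these heuristics alone. The log format, the weights and thresholds, and every domain and address are constructed assumptions, not real indicators.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed DNS response log, one "timestamp domain type address ttl" record per
# line. Domains and addresses are made up for the example (documentation ranges).
SAMPLE_DNS_LOG = """\
1700000000 update.example-bad.test A 203.0.113.10 180
1700000120 update.example-bad.test A 198.51.100.77 180
1700000240 update.example-bad.test A 192.0.2.55 180
1700000360 update.example-bad.test A 203.0.113.200 180
1700000480 update.example-bad.test A 198.51.100.9 180
1700000600 update.example-bad.test A 192.0.2.140 180
1700000000 www.example-corp.test A 192.0.2.10 86400
1700003600 www.example-corp.test A 192.0.2.10 86400
1700000000 cdn.example-cdn.test A 203.0.113.20 60
1700000060 cdn.example-cdn.test A 203.0.113.21 60
1700000120 cdn.example-cdn.test A 203.0.113.22 60
1700000180 cdn.example-cdn.test A 203.0.113.23 60
1700000240 cdn.example-cdn.test A 203.0.113.24 60
"""


@dataclass
class DomainStats:
    addresses: set
    min_ttl: int


def parse_dns_log(text: str) -> dict:
    """Collect, per domain, the distinct A addresses and the smallest TTL seen."""
    stats = defaultdict(lambda: DomainStats(set(), 2**31))
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "A":
            continue  # skip malformed lines and non-A records
        _, domain, _, addr, ttl = fields
        s = stats[domain]
        s.addresses.add(addr)
        s.min_ttl = min(s.min_ttl, int(ttl))
    return dict(stats)


def slash16(addr: str) -> str:
    return ".".join(addr.split(".")[:2])


def flux_score(s: DomainStats) -> float:
    """Heuristic: many distinct addresses, spread over many networks, short TTLs.
    The weights are constructed for the example; this is not a calibrated detector."""
    n_addr = len(s.addresses)
    n_nets = len({slash16(a) for a in s.addresses})
    short_ttl = 1.0 if s.min_ttl <= 300 else 0.0
    return n_addr * 0.5 + n_nets * 1.0 + short_ttl * 2.0


def classify(text: str, threshold: float = 7.0) -> dict:
    """Return {domain: (score, verdict)} with verdict 'suspect', 'review' or 'ok'."""
    out = {}
    for domain, s in parse_dns_log(text).items():
        score = flux_score(s)
        if score >= threshold:
            verdict = "suspect"
        elif score >= threshold / 2:
            # Short TTL plus many addresses inside ONE network is what a CDN looks
            # like too, so this band is handed to an analyst rather than auto-blocked.
            verdict = "review"
        else:
            verdict = "ok"
        out[domain] = (score, verdict)
    return out
```

On the sample the rotating multi-network domain scores 8.0 (suspect), the corporate site 1.5 (ok) and the CDN-style domain 5.5 (review), so the audit narrows the search but a human or further signals still decide the middle band.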
While lawful intercepts are not examples of traditional malicious attacks, they are a violation of the cloud networking customer's security goals.

IV. THREATS TO INFRASTRUCTURE AND DATA

A threat is any circumstance or event with the potential to adversely affect a system by exploiting security vulnerabilities in the system. A threat to cloud networking and computing can be either intentional (deliberate and malicious) or accidental (human error), and can result in a partial loss of confidentiality, integrity and availability. The threats to the cloud network infrastructure and computing are summarized and listed below [15][18][19].

1. TCP session hijacking attack: this is a method whereby an attacker takes over a web session by stealing the session ID between a trusted client and a network server and then masquerades as the legitimate user. Once the attacker has managed to gain control of the session, he or she can do anything on the network, e.g. gain unauthorized access to information or services that the user is entitled to, and also carry out a wide range of malicious activity.

2. Eavesdropping attack: this poses a major threat to cloud infrastructure and data, as the communication channel between service provider and cloud user may be monitored, intercepted or modified by unauthorized parties. Examples of network transmission methods vulnerable to eavesdropping attacks include mobile and wireless communication.

3. Denial of service attack (DDoS): the risk is that an external attacker may launch a DDoS attack by flooding the cloud service provider's network with thousands of requests, with the aim of exhausting network resources and interrupting services, which as a result will leave both cloud providers and individual users unable to provide or receive services.

4. Network intrusion attack: the risk associated with network intrusion is that an attacker may penetrate and damage or steal the user's data by remotely exploiting vulnerabilities in the cloud service provider's systems or applications.

5. Malware injection attack: this is a type of security threat where an attacker creates a malicious virtual machine instance and adds it to the cloud system in order to redirect valid cloud users' requests to the malicious instance. Such an attack could serve any particular purpose the attacker is interested in, e.g. exploiting privileged access capabilities, gaining access to resources or making data modifications.

CONCLUSION

Cloud networking surpasses traditional networks to redefine scalability of resources, management processes and administration. It promises to provide a flexible network infrastructure, guaranteed delivery, reduced latency, self-healing resilience and extensible management. Although the benefits associated with cloud networking are numerous, it still struggles to gain recognition for its merits due to the security deficiencies that exist. Organizations will not only need an accurate understanding of cloud computing and cloud networking security risks, but must also understand the applicable rules, practices, laws and regulations governing the cloud environment, to ensure that they choose a suitable cloud service provider in order to effectively safeguard the security of customers' information. The cloud environment abounds with sensitive information; therefore cloud service providers and organizations both have a role to play in the security responsibilities of cloud networking, as responsibility for the delivery of security services cannot be entirely outsourced to the cloud provider alone. As cloud networking becomes more complex, dynamic and distributed, gaining comprehensive network security and visibility will be challenging. These security challenges can be grouped into virtualization security, cloud data protection, cloud control with distribution transparency, and secure operations. With the continuous growth of cloud computing, one can expect to see security incidents and new vulnerabilities that will make cloud networking susceptible to attack. Threats to the network may become sophisticated, stealthy and targeted; however, cloud networking can mitigate its security threats and misuse by adapting the security management tools and countermeasures of cloud computing.

REFERENCES
[1] SAIL project website (2010). URL http://www.sail-project.eu/
[2] S. Subashini and V. Kavitha, "A survey on security issues in service delivery models of cloud computing," Journal of Network and Computer Applications, Vol. 34, Issue 1, 2011, pp. 1-11.
[3] J. McCarthy, MIT Centennial Speech of 1961, cited in Architects of the Information Society: Thirty-five Years of the Laboratory for Computer Science at MIT, S. L. Garfinkel, Ed. (1999).
[4] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. H. Katz, A. Konwinski, G. Lee, D. A. Patterson, A. Rabkin, I. Stoica and M. Zaharia, "Above the clouds: A Berkeley view of cloud computing," Tech. Rep. UCB/EECS-2009-28, EECS Department, University of California, Berkeley (2009).
[5] VMware (2010). URL http://www.vmware.com
[6] T. P. Bhatt and P. J. Patel, "Survey on Virtualization with Xen Hypervisor," International Journal of Engineering Research & Technology, Vol. 1, Issue 8, 2012.
[7] K. K. Ram, J. R. Santos, Y. Turner, A. L. Cox and S. Rixner, "Achieving 10 Gb/s using safe and transparent network interface virtualization," International Conference on Virtual Execution Environments, pp. 61-70, March 2009.
[8] S. Srinivasan, J. W. Lee, D. L. Batni and H. Schulzrinne, "ActiveCDN: Cloud Computing meets Content Delivery Networks," Computer Science Department, Columbia University, 2011.
[9] P. Schoo, V. Fusenig, V. Souza, M. Melo, P. Murray, H. Debar, H. Medhioub and D. Zeghlache, "Challenges for Cloud Networking Security," 2011.
[10] H. Bannazadeh, A. Leon-Garcia, K. Redmond, G. Tam, A. Khan, M. Ma, S. Dani and P. Chow, "Virtualized Application Networking Infrastructure," in Proc. of the 6th International Conference on Testbeds and Research Infrastructures for the Development of Networks and Communities, 2010.
[11] M. K. Chowdhury and R. Boutaba, "A Survey of Network Virtualization," Elsevier Computer Networks, Vol. 54, Issue 5 (2010).
[12] N. Feamster, L. Gao and J. Rexford, "How to lease the internet in your spare time," SIGCOMM, Vol. 31, Issue 1, pp. 61-64, 2008.
[13] F. Hao, T. V. Lakshman, S. Mukherjee and H. Song, "Enhancing Dynamic Cloud-based Services using Network Virtualization," SIGCOMM Comput. Commun. Rev., Vol. 40, No. 1, pp. 67-74 (2010).
[14] Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 (Dec 2009).
[15] R. L. Krutz and R. D. Vines, "Cloud Computing Software Security Fundamentals," in Cloud Security: A Comprehensive Guide to Secure Cloud Computing, New York, NY: Wiley, 2010.
[16] M. van Dijk, C. Gentry, S. Halevi and V. Vaikuntanathan, "Fully homomorphic encryption over the integers," Advances in Cryptology (EUROCRYPT 2010), pp. 24-43, 2010.
[17] C. Basescu, A. Carpen-Amarie, C. Leordeanu, A. Costan and G. Antoniu, "Managing data access on clouds: A generic framework for enforcing security policies," in AINA, IEEE Computer Society, 2011, pp. 459-466.
[18] S. Qaisar and K. Fiaz Khawaja, "Cloud Computing: Network security threats and countermeasures," Interdisciplinary Journal of Contemporary Research in Business, Vol. 3, No. 9, January 2012.
[19] M. Yildiz, J. Abawajy, T. Ercan and A. Bernoth, "A Layered Security Approach for Cloud Computing Infrastructure," 10th International Symposium on Pervasive Systems, Algorithms, and Networks, pp. 763-767, doi: 10.1109/I-SPAN.2009.157.