Abstract
Firewalls are a prerequisite for securing any communication network. In cloud computing environments, virtual machines are dynamically and frequently migrated across data centers. This frequent modification in the topology requires frequent reconfiguration of security appliances, particularly firewalls. In this paper, we address the issue of security policy preservation in a distributed firewall configuration within a highly dynamic context. Thus, we propose a systematic procedure to verify security compliance of firewall policies after VM migration. First, the distributed firewall configurations in the involved data centers are defined according to the network topology expressed using Cloud Calculus. Then, these configurations are expressed as propositional constraints and used to build a verification model based on the constraint satisfaction problem framework, which allows reasoning on security policy preservation. Finally, we present a case study inspired from Amazon EC2 to show the applicability and usefulness of our approach.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Malcolm, D.: The Five Pillars of Cloud Computing (2009), http://soa.sys-con.com/node/904780 ; SOA & WOA magazine, Cloud Expo article (last visited, April 2012)
Jarraya, Y., Eghtesadi, A., Debbabi, M., Zhang, Y., Pourzandi, M.: Cloud calculus: Security verification in elastic cloud computing platform. In: The Proceeding of the 2012 International Conference on Collaboration Technologies and Systems (CTS), pp. 447–454. IEEE (2012)
Biere, A., Cimatti, A., Clarke, E.M., Strichman, O., Zhu, Y.: Bounded Model Checking. Advances in Computers, vol. 58, pp. 117–148. Elsevier (2003)
Jeffrey, A., Samak, T.: Model Checking Firewall Policy Configurations. In: IEEE International Symposium on Policies for Distributed Systems and Networks, POLICY 2009, pp. 60–67 (July 2009)
Tamura, N., Banbara, M.: Sugar: A CSP to SAT Translator Based on Order Encoding. In: The Proceedings of the Second International CSP Solver Competition, pp. 65–69 (2008)
Yuan, L., Chen, H., Mai, J., Chuah, C.-N., Su, Z., Mohapatra, P.: Fireman: a toolkit for firewall modeling and analysis. In: IEEE Symposium on Security and Privacy, pp. 199–213 (May 2006)
Ben Youssef, N., Bouhoula, A.: Automatic Conformance Verification of Distributed Firewalls to Security Requirements. In: 2010 IEEE Second International Conference on Social Computing (SocialCom), pp. 834–841 (August 2010)
Gawanmeh, A., Tahar, S.: Modeling and Verification of Firewall Configurations Using Domain Restriction Method. In: 6th International Conference on Internet Technology and Secured Transactions (December 2011)
Al-Shaer, E., Marrero, W., El-Atawy, A., ElBadawi, K.: Network Configuration in a Box: Towards End-to-End Verification of Network Reachability and Security. In: 17th IEEE International Conference on Network Protocols, ICNP 2009, pp. 123–132 (October 2009)
Acharya, H., Gouda, M.: Firewall Verification and Redundancy Checking are Equivalent. In: 2011 Proceedings IEEE INFOCOM, pp. 2123–2128 (April 2011)
Kotenko, I., Polubelova, O.: Verification of Security Policy Filtering Rules by Model Checking. In: The Proceedings of the IEEE 6th International Conference on Intelligent Data Acquisition and Advanced Computing Systems (IDAACS), vol. 2, pp. 706–710 (September 2011)
Gouda, M., Liu, A., Jafry, M.: Verification of Distributed Firewalls. In: Global Telecommunications Conference, IEEE GLOBECOM 2008, pp. 1–5. IEEE (December 2008)
Yin, Y., Xu, J., Takahashi, N.: Verifying Consistency between Security Policy and Firewall Policy by Using a Constraint Satisfaction Problem Server. In: Zhang, Y. (ed.) Future Wireless Networks and Information Systems. LNEE, vol. 144, pp. 135–146. Springer, Heidelberg (2012)
Cardelli, L., Gordon, A.D.: Mobile Ambients. Theoretical Computer Science 240(1), 177–213 (2000)
Bugliesi, M., Crafa, S., Merro, M., Sassone, V.: Communication and Mobility Control in Boxed Ambients. Inf. Comput. 202(1), 39–86 (2005)
Syntax of sugar csp description (2010), http://bach.istc.kobe-u.ac.jp/sugar/sugar-v1-14-7/docs/syntax.html (last modified: Tuesday June 29, 13:09:26, 2010 JST)
Lu, L., Safavi-Naini, R., Horton, J., Susilo, W.: Comparing and debugging firewall rule tables. IET Information Security 1(4), 143–151 (2007)
Amazon.com, Amazon web services: Overview of security processes (May 2011), http://awsmedia.s3.amazonaws.com/pdf/AWS_Security_Whitepaper.pdf
van Harmelen, F., Lifschitz, V., Porter, B.: Handbook of Knowledge Representation. Elsevier Science (2008)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Jarraya, Y., Eghtesadi, A., Debbabi, M., Zhang, Y., Pourzandi, M. (2012). Formal Verification of Security Preservation for Migrating Virtual Machines in the Cloud. In: Richa, A.W., Scheideler, C. (eds) Stabilization, Safety, and Security of Distributed Systems. SSS 2012. Lecture Notes in Computer Science, vol 7596. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33536-5_12
Download citation
DOI: https://doi.org/10.1007/978-3-642-33536-5_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33535-8
Online ISBN: 978-3-642-33536-5
eBook Packages: Computer ScienceComputer Science (R0)