Bypass Network Security Detection Model for Virtual Machine Intranet




1 Jiao Guo, 2 Hang Wei, 2 Donghui Liu*, 2 Qinqun Chen, 2 Yuan Zheng, 2 Hongmin Cai, 2 Hao Chen
1 Guangzhou University of Chinese Medicine, Guangzhou, guojiao@gzucm.edu.cn
2 School of Medical Information Engineering, Guangzhou University of Chinese Medicine, crwei@gzucm.edu.cn, liudonghui@gzucm.edu.cn, chenqq@gzucm.edu.cn, zy@gzucm.edu.cn, chm@gzucm.edu.cn, chenhao@gzucm.edu.cn

Abstract. The virtual intranet performance of the virtual machine manager is an important factor in keeping the whole virtual platform working efficiently. This paper offers a bypass model to detect network attacks in the virtual machine intranet. Compared with the filter model, the bypass model consumes very little performance of the virtual machine manager. The model also allows efficient and advanced detection by an external security device.

Keywords: Cloud, Virtual Machine, Security

1. Introduction

With the rapid development of the cloud, its security problems emerge in large numbers. Gartner Inc. has drawn seven conclusions about the security risks of cloud computing [1], and Dengguo Feng et al. have summarized three kinds of cloud security challenges in their research on cloud computing security [2]. The safety guidelines provided by the Cloud Security Alliance (CSA) specify the cloud security theme from thirteen aspects, and point out in particular that virtualization is an important theoretical basis of the three reference models of the cloud, namely Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) [3]. Meanwhile, virtualization also brings security and management issues for the virtual machine. Xen is the representative open source virtualization project. However, its network transfer among virtual machines is based on the mechanism of shared pages and event channels, so it is difficult to apply the usual methods of security detection.

In this paper, the intranet communication of virtual machines is detected by an outer security device by mirroring the virtual bridged packets to a physical NIC, which is a good solution to the performance bottleneck caused by security detection in the server. Meanwhile, a security agent module is applied to restrain dangerous network behaviors.

2. The Feature of the Security and Firewall Work on Cloud

Different from the physical mode, the features of cloud security mainly include the following [4]:
(1) Providing the safeguards. There are some aspects of risk evaluation for data integrity, data recovery and privacy protection. The data is centrally stored in different data centers, which carry out unified management and maintenance, take charge of resource allocation, deployment and safety control, and execute further safe and reliable real-time monitoring.
(2) Unique mechanism of anticipating control. It is the most special mechanism in the cloud computing platform; it can greatly improve the user's work environment and the settings of safe anticipating control, and realizes real-time security prevention based on specific requirements.
(3) Real-time monitoring of the cloud environment. It indexes and monitors the log recording dynamic information according to real requirements, supports extending log records using the system's special C2 pattern of audit tracking, and may monitor unusual access attempts to the database.
(4) Safety performance test. It regularly carries out SaaS safety performance and password strength tests for the cloud platform to guarantee system security and the reliability of password strength in time.
(5) Updating traditional antivirus patterns. The main feature of the cloud security structure is turning the previous virus-killing patterns into network cooperative ones, which greatly enhances the efficiency of virus sample extraction and software update. Users neither need to entirely set up and frequently upgrade antivirus software, nor occupy massive internal memory and network bandwidth.

Advances in Information Sciences and Service Sciences (AISS), Volume 5, Number 3, Feb 2013, doi: 10.4156/AISS.vol5.issue3.15

To cope with the new security problems, the cloud firewall possesses the following characteristics [5]:
(1) SensorBase-based dynamic updating policies. The cloud database SensorBase deployed on the Internet is the core of the cloud firewall; it collects malicious URLs, websites injected with Trojan horses and the features of detected … and viruses from around the world, and sends dynamic updates to client-side users worldwide in a timely manner. This is the most distinctive characteristic of the cloud firewall.
(2) Building reputation-associated cooperation with the IPS. The cloud firewall records the reputation value of the operating actions of users threatening network security, and when the value decreases to a fixed threshold, the reputation link is automatically closed. Users with good reputation who are once in a while affected by viruses or misoperation are only given a warning prompt.
(3) The virtual cloud side's mobile safety access. Presently, mobile network security access has aroused significant attention. Cloud security can realize the safeguarding of mobile access through SSL VPN technology.
(4) Real-time monitoring of the netflow in the cloud. One of the important means of cloud security and network protection is monitoring abnormal netflow. In the cloud firewall, such as with the NetFlow V9 technology adopted by Cisco, not only is the netflow detected by it, but network administrators also make use of it to manage the network.
Some researchers have presented user authentication, device authentication and the establishment of secure communication channels to solve the new problems [6].

2. Xen and Its Network Communication Model in Virtualized Environment

At present, Xen has become an extensive research platform for virtualization technology, for example OVS introduced by Oracle, which is based on Xen with a Linux kernel [7]. The integral structure of Xen is depicted in Fig. 1: the Xen Hypervisor is the virtualized platform, domain0 acts as the management agent of the Xen Hypervisor, and domainU is the actual business virtual machine. Xen supports both para-virtualization and full virtualization at the same time. PV provides efficient performance, and HVM supports almost all operating systems including Windows by hardware virtualization technology [8].

Figure 1. Structure of Virtual Machine Run on Single Node

Xen implements network transfer among domainUs, and between a domainU and the outside, through the shared page and event channel. First, all network communication data of a domainU is transferred to the netback of domain0 through its netfront; then domain0 handles it. The default Xen configuration uses bridging within domain0 to allow all domains to appear on the network as individual hosts, so the virtual machine manager acts like a switch. It also works well in the route mode, where the virtual machine manager acts like a router.

3. Security Issues and Plight of Virtual Machine Intranet

To protect physical servers, an Internet data center (IDC) uses external security devices such as an Intrusion Detection System (IDS) and so on; these devices provide security service through the bypass or filter mode outside of the physical servers. However, network transfer within domains does not pass through the external hardware infrastructure at all, so the current network security devices are of no use against these security problems. The 2/8 rule of thumb tells us that 80% of the risks will come from the interior, which includes intranet denial of service (DoS) attacks, intranet spoofing attacks, intranet vulnerability attacks and so on.

The current detection ideas are chiefly that a security strategy is deployed in the virtual machine manager to detect and protect the virtual intranet communication, which consumes a lot of CPU of the virtual machine manager. Tiejun Jia et al. designed an intelligent IPS model based on dynamic cloud firewall linkage which can seamlessly integrate the intelligent defensive system with virus-killing software, and greatly decreased the occupation of the computer's resources [9]. This model works well for the data which passes through the data switch, but does nothing for the data which passes within a single node.

Figure 2. Model of Intranet IPS

Liangliang Huang et al. put forward a network security model based on a virtual secure server [10]. The main idea of the model is that the virtual secure server runs in domain0 and is responsible for the overall deployment of the security strategy; after that, an agent module filters all data passing through the domain's vif, so that secure deployment is realized. In practice, we found that the model is suitable in a compute-intensive virtual environment, while it results in severe performance degradation in IO-intensive virtual environments. When the utilization rate of the domain0 VCPU reaches 100%, increasing the number of virtual machines leads to a gradual decline in network throughput [11]. When virtual machine technology is applied in fields such as server consolidation, communication within the virtual machines is quite frequent, so the communication mechanism of the virtual machine becomes the bottleneck [12].

Figure 3. Model of Virtual Security Server

Virtualization technology has lately attracted attention again as a way to improve the utilization of hardware resources and overcome the limitations of standalone systems. This technology allows us to consolidate several isolated virtual machines into one physical hardware system. If the server spends too much performance protecting the virtual network, it can hardly improve its utilization. So how to realize secure network communication while costing as little server performance as possible is the key to ensuring the availability of the security model.

4. Bypass detection model

4.1 Requirement analysis of security model

Given the features of cloud security, and since we need to take the performance consumption of the virtual machine manager into account, the model must have these features:
(1) The model allows the use of professional and efficient security devices. Today, many efficient security devices based on ASICs and network processors are used to detect the packets transferred in the physical network. How to use these professional devices to detect the packets transferred in the virtual network is an important job.
(2) In order to keep the physical server highly efficient, the model consumes very little performance of the virtual machine manager for security detection. So the model just handles packets in the low layer, and almost does not participate in security detection.
(3) The model can restrain an attack in a short time. In a cloud system, each server deploys many virtual machines, and virtual machines can be migrated to other servers. So restraining an attack in a short time is very important to prevent a system crash.
(4) The system is based on a modular method. The model can combine different security detections, and they can be replaced expediently.
(5) The model must be designed as a distributed detection node and centralized management architecture. In the cloud, each virtual machine manager runs as a detection node to protect the virtual network running on its server, so network administrators need a center to manage all virtual networks and detection nodes.

4.2 Bypass Detection Model design

The main idea of the model is to release security detection from the Xen server by sending the virtual bridged packets to an external security device, and then enforcing complex and efficient detection there. Because the detection is done by the external device, we call it the bypass model. Just like other virtual machine systems, the model has two kinds of physical NIC: one is linked to the outside network and the other is linked to the management network. Beyond that, the model sets up an extra physical interface, called the security NIC, which is linked to the security network. The security device can be one IDS, or two or more IDSs running in cluster mode, which serve the security detection. The security center acts as a management center: its first job is to receive alarms from the security device and deploy restraint policy to the virtual machine manager, and the other is to provide a unified management interface. In this model, the virtual machine manager does not analyse data; it just makes sure that the packets are sent with their own source MAC address and mirrors the packets to the physical NIC, so that it costs very little server performance. Figure 2 shows the structure of the whole model.

4.3 Single Server Security Model

Figure 4. Structure of the Bypass Detection Model

There are three key points in the model: mirror the packets from the virtual bridge in the data link layer; detect the packets by the external device; restrain the virtual machine attacker by the security agent deployed on domain0. Figure 2 shows the structure of the bypass model.

Figure 5. Structure of a Single Server

The model works as the following processes:
(1) Domain0 provides Xen network access for the guests, each referred to as a domainU. When packets are transferred in the bridge, domain0 makes copies just like a port mirror, and sends the copies to a physical Ethernet interface which is connected to an external security device.
(2) The security device detects net flows as usual. When it gets a security event, it sends warning info to the security agent working on domain0.
(3) The security agent chooses a reaction based on the security policy for the warning info.
(4) The security agent restrains the VM attacker by calling the xm tools. The following operations can be used to achieve restraint: reduce the VCPU Cap of the attacker; remove the attacker's network connection from the bridge; shut down the attacker; and so on.

There are three reasons that the model uses mirror mode to transfer the data which will be detected:
(1) The model is designed to detect an attack and restrain it, not to block the attack. Many cloud systems use cluster mode to deploy one application, so one virtual machine failure will not cause the whole application to crash, redeploying a new virtual machine costs little time, and most important of all, the virtual machine attacker is absolutely controlled by the virtual machine manager. So all we need is to find the attacker as fast as we can, not to block the attack.
(2) Mirror mode can support a higher data speed at the cost of a little detection delay.
(3) Mirror mode costs less manager performance, because the virtual machine manager does not need to deal with packets sent back from the security device.

4.2 Implementation of Packets Mirror

We call the skb_copy function in the Linux kernel to copy packets into a new sk_buff struct, but calling skb_copy at different points has different results. As we know, all bridged packets pass through the BROUTING and PREROUTING chains, and are then distributed to the INPUT, FORWARD, OUTPUT and POSTROUTING chains. In this case, the core concern is the packets which are sent to domain0 or other domainUs. So we have the following choices:
(1) Before mirroring a packet, we check the packet's source MAC address in the INPUT chain. If the packet does not have a correct MAC address, the virtual machine manager drops it.
(2) After the source MAC address check, if we want to mirror packets which are sent to domain0, we call skb_copy in the INPUT chain.
(3) If we want to mirror packets which are sent to other domainUs, we call skb_copy in the FORWARD chain.
(4) If we want to mirror packets which are sent to either domain0 or other domainUs, we call skb_copy in the PREROUTING chain.

4.3 Implementation of Attack Restrain

The attack restraint processes are implemented by the security center and the security agent. There are four processes in the security center:
(1) The security center receives an s-event from the security device. An s-event is an HTTP POST from the security device. The HTTP POST method has the following parameters: s-id means the id of the external security device, event-id means the type id of the warning info, srcmac means the source MAC address of the attacker, and srcip means the source IP address of the attacker. After that, the receiver generates a security event object including the above attributes and transfers it to the controller.
(2) The security center checks the attacker's source MAC address and finds out which virtual machine owns the MAC address.
(3) The security center finds the reaction for the event-id by querying the security policy database, which has a list of reactions that maps to the event-id. The database manager we use is MySQL.
(4) The security center sends a c-event containing the restraint policy to the security agent running in the virtual machine manager. A c-event is an HTTP POST method with the following parameters: c-id means the id of the event, operation-id means the type id of the restraint operation, srcmac means the source MAC address of the attacker, and srcip means the source IP address of the attacker.
(5) The security agent receives the c-event from the security center and restrains the attacker by calling the xm tools or the Xen API.

Figure 6. Process of Attack Restrain
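The attack restraint exchange above, written out as an added example (not the paper's own code): the security center decodes an s-event POST body, resolves the source MAC to the owning VM, looks up the reaction for the event-id, and emits the c-event that the agent on domain0 turns into an xm command. The POST parameter names (s-id, event-id, srcmac, srcip, c-id, operation-id) are the paper's; the vif table, the operation ids and the policy table are constructed sample data, and a dict stands in for the MySQL reaction database. The agent returns the xm argv it would run rather than executing it, so the mapping can be checked offline.

```python
"""Security center and security agent side of the attack-restrain process
(section 4.3): an s-event arrives, the center resolves the MAC to a VM, looks
up the reaction and emits a c-event, and the agent turns that into an xm call.

Added illustration, not the paper's own code.  The POST parameter names
(s-id, event-id, srcmac, srcip, c-id, operation-id) are the paper's; the
vif table, the operation ids and the policy table are constructed, and the
MySQL reaction database is stood in for by a dict."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Constructed: MAC of each guest vif -> (domain name, vif device id).
VIF_TABLE: Dict[str, Tuple[str, int]] = {
    "00:16:3e:00:00:01": ("guest-web", 0),
    "00:16:3e:00:00:02": ("guest-db", 0),
}

# Constructed operation ids for the three reactions listed in section 4.3.
OP_CAP_VCPU, OP_DETACH_VIF, OP_SHUTDOWN = 1, 2, 3

# Constructed policy table: event-id -> operation-id.
POLICY: Dict[int, int] = {
    101: OP_CAP_VCPU,    # e.g. ARP flood: throttle the offender first
    102: OP_DETACH_VIF,  # e.g. intranet spoofing: take the vif off the bridge
    103: OP_SHUTDOWN,    # e.g. exploit traffic: stop the VM outright
}


@dataclass
class SEvent:
    s_id: str
    event_id: int
    srcmac: str
    srcip: str


@dataclass
class CEvent:
    c_id: int
    operation_id: int
    srcmac: str
    srcip: str
    domain: str
    devid: int


def parse_s_event(body: str) -> SEvent:
    """Receiver, step (1): decode the s-event POST body into an event object.
    strict_parsing makes a malformed body raise instead of yielding blanks."""
    q = parse_qs(body, strict_parsing=True)
    return SEvent(
        s_id=q["s-id"][0],
        event_id=int(q["event-id"][0]),
        srcmac=q["srcmac"][0].lower(),
        srcip=q["srcip"][0],
    )


_next_c_id = 0


def controller(ev: SEvent) -> Optional[CEvent]:
    """Steps (2)-(4): resolve the MAC to a VM, look up the reaction and build
    the c-event.  Returns None when the MAC belongs to no known vif or no
    reaction is configured: an unknown (possibly forged) MAC must be logged,
    not acted on, or the center could restrain an innocent VM."""
    global _next_c_id
    owner = VIF_TABLE.get(ev.srcmac)
    op = POLICY.get(ev.event_id)
    if owner is None or op is None:
        return None
    _next_c_id += 1
    domain, devid = owner
    return CEvent(_next_c_id, op, ev.srcmac, ev.srcip, domain, devid)


def encode_c_event(c: CEvent) -> str:
    """Body of the c-event POST the center sends to the agent on domain0."""
    return (f"c-id={c.c_id}&operation-id={c.operation_id}"
            f"&srcmac={c.srcmac}&srcip={c.srcip}")


def agent_command(c: CEvent, current_cap: int = 0, step: int = 10) -> List[str]:
    """Step (5): map the c-event to the xm invocation the agent would run on
    domain0.  Returned as an argv list (to be executed with subprocess or just
    logged) so the mapping is testable offline.  Cap is lowered 10% per step
    as in the paper's test, never below 10%; cap 0 means 'no limit' to Xen and
    is treated as 100% here."""
    if c.operation_id == OP_CAP_VCPU:
        cap = max(10, (current_cap or 100) - step)
        return ["xm", "sched-credit", "-d", c.domain, "-c", str(cap)]
    if c.operation_id == OP_DETACH_VIF:
        return ["xm", "network-detach", c.domain, str(c.devid)]
    if c.operation_id == OP_SHUTDOWN:
        return ["xm", "shutdown", c.domain]
    raise ValueError(f"unknown operation-id {c.operation_id}")


if __name__ == "__main__":
    body = "s-id=ids-1&event-id=101&srcmac=00:16:3E:00:00:01&srcip=10.0.0.5"
    c = controller(parse_s_event(body))
    print(encode_c_event(c), agent_command(c))
```

The MAC lookup in controller() is the step that protects the model against a spoofed srcmac in an alarm: if the address is not in the center's vif table the event is dropped for logging instead of being turned into a restraint, which matters because the paper's design deliberately lets the hypervisor act on the attacker without further verification.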

5. Testing and Result

The test simulates a VM infected with a virus that sends a large number of ARP packets, which causes domain0 to be in a high VCPU usage state. The security device detects this attack and sends warning info to the security agent, and the agent reduces the VM's VCPU Cap to rehabilitate domain0. The environment of our test: two servers with two CPUs each (2 cores, 1.8 GHz), one as the Xen server and the other acting as the security device. The Xen version used is Oracle OVS; the domain0 kernel is OVS3 2.6.18-128.2.1.4.37.el5xen. The security device runs a program named checkarp on Fedora 16 to detect illegal ARP packets. The guest runs anysent in unlimited mode on Windows 2003 to simulate the ARP attack. Domain0 runs the xm tools to monitor the VM state. The guest simulates the ARP attack with no Cap limit, and then we observe how the bypass model works.

Table 1. Xen Domains VCPU set

Name      VCPU  Weight  Cap
Domain0   4     512     0
Guest     2     256     0

Table 2. Testing result

rate (pps)  dom0 vcpu (%)  domu vcpu (%)  domu-cap (%)
824         88.4           80.3           no limit
753         78.1           73.2           90
703         70.6           69.2           80
631         63.3           61.5           70
524         55.9           53.7           60
426         45.4           44.7           50
286         36.0           36.7           40
214         33.5           28.2           30
113         21.4           19.1           20
37          13.3           9.4            10

At the beginning, the guest's packet sending rate is 824 pps, which causes domain0 to work at 88.4% VCPU usage. After detecting the attack, the security agent reduces the VM attacker's VCPU Cap by 10% per step. When the Cap is reduced to 10%, the attacker can only send packets at 37 pps, and domain0 works at 13.3% VCPU usage. From the results there are three conclusions:
(1) Deploying packet mirroring on the bridge has very little influence on domain0's VCPU usage.
(2) Reducing the VCPU Cap of the VM attacker can restrain its attack and rehabilitate domain0.
(3) The bypass model is feasible.

6. Discussion

Because packet analysis consumes far more CPU performance than packet mirroring, the bypass model is more efficient than the filter model. And as we know, the bypass model is weaker in controllability, so the bypass model cannot work well on the Internet, where the attacker can hardly be controlled. But in the case of the virtual machine intranet, all attackers are wholly controlled by the virtual machine manager, so the bypass model can be a good solution for the virtual machine structure. At present, our bypass model is just in its infancy, and there is far more research to do, such as how it works at a high pps rate, how to improve its controllability and so on. But we consider that the bypass model will prove to be an effective and feasible solution for increasing the security of the virtual machine intranet.
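The test in section 5 relies on a checkarp program on the security device to recognise the ARP flood from the mirrored frames; the paper does not show that program. As an added illustration (not the paper's checkarp), the following detector does the kind of per-source rate check such a device performs: it counts ARP frames per source MAC over a one-second sliding window of the mirrored traffic, emits one s-event with the fields the security center expects when a source crosses a packets-per-second threshold, and re-arms once that source calms down. The frame records, the threshold and the event-id are constructed; the s-event field names are the paper's.

```python
"""ARP-flood detection of the kind the paper's checkarp program performs on
the security device: count ARP frames per source MAC over a sliding window of
the mirrored traffic and raise an s-event when a source exceeds a
packets-per-second threshold.

Added illustration, not the paper's checkarp.  The frame records, the
threshold and the event-id are constructed; the s-event field names are the
paper's."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple

ETH_P_ARP = 0x0806
ARP_FLOOD_EVENT_ID = 101   # constructed event-id for "ARP flood"
WINDOW_SECONDS = 1.0
THRESHOLD_PPS = 200        # constructed; far above normal ARP chatter

# A mirrored frame as the detector sees it: (timestamp, src MAC, EtherType, src IP).
Frame = Tuple[float, str, int, str]


class ArpFloodDetector:
    def __init__(self, s_id: str = "ids-1", window: float = WINDOW_SECONDS,
                 threshold: float = THRESHOLD_PPS) -> None:
        self.s_id = s_id
        self.window = window
        self.threshold = threshold
        self._times: Dict[str, Deque[float]] = defaultdict(deque)
        self._alerted: Set[str] = set()   # one s-event per source per flood

    def observe(self, frame: Frame) -> Optional[dict]:
        """Feed one frame; return an s-event the first time the source's ARP
        rate crosses the threshold, else None."""
        ts, srcmac, ethertype, srcip = frame
        if ethertype != ETH_P_ARP:
            return None
        mac = srcmac.lower()
        q = self._times[mac]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop frames older than the window
            q.popleft()
        rate = len(q) / self.window
        if rate > self.threshold:
            if mac in self._alerted:
                return None
            self._alerted.add(mac)
            return {"s-id": self.s_id, "event-id": ARP_FLOOD_EVENT_ID,
                    "srcmac": mac, "srcip": srcip}
        if rate < self.threshold / 2:
            self._alerted.discard(mac)        # re-arm once the source calms down
        return None


def detect_floods(frames: List[Frame]) -> List[dict]:
    """Run the detector over a capture (sorted by time) and collect s-events."""
    det = ArpFloodDetector()
    events: List[dict] = []
    for f in sorted(frames, key=lambda x: x[0]):
        ev = det.observe(f)
        if ev:
            events.append(ev)
    return events


def sample_frames() -> List[Frame]:
    """Constructed one-second capture: a guest flooding ARP at 300 pps, a
    benign guest sending 20 ARP frames, and some IP traffic from the flooder
    that the ARP counter must ignore."""
    attacker, benign = "00:16:3e:00:00:01", "00:16:3e:00:00:02"
    frames: List[Frame] = []
    frames += [(i / 300, attacker, ETH_P_ARP, "10.0.0.5") for i in range(300)]
    frames += [(i / 20, benign, ETH_P_ARP, "10.0.0.6") for i in range(20)]
    frames += [(i / 50, attacker, 0x0800, "10.0.0.5") for i in range(50)]
    return frames


def s_event_body(ev: dict) -> str:
    """Encode the s-event as the POST body the security center receives."""
    return "&".join(f"{k}={v}" for k, v in ev.items())
```

Because the detector keys on the source MAC of the mirrored frame, it depends on the hypervisor-side source MAC check from section 4.2 having already dropped frames whose MAC does not match the sending vif; without that check a guest could have its flood attributed to a neighbour.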

7. Acknowledgement

This paper was supported by the special financial fund projects of Guangdong province, "Building up the Information-Technology Platform and Comprehensive Management System for the Inheritance and Innovation of TCM Culture", 2011. This paper is also supported by the GuangDong Natural Science Fund under grant No. S2012010008123.

References

[1] Jon Brodkin, "Gartner: Seven cloud-computing security risks", http://www.networkworld.com/news/2008/070208-cloud.html.
[2] Deng-Guo Feng, Min Zhang, Yan Zhang, Zhen Xu, "Study on Cloud Computing Security", Journal of Software, vol. 22, no. 1, pp. 71-83, 2011.
[3] Do-Yoon Ha, Chang-Yong Lee, Hyun-Cheol Jeong, Bong-Nam Noh, "Design and Implementation of SIP-aware DDoS Attack Detection System", AISS, vol. 2, no. 4, pp. 25-32, 2010.
[4] Chang-Lung Tsai, Uei-Chin Lin, "Information Security of Cloud Computing for Enterprises", AISS: Advances in Information Sciences and Service Sciences, vol. 3, no. 1, pp. 132-142, 2011.
[5] Tiejun Jia, Xiaogang Wang, "The Research and Design of Intelligent IPS Model Based on Dynamic Cloud Firewall Linkage", JDCTA: International Journal of Digital Content Technology and its Applications, vol. 5, no. 3, pp. 304-309, 2011.
[6] Liang-liang Huang, Jun Han, Lun-wei Wang, "Research on Secure-communication Mechanism Based Xen Hardware Virtual Machine", Computer Security, vol. 3, pp. 30-46, 2010.
[7] FU Sai-ping, Guo-lin Ren, "Research on Scalability of XEN Network I/O Full-virtualization Mechanism", Computer Engineering, vol. 34, no. 23, pp. 102-104, 2008.
[8] Tuan-jie Zhu, Li-rong Ai, "Research on Xen Inter Domain Communication Based on Shared Memory", Computer Technology and Development, vol. 21, no. 7, pp. 5-8, 2011.
[9] R. Buyya, C. S. Yeo, S. Venugopal, J. Broberg, I. Brandic, "Cloud Computing and Emerging IT Platforms: Vision, Hype, and Reality for Delivering Computing as the 5th Utility", Future Generation Computer Systems, vol. 25, no. 6, pp. 599-616, 2009.
[10] M. Naghshineh, R. Ratnaparkhi, D. Dillenberger, J. R. Doran, C. Dorai, L. Anderson, G. Pacifici, J. L. Snowdon, A. Azagury, M. VanderWiele, Y. Wolfsthal, "IBM research division cloud computing initiative", IBM Journal of Research and Development, vol. 53, no. 4, pp. 1:1-1:10, 2009.