This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
In this report I'll explore the security strategy of Amazon EC2 (which is based on a customized version of Xen) and VMware vShpere in protecting their virtual infrastructure. Also, I'll explore the security solutions used to protect the traditional data centres (technologies, deployment model, detection mechanisms, and main characterises). Finally, I've made a comparison between traditional data centres and cloud, to find what's new in the cloud to can identify the security potential targets.
Amazon Elastic Compute Cloud (Amazon EC2)
Amazon EC2 is a web service that provides resizable compute capacity in the cloud (Infrastructure as a service - IaaS). You can bundle the operating system, application software and associated configuration settings into an Amazon Machine Image (AMI). You can purchase On-Demand Instances in which you pay for the instances by the hour or Reserved Instances in which you pay a low, one-time payment and receive a lower usage rate to run the instance than with an On-Demand Instance or Spot Instances where you can bid for unused capacity and further reduce your cost . Amazon utilizes a customized version of the Xen hypervisor.
Amazon EC2 uses the Virtual Private Network (VPN) Technology to create Virtual Private Cloud (VPC) that enables customers to connect their existing IaaS compute resources in an isolated environment, as shown in figure 1. The VPC enforces Amazon EC2 management capabilities such as security services, firewalls, intrusion detection systems to include its cloud resources.
Figure 1: Using a VPN connection to connect remote access client to Amazon EC2.
Amazon VPC is a secure seamless bridge between a company existing IT infrastructure and the Amazon EC2, based on the VPN Technology. A VPN enables you to send data between two computers across public internetwork (such as Internet) in a manner that emulates the properties of a point-to-point private link .
EC2 is vulnerable to the traditional security threats that can affect traditional data centers, beside the new threats that can affect the virtual layer that include the hypervisor and the virtual machines. On the other hand, EC2 doesn't have any security responsibility for the virtual machines workload.
Beside the VPC connectivity, Amazon EC2 applies different security technologies to ensure its reliability and security for customers. Security within Amazon EC2 is provided on multiple levels :
Host Operating System Security; any access to the physical server is bounded by multi-factor authentication mechanisms to get access to the administration host, and all access trials are logged and audited.
Guest Operating System (VM) Security; virtual instances are completely controlled by the customer, where customer have full root access over accounts, services and applications. Amazon EC2 doesn't have access rights to customer instances.
Firewall; Amazon EC2 provide an inbound firewall solution. This firewall is configured in a default deny mode, and Amazon EC2 customers must explicitly open all ports needed to allow inbound traffic. The firewall filters inbound traffic based on the used protocol, service port, and the source IP address. Modifications to the Amazon firewall require customer's X.509 certificate and key to authorize changes. This firewall resides inside the Xen hypervisor, between the physical network interface and the instance's virtual interface, as shown in figure 2. All packets must pass through this layer, where no direct access between VMs.
Signed API calls; calls to launch and terminate instances, change firewall parameters, or perform any other functions are all signed by an X.509 or the customer's Amazon secret key access.
Figure 2: EC2 firewall inside Xen Hypervisor.
EC2 has announced lately a partnership with security vendor called "Gemalto", to sell its Ezio Time Token onetime password devices for use with individual EC2 accounts, as a security solution for the EC2 clients. The devices sell for $12.99 and, once activated, generate a random password every 30 seconds for a user's AWS login. Once bought, Gemalto's devices and a user's AWS account login are linked through Gemalto's "Strong Authentication" server.
Amazon Security Evaluation
In general, in EC2 security goes just to protect Amazon's own infrastructure. And the protection of data and software inside the VMs falls solely on EC2 clients. Amazon mainly applies protection mechanisms to authorize access, whatever this access at the network level or the application level. And also Amazon relies at the trust of the Xen hypervisor as trusted computing base. Amazon protection mechanisms are not sufficient to cope with the current revolution in attack and malwares, as follow (my evaluation of EC2 security will be for the virtual infrastructures only, not all other security concerns - e.g. identify management):
EC2 Firewall; the firewall just apply access control filters according to the packets header information (service port, inbound IP address and the high level and network level protocols). And this is completely not sufficient to protect the entire infrastructure, because header information contain only how to deliver the packet, and the real threat exists in the payload contents. Where the payload contents as it received by the TCP/IP stack of the NIC, it become valuable data, and can be executed inside the running environment. Even if the firewall has been upgraded to not just filter packets based on header contents, but also, filter based on the payload contents, it will be a time wasting process and will cause a big delay in the performance of the security solution. Because hackers usually use hacker evasive techniques (Encryption, polymorphism, Obfuscation, etc) to hide their presence and to spoof the installed security solutions.
Xen Hypervisor; EC2 utilizes a customized version from the Xen hypervisor. Xen hypervisor itself is exposed to a wide range of security threats, because its Trust Computing Base (TCB). Xen is not just a thin layer of a special purpose, but it also relies on the Domain0 operating system (Linux usually). The domain0 is part of Xen architecture. This causing the trust TCB to be very larger according to the huge amount of code lines that developed the Xen hypervisor and the Linux OS. Code size is widely used as one of the important metrics to measure software reliability, where there exists a direct correlation between the source code size and the amount of bugs and vulnerabilities exist.
VMware vShpere is the first Cloud operating system that is specifically designed to large collections of infrastructure, as a seamless, flexible, and dynamic operating environment (VMware vShpere is the first Cloud OS). Unlike traditional operating systems that manage individual machines, the cloud operating system aggregates the infrastructure of an entire data centre infrastructure to create a single powerful compute plan, whose resources can be allocated very quickly and dynamically to any application that need the resources .
VMware basically relay on the vShield Zones, as the main security solution to protect the virtual infrastructure. vShield Zones is an applicationâ€aware firewall built for VMware vCenterâ„¢ Server. vShield Zones is a critical security component for protecting virtualized datacenters from attacks. vShield Zones includes components and services essential for analyzing traffic and protecting virtual machines. vShield provides applicationâ€aware traffic analysis and stateful firewall protection by inspecting network traffic and determining access based on a set of rules .
vShield Zones provides firewall protection by enforcing global and local access control policies across all deployed vShield instances (one instance for each zone - VLAN). vShield Zones enables you to build firewall rules based on general traffic direction, application protocols and ports, IP addresses.
Within the vShield Manager, the VM Wall tab presents the firewall function of vShield Zones. VM Wall is a centralized, hierarchical access control list. You can manage VM Wall access rules at the datacenter and cluster levels, providing a consistent set of rules across multiple vShield instances.
By default, the VM Wall enforces a set of rules allowing traffic to pass through all vShield instances. These rules appear in the default rules section of the VM Wall table. The default rules cannot be deleted or added to. However, you can change the Action element of each rule from Allow to Deny. By default, the VM Wall rules governing Layer 2 and Layer 3 allow all traffic to pass.
A vShield inspects each passing packet header to gather information about each session to and from your virtual machines. Session details include the source, destination, direction, and service being requested. The traffic data gathered by all deployed vShield instances is aggregated in the vShield Manager.
In the vShield Manager, the VM Flow tab presents traffic analysis data. This data includes the number of sessions, packets, and bytes transmitted. VM Flow is useful as a forensic tool to detect rogue services, examine inbound and outbound sessions, and create VM Wall access rules.
Virtual Machine Discovery
After installation, each vShield inspects all passing network traffic to build an inventory of the operating systems, applications, and open ports on each virtual machine. This inspecting process is called discovery. The vShield Manager presents discovered virtual machine inventory under the VM Inventory tab.
If traffic to an unprotected virtual machine is discovered by a vShield, that virtual machine is highlighted in red in the inventory panel of the vShield Manager user interface. This enables you to quickly identify vulnerable servers and protect them with a new or existing vShield. Each virtual machine that is identified as unprotected by the discovery process is outlined in red in the inventory panel of the vShield Manager. This enables you to identify and protect all of your virtual machines. The vShield discovery operation can also be used to scan virtual machines, identifying open applications which might present security risks.
Using vShield Zones, you can build secure zones for a variety of virtual machine deployments. You can isolate virtual machines based on specific applications, VLAN segmentation, or custom compliance factors. Once you determine zoning policies, you can deploy vShield Zones to enforce access rules to each of these zones.
Figure3; Securing Specific Zones in Your Virtual Network with vShield Zones 
VMware Security Evaluation
Also, VMware provide security for its infrastructure not the VM workload, by the vShield Zones that apply stateful firewall protection at the network level only. But the VMware enjoys its small TCB, because it just relies on the VMware ESX hypervisor, which is compared with Xen hypervisor is relatively small, as shown in figure 4.
Security for Traditional Data centres
Traditional Security Technologies
Network security protection technologies can generally be categorized into six categories as shown in the figure:
Packet-Level Protection; It determines whether a packet is allowed or not by comparing some pieces of information in the packet headers (source/destination IP, source/destination port and protocol) with a predefined access list. Securing network traffic based on packet filtering is not sufficient to protect networks for attacks and unauthorized access, because it can't filter packets for content and it process packets at the protocol layer, but cannot filter packets at an application layer. Also it may cause disrupting communication sessions, by blocking an association of incoming traffic, and hence the outgoing responses will be prevented. Packet-level protection thus can allow in malicious packets that appear to be part of existing sessions, causing damage to protected resources.
Session-Level Protection; Session-level protection controls the flow of traffic by tracking the state of active connection sessions, and dropping packets that are not a part of an authorized session based on a session state table. The most common systems for session-level protection are stateful inspection firewalls that are able to hold in memory significant attributes of each connection. Session-level protection is the next-generation of the packet-level protection. Stateful firewalls depend on the famous three-way handshake of the TCP protocol, as shown in the figure.
Figure; Three-way handshake TCP connection.
Application-Level Protection; Application level protection technology works on the application level of the TCP/IP protocol and dynamically analyse it for signs of attacks. Proxy firewall is a common example for this technology. Proxies are mostly used to control outbound and inbound traffic. Proxy firewall are installed on a proxy server to act as a barrier between internal and external networks and, thereby prevent unauthorized entities from gaining direct access to internal network resources and block internal users from gaining access to unauthorized external resources. A proxy firewall presents a single network address to the Internet, rather than exposing the true addresses of internal users. The client establishes a connection with the proxy server, and the proxy server establishes a connection with the destination server. The proxy then forwards the data between the parties.
Os-Level Protection; OS-level protection technology monitors operating system's activities and objects in the kernel and user modes to block malicious and abnormal activities. For better understand; let's discuss the network flow inside the OS. Network packet is composed of header and payload. As packets appear at the Network Interface Card (NIC) the header become meaningless and the payload follow the cycle shown in the figure. As network packets appear at the Network Interface Card (NIC), they are passed to the TCP/IP driver to be assembled. After that they are passed to the corresponding kernel services to interpret packets' payload.
OS level protection technology depends on installing system wide hook inside the operating system kernel; this hook controls all operations of the operating system, and hence performs the analysis techniques that help in detecting malicious activities before these malicious activities access the OS. This protection technology is a very effective one, unlike the previous technologies, because the previous technologies inspect only packet headers, and if they tried to inspect packets payload, they will face the problem of evasion techniques. But in OS level protection technology packets' payload are interpreted whether they are encrypted or not.
OS-level protection is the new trend in the network security technologies, and it's implemented in the Host Intrusion Prevention Systems. Researches and projects in this technology are still rare.
Network traffic flow inside the OS.
File-Level Protection; File level protection provides the ability to extract files within traffic and inspect them to detect some malware types such as viruses. A common technology for file level protection is antivirus systems. An antivirus system looks for virus signatures - a unique string of bytes that identifies a virus - and extracts the virus from the file. Antivirus systems scan files that are embedded in network traffic, including files in HTTP traffic (web downloads) and files in email traffic (attachments). If an infected file is detected, the antivirus system removes it from the traffic, so it does not affect other users. Since there are thousands of known viruses, antivirus systems must be able to conduct thorough scans. Constant updates to the virus pattern file are required for effective protection against new virus outbreaks. This protection technology is so costly due to the huge updates needed every day to be up-to-date with the new discovered viruses. Also it doesn't provide the real time protection for networks due to the huge virus signatures database, and can detect zero-day threats.
Execution-Level Protection; This level of protection provides the protection as the user applications are executed (in run-time), by monitoring applications' executables and system resources and objects, in both user and kernel modes. In other words; when an application is executed, it becomes a process in the system memory and loads into its memory space the DLLs and the executables that are needed to execute this process. Monitoring applications at the execution-level enable detecting any hacking trials that intend to alter the execution path of a process or to install a system local hook. As OS-level protection is new trend in the network security technologies, also this level of protection is a new trend in network security technologies, and it's implemented in the host intrusion prevention systems. The proposed system of this thesis knocks the door this technology, and introduce a system that are partially based on this technology.
Security Solutions Deployment Models
Security solutions deployed in traditional date centres falls into two categories according to the operating platform. There are two main models of security solutions deployment:
Network-Based Security Solutions (NBSS); is deployed as in-line device with the network segment being protected. All traffic that flow between outside or inside the protected segment must pass through it. NBSS inspects the network traffic to detect and prevent malicious packets, and to control misuse and abuse of the unauthorized access to network resources. Firewalls, Intrusion detection/prevention systems are NBSS, where they depend mainly on network traffic to detect threats.
NBSS has multiple advantages. First; single control point for traffic can protect thousands of hosts located on the protected networks. Second; protects non-computer based network devices. NBSS has some disadvantages. First; it becomes nearly unusable if network traffic payload data are encrypted (Hacker Evasive Techniques). Second; not effective against Malwares and insider attacks not using the network.
Host-Based Security Solutions (HBSS); designed to protect servers and hosts operating systems and workloads from the flowing traffic into the enterprise workload (OS, applications, services) that affect the behaviour of system applications and the operating system. HBSS install software agents between applications and OS's kernel, to protect them against Malwares not detected by NBSS. HBSS binds closely with the operating system kernel and services, by monitoring kernel and user modes activities, these activities like intercepting kernel and user mode interactions, third-party applications calls to system APIs, system processes, memory read/write attempts and registry keys, file activities, network activities, and so on.
Advantages of HBSS are so effective and solve the drawbacks of NBSS. First; independent on the network architecture and on the installed applications, new installed software are protected automatically without no need for upgrading the security solution roles, because it's not tight to a specific application characteristics, but it handle all applications by their behaviour inside their running environment (OS). Second; protect systems against encrypted payloads that may contain attacks and malwares, where the encrypted data stream terminates at the system being protected. The only disadvantage with this approach is that, future OS upgrades can't be added automatically in such systems; it should be analysed carefully and upgraded in the IPS.
Security Solutions Detection Techniques
There are multiple analysis and detection techniques that are used in the traditional security solutions:
Signature-Based Detection Techniques; Detect attacks based on database of attack signatures and patterns. This result in low rate of false positives (false positive means raising alarm for a non real attack trial), but has some drawbacks: First, the high rate of false negatives (false negative means that there are a true attack or threat and the security solution doesn't feel it), because all of zero-day attacks will not be detected. Second, attacks increase exponentially each year, and modeling patterns and signatures for these attacks are costly, so signature-based techniques are unable to keep with the situation.
Rule-Based Detection Techniques; this technique is similar to Signature-Based in focusing on attack behavior, but instead of relying on signatures database. They rely on an expert system of general predefined rules written by security experts that can characterize attack behaviors. This method has the advantages of: first, eliminate the huge amount of attack signatures. Second; detect new attacks, but in a low accuracy degree.  Discuss this technique in the intrusion detection systems.
Anomaly-Based Detection Techniques; Focus on system behaviour rather than attack behavior. They detect malicious behaviors based on deviations from statistical profiles built using learning techniques. These profiles describe the normal behavior of the protected system. Anomaly-Based techniques give the advantage of detecting new attacks, but have the following disadvantages: firstly, the high rate of false positives caused by unusual but authorized activities. Secondly, the huge amount of data needed to build an extensive normal profile.  and  explain the implementation of that technique in intrusion detection/prevention systems.
Behaviour-based Detection Techniques; This technique is similar to Anomaly in that they detect attacks based on system behaviour rather than attack behaviour, also in detecting attacks as deviations from a norm, but instead of relying on machine learning techniques to build the normal profile, they are based on manually developed security specifications profiles and criteria by security experts and network administrator. This technique eliminates the high rate of false positives, eliminates the huge amount of data needed to train and build the system normal profiles, and detect novel Malwares that targets the operating system, because it focuses on the operating system behaviour rather than Malwares behaviour.
Superior Characteristics of Traditional Security Solution
The adoption of security technologies in the traditional data centres requires main characteristics that should exist in the security solution to deliver accurate, pre-emptive protection against network threats:
Performance. Performance has main requirements:
In-Line Protection. Transparent and in-line, while also supporting the other critical areas of preemptive protection.
Reliability. 24/7 monitoring and no point of failure, where this will cause system outages, causing attacks flow into the system.
Low Latency. Security solution must introduce a minimal amount of latency to network traffic and OS activities. Blocking actions must occur in real time, and latencies must be in the range of milliseconds.
Scalability. Security solution must scale to a large number of user sessions and transactions without disrupting business continuity.
High-Level Protection. The ability to provide a high level of protection at different layers against threats at earlier stages. In addition to the ability of detecting zero-day threats before accessing the system.
Accuracy. To block malicious traffic and activities while allowing legitimate traffic to pass through. The security solution must be able to accurately distinguish between malicious events and normal events, to control the amount of false positives and false negatives. This requires deep understanding of the company's business, security requirements and measures, and network topology, as well as extensive experience in planning and deploying security technologies and strategies.
Conquer Hacker Evasive Techniques. The hacker community is aware of the various security technologies and has identified ways to evade them. Here are common evasive techniques :
Encryption. NBSS rely on the data being transmitted in clear text. When packets are encrypted, the sensor captures the data but is unable to decrypt it and cannot perform meaningful analysis.
Obfuscation. Obfuscation refers to encoding the data before it is sent. This technique helps to make attacks unfeasible, as it is difficult to determine the correct clear text, and define hacker presence.
Cloud Security vs. Traditional Data Centers Security
Traditional security solutions can't cope with the revolution in the cloud technology. The cloud needs new security paradigms to can protect the entire architecture of the cloud. Below is a comparison between the cloud and the traditional data centres:
Traditional Data Centers (TDC) contain a huge number of servers, each perform a specific task and run a specific application with a single or multiple instances of the application. Each server has slightly high computational resources to avoid overloading and less performance capabilities, so no efficient resource utilization where not all the servers will be highly utilized all the time.
Cloud contains an additional layer that can aggregate a collection of traditional server into one server using the technology of server virtualization. Virtualization adds new layer to the traditional infrastructure. This new layer consists of the hypervisor, and virtual switch that control the communications between to virtual machines.
Traditional Data Centers; The large number of interconnections in the traditional data centres architecture leads to network utilization inefficiencies. Fifty percent of links are used for switch-to-switch connectivity, and the Spanning Tree Protocol (STP) blocks half of those links. Thus resulting in only 25% active links are being available for inter-switch connectivity .
Cloud; the flexibility of network virtualization in the cloud improves link and network utilization, because virtualization provides transparency of the underplaying network infrastructure. In the cloud, inside a single physical server, there are many VMs, each of which has at least one virtual network interface card (VNIC), and the VNICs communicate with external networks through the physical NICs of the server. The traffic multiplexing between the VNICs and PNICs is achieved with a software layer in the host, called virtual switch (vSwitch). Inter-VM traffic on a host doesn't touch the physical network: it is invisible to traditional network monitoring tools and unprotected by physical network security devices. As a result, VMs are highly vulnerable to attack .
Network virtualization can logically separate different networks on the same hardware, and partition resources accordingly. This feature is useful for providing network-resource sharing among different users. It is possible to support multiple isolated networks in this architecture by using VLANs combined with virtual switches in hypervisors. Both virtual switches in hypervisors and physical layer 2 and 3 devices in data center can be configured to support VLANs for each customer, to extend VLANs across layer 3 networks, "VLAN trunking" can be used to tunnel packets across routers .
This huge number of VLANs on the same physical network may cause network management complications, and increase control overhead. For example, one physical link failure may trigger spanning tree computation on all VLANs that run on it. Another limitation is that it is not easy to enable user-specific security policy control. Security policies are enforced usually at the middle-boxes at aggregation layer, wher the middle-box solution is likely to be more secure since it is more difficult to be hacked by users, where no direct access from users to the aggregation layer. But to enforce security polices, packets has to traverse through the middle-boxes. The latest Cisco fiber extender solution addresses the problem of enforcing security polices in VLANs by forcing all traffic to go through the aggregation switch. But this creates unnecessary traffic load in aggregation switches since in many data centers majority internal traffic is between nodes within the same rack.
Figure; Virtual Switch in the Cloud: virtualization creates new Access Layer through vSwitch .
Server Workload and Network Topology
In the TDC the server workload is static, and its change over time is very slow and rare. But in the cloud the architecture is very dynamic and the existing workload change over time very quickly, according to creating new VMs, remove existing VMs, cloning VMs, pausing, restarting, etc. in addition to the mobile nature of the VMs that allow VMs to migrate from one server to another. The dynamic nature of the cloud leads to non predefined network topology environment.
No Physical Endpoints
Due to the server and network virtualization in the cloud, the number of physical endpoints such as switch and NIC are reduced to noticeably to nearly comparing with traditional data centers. N is the number of guest Oss running inside a single physical server, and P is the number of physical servers that exist in a cloud or data centre. This decrease in the physical endpoints leads to a complex virtual architecture, and protecting this virtual architecture is a real challenge.
The amount of workload and network traffic that run inside the cloud is duplicated many times comparing with the amount of workload and traffic that exist in a traditional data centre. Because multiple severs workloads are aggregated in a single physical server. Monitoring and analyzing this huge amount of activities and network traffic in a real time fashion is a real challenge.
Current cloud providers like Xen and VMware provide security for the cloud infrastructure based on stateful firewall protection that can't defend against Malwares and zero-day threats.
Cloud is more complex than traditional data centres due to many factors like dynamic and complex workload, and sever and network virtualization. Securing this ever changing dynamic environment requires new security solutions that can fit in the complex, dynamic nature of the cloud.