2.3 Virtual Network Architectures
2.3.2 Architecture Comparisons
In this section we take an overarching view of all the architectures and briefly describe how they compare to each other in certain aspects. Each architecture has similar use cases, mainly in data centers and cloud computing, and each has its own trade-offs. No architecture is necessarily better overall than any other; rather, each is better in different areas such as flexibility or management. Table 1 shows an overview.
For flexibility of implementation, the VMware vSphere Distributed Switch Architecture, the PAN VM-Series Architecture, and the OpenStack Architectures allow for a diverse choice of architectures based on different virtual network components. However, OpenStack’s architectures vary, and once one is picked the whole system is set. VMware and the PAN architectures, on the other hand, allow for flexibility in the choice of virtual switch, virtual security components, etc., while also allowing them to be implemented at any point in time. CloudStack allows for the use of VMware network virtualization, so through that capability it also allows for some flexibility of architecture. The Contrail Architecture has some flexibility, but not as much as the other architectures, being limited by its lack of options for virtual switch (vRouter must be used) and virtual security components.

| Architecture | Implementation Flexibility | Management | Security and Management | Virtual Component Flexibility |
|---|---|---|---|---|
| VMware vSphere + PAN | Good, multiple options for vSwitch/security | Good management of virtual network, lacks physical network management | Good, has many distributed/centrally managed security features | None, must use VMware virtual components |
| Juniper Contrail | Some, has only one architecture, must use vRouter | Manages both virtual and physical, others manage virtual better | Relies on outside virtual security components | Very, allows different hypervisors and virtual components |
| OpenStack | Good, has multiple architecture and virtual component options | Same as VMware, virtual management slightly worse | Relies on outside virtual security components | None, must use OpenStack virtual components |
| CloudStack | Some, has different architectures based on network division | Same as Juniper | Relies on outside virtual security components | Very, can use different hypervisors and VMware vCenter |

Table 1: Architecture Comparison Overview
For management of a network, each architecture has its strengths and weaknesses. Juniper Contrail and CloudStack allow for management of both virtual and physical resources, while VMware and OpenStack do not. However, VMware and OpenStack allow for better management of virtual components, and both allow for the distribution and central management of switches and subnets. This allows a VM’s network configuration to be managed even as it moves around the physical network. For integration of security and easy management of it, VMware has the clear edge with its Distributed Switch Architecture, along with NSX and the PAN architecture. The vast options for virtual security through NSX and PAN put the VMware and PAN architectures above the rest. The other architectures all rely on outside security components and don’t provide centrally managed Virtual
CloudStack and Contrail allow for the most flexibility in type of hypervisors and virtual components used, with CloudStack being a little more flexible in this regard due to the Contrail Architecture needing to use its own virtual router. CloudStack is also flexible in that it allows for the use of VMware’s vCenter to manage the VMware virtual components. Juniper also allows for the choice between CloudStack and OpenStack for managing virtual resources. VMware/PAN and OpenStack are not flexible in this category as they require use of their own virtual components.
Chapter 3 SYSTEM DESIGN
To test the idea that dynamic topology changes can be used to secure a Virtual Network, we must set up a system to show the potential effects. An important part of that system is creating a Virtual Network environment for testing. To do this we use VMware’s virtual technology, which we explain in detail in section 2.3.1.1. VMware offers a large number of options for virtualized network and security components, making the creation of a viable environment easier. It is flexible and, since we won’t need to manage physical devices, it makes the most sense for creating our Virtual Network environment. Besides setting up a virtual environment, it is also necessary to simulate situations in which our dynamic defenses could be used as protection. We accomplish this through the use of Kali Linux and its many attack tools, which we use to run network attacks. We also set up a detection system, using the open source Snort IDS, to alert when an attack is happening. The alert is used to initiate our dynamic defenses. Finally, we implement virtual security components that are used in the dynamic defenses for securing the Virtual Network, leveraging VMware’s NSX. In this chapter, we detail how our system is built by describing our Virtual Network environment, the security components utilized for our dynamic defenses and how they are set up, how we run the network attacks, and how we detect those attacks. In section 3.1, we describe how we created all the hypervisors, VMs, and other virtual components in our environment and how they are set up. In section 3.2, we discuss the creation and setup of NSX and our virtual security components, which we utilize for our dynamic defenses. In section 3.3, we discuss our network attacks and how they are run using Kali Linux. Finally, in section 3.4, we look at the setup of the Snort IDS, which is used to detect the network attacks in our experiments.
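The alert-to-defense hand-off described above, as an added example that is not part of the thesis: it parses Snort 2 alert_fast lines (the sample lines, addresses and rule ids are constructed) and returns which target VM should be re-homed away from which attacker once enough high-priority alerts accumulate. The actual topology change through NSX is outside this snippet; the returned plan is what would drive it.

```python
import re
from collections import Counter

# Constructed sample lines in Snort 2 "alert_fast" format (addresses and rule
# ids are made up for this example, not taken from the thesis).
SAMPLE_ALERTS = [
    "08/14-14:26:15.123456  [**] [1:1000001:1] ICMP flood detected [**] "
    "[Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 192.168.10.50 -> 192.168.10.20",
    "08/14-14:26:16.000100  [**] [1:1000002:1] SSH brute force [**] [Classification: "
    "Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.50:43210 -> 192.168.10.20:22",
    "08/14-14:26:18.000000  [**] [1:1000003:1] Noisy scan [**] "
    "[Classification: Misc activity] [Priority: 3] {UDP} 192.168.10.51:5000 -> 192.168.10.21:53",
    "08/14-14:26:19.000000  [**] [1:1000002:1] SSH brute force [**] [Classification: "
    "Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.50:43211 -> 192.168.10.21:22",
    "this line is not a Snort alert and must be ignored",
]

# One alert_fast line: timestamp, [**] [gid:sid:rev] msg [**], optional
# classification, priority, {proto}, then src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None for a line that is not an alert."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])  # Snort priority: 1 is the most severe
    return fields

def plan_defense(lines, max_priority=2, min_hits=2):
    """Map each target that needs a topology change to the host attacking it.

    A target is selected once one source has raised min_hits alerts of priority
    <= max_priority against it, so a single stray alert cannot flap the defense.
    """
    hits = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["prio"] > max_priority:
            continue
        hits[(alert["src"], alert["dst"])] += 1
    return {dst: src for (src, dst), n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    print(plan_defense(SAMPLE_ALERTS))  # {'192.168.10.20': '192.168.10.50'}
```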
Figure 19: Topology of Host Virtual Network