
2.10 Isolation Configuration Issues

2.10.2 Security Aspects

Isolation means keeping one partition of a network separated from another. In these terms, confidentiality is hiding the information of one slice from another, and integrity is keeping one network's traffic separate from another network or from the system as a whole [22].

Security is the ultimate concern in cloud computing despite its considerable benefits. Because of multi-tenancy and resource sharing, a lack or weakness of isolation is the most alarming threat in the cloud. Public studies [105] have acknowledged that the greatest risk reported by cloud tenants is the leakage of sensitive information, together with exposure to neighbouring VMs. Data leakage is the unauthorised transmission of information, whether customer data, machine addresses or labels, to outside the system or organisation. Hence, tenants have been demanding physical isolation with resource detection to reduce the security risks.

Virtual platforms require a Security as a Service (SecaaS) mechanism above the management layer, with management actions logged and audited, because the management level, holding administrator privileges, has the power to provision resources to multiple tenants, manage infrastructure functionality and control resource separation; a misconfiguration at this level can cause data leakage [106].

In 2013, Kloti et al. [58] used the STRIDE vulnerability assessment guidance to uncover issues in an OpenFlow/SDN network setup. They discovered two vulnerabilities: Denial of Service and Information Disclosure [58]. OpenFlow has since been updated and these issues have been addressed in newer versions, yet there is still concern about whether OpenFlow is secure against leakage of network information and configuration data. No evidence or research exists on such data leakage, especially when OpenFlow is embedded in a large-scale distributed system such as a cloud [58]. These concerns led to our research into data leakage in cloud systems.

Chau and Wang [107] pointed out that most cloud research has focused on Virtual Network Embedding (VNE) while neglecting security aspects. The authors discussed security-aware network embedding but did not themselves note the issue of VN information and configuration data leakage in cloud computing.

With regard to security research on OpenFlow, there are papers on exploiting OpenFlow's visibility and on attacks against the end system [108][109]. Proposed solutions use a dynamic virtual IP on the inner side that is translated to an actual IP for outer communication [58]. Clouds obtain basic security through network isolation, while resource provisioning is done via the Internet. Security Groups are a supporting mechanism for network isolation in OpenStack Neutron, where the admin and users can configure security policies for categorising and routing VN traffic [41].
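The Security Group mechanism just mentioned is only as strong as its rules, and a permissive rule is one of the misconfigurations through which cross-tenant leakage occurs. The following audit is an added example, not code from the original work or from OpenStack; it runs over constructed rule dictionaries shaped like the records returned by the Neutron security-group-rules API (the field names are Neutron's, the values and the GROUP_OWNER map are invented) and flags ingress rules that open a tenant's VN to any source or to another tenant's group.

```python
"""Audit Neutron security-group rules for tenant-isolation gaps (added example).
The rules are constructed for this example and follow Neutron's field names;
GROUP_OWNER maps each security group to the project that owns it."""
import ipaddress

GROUP_OWNER = {"sg-web-a": "tenant-a", "sg-db-a": "tenant-a", "sg-app-b": "tenant-b"}

RULES = [
    # HTTPS from anywhere into the web tier: acceptable public exposure.
    {"id": "r1", "security_group_id": "sg-web-a", "project_id": "tenant-a",
     "direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 443, "port_range_max": 443,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    # MySQL only from the same tenant's web group: correct isolation.
    {"id": "r2", "security_group_id": "sg-db-a", "project_id": "tenant-a",
     "direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 3306, "port_range_max": 3306,
     "remote_ip_prefix": None, "remote_group_id": "sg-web-a"},
    # Every protocol and port from anywhere into the database tier: misconfiguration.
    {"id": "r3", "security_group_id": "sg-db-a", "project_id": "tenant-a",
     "direction": "ingress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    # Tenant B admits traffic from tenant A's database group: cross-tenant path.
    {"id": "r4", "security_group_id": "sg-app-b", "project_id": "tenant-b",
     "direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 8080, "port_range_max": 8080,
     "remote_ip_prefix": None, "remote_group_id": "sg-db-a"},
]


def audit_rules(rules, group_owner, public_tcp_ports=frozenset({80, 443})):
    """Return (rule id, reason) for each ingress rule that weakens isolation."""
    findings = []
    for r in rules:
        if r["direction"] != "ingress":
            continue  # egress rules do not admit neighbours' traffic
        prefix, remote_sg = r.get("remote_ip_prefix"), r.get("remote_group_id")
        # A /0 prefix (IPv4 or IPv6) means "any source".
        if prefix and ipaddress.ip_network(prefix).prefixlen == 0:
            unbounded = r["protocol"] is None or r["port_range_min"] is None
            ports = [] if unbounded else range(r["port_range_min"], r["port_range_max"] + 1)
            if (unbounded or r["protocol"] != "tcp"
                    or any(p not in public_tcp_ports for p in ports)):
                findings.append((r["id"], "open to any source beyond permitted public TCP ports"))
        # A remote group owned by another project creates a cross-tenant path.
        if remote_sg and group_owner.get(remote_sg) != r["project_id"]:
            findings.append((r["id"], "remote group belongs to another tenant"))
    return findings
```

Running `audit_rules(RULES, GROUP_OWNER)` reports r3 and r4 only; r1 is permitted public exposure and r2 stays within the tenant.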

New network technologies such as SDN have brought new security and privacy challenges. Because of the vast difference between traditional networks and the dynamic, programmable, elastic SDN, the old security concerns become more complex, with more targets to protect: the components of the data plane and the control plane (switches, controllers) and the connections between them. Moreover, data centres and clouds, which must protect shared environments with isolated tenant resources and the services provided to them, raise even more concerns.

Isolation of a VN affects network security positively, as DCPortalsNg showed in a DoS experiment: lost traffic was reduced by 90% in the isolated VN compared with the result in a non-isolated network [17].

Isolation failure is one of the defined potential security risks in cloud services and applications. Such risks may lead to the acquisition of critical data and systems, especially in an environment where multiple tenants share resources. It is even more hazardous when similar businesses use the same cloud service, as the isolation of all resources, compute, storage and networks, must not be broken [32].

With SDN controllers, isolation functions become a vital part of network security because the controller assesses and rebuilds communication for the entire network. Some controllers have shown weaknesses with OpenFlow applications, leading to vulnerabilities in the control of the whole network [111].

One case of SDN data leakage was caused by a security isolation failure of the logical network and credentials, which ended in VN deterioration. Because of the structured nature of SDN and the decoupling of the data and control planes, data modification is one of the VN security concerns, easily targeted where the isolation methodology shows weakness, as with FlowVisor [27].

Even with isolation helping to contain security threats in a multi-tenant structure, there remains the risk of compromising the hypervisor and breaking the isolation [102].

Modi and Patel [114] considered Cloud Virtual Network Security, similar to our research, but with a different research aim. While they approached the cloud virtual network security challenge by introducing an intrusion detection system (IDS) solution, our research aimed to investigate CVNI security for data leakage. Modi and Patel claimed that theirs was the first research to tackle IDS detection of both external and internal attacks, whereas other researchers tend to focus on the internal. We used a similar approach (external and internal attacks for security detection) to investigate our research question, except that we used a penetration testing methodology and investigated data leakage, while Modi and Patel used DoS/DDoS attack detection. Lopez et al. [115] proposed real-time security threat detection via machine learning for an NFV challenge on an Open Source platform. Lopez et al. worked on NFV using an Open Source platform (OpenStack) as the testing environment. This is similar to the research presented here, where we considered NFV as part of a cloud network and also used OpenStack as one of two testbeds. Lopez et al. also used the Kali Linux distribution to launch their attacks.

There are several works in progress on Virtual Networking, cloud Networking, NFV and SDN security research that intersect with our research but do not cover the same gaps:

1. Multi-tenant isolation in a cloud environment using Software Defined Networking [116]:

• Multi-tenancy and isolation between tenants using a vSwitch should provide more control over the isolation than current configurations do. Such control allows the vSwitch to save and use the tenant ID and handle the isolation from within the vSwitch itself.

2. Virtual Network Function (VNF) hardware trust in a network function virtualization (NFV) software defined network (SDN) [117]:

• To sustain communication trust between the source and targeted NFV SDN, trust between the source and targeted controller and between the source and targeted vSwitch is created via hardware trust verification.

3. provider [118]:

• This research intends to expand the current VNF provisioning so that services and functionalities are provided flexibly beyond the provider's service location, activating the service in the WAN and beyond; that is, providing NFV in any location, with any deployment environment and communication paths.