
SECURITY VLAN ISOLATION IN MULTITENANCY (CLOUD)

 

Project Name: SECURITY STUDY IN VLAN ISOLATION FOR MULTITENANCY (CLOUD)

Team Members:

Ronny Bull
David Schumann
Vinay Soni
Hitesh Wadekar


Introduction:

In today's cloud-scale networks, multiple organizations share the same physical infrastructure. Utilizing common processing and networking resources on an as-needed basis has become a standard business practice. Some cloud networks support implementations with dedicated physical servers for each customer, while other cloud network implementations support dedicated virtual servers per customer (on a common physical server). A single network environment that hosts multiple customers (tenants) allows the customers to reduce upfront costs for processing or networking resources, yet provides them with the flexibility to increase or reduce the resources as needed. Such multitenant environments are increasingly using these new architectures due to the advantages of server virtualization.

 

Key requirements of virtualized cloud-scale networks:

A virtualized, multitenant environment must allow the unlimited, transparent migration of workloads across physical servers, while controlling the cost and maintaining the quality of service the customer requires. Most importantly, virtualized data centers need the flexibility of provisioning resources that span multiple geographic locations. At the same time, the virtualized data centers must maintain isolation between tenants and still allow seamless management of the multitenant environment.

 

A virtualized cloud network must also accomplish the following:

a. Handle MAC address growth in conjunction with the explosive growth of VMs in the cloud data center.

b. Accommodate a larger number of VLANs to handle VM traffic segregation. VLAN isolation enforces the VLAN membership of a VM without the knowledge of the guest itself.

c. Provide isolation of the physical L2 network.

 

Solutions for virtualized cloud-scale networks:

To provide workload mobility and migration across geographic locations, one cloud network solution is to decouple the physical and logical addressing schemas. The tenant uses the logical address while the network infrastructure sees the physical address. This decoupling enables the flexibility required by the virtualized cloud data center for creating a faster, fatter and flatter network. Isolation of multitenant environments can be enabled through logical network configuration of multiple VLANs and IP subnets.

 

Security Issues:

The virtual switch, which is the key part of VLAN isolation in the cloud environment, directs incoming traffic to the designated virtual address only. The vSwitch and VLAN work at layer two of the network stack. Many layer two attacks have already been discovered. What we looked into is whether this newly formed architecture is resistant to these attacks.

 

2 Sample Design, Architecture, Installation and Configuration

In order to execute these attacks we set up a test system. This test system should act as an environment similar to common public cloud services, as these use VLANs extensively. There are many different ways to design such an environment. We chose to use one physical machine running Citrix XenServer version 6.2 as the compute server (hypervisor). For our cloud orchestration we can use OpenStack Havana.

 

 

2.1 Sample OpenStack design with Quantum + XenServer + KVM as a compute server


a. VLAN manager in OpenStack Quantum:


b. VMs with Open vSwitch:


c. Network virtualization overview:


Installation Steps

1 Physical Host

Citrix XenServer 6.2 (has inbuilt Open vSwitch)

Dom0 is dedicated to eth0 and eth1

eth0 is the network access Ethernet

eth1 is the management interface

We are running three virtual machines with Ubuntu 12.10 desktop versions.


We followed the Citrix XenServer installation guide at the following location:

http://support.citrix.com/servlet/KbServlet/download/34970-102-704220/installation.pdf

 

Attack Idea

We have found extensive sources that describe attacks on the second layer in great detail [3]. In the following table we list the attacks we found, together with the respective tools that we can use to execute them.

 

No | Attacks in Virtual Network | Tools to execute the attacks
1 | Malicious protocol function to modify the normal functionality of the virtual network |
2 | Sniff the state of the shared physical resources on the network infrastructure |
3 | Modify or selectively manipulate the data traffic associated with a particular VN | IP spoofing or MITM attack
4 | Send arbitrary data and control packets to flood the network and bring down the NI | DoS attack, MAC flooding attack (this can be done using macof)
5 | Assess the vulnerabilities of the infrastructure from the allocated resources | Maybe using scanning, recon?
6 | Initiate remote based attacks |
7 | Send attack packets to compromise or modify a specific functionality on the end system | RST attack
8 | VLAN jumping or hopping |

References and Links for the table above:

• Security Issues in Network Virtualization for the Future Internet: http://www.ecs.umass.edu/ece/wolf/pubs/icnc2012.pdf

• VLAN layer 2 attacks: http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-figueroa-williams.pdf and http://www.iaeng.org/publication/IMECS2008/IMECS2008_pp1143-1148.pdf


Layer 2 Attacks list:

No | Layer 2 attack name
1 | ARP Attacks
2 | MAC Flooding Attack / CAM Table Overflow Attacks
3 | DHCP Starvation Attack
4 | CDP Attack
5 | Spanning-Tree Attack
6 | Multicast Brute Force
7 | VLAN Trunking Protocol Attack
8 | Private VLAN Attack
9 | VLAN Hopping Attack
10 | Double-Encapsulated 802.1Q/Nested VLAN Attack
11 | VLAN Management Policy Server (VMPS) / VLAN Query Protocol (VQP) Attack

Tools (for the attacks listed above): Scapy, Yersinia, Macof, TCPDump, Cain & Abel, EtterCap, Ethereal

 

Attacks:

Out of these attacks we chose the MAC flooding and ARP attacks.

 

Tools:

As tools we used macof, arpsend and Wireshark.

 

Execution:

We used 4 VMs to run this attack: 3 VMs on one VLAN (100) and one VM on a separate VLAN (200), connected with a virtual bridge. This virtual setup was created by XenServer and Open vSwitch.

This is our setup:

4 Linux guests (Ubuntu)

VM3, VM4 and VM5 on VLAN 8

VM2 on VLAN 9


VM3: macof, Wireshark

VM4: Wireshark, arpsend

VM5: Wireshark

   

 

a. MAC flood attack:

Without attack:

VM3 machine:

- opened a command line and started to ping VM4


- checked the Wireshark trace on VM4 and VM5

Performing attack:

VM3 Ubuntu machine:

- started the MAC flood attack using the command -> macof -i eth0

- opened a command line and started to ping VM4

- observed the trace using Wireshark


Screen when the macof utility was being executed on VM3.


We were able to view the ICMP ping packets on VM5. This is because the switch's MAC table was flooded, so it acted as a hub and broadcast the packets.


b. ARP attacks:

Without attack:

VM3 machine:

- opened a command line and started to ping VM5


Observed the network traces on VM4 and VM5.


Performing attack:

 

VM4 Ubuntu machine:

- started the arpsend attack using the command -> arpsend -U -i 10.4.4.7 eth0

(The above command updates the ARP cache of the machines on the network with the given IP address. The IP address mentioned above belongs to VM5, and we run this command on VM4, which means VM4 is trying to impersonate VM5.)


VM3 Ubuntu machine:

- opened a command line, started a ping to VM5 and observed the traffic on both machines (VM4 and VM5).


We were able to view the traces on both machines.

After stopping the arpsend process, we repeated the above experiment and observed the traces.


We observed that when the ARP cache was updated from the attacker machine, that machine was able to view the packets directed to the victim. However, once we stopped the arpsend process on the attacker machine, things went back to normal.

 

Conclusion:

Based on our experiments we conclude that Open vSwitch is susceptible to MAC flooding and ARP attacks. However, once the attacks are no longer active, the network recovers to its normal state.

 

 

Explanation for the MAC flooding behaviour:

We believe that this is happening because the bridge acts as a hub when faced with more load than it can handle. Based on our observation we could say that OpenStack should implement further security mechanisms to prevent this attack. This attack is the first evidence that the VLAN isolation has been breached. We should run this MAC flooding attack on more heterogeneous systems with higher security measures to validate it.
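As an added detection example (not code from the report or from Open vSwitch), the following Python replays a constructed frame trace modelled on the VM3/VM4/VM5 setup and flags both conditions the experiments exposed: a port sourcing an implausible number of distinct MACs inside a short window (the macof behaviour that drove the bridge into hub-like flooding) and an ARP reply that rebinds an IP already learned with another MAC (the arpsend -U behaviour). Port names, MAC addresses and the frame record layout are assumptions; 10.4.4.7 is VM5's address as given above.

```python
"""Added example (not from the report or Open vSwitch): flag the two conditions
the experiments exposed by replaying a constructed frame trace. Port names, MAC
addresses and the frame record layout are assumptions; 10.4.4.7 is VM5's IP."""
from collections import defaultdict, deque

# Frame record: (time_s, ingress_port, src_mac, arp); arp is None for non-ARP
# frames or (sender_ip, sender_mac) for an ARP reply.
FLOOD_WINDOW_S = 1.0
FLOOD_THRESHOLD = 100   # distinct source MACs per port within the window


def detect_mac_flood(frames, window=FLOOD_WINDOW_S, threshold=FLOOD_THRESHOLD):
    """Return [(time, port, distinct_macs)], one alert per port, when a port
    sources more than `threshold` distinct MACs inside `window` seconds.
    A guest has one or a few MACs; macof emits a new random one per frame,
    which is what filled the bridge's table and made it flood like a hub."""
    history = defaultdict(deque)   # port -> (time, mac) pairs still in window
    alerts, fired = [], set()
    for t, port, mac, _ in frames:           # frames must be time-ordered
        hist = history[port]
        hist.append((t, mac))
        while hist[0][0] < t - window:
            hist.popleft()
        distinct = len({m for _, m in hist})
        if distinct > threshold and port not in fired:
            alerts.append((t, port, distinct))
            fired.add(port)
    return alerts


def detect_arp_spoof(frames):
    """Return [(time, ip, first_mac, new_mac)] whenever an ARP reply binds an
    IP to a MAC other than the one first learned for it (what arpsend -U did).
    Caveat: a legitimate re-addressing (new DHCP lease, VM migration) trips
    this too, so confirm against the IPAM/DHCP record before acting."""
    bindings, alerts = {}, []
    for t, _port, _mac, arp in frames:
        if arp is None:
            continue
        ip, sender_mac = arp
        first = bindings.setdefault(ip, sender_mac)
        if first != sender_mac:
            alerts.append((t, ip, first, sender_mac))
    return alerts


# Constructed trace mirroring the report's VM3/VM4/VM5 setup (MACs assumed).
VM3, VM4, VM5 = "00:16:3e:00:00:03", "00:16:3e:00:00:04", "00:16:3e:00:00:05"
VM5_IP = "10.4.4.7"


def constructed_trace():
    frames = [(0.0, "vif5", VM5, (VM5_IP, VM5))]                    # genuine reply
    frames += [(0.1 * i, "vif3", VM3, None) for i in range(1, 20)]  # VM3 pings
    # macof on VM3: 150 frames in 0.3 s, each with a fresh source MAC
    frames += [(2.0 + 0.002 * i, "vif3",
                "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xff), None)
               for i in range(150)]
    frames.append((3.0, "vif4", VM4, (VM5_IP, VM4)))                # VM4 claims VM5's IP
    return frames
```

On the constructed trace the flood detector fires once for vif3 at the 101st distinct MAC and the ARP detector reports the 10.4.4.7 rebinding from VM5's MAC to VM4's.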


Individual work items:

No | Person Name | Comments
1 | David Schumann ([email protected]) | Installation and configuration of Citrix XenServer, and performing the MAC flooding and ARP attacks.
2 | Vinay Soni ([email protected]) |
3 | Hitesh Wadekar ([email protected]) |

 

Possible venues for publication of future work:

1. ACM SIGCOMM 2014: http://conferences.sigcomm.org/sigcomm/2014/cfp.php

 

Links and References:

1. http://support.citrix.com/article/CTX121729
   http://www.novell.com/support/kb/doc.php?id=7006600
   http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1002934
   http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1023341

2. Devstack tutorials for installing OpenStack

3. Layer 2 network infrastructure attacks:
   http://www.iaeng.org/publication/IMECS2008/IMECS2008_pp1143-1148.pdf
   http://althing.cs.dartmouth.edu/local/L2-security-Bootcamp-final.pdf
   http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-figueroa-williams.pdf

4. http://openvswitch.org/support/
   http://www.cloudcomp.ch/wp-content/uploads/2013/04/OpenStack-Quantum-SDN-with-Open-vSwitch.pdf
   http://events.linuxfoundation.org/sites/events/files/slides/OVS-LinuxCon%202013.pdf
   http://git.openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=blob_plain;f=INSTALL.XenServer;hb=HEAD
   http://git.openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=blob_plain;f=INSTALL.KVM;hb=HEAD

5. Network Virtualization: State of the Art and Research Challenges; Security Issues in Network Virtualization for the Future Internet:
   http://www.ecs.umass.edu/ece/wolf/pubs/icnc2012.pdf
   http://www.csc.villanova.edu/~nadi/csc8580/S11/DeeptiNune.pdf
   http://www.cs.cornell.edu/courses/cs6460/2011sp/papers/cloudsec-ccs09.pdf
   http://www.cs.princeton.edu/~jrex/papers/visa09.pdf
   http://rboutaba.cs.uwaterloo.ca/Papers/Journals/2010/Mosharaf10.pdf

6. http://docs.openstack.org/network-admin/admin/content/under_the_hood_openvswitch.html
   http://www.gentoo.org/proj/en/virtualization/openstack/
   http://forums.gentoo.org/viewtopic-t-871061.html
   http://web.cs.sunyit.edu/~bullr/CLOUDSEC1.stage4.20131030.tar.bz2
   http://devstack.org/guides/ramdisk.html

7. Citrix XenServer installation guide: http://support.citrix.com/servlet/KbServlet/download/34970-102-704220/installation.pdf

8. arpsend reference: http://www.net.princeton.edu/software/arpsend/arpsend.8.html
   macof reference: http://manpages.ubuntu.com/manpages/hardy/man8/macof.8.html