YR 2: A Secure Mobile Cloud Networking Infrastructure To Support Enterprise Mobile Applications

YR 2: A Secure Mobile Cloud Networking Infrastructure To Support Enterprise Mobile Applications A Secure Mobile Cloud Networking Infrastructure to Support Enterprise Mobile Applications A Secure Mobile Cloud Networking Infrastructure To Support Enterprise Mobile Applications In the past year, we have developed the control functions of NOX controller to control both physical OpenFlow switch and software-based Open vSwitch (OVS). We utilized the port-mirroring feature of OVS to create a secure isolated virtual network segment and mirror network traffic at the port, VLAN or switch level. Additionally, we proposed a new security framework including NIDS, attack analyzer and attack graph module to establish a multi-phase NIDS solution, so that detection process can be conducted by a mirroring-based NIDS for preliminary scan or a proxy-based NIDS for deep packet inspection based on the severity level of suspicious malicious traffic from attack analyzer and attack graph. In the following year, our research will focus on the research challenges encountered in the first project year and extend our solution to model a security as a service provisioning scheme for a cloud system. We try to solve two research problems in this area: (a) how to construct a flexible and reconfigurable secure programmable networking environment based on the security requirements from customer and the current system security situations; (b) how to establish a manageable secure virtual networking system that integrates with sophisticated security analysis models to manage and coordinate different virtual security devices in each private virtual network segment. To address these two research challenges, respectively, we propose to conduct the following two approaches: First, we plan to integrate the Security-as-a-Service (SaaS) into existing Network-as-a-Service (NaaS) model. Our approach is to package security appliances in the virtual networking system, in which a security appliance is a security service component incorporating one or multiple security countermeasures that can be customized and deployed through allocating VMs and virtual networks. Based on our NIDS implementation in cloud system, we plan to provide the ability for users to create multi-level mirroringbased NIDS and dynamically allocate security appliance based on users security requests. In this way, a user is not only able to dynamically allocate virtual network resources from cloud controller and network controller, such as network devices, topologies, and isolated channel (private VLAN or GRE tunnel), but also can create different level of port-mirroring NIDS (at different levels of details, such as at port level, VLAN level, or switch level) and dynamically deploy security appliances for their own private virtual networks. Besides the security resource provision, a user is also able to define their own security policies to enable different levels of security protections, such as from intrusion detection protection to intrusion prevention protection. Second, from the cloud providers point of view, it is highly desirable to design and develop a Security Monitor and Controller (SMC) to manage security appliances in a virtual networking environment. The SMC is not only in charge of security related resources provisioning, but also monitor the security status in the virtual network of a cloud system. In order to improve the cloud system performance, the SMC is able to allocate and withdraw security appliances according to the utilization of the cloud system and severity of the encountered security issues. To build a multi-phase NIDS, SMC will interface to the attack graph based security analytical models. For example, collected security alerts from security appliances will correlate with attackers security explorative paths, and thus, the NIDS can decide what countermeasures that are controlled by SMC will be deployed.