Network Security in Virtual Scenario

Aditya Kumar 1, Umesh Gupta 2
1 M. Tech Student, Dept. of ECE, MERI College of Engineering & Technology, Jhajjar, Haryana, India
2 Assistant Professor, Dept. of ECE, MERI College of Engineering & Technology, Jhajjar, Haryana, India

ABSTRACT
Virtualization is one of the most effective ways to reduce IT expenses while improving efficiency and agility, not just for large enterprises but for small and midsize businesses too. In this research paper we discuss the implementation of a cost-effective security architecture with reduced hardware infrastructure for a virtual environment. The virtualization scenario has been created on a single PC using Windows 7 SP1 64-bit as the base (host) OS, VMware Workstation 10 as the hypervisor and a Linux kernel 2.6 based Endian Firewall. Inside VMware, Windows 7 and Windows Server 2008 guests form the virtual network.

Keywords: Virtualization, Hypervisor, VMware, Network Security, Firewall

INTRODUCTION
Today almost all businesses use an information technology infrastructure to improve their productivity and resource management. However, a lack of the proper technology to implement such systems penalizes businesses with increased cost and technical difficulties. With virtualization, the cost of computer hardware is reduced, as several applications can run on a single machine without the need for multiple machines and constant hardware upgrades; several individual virtual machines can be created and configured as required. Many enterprises now use virtualization technologies to speed up their workloads and improve scalability. Virtual networks, however, have their own security threats, and the virtual machines must be carefully monitored for intruders. In this research work we have studied virtualization concepts, the implementation process and the security issues of a virtual environment.
After this, we discuss the implementation of a cost-effective security architecture with reduced hardware infrastructure for the virtual environment. The virtualization scenario has been created on a single PC using Windows 7 SP1 64-bit as the base OS, VMware Workstation 10 as the hypervisor and a Linux kernel 2.6 based Endian Firewall; Windows 7 and Windows Server 2008 guests form the virtual network inside VMware.

LITERATURE REVIEW
Marcos Laureano, Carlos Maziero and Edgard Jamhour, 2004 [1] present a proposal to increase the trustworthiness of computing systems using virtual machine technology. They propose applying intrusion detection mechanisms to detect and block attacks against services running on virtual machines. The main benefit of this approach is that the virtual machine is monitored from outside (from the real underlying system), keeping the intrusion detection system out of reach of intruders. The proposal's main idea is to encapsulate the system to be monitored inside a virtual machine that is monitored from outside; the intrusion detection and response mechanisms are implemented outside the virtual machine, i.e. out of reach of intruders.

Aaron Lanoy and Gordon W. Romney, 2006 [2] define the purpose of a honeypot, the basic component of a honeynet, as an information system resource whose value lies in its unauthorized or illicit use. The objective of a honeynet is to attract malicious attackers, study their offensive strategy and track every movement they make. The honeynet becomes a useful tool as the data gathered from it is analyzed to build new security into the system. A VMware environment was used to create a virtual honeynet and to compare its effectiveness with a honeynet built from physical computers.
Stasiewicz, 2008 [3] argues that virtualization is no longer a new phenomenon but a mature technology. It is accepted and integrated by many enterprises and has been used for network infrastructure for many years. Virtualization provides security for network services by reducing the risk of host failure while also reducing server resource consumption. With a long-term commitment to virtualization, enterprises can save money through lower energy costs and fewer hardware upgrades.

J.W. Rittinghouse and J.F. Ransome, 2010 [4] present a persuasive case for businesses to use cloud computing solutions, but a less persuasive case that the time to switch to cloud computing is now. While acknowledging the vagueness and confusion surrounding the term cloud computing, the authors tentatively define it as "the delivery of computational resources from a location other than the one from which you are computing". After laying out the basic framework of networking, the authors explain virtualization, a building block of cloud computing that enables one piece of hardware to run multiple virtual environments. Many types of cloud computing services are available because of the massive presence of the Internet.

Josenilson Dias Araújo and Zair Abdelouahab, 2012 [5] present some of the main existing works on intrusion detection for cloud computing environments based on virtual machines. To effectively protect cloud users, an IDS should be able to expand, increase or rapidly decrease the number of sensors according to the quantity of resources, and to isolate access to the system levels and infrastructure. For this purpose, characteristics of virtual machines such as quick start-up, fast recovery, stopping, migration between hosts and execution across multiple platforms can be exploited in a VM-based IDS, making it a good alternative for monitoring intrusions in cloud computing environments.

E. Chovancová, L. Vokorokos and M. Chovanec, 2015 [6] describe the use of Internet services by small and medium businesses based on cloud computing. The first part of their study focuses on cloud computing principles and evaluates its advantages and disadvantages; the second part focuses on designing their own cloud computing system. The goal of their work was to create a cloud computing system for small and medium companies, and they used the VMware cloud platform to verify its functionality experimentally.

Ku. Rupali D. Wankhade, 2016 [7] states that providing security in a distributed system requires user authentication by password or digital certificates in data transmission. Because the cloud must handle a large amount of network traffic as well as the administrative control of data and applications, security has become a major issue for cloud environments, and intrusion detection systems have become a necessary component of network security. The cloud computing environment is threatened by different types of cyber-attacks. The proposed architecture implements the Suricata intrusion detection system to secure a virtualized server in a cloud platform; the IDS was validated by detecting a DDoS attack against the virtualized environment.

PROPOSED VIRTUALIZATION ENVIRONMENT
Figure 1 shows the proposed security architecture for the virtual network. The firewall is installed inside VMware. The Internet is connected to the base machine, and the virtual machines access the Internet through the firewall. We use the open-source Endian Firewall in our experiment. We use a single PC (laptop) for the complete research, which makes it cost effective and also a good learning and teaching platform. Secondly, we also use open-source operating systems to make it more cost effective; some proprietary software and operating systems are also used to demonstrate compatibility.
Endian normally manages up to four different networks, depending on the number of network cards installed in the virtual machine. The networks are configured through the web interface, either from the base machine or from a machine on the virtual network.
Figure 1: Proposed Security Architecture

Endian Firewall [8] is an open-source router, firewall and gateway security Linux distribution developed by the South Tyrolean company Endian. Endian differentiates its networks by colour coding:
Red network: the connection to the insecure Internet.
Green network: the secure intranet, e.g. a file server.
Orange network: the partly trusted demilitarized zone (DMZ). This holds devices that run their own servers and must be reachable from the Internet, such as web or FTP servers.
Blue network: the secure wireless segment, to which wireless devices are connected. They are thus separated from the green network, which increases its security.

RESEARCH ENVIRONMENT SETUP
The experimental environment is organized into two layers: the physical layer and the virtual layer. The physical layer consists of the physical hardware, the host OS and the virtualization software. The virtual layer consists of the virtual hardware, the guest OSs and third-party applications.

Table 1: Experimental Environment Layers

VMware Workstation hosts four virtual machines with the following operating systems: Windows 7 Professional SP1 64-bit, Linux kernel 2.6 64-bit (Endian Firewall), Ubuntu and Windows Server 2008. For the implementation, each guest operating system is configured with and allocated the same amount of virtual system resources.
Figure 2: Network adapter connectivity for the Linux machine in VMware

SECURITY IMPLEMENTATION
Figure 2 shows the two network adapters of the Linux (Endian) machine in VMware: one for the Red interface, which is bridged directly to the physical network, and a second for the Green interface, which connects to the internal virtual network via the VMnet2 virtual switch. A default security feature of Endian Firewall is that it does not answer ping on the Red interface. When we pinged the Red interface we observed 100% packet loss, yet at the same time we could reach the management console through the Red interface, which shows that the firewall connectivity is working properly. Note that a management console reachable from Red is an administrative interface exposed on the untrusted side; in a production deployment it should be restricted to the Green zone.

RESULTS
With the three examples (ping from the outside network is blocked, HTTP is blocked for the green network, and Internet access is disabled for a particular machine inside the virtual network via the firewall), we can see that the setup not only covers simple experiments but also allows complex experiments that are difficult to conduct in a real environment. A proxy server, VPN, IPS, logging and monitoring can all be implemented as the scenario requires. Compared with a physical environment, the virtual environment has many advantages; Table 2 compares the two environments.

Table 2: Comparison of the experiment in the two kinds of environment

CONCLUSION AND FUTURE SCOPE
With the above setup and experiments we have created a cost-effective security system for virtual networks. The future scope is vast, because cloud computing provides dynamically scalable infrastructure and virtualized resources that allow applications to meet elastic demand, with cheap and reliable services to customers and assured QoS despite unpredictable consumer behaviour.
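The Endian zone model and the three results reported above (ping from Red dropped, HTTP blocked for Green, one Green VM cut off from the Internet) can be expressed as an ordered, default-deny rule set. The following is an added example written for this page; it is not code from the paper or from the Endian project. It models the Red and Green zones of the VMware layout, runs constructed sample flows through the policy with first-match semantics, and renders each rule as the equivalent iptables command. The addresses, the interface mapping (eth0 for Red, eth1 for Green), the sample flows and the console port 10443 are assumptions.

```python
# Added example (not from the paper): zone firewall model for the Red/Green
# layout, with first-match evaluation and iptables rendering.
# Addresses, interface names and the admin port below are assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ZONES = {
    "GREEN": ip_network("10.0.2.0/24"),    # VMnet2 internal virtual switch (assumed)
    "RED": ip_network("192.168.1.0/24"),   # bridged to the physical network (assumed)
}
# The firewall's own addresses on each zone (assumed).
FW_ADDRS = {ip_address("10.0.2.1"): "GREEN", ip_address("192.168.1.10"): "RED"}
IFACES = {"GREEN": "eth1", "RED": "eth0"}   # assumed interface mapping
ADMIN_PORT = 10443                          # assumed Endian web console port


def zone_of(addr: str) -> str:
    """Map an address to a zone; anything outside GREEN is reached only via RED."""
    ip = ip_address(addr)
    if ip in FW_ADDRS:
        return "FW"
    return "GREEN" if ip in ZONES["GREEN"] else "RED"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                      # "ACCEPT" or "DROP"
    src_zone: str
    dst_zone: str                    # "FW" = traffic addressed to the firewall itself
    proto: Optional[str] = None      # None = any protocol
    dport: Optional[int] = None      # None = any port
    src_host: Optional[str] = None   # pin the rule to one source address

    def matches(self, f: Flow) -> bool:
        return (zone_of(f.src) == self.src_zone
                and zone_of(f.dst) == self.dst_zone
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport)
                and (self.src_host is None or self.src_host == f.src))

    def to_iptables(self) -> str:
        """Render as an iptables command: INPUT chain for the firewall, FORWARD otherwise."""
        parts = ["iptables", "-A", "INPUT" if self.dst_zone == "FW" else "FORWARD",
                 "-i", IFACES[self.src_zone]]
        if self.dst_zone != "FW":
            parts += ["-o", IFACES[self.dst_zone]]
        if self.src_host:
            parts += ["-s", self.src_host]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.action]
        return " ".join(parts)


def evaluate(rules: List[Rule], f: Flow) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if r.matches(f):
            return r.action
    return "DROP"


# Baseline as observed in the paper: Green reaches the Internet and the firewall,
# Red reaches only the firewall's web console (ICMP to Red is therefore dropped).
BASELINE = [
    Rule("ACCEPT", "GREEN", "FW"),
    Rule("ACCEPT", "GREEN", "RED"),
    Rule("ACCEPT", "RED", "FW", proto="tcp", dport=ADMIN_PORT),
]
# The two experiments are narrower DROP rules that must precede the broad
# Green->Red ACCEPT, because the first match wins.
EXPERIMENTS = [
    Rule("DROP", "GREEN", "RED", src_host="10.0.2.20"),      # one VM cut off
    Rule("DROP", "GREEN", "RED", proto="tcp", dport=80),    # HTTP blocked for Green
]
POLICY = EXPERIMENTS + BASELINE


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Run constructed sample flows through a rule set (203.0.113.10 = an Internet host)."""
    samples = {
        "red_ping_fw": Flow("192.168.1.50", "192.168.1.10", "icmp"),
        "red_admin_console": Flow("192.168.1.50", "192.168.1.10", "tcp", ADMIN_PORT),
        "red_to_green_smb": Flow("192.168.1.50", "10.0.2.30", "tcp", 445),
        "green_https_out": Flow("10.0.2.30", "203.0.113.10", "tcp", 443),
        "green_http_out": Flow("10.0.2.30", "203.0.113.10", "tcp", 80),
        "isolated_vm_https": Flow("10.0.2.20", "203.0.113.10", "tcp", 443),
    }
    return {name: evaluate(rules, f) for name, f in samples.items()}


if __name__ == "__main__":
    for name, v in verdicts(POLICY).items():
        print(f"{name:20} {v}")
    print("\n".join(r.to_iptables() for r in POLICY))
```

Running the module prints a verdict per sample flow followed by the rendered rule set. Evaluating `BASELINE` alone shows that the Green HTTP flow is accepted, which is why the experiment rules are prepended rather than appended; on a real Endian box the console port and interface names should be read from the running system rather than assumed.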
REFERENCES
[1] M. Laureano, C. Maziero and E. Jamhour, "Intrusion detection in virtual machine environments," Proceedings of the 30th Euromicro Conference, 2004, pp. 520-525.
[2] Vikram Kumar Kamboj, S.K. Bath and J.S. Dhillon, "A Novel Hybrid DE-Random Search approach for Unit Commitment Problem," Neural Computing and Applications (ISSN: 1433-3058), Vol. 28, No. 7, 2017, pp. 1559-1581. DOI: 10.1007/s00521-015-2124-4.
[3] A. Lanoy and G.W. Romney, "A Virtual Honey Net as a Teaching Resource," 2006 7th International Conference on Information Technology Based Higher Education and Training, Ultimo, NSW, 2006, pp. 666-669.
[4] Stasiewicz, "Worth Getting Hyped up over Hyper-V," presented at the Annual NACCQ, 2008.
[5] Vikram Kumar Kamboj, S.K. Bath and J.S. Dhillon, "Multiobjective multiarea unit commitment using hybrid differential evolution algorithm considering import/export and tie-line constraints," Neural Computing and Applications (ISSN: 1433-3058), Vol. 28, No. 11, 2017, pp. 3521-3536. DOI: 10.1007/s00521-016-2240-9.
[6] J.W. Rittinghouse and J.F. Ransome, Cloud Computing: Implementation, Management, and Security, Florida: CRC Press, 2010, ISBN 978-1-4398-0680-7.
[7] Josenilson Dias Araújo and Zair Abdelouahab, "Virtualization in Intrusion Detection Systems: A Study on Different Approaches for Cloud Computing Environments," IJCSNS International Journal of Computer Science and Network Security, Vol. 12, No. 11, November 2012, pp. 9-16.
[8] Navpreet Singh Tung, Amit Bhardwaj, Ashutosh Bhadoria, Kiranpreet Kaur and Simmi Bhadauria, "Dynamic programming model based on cost minimization algorithms for thermal generating units," International Journal of Enhanced Research in Science Technology & Engineering, Vol. 1, Issue 3, ISSN: 2319-7463, 2012.
[9] E. Chovancová, L. Vokorokos and M. Chovanec, "Cloud computing system for small and medium corporations," 2015 IEEE 13th International Symposium on Applied Machine Intelligence and Informatics (SAMI), Herľany, 2015, pp. 171-174.
[10] Ku. Rupali D. Wankhade, "Virtualization Intrusion Detection System in Cloud Environment," International Journal of Scientific & Engineering Research, Vol. 7, Issue 2, February 2016, ISSN 2229-5518, pp. 321-328.
[11] Preet Khandelwal, Surya Prakash Ahirwar and Amit Bhardwaj, "Image Processing Based Quality Analyzer and Controller," International Journal of Enhanced Research in Science Technology & Engineering, Vol. 2, Issue 7, 2013.
[12] https://en.wikipedia.org/wiki/endian_firewall