Research And Analysis Of Forensic Collection Of Multi-Tenant Network Isolation In Openstack Cloud Platform

Posted on: 2018-05-30
Degree: Master
Type: Thesis
Country: China
Candidate: X Wang
Full Text: PDF
GTID: 2348330563452296
Subject: Computer Science and Technology

Abstract/Summary:
In recent years, cloud computing has developed at large scale and in an intensive, professionalised way, bringing profound changes to the field of information technology. Virtualization, the core technology of cloud computing, is the feature that most distinguishes it from the traditional computing model. In a cloud environment, users deploy their own business systems onto the cloud platform and at the same time require the platform to provide isolation protection, and the most important aspect of multi-tenant isolation is a sound network isolation environment for each tenant. At present, most cloud platforms, including OpenStack, address multi-tenant network isolation by using network virtualization to build a separate isolated network for each tenant. Unlike a traditional network, however, the virtual network devices are distributed across the various nodes of the cloud platform, which breaks the original trust boundary and exposes the virtualized network to more security risks. Users therefore cannot fully trust the network isolation environment of the cloud platform.

With the aim of giving users a multi-tenant network isolation report for the cloud platform, this thesis studies how to collect evidence about the multi-tenant network isolation status of an OpenStack-based cloud platform. On that basis it proposes a method for collecting and analysing evidence about the credibility of multi-tenant network isolation. The method first analyses the security risks that multi-tenant network isolation faces in the OpenStack scenario and organises them into an evidence collection tree for the cloud system. The tree divides the evidence to be collected into two categories: layer-2 network isolation evidence and layer-3 network isolation evidence. The thesis then proposes a different collection method for each category. For layer-2 evidence, it proposes a topology reconstruction method that rebuilds the multi-tenant network topology on each physical node of the cloud platform in real time, so that users can judge whether their layer-2 network has been maliciously penetrated from below. For layer-3 evidence, it proposes a policy-matrix reconstruction method: by collecting routing rules, firewall policies and OVS flow tables and analysing this complex, scattered information, it constructs the multi-tenant layer-3 communication policy matrix of the cloud platform, which lets tenants see whether their layer-3 isolation contains abnormal communication paths. In addition, because this evidence is distributed across the platform, the method includes a distributed collection mechanism based on AMQP, which uniformly dispatches the various kinds of network evidence collection requests and returns the collected evidence from the different OpenStack physical nodes.

Finally, the thesis designs a prototype system implementing the method. The prototype demonstrates that the method can collect most kinds of network evidence from an OpenStack cloud platform in a straightforward way and present the platform's current multi-tenant network isolation status to users effectively. In summary, the method offers a useful approach to the trust problem between cloud platforms and their users, which benefits the further development of cloud computing.
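The layer-3 policy-matrix reconstruction described above can be illustrated with a small simulation. The following is an added example, not the thesis's prototype: it takes constructed samples of two of the inputs the method collects on a network node (per-router-namespace `ip route` output and `iptables-save` FORWARD rules; the OVS flow table is left out for brevity), determines for every ordered pair of tenant subnets whether some router namespace connects them and what the firewall verdict is, and then flags every permitted cross-tenant path. The tenant inventory, namespace names and rules are all constructed sample data; `qrouter-b` is deliberately attached to two tenants' subnets so that the matrix has an anomaly to report.

```python
"""Rebuild a layer-3 communication policy matrix from constructed samples of
router-namespace routes and iptables FORWARD rules (example code, not the
thesis's prototype; all data below is constructed)."""
import ipaddress
import re
from itertools import product

# Constructed Neutron inventory: tenant -> subnets it owns.
TENANT_SUBNETS = {
    "tenantA": ["10.1.0.0/24"],
    "tenantB": ["10.2.0.0/24"],
    "tenantC": ["10.3.0.0/24"],
}

# Constructed `ip netns exec <ns> ip route` output. qrouter-b is attached to
# both tenantB's and tenantC's subnets, the kind of misconfiguration the
# policy matrix is meant to surface.
ROUTES = {
    "qrouter-a": [
        "default via 172.24.4.1 dev qg-a1",
        "10.1.0.0/24 dev qr-a1 proto kernel scope link src 10.1.0.1",
    ],
    "qrouter-b": [
        "default via 172.24.4.1 dev qg-b1",
        "10.2.0.0/24 dev qr-b1 proto kernel scope link src 10.2.0.1",
        "10.3.0.0/24 dev qr-b2 proto kernel scope link src 10.3.0.1",
    ],
}

# Constructed `iptables-save` FORWARD chain per namespace; first match wins.
FORWARD_RULES = {
    "qrouter-a": ["-A FORWARD -j ACCEPT"],
    "qrouter-b": [
        "-A FORWARD -s 10.3.0.0/24 -d 10.2.0.0/24 -j DROP",
        "-A FORWARD -j ACCEPT",
    ],
}

RULE_RE = re.compile(r"-A FORWARD(?: -s (\S+))?(?: -d (\S+))? -j (\w+)$")


def connected_subnets(route_lines):
    """Subnets a namespace reaches directly, i.e. its 'scope link' routes."""
    nets = set()
    for line in route_lines:
        fields = line.split()
        if "scope" in fields and fields[fields.index("scope") + 1] == "link":
            nets.add(ipaddress.ip_network(fields[0]))
    return nets


def forward_verdict(rule_lines, src, dst):
    """Walk the FORWARD chain top-down for a src->dst subnet pair."""
    for line in rule_lines:
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rule_src, rule_dst, target = m.groups()
        if rule_src and not src.subnet_of(ipaddress.ip_network(rule_src)):
            continue
        if rule_dst and not dst.subnet_of(ipaddress.ip_network(rule_dst)):
            continue
        return target
    return "DROP"  # assumed default policy when no rule matches


def build_policy_matrix(tenant_subnets, routes, forward_rules):
    """Return {(src_subnet, dst_subnet): (verdict, namespace)} for all pairs.
    'NO-ROUTE' means no router namespace connects the two subnets."""
    subnets = [ipaddress.ip_network(s) for subs in tenant_subnets.values() for s in subs]
    attached = {ns: connected_subnets(lines) for ns, lines in routes.items()}
    matrix = {}
    for src, dst in product(subnets, repeat=2):
        if src == dst:
            continue
        verdict, via = "NO-ROUTE", None
        for ns, nets in attached.items():
            if src in nets and dst in nets:
                verdict, via = forward_verdict(forward_rules.get(ns, []), src, dst), ns
                if verdict == "ACCEPT":
                    break  # one permissive router is enough to make the pair reachable
        matrix[(str(src), str(dst))] = (verdict, via)
    return matrix


def cross_tenant_leaks(matrix, tenant_subnets):
    """Every ACCEPT entry whose endpoints belong to different tenants."""
    owner = {s: t for t, subs in tenant_subnets.items() for s in subs}
    return sorted(
        (owner[s], owner[d], s, d, via)
        for (s, d), (verdict, via) in matrix.items()
        if verdict == "ACCEPT" and owner[s] != owner[d]
    )


if __name__ == "__main__":
    matrix = build_policy_matrix(TENANT_SUBNETS, ROUTES, FORWARD_RULES)
    for (s, d), (verdict, via) in sorted(matrix.items()):
        print(f"{s:>14} -> {d:<14} {verdict:9} {via or ''}")
    for leak in cross_tenant_leaks(matrix, TENANT_SUBNETS):
        print("LEAK:", leak)
```

In the sample data the only cross-tenant path is tenantB to tenantC through `qrouter-b`; the reverse direction is blocked by the explicit DROP rule, and tenantA is unreachable from both because no namespace carries its subnet together with another. In a real deployment the same matrix would be built from data returned by the collection agents on each node rather than from inline constants, and the OVS flow-table evidence would be folded in as a further per-hop filter.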
Keywords/Search Tags: Cloud Computing, Multi-Tenant, Network Virtualization, Isolation, Forensic Collection