A Security Perspective on Federated Cloud Networks and Network Functions

The BEACON H2020 project focuses on enabling federated cloud networking. The long-term vision is a fully virtualized data center for federated clouds that relies on the convergence of cloud computing and software-defined networking technologies. By interconnecting two or more cloud computing environments to form a cloud federation, resources can be shared in order to increase capacity, availability or resilience. Shared resources include compute and storage resources but also networking resources. By integrating software-defined networking (SDN), network function virtualization (NFV) and service function chaining (SFC) technologies into cloud management platforms it is possible to create more advanced and flexible cloud federation mechanisms. The BEACON project is integrating network virtualization technologies from the OVN open source project with the open source cloud middleware OpenNebula and OpenStack to experiment with different types of cloud federations.

In this position paper we focus on how to secure federated cloud networks. When several network segments are federated, it is also necessary to federate the security network functions of the different segments in order to satisfy global security policies. We are developing mechanisms to tailor the security of each individual federated cloud network running in a federation to the security requirements of its stakeholders. We propose an architecture for securing federated cloud networks that uses NFV and SFC to select, configure and compose security virtual network functions (VNFs). Cloud stakeholders can specify the required security VNFs, how to configure them, and how to chain them in a service manifest. Examples of VNFs are traffic monitors, traffic analyzers, deep packet inspection, encryption/decryption, firewalls, video optimizers and WAN. By allowing cloud tenants to tailor not only their compute resources but also the security of their network resources, we give tenants a greater ability to adapt their cloud environments to their specific needs.
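As an added illustration (not BEACON project code; the manifest layout and the policy fields are hypothetical choices made here), a small Python checker that composes each federated segment's security VNF chain from such a service manifest and verifies it against one global policy that spans the whole federation:

```python
# Added example, not BEACON code: a hypothetical service manifest plus a
# checker that composes each segment's security VNF chain and verifies it
# against a global federation policy.

# Constructed manifest: per segment, the security VNFs, their config and chain order.
MANIFEST = {
    "site-a": {
        "vnfs": {"fw": ("firewall", {"default": "deny"}),
                 "dpi": ("deep_packet_inspection", {}),
                 "mon": ("traffic_monitor", {"export": "ipfix"})},
        "chain": ["fw", "dpi", "mon"],
    },
    "site-b": {
        "vnfs": {"mon": ("traffic_monitor", {"export": "ipfix"}),
                 "enc": ("encryption", {"cipher": "aes-256-gcm"})},
        "chain": ["mon", "enc", "ids"],  # "ids" is never declared: a manifest error
    },
}

# Global policy every federated segment must satisfy (hypothetical fields).
GLOBAL_POLICY = {
    "required_types": {"firewall", "traffic_monitor"},
    "first_type": "firewall",                # the firewall must be the first hop
    "firewall_config": {"default": "deny"},  # default-deny is mandatory
}

def compose_chain(segment):
    """Resolve chain names into (type, config) pairs; reject undeclared names."""
    missing = [n for n in segment["chain"] if n not in segment["vnfs"]]
    if missing:
        raise ValueError(f"chain references undeclared VNFs: {missing}")
    return [segment["vnfs"][n] for n in segment["chain"]]

def check_segment(segment, policy=GLOBAL_POLICY):
    """Return the list of policy violations; an empty list means compliant."""
    try:
        chain = compose_chain(segment)
    except ValueError as exc:
        return [str(exc)]
    types = [t for t, _ in chain]
    violations = [f"missing {t}" for t in sorted(policy["required_types"] - set(types))]
    if types and types[0] != policy["first_type"]:
        violations.append(f"first hop is {types[0]}, expected {policy['first_type']}")
    for t, cfg in chain:
        if t == "firewall":  # presence is not enough: the configuration must match too
            bad = {k: cfg.get(k) for k, v in policy["firewall_config"].items() if cfg.get(k) != v}
            if bad:
                violations.append(f"firewall misconfigured: {bad}")
    return violations

def check_federation(manifest, policy=GLOBAL_POLICY):
    return {name: check_segment(seg, policy) for name, seg in manifest.items()}
```

Running `check_federation(MANIFEST)` reports site-a as compliant and flags site-b for the undeclared "ids" hop, so the federation-wide check fails before any chain is instantiated.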

The project is fully committed to open source software. Cloud networking aspects will be based on Open Virtual Network (OVN), a collaborative open source project for Open vSwitch. This will allow us to define new, rich inter-cloud APIs to provision cross-site virtual network overlays. The new inter-cloud network capabilities will be leveraged by existing open source cloud platforms, OpenNebula and OpenStack, to deploy multi-cloud applications. In particular, different aspects of the platforms will be extended to accommodate federated cloud networking features such as multi-tenancy, federated orchestration of networking, compute and storage management, and the placement and elasticity of multi-cloud applications.