Scrivener Publishing
100 Cummings Center, Suite 541J
Beverly, MA 01915-6106
Publishers at Scrivener
Martin Scrivener (martin@scrivenerpublishing.com)
Phillip Carmical (pcarmical@scrivenerpublishing.com)
This edition first published 2018 by John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA and Scrivener Publishing LLC, 100 Cummings Center, Suite 541J, Beverly, MA 01915, USA
© 2018 Scrivener Publishing LLC
For more information about Scrivener publications please visit www.scrivenerpublishing.com.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.
Wiley Global Headquarters
111 River Street, Hoboken, NJ 07030, USA
For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.
Limit of Liability/Disclaimer of Warranty
While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials, or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read.
Library of Congress Cataloging-in-Publication Data
ISBN 978-1-119-48790-6
List of Figures
1.1 Pre-copy method for live migration
1.2 Pre- vs. Postcopy migration sequence
1.3 Bin packing in VM context
1.4 Nodes connected in a network
1.5 Learning automata
2.1 Simple representation of a virtualized system
2.2 Types of virtual machines
2.3 Virtual machine applications
2.4 Xen live migration
2.5 Type-1 and type-2 hypervisor
2.6 Simplified architecture of para- and full virtualization
2.7 Types of virtualization
2.8 Xen architecture
2.9 Architecture of KVM
2.10 OpenStack architecture
2.11 Virtual machine migration
2.12 QEMU and KVM
2.13 Libvirt architecture
3.1 Fake certificate injection
3.2 Cross-site scripting
3.3 SQL injection
3.4 Layer-2 attacks
3.5 Double encapsulation attacks
3.6 Multicast brute force attacks
3.7 Spanning tree attacks
3.8 Random frame attacks
3.9 DNS attacks
3.10 Layer 3 attacks
3.11 Man-in-the-middle attack
4.1 Software-defined networking architecture
4.2 Authentication in cloud
4.3 Data transfer after authentication in cloud
5.1 Virtualization vs. Containers
5.2 Security as a service
6.1 Types of load balancing approaches
6.2 Relationship between policy engine and the Xen hosts
6.3 For our prototype, the policy engine runs inside of a VM separate from everything else
6.4 The prototype policy engine communicates with all hosts to decide when VMs should be migrated and to initiate migration when necessary
6.5 Distribution of nodes in groups based on load thresholds
6.6 OpenNebula architecture
7.1 Data center architecture
7.2 Server power model based on CPU utilization
8.1 Trusted computing standards
9.1 VM Checkpointing
11.1 Hardware-assisted virtualization
11.2 Pre-copy live migration
11.3 Post-copy live migration
11.4 Hybrid live migration
List of Tables
1.1 Variables used in formulas in the VM buddies system
2.1 Types of virtual machines
2.2 Virtual machine applications
2.3 Advantages associated with virtualization
2.4 Kernel-based virtual machine features
3.1 Popular layer 2 attacks
4.1 Cloud computing security risks
5.1 Virtualization-related security issues
The idea of cloud computing isn’t new, or overly complicated from a technology resources and Internet perspective. What’s new is the growth and maturity of cloud computing methods, and strategies that enable business agility goals. Looking back, the phrase “utility computing” didn’t captivate or create the stir in the information industry as the term “cloud computing” has in recent years. Nevertheless, appreciation of readily available resources has arrived and the utilitarian or servicing features are what are at the heart of outsourcing the access of information technology resources and services. In this light, cloud computing represents a flexible, cost-effective and proven delivery platform for business and consumer information services over the Internet. Cloud computing has become an industry game changer as businesses and information technology leaders realize the potential in combining and sharing computing resources as opposed to building and maintaining them.
There is seemingly no shortage of views regarding the benefits of cloud computing, nor is there a shortage of vendors willing to offer services, whether open source or promising commercial solutions. Beyond the hype, many aspects of the cloud have earned new consideration because of their increased service capability and potential efficiencies. It is now possible to demonstrate transformative results from applying cloud computing, together with information technology management best practices, to traditional business problems. On the economic side, the principles of pay-as-you-go and computer-agnostic services are concepts ready for prime time, and performance can be measured by calculating the economic and environmental effects of cloud computing today.
In Cloud Computing and Virtualization, Dac-Nhuong Le et al. take the industry beyond mere definitions of cloud computing, virtualization, grid and sustainment strategies to contrasting them in day-to-day operations. Dac-Nhuong Le and his team of co-authors take the reader from beginning to end through the essential elements of cloud computing: its history, innovation, and demands. Through case studies and architectural models they articulate service requirements, infrastructure, security, and the outsourcing of salient computing resources.
The adoption of virtualization in data centers creates the need for a new class of networks designed to support elasticity of resource allocation, increasing mobile workloads and the shift to production of virtual workloads, requiring maximum availability. Building a network that spans both physical servers and virtual machines with consistent capabilities demands a new architectural approach to designing and building the IT infrastructure. Performance, elasticity, and logical addressing structures must be considered as well as the management of the physical and virtual networking infrastructure. Once deployed, a network that is virtualization-ready can offer many revolutionary services over a common shared infrastructure. Virtualization technologies from VMware, Citrix and Microsoft encapsulate existing applications and extract them from the physical hardware. Unlike physical machines, virtual machines are represented by a portable software image, which can be instantiated on physical hardware at a moment’s notice. With virtualization, comes elasticity where computer capacity can be scaled up or down on demand by adjusting the number of virtual machines actively executing on a given physical server. Additionally, virtual machines can be migrated while in service from one physical server to another. Extending this further, virtualization creates “location freedom” enabling virtual machines to become portable across an ever-increasing geographical distance. As cloud architectures and multi-tenancy capabilities continue to develop and mature, there is an economy of scale that can be realized by aggregating resources across applications, business units, and separate corporations to a common shared, yet segmented, infrastructure.
Elasticity, mobility, automation, and density of virtual machines demand new network architectures focusing on high performance, addressing portability, and the innate understanding of the virtual machine as the new building block of the data center. Consistent network-supported and virtualization-driven policy and controls are necessary for visibility to virtual machines’ state and location as they are created and moved across a virtualized infrastructure.
Dac-Nhuong Le again enlightens the industry with sharp analysis and reliable architecture-driven practices and principles. No matter the level of interest or experience, the reader will find clear value in this in-depth, vendor-neutral study of cloud computing and virtualization.
This book is organized into thirteen chapters. Chapter 1, “Live Migration Concept in Cloud Environment,” discusses the technique of moving a VM from one physical host to another while the VM is still executing. It is a powerful and handy tool for administrators to maintain SLAs while performing optimization tasks and maintenance on the cloud infrastructure. Live migration ideally requires the transfer of the CPU state, memory state, network state and disk state. Transfer of the disk state can be circumvented by having shared storage between the hosts participating in the live migration process. This chapter gives a brief introduction to live migration and the techniques related to it: issues with live migration, research on live migration, learning automata partitioning and, finally, the advantages of live migration over a WAN.
Chapter 2, “Live Virtual Machine Migration in Cloud,” shows how the most widely known and deployed VMM, VMware, is vulnerable to practical attacks targeting its live migration functionality. This chapter also discusses the different challenges of virtual machine migration in cloud computing environments, along with their advantages and disadvantages, and presents several case studies.
Chapter 3, “Attacks and Policies in Cloud Computing and Live Migration,” presents the cloud computing model based on the concept of pay-per-use, in which the user pays for the amount of cloud services consumed. Cloud computing is defined by its layered service architecture (IaaS, PaaS and SaaS) and its deployment models (private, public, hybrid and community), and usability depends on the model chosen. Chapter 4, “Live Migration Security in Cloud,” presents security paradigms that apply when data is accessed from the cloud environment. This chapter lists the cloud service providers available in the market along with security risks, cloud security challenges, cloud economics, cloud computing technologies and, finally, common types of attacks and policies in cloud and live migration.
Chapter 5, “Solutions for Secure Live Migration,” analyzes approaches for secure data transfer, focusing mainly on the authentication parameter. These approaches have been categorized according to single- and multi-tier authentication. This authentication may use digital certificate, HMAC or OTP on registered devices. This chapter gives an overview of Cloud security applications, VM migration in clouds and security concerns, software-defined networking, firewalls in cloud and SDN, SDN and Floodlight controllers, distributed messaging system, customized testbed for testing migration security in cloud. A case study is also presented along with other use cases: Firewall rule migration and verification, existing security scenario in cloud, authentication in cloud, hybrid approaches to security in cloud computing and data transfer, and architecture in cloud computing.
Chapter 6, “Dynamic Load Balancing Based on Live Migration,” concentrates on traditional data security controls (such as access controls or encryption). Two further steps help detect unauthorized data moving to cloud services: monitoring for large internal data migrations with file activity monitoring (FAM) and database activity monitoring (DAM), and monitoring for data moving to the cloud with Uniform Resource Locator (URL) filters and data loss prevention (DLP). This chapter gives an overview of detecting and preventing data migrations to the cloud, protecting data moving to the cloud, application security, virtualization, VM guest hardening, security as a service, identity as a service requirements, web services SecaaS requirements, and email SecaaS requirements.
Chapter 7, “Live Migration in Cloud Data Center,” introduces load balancing, whose purpose is to improve the throughput of the system. This chapter gives an overview of different techniques of load balancing and load rebalancing, a policy engine that implements a dynamic load balancing algorithm, several load balancing algorithms, and the VMware distributed resource scheduler.
In Chapter 8, “Trusted VM-vTPM,” data center network architectures and various network control mechanisms are introduced. The chapter discusses how resource virtualization through VM migration is now commonplace in data centers, and how VM migration can be used to improve system-side performance for VMs, or to balance load across the network through strategic VM migration. However, the VM migration works surveyed in this chapter do not address the fundamental problem of actively targeting and removing congestion from oversubscribed core links within data center networks. The TPM can be used to let external parties verify that a specific host equipped with the TPM has booted into a trusted state. This is done by checking the set of digests (called measurements) of the loaded software, produced incrementally throughout the boot process of the device. The measurements are stored in protected storage integrated within the TPM chip and are therefore resistant to software attacks, although vulnerable to hardware tampering. This chapter presents a platform-agnostic trusted launch protocol for a generic virtual machine image (GVMI). GVMIs are virtual machine images that do not differ from the vendor-supplied VM images (colloquially known as vanilla software). They are made available by IaaS providers for clients that intend to use an instance of a VM image that has not been subject to any modifications, such as patches or injected software. The protocol described in this chapter allows a client that requests a GVMI to ensure that it is run on a trusted platform.
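The measurement chain described above is easy to get wrong in the details, so the following is an added example (not code from the book or from the trusted-launch protocol it describes) that simulates how a TPM PCR accumulates boot measurements and how a client would check a launched GVMI against reference digests. The TPM extend operation is modelled exactly (PCR ← SHA-256(PCR ∥ measurement), starting from an all-zero PCR); the component blobs, their names and the reference list are constructed for illustration, and the quote's signature by the TPM's attestation key, the trusted third party of the real protocol, and the assumption that the TPM has not been physically tampered with are all left out of the model.

```python
import hashlib
from typing import Dict, List, Tuple

# TPM 2.0 SHA-256 PCRs are reset to all zeros at platform reset.
PCR_INIT = bytes(32)

EventLog = List[Tuple[str, bytes]]   # (component name, digest) in boot order


def measure(blob: bytes) -> bytes:
    """Digest of a component as loaded: the 'measurement' of that boot stage."""
    return hashlib.sha256(blob).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR <- SHA-256(PCR || measurement).  A PCR can only be extended, never
    written directly, so software that runs later cannot erase or reorder an
    earlier measurement; only hardware tampering could."""
    return hashlib.sha256(pcr + measurement).digest()


def boot_and_quote(components: List[Tuple[str, bytes]]) -> Tuple[bytes, EventLog]:
    """Simulated host boot: each stage measures the next one into the PCR
    before handing control to it.  Returns the final PCR value (what a TPM
    quote would sign; the signature is omitted here) and the event log
    that explains how that value was reached."""
    pcr, log = PCR_INIT, []
    for name, blob in components:
        digest = measure(blob)
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def replay_event_log(log: EventLog) -> bytes:
    """Recompute the PCR a given event log claims to describe."""
    pcr = PCR_INIT
    for _, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def verify_quote(quoted_pcr: bytes, log: EventLog, reference: Dict[str, bytes]) -> bool:
    """Client-side check before trusting a launched GVMI instance:
    1. the log lists exactly the expected stages, in order (a skipped or
       extra measurement fails here);
    2. every digest equals the client's reference digest for that stage
       (a patched kernel or an image with an injected agent fails here);
    3. replaying the log reproduces the quoted PCR (a log edited after the
       fact fails here, because the PCR itself cannot be rewritten)."""
    if [name for name, _ in log] != list(reference):
        return False
    if any(reference[name] != digest for name, digest in log):
        return False
    return replay_event_log(log) == quoted_pcr


# Constructed sample boot chain; the blobs stand in for the real binaries.
GENUINE = [
    ("firmware",   b"constructed: host firmware 1.0"),
    ("bootloader", b"constructed: bootloader 2.04"),
    ("kernel",     b"constructed: vmlinuz 4.15"),
    ("gvmi",       b"constructed: vendor image, unmodified"),
]
# Same host, but the image handed to the client has extra software injected.
TAMPERED = GENUINE[:-1] + [("gvmi", b"constructed: vendor image + injected agent")]
# What the client obtained out of band: known-good digests per stage.
REFERENCE = {name: measure(blob) for name, blob in GENUINE}


if __name__ == "__main__":
    pcr, log = boot_and_quote(GENUINE)
    bad_pcr, bad_log = boot_and_quote(TAMPERED)
    print("genuine boot accepted:  ", verify_quote(pcr, log, REFERENCE))
    print("tampered image accepted:", verify_quote(bad_pcr, bad_log, REFERENCE))
    print("forged log accepted:    ", verify_quote(bad_pcr, log, REFERENCE))
```

The third check is the one that makes the event log trustworthy at all: the log itself lives in ordinary memory and can be edited by a compromised hypervisor, but it is only accepted if it replays to the value the TPM actually holds.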
Chapter 9, “Lightweight Live Migration,” presents a set of techniques that provide high availability through VM live migration, their implementation in the Xen hypervisor and the Linux operating system kernel, and experimental studies conducted using a variety of benchmarks and production applications. The techniques include: a novel fine-grained block identification mechanism called FGBI; a lightweight, globally consistent checkpointing mechanism called VPC (virtual predict checkpointing); a fast VM resumption mechanism called VM resume; a guest OS kernel-based live migration technique that does not involve the hypervisor for VM migration called HSG-LM; an efficient live migration-based load balancing strategy called DC balance; and a fast and storage-adaptive migration mechanism called FDM.
Chapter 10, “Virtual Machine Mobility with Self Migration,” discusses many open issues related to device drivers. Existing systems trade driver isolation for performance and ease of development, and device drivers are a major source of system instability. Attempts have been made to improve the situation through hardware protection techniques, e.g., microkernels and Nooks, and through software-enforced isolation. Commodity systems do not enforce addressing restrictions on device DMA, limiting the effectiveness of the described techniques. Lastly, if applications are to survive a driver crash, the OS or driver protection mechanism must have a way of reconstructing lost hardware state when the driver is reinitialized.
Chapter 11, “Different Approaches for Live Migration,” studies the implementation of two kinds of live migration techniques for hardware-assisted virtual machines (HVMs). The first contribution of this chapter is the design and implementation of the post-copy approach. This approach consists of the last two of the process migration phases, the stop-and-copy phase and the pull phase. Because of the pull phase, completion of the migration becomes non-deterministic: pages are fetched from the source only on demand, so how long the migration takes depends on the guest's memory access pattern.
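To make the difference between the pre-copy sequence of Chapter 1 and the post-copy approach of Chapter 11 concrete, the following is an added example (not code from the book) that simulates both over a small constructed guest memory and two constructed access traces. The guest pages, the traces, the one-page-per-step background push rate and the pre-copy round length are all made-up parameters for illustration; the point it shows is that post-copy's completion time is a function of what the guest happens to touch (and never completes on its own if some pages are never touched), while pre-copy's completion is bounded by the number of copy rounds whatever the guest does.

```python
from typing import Dict, List, Optional

Memory = Dict[int, bytes]   # page number -> page contents


def postcopy_migrate(source: Memory, access_trace: List[int],
                     active_push: bool = False) -> dict:
    """Post-copy: the stop-and-copy phase moves only the CPU and device state
    (modelled as instantaneous), the VM resumes on the destination with an
    empty memory, and the pull phase fetches each page from the source the
    first time the guest touches it (a 'network page fault').  Migration is
    complete only when every page has left the source, which, without help,
    depends entirely on the guest's access pattern.  With active_push the
    source additionally streams one untouched page per guest step in the
    background, which bounds completion regardless of the guest."""
    dest: Memory = {}
    pending = set(source)                 # pages still only at the source
    faults = 0
    completed_at: Optional[int] = None
    for step, page in enumerate(access_trace, start=1):
        if page in pending:               # demand pull: vCPU stalls for a round trip
            dest[page] = source[page]
            pending.discard(page)
            faults += 1
        if active_push and pending:       # background push of one more page
            nxt = min(pending)
            dest[nxt] = source[nxt]
            pending.discard(nxt)
        if completed_at is None and not pending:
            completed_at = step
    return {"faults": faults, "completed_at": completed_at,
            "pages_left": len(pending)}


def precopy_migrate(source: Memory, write_trace: List[int],
                    round_len: int = 4, max_rounds: int = 3) -> dict:
    """Pre-copy: the VM keeps running at the source while memory is copied in
    rounds; each round resends the pages the guest dirtied during the previous
    one (here: the next round_len writes of the trace).  After max_rounds, or
    once nothing is dirty, the VM is paused and the remaining dirty set is
    sent in the stop-and-copy phase, so completion is always bounded."""
    dirty = set(source)                   # round 1 copies everything
    sent, rounds, pos = 0, 0, 0
    while dirty and rounds < max_rounds:
        sent += len(dirty)
        dirty = set(write_trace[pos:pos + round_len])   # written while in flight
        pos += round_len
        rounds += 1
    sent += len(dirty)                    # stop-and-copy: VM is paused for this
    return {"rounds": rounds, "pages_sent": sent, "downtime_pages": len(dirty)}


# Constructed guest: six pages, and two constructed access traces.
PAGES: Memory = {n: bytes([n]) * 4 for n in range(6)}
HOT = [0, 1, 0, 1, 2, 0, 1, 2, 3, 4, 5]   # guest eventually touches every page
COLD = [0, 1, 0, 1, 0, 1]                 # guest loops on two pages only


if __name__ == "__main__":
    print("post-copy, HOT trace:        ", postcopy_migrate(PAGES, HOT))
    print("post-copy, COLD trace:       ", postcopy_migrate(PAGES, COLD))
    print("post-copy, COLD + push:      ", postcopy_migrate(PAGES, COLD, active_push=True))
    print("pre-copy,  HOT writes:       ", precopy_migrate(PAGES, HOT))
```

Run as-is, the COLD trace leaves four pages stranded at the source under plain post-copy, which is exactly why real post-copy implementations combine demand paging with active push or pre-paging; the same trace completes at step 5 once the background push is enabled.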
Chapter 12, “Migrating Security Policies in Cloud,” presents the concepts of cloud computing, a fast-developing area that relies on the sharing of resources over a network. As more companies adopt cloud computing and data centers grow rapidly, data and network security gain importance, and firewalls are still the most common means of safeguarding networks of any size. Since today's data centers are distributed around the world, VM migration within and between data centers is inevitable for an elastic cloud. In order to keep the VM and the data centers secure after migration, the VM-specific security policies must move along with the VM.
Finally, Chapter 13, “Case Study,” gives case studies that are useful for real-life applications, covering KVM, Xen and the emergence of green computing in the cloud, and ends with a case study on data analysis in distributed environments. Many algorithms have been proposed, for transactional as well as geographic databases, to prune frequent item sets and association rules; among them is an algorithm for global spatial association rule mining that relies exclusively on the one-to-one and one-to-many relationships represented in GIS database schemas and geo-ontologies. This chapter presents an algorithm that improves spatial association rule mining. The proposed algorithm has three main steps: first, it automates the geographic data pre-processing tasks developed for a GIS module; second, it discards all well-known GIS dependencies when computing the relationships between the attributes; and finally, an algorithm is proposed that provides the greatest degree of privacy when the number of regions is more than two, each region finding the association rules between them with zero data leakage.
Dac-Nhuong Le
Raghvendra Kumar
Nguyen Gia Nhu
Jyotir Moy Chatterjee
January 2018
The authors would like to acknowledge the most important people in our lives, our grandfathers, grandmothers and our wives. This book has been a long-cherished dream which would not have become reality without the support and love of these amazing people. They have encouraged us despite our failing to give them the proper time and attention. We are also grateful to our best friends for their blessings, unconditional love, patience and encouragement of this work.
List of Acronyms
ACL | Access Control List
ALB | Adaptive Load Balancing
AMQP | Advanced Message Queuing Protocol
API | Application Programming Interface
ARP | Address Resolution Protocol
CAM | Content Addressable Memory
CCE | Cloud Computing Environment
CFI | Control Flow Integrity
CSLB | Central Scheduler Load Balancing
CSP | Cloud Service Provider
DAM | Database Activity Monitoring
DCE | Data Center Efficiency
DLP | Data Loss Prevention
DPM | Distributed Power Management
DRS | Distributed Resource Scheduler
DVFS | Dynamic Voltage and Frequency Scaling
DHCP | Dynamic Host Configuration Protocol
ECMP | Equal-Cost Multi-Path
EC2 | Elastic Compute Cloud
FAM | File Activity Monitoring
FGBI | Fine-Grained Block Identification
GVMI | Generic Virtual Machine Image
GOC | Green Open Cloud
HVM | Hardware-Assisted Virtual Machine
HPC | Hardware Performance Counters
HIPS | Host Intrusion Prevention System
IaaS | Infrastructure as a Service
IDS/IPS | Intrusion Detection System/Intrusion Prevention System
IMA | Integrity Measurement Architecture
IRM | In-Lined Reference Monitors
ISA | Instruction Set Architecture
KVM | Kernel-Based Virtual Machine
KBA | Knowledge-Based Authentication
LAN | Local Area Network
LLFC | Link Layer Flow Control
LLM | Lightweight Live Migration
LVMM | Live Virtual Machine Migration
MiTM | Man-in-the-Middle Attack
MAC | Media Access Control
NAC | Network Access Control
NRDC | Natural Resources Defense Council
NIPS | Network Intrusion Prevention System
OS | Operating System
ONF | Open Networking Foundation
PaaS | Platform as a Service
PAP | Policy Administration Point
PDP | Policy Decision Point
PEP | Policy Enforcement Point
PUE | Power Usage Effectiveness
PDT | Performance Degradation Time
PMC | Performance Monitoring Counters
PPW | Performance Per Watt
RLE | Run-Length Encoding
SaaS | Software as a Service
SAML | Security Assertion Markup Language
SDN | Software-Defined Networking
SecaaS | Security as a Service
SLA | Service Level Agreement
SPT | Shadow Page Table
SFI | Software Fault Isolation
SMC | Secure Multi-Party Computation
SIEM | Security Information and Event Management
STP | Spanning Tree Protocol
S3 | Simple Storage Service
TPM | Trusted Platform Module
TTP | Trusted Third Party
TCG | Trusted Computing Group
VDCs | Virtual Data Centers
VLB | Valiant Load Balancing
VPC | Virtual Predict Checkpointing
VM | Virtual Machine
VMM | Virtual Machine Monitor
VMLM | Virtual Machine Live Migration
XSS | Cross-Site Scripting
WAN | Wide Area Network
Deputy-Head, Faculty of Information Technology
Haiphong University, Haiphong, Vietnam
Contemporary advances in virtualization and communication technologies have changed the way data centers are designed and operated by providing new mechanisms for better sharing and control of data center resources. In particular, virtual machine (VM) live migration is an effective management technique that gives data center administrators the ability to adapt the placement of VMs in order to better satisfy performance objectives, improve resource utilization and communication locality, mitigate performance hotspots, achieve fault tolerance, reduce energy consumption, and facilitate system maintenance activities. Despite these potential benefits, VM migration also imposes new requirements on the design of the underlying communication infrastructure, for example meeting the bandwidth requirements needed to support VM mobility. Moreover, devising efficient VM migration schemes is itself a challenging problem, as it requires not only quantifying the benefits of VM migration but also accounting for migration costs, including communication cost, service disruption, and management overhead.
This book presents in-depth insights into the benefits and techniques of virtual machine live migration and examines the related research challenges in data centers in cloud computing environments.