Protection of services in the cloud

Computing clouds are not in line with many traditional security concepts like perimeter security on the basis of firewalls. Cloud Computing exposes all our computing power to the world. Our virtual machines run in parallel with all kinds of other competing virtual machines unknown to us. Our machines can even share a physical machine with them. In essence, the machines do not run on our premises with only friendly machines around them.

While security mechanisms should still be able to protect our machines in this scenario, the layers of defense are reduced. Attackers may exploit this. They scan all kinds of devices on the Internet and check whether they have a weakness that can be utilized. If our machine has this weakness, it will be successfully attacked. So, we have to stop non-legitimate users and devices from accessing and scanning our virtual machine even though it runs in a public environment. This means we need authentication and some kind of privacy for the services on our machine.

In SafeCloud, we are developing a variety of defense mechanisms. Most relevant for the issue above is sKnock. sKnock provides authenticated port knocking and, thus, hides the services running on the machine. As a consequence, the purpose and the application of the machine is far less exposed. Active probing does not reveal it.

What does it do? sKnock generates a situation where for an external user, the machine seems to run no service at all. All ports on the machine seem to be closed. Clients who can authenticate themselves on the basis of a certificate and appropriate cryptographic mechanisms will see a different picture. Once they authenticated and told which service they want to access, they can for some amount of time access the service on the port and it does not appear closed to them. Once this connection is established, the clients and the service can communicate with each other as long as the connection remains open.

With this SafeCloud solution, we managed to generate a privacy solution for services running on the Internet. And this means that we are enabling a level of protection that we would otherwise only have in a protected environment in our own computing room.

Heiko Niedermayer, TUM