Securing Federated Networks: Automatic Firewall and OS Configuration in BEACON

As we have covered in previous blogs on this site, the BEACON project is seeking to enable federated networking. However, in today’s blog we will see that this is not BEACON’s sole purpose.

The main project goal could be described as seeking to define and implement a federated cloud network framework. This will enable the provision of federated cloud infrastructures, allowing for shared resources and creating a large virtual pool of resources across many different network locations.

However, as in all IT systems, security is paramount. The potential risks of an unsecure system are well known, and so to attract potential users of a federated cloud, we must be able to inspire complete confidence in the system’s security.

It is for this reason that BEACON has, from its inception, given special emphasis to working on the security issues of federated cloud infrastructures. One key way in which BEACON addresses security challenges is through a specific security-focused use case. Undertaken by Flexiant, work has already begun on integrating a vulnerability scanner into the network. This will improve security at the cloud level. Currently Flexiant are configuring the scanner to work with their market-leading commercial cloud orchestration product, Flexiant Cloud Orchestrator (FCO).

Upon detecting a new Virtual Machine (VM) starting, FCO will automatically apply a firewall template to protect the deployment. Following this, it will call out to the scanner to scan the IP address of the VM. This highlights any vulnerabilities (for example, ports that need to be closed) and automatically updates the firewall on the VM. It may also be configured to update the firewall template, improving it for the next time it is deployed to a VM with a similar application tag. The scanner can be used within any cloud platform, and so this work on the FCO platform will form a basis for similar work to be conducted in other platforms, such as OpenStack.
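The apply-template, scan, harden, learn loop described above, modelled as an added example (this is illustrative code, not BEACON's or Flexiant's, and FCO's real templates and scanner output look nothing like it). The per-tag baselines, the template store, the scanner report format and every function name are assumptions; the scan report is constructed. The point it shows is that the per-VM firewall is derived from the template plus the scan findings, and that the findings are folded back into the tag's template so the next VM with that tag starts from the improved version.

```python
"""Constructed example (added for illustration; not BEACON or Flexiant code).
Models the scan-then-update loop: a per-tag firewall template is applied at
VM start, a scan reports open ports, unexpected ones are denied on the VM,
and the lesson is folded back into the tag's template for the next deploy."""
from dataclasses import dataclass, field

# Hypothetical per-application-tag baseline: the ports a VM with that tag
# legitimately needs to expose. Everything else is denied by default.
BASELINE = {
    "web": {22, 80, 443},
    "db": {22, 5432},
}
# Templates refined by earlier scans, keyed by tag (hypothetical in-memory store).
TEMPLATES = {}

@dataclass
class FirewallTemplate:
    tag: str
    allow: set
    explicit_deny: set = field(default_factory=set)

    def rules(self):
        """Ordered rule list: explicit denies, then allows, then default deny.
        The explicit denies are redundant under default-deny but record past
        findings and keep holding if the allow list is later widened."""
        out = [("DENY", p) for p in sorted(self.explicit_deny)]
        out += [("ALLOW", p) for p in sorted(self.allow)]
        out.append(("DENY", "any"))
        return out

def get_template(tag):
    """Refined template for the tag if one exists, else a fresh baseline copy."""
    if tag in TEMPLATES:
        t = TEMPLATES[tag]
        return FirewallTemplate(t.tag, set(t.allow), set(t.explicit_deny))
    return FirewallTemplate(tag, set(BASELINE[tag]))

# Constructed scanner output for one VM; the "port/proto state service" line
# format is an assumption, not any particular scanner's real format.
SCAN_REPORT = """\
# vm-web-01 (tag: web)
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql
6379/tcp open redis
8080/tcp closed http-alt
"""

def parse_open_ports(report):
    """Extract the set of open TCP ports from the constructed report format."""
    open_ports = set()
    for line in report.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        port_proto, state, *_ = line.split()
        if state == "open" and port_proto.endswith("/tcp"):
            open_ports.add(int(port_proto.split("/")[0]))
    return open_ports

def assess_scan(template, open_ports):
    """Compare what the scanner saw with what the template permits."""
    return {
        "unexpected": sorted(set(open_ports) - template.allow),
        "not_listening": sorted(template.allow - set(open_ports)),
    }

def harden_vm(template, open_ports):
    """VM-specific firewall after a scan: deny every unexpectedly open port."""
    findings = assess_scan(template, open_ports)
    vm_fw = FirewallTemplate(
        template.tag, set(template.allow),
        set(template.explicit_deny) | set(findings["unexpected"]),
    )
    return vm_fw, findings

def learn(template, findings):
    """Fold the unexpected ports into the tag's template so the next VM with
    this tag starts out denying them explicitly; stores and returns it."""
    template.explicit_deny |= set(findings["unexpected"])
    TEMPLATES[template.tag] = template
    return template

def deploy_and_scan(tag, report):
    """The whole loop for one VM start: apply template, scan, harden, learn."""
    template = get_template(tag)
    vm_fw, findings = harden_vm(template, parse_open_ports(report))
    learn(template, findings)
    return vm_fw, findings

if __name__ == "__main__":
    fw, found = deploy_and_scan("web", SCAN_REPORT)
    print("findings:", found)
    for action, port in fw.rules():
        print(f"{action:5} {port}")
```

Running it for the constructed "web" VM flags 3306 and 6379 as unexpected, emits a rule list that denies them ahead of the allows, and leaves the stored "web" template carrying those two explicit denies for the next deployment, while the "db" template is untouched.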

Further, Flexiant are investigating the possibility of moving firewall templates between cloud providers so that the template follows the VM when the federation agent moves it. This work is at an early stage; should it reveal problems with this concept, then upon a VM being moved it would be re-scanned in its new location, and a new template firewall attached and updated. Either way, the VM will be secure from first deployment or redeployment, ensuring the security of the network.

Flexiant are also working to improve the security of federated networks at the VM level, which will be achieved by using CHEF cookbooks to automatically configure the Operating System (OS) to a baseline security standard. When a VM is created, the CHEF agent will connect to the CHEF server and pull down the security cookbooks that have been assigned to it. These cookbooks contain a list of instructions for the VM, which it automatically carries out to configure the OS. This ensures that the VM is secure before anything else is undertaken.

Taken together, Flexiant’s work in this area will mean that you can achieve the same baseline security in federated environments, regardless of which cloud you are on. This will make it easier to deploy to the cloud, easier to migrate between clouds, and will automatically mitigate common security risks so as to offer peace of mind and encourage adoption of the cloud.

Find out more about the BEACON Project, or, for more on Flexiant's involvement, visit the Flexiant Research page.