{"title":"为基础设施即服务采用软件定义周界(SDP)体系结构","authors":"Jaspreet Singh, A. Refaey, J. Koilpillai","doi":"10.1109/CJECE.2020.3005316","DOIUrl":null,"url":null,"abstract":"The use of cloud Infrastructure as a Service (IaaS) for enterprise applications is at an all-time high and is charted to continue growing to approximately 73% by 2022. IaaS suffers from several security concerns, such as hypervisor hijacking, virtual machine (VM) hopping, and account hijacking. With such a large percentage of enterprise traffic on the cloud, a strong security framework is demanded. To secure IaaS, this article proposes a software-defined perimeter (SDP) as a solution. SDP provides a logical perimeter to restrict access to services with a layer of authentication and authorization to allow. Only authorized clients may connect to services hidden by SDP gateways. SDP is implemented and verified in an AWS cloud environment. Port scanning is used to verify SDP behavior as well. The results demonstrate the SDP’s ability to “darken” services behind a gateway. The performance of SDP against a denial-of-service (DoS) attack is demonstrated in a local environment. The test results demonstrate that SDP is indeed capable of resisting DoS attacks while allowing legitimate user traffic even under the duration of the attack. These results lead to a discussion on future research for SDP in IaaS.","PeriodicalId":55287,"journal":{"name":"Canadian Journal of Electrical and Computer Engineering-Revue Canadienne De Genie Electrique et Informatique","volume":null,"pages":null},"PeriodicalIF":1.7000,"publicationDate":"2020-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1109/CJECE.2020.3005316","citationCount":"19","resultStr":"{\"title\":\"Adoption of the Software-Defined Perimeter (SDP) Architecture for Infrastructure as a Service\",\"authors\":\"Jaspreet Singh, A. Refaey, J. Koilpillai\",\"doi\":\"10.1109/CJECE.2020.3005316\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The use of cloud Infrastructure as a Service (IaaS) for enterprise applications is at an all-time high and is charted to continue growing to approximately 73% by 2022. IaaS suffers from several security concerns, such as hypervisor hijacking, virtual machine (VM) hopping, and account hijacking. With such a large percentage of enterprise traffic on the cloud, a strong security framework is demanded. To secure IaaS, this article proposes a software-defined perimeter (SDP) as a solution. SDP provides a logical perimeter to restrict access to services with a layer of authentication and authorization to allow. Only authorized clients may connect to services hidden by SDP gateways. SDP is implemented and verified in an AWS cloud environment. Port scanning is used to verify SDP behavior as well. The results demonstrate the SDP’s ability to “darken” services behind a gateway. The performance of SDP against a denial-of-service (DoS) attack is demonstrated in a local environment. The test results demonstrate that SDP is indeed capable of resisting DoS attacks while allowing legitimate user traffic even under the duration of the attack. These results lead to a discussion on future research for SDP in IaaS.\",\"PeriodicalId\":55287,\"journal\":{\"name\":\"Canadian Journal of Electrical and Computer Engineering-Revue Canadienne De Genie Electrique et Informatique\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":1.7000,\"publicationDate\":\"2020-01-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"https://sci-hub-pdf.com/10.1109/CJECE.2020.3005316\",\"citationCount\":\"19\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Canadian Journal of Electrical and Computer Engineering-Revue Canadienne De Genie Electrique et Informatique\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/CJECE.2020.3005316\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q2\",\"JCRName\":\"Engineering\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Canadian Journal of Electrical and Computer Engineering-Revue Canadienne De Genie Electrique et Informatique","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CJECE.2020.3005316","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"Engineering","Score":null,"Total":0}
Adoption of the Software-Defined Perimeter (SDP) Architecture for Infrastructure as a Service
The use of cloud Infrastructure as a Service (IaaS) for enterprise applications is at an all-time high and is charted to continue growing to approximately 73% by 2022. IaaS suffers from several security concerns, such as hypervisor hijacking, virtual machine (VM) hopping, and account hijacking. With such a large percentage of enterprise traffic on the cloud, a strong security framework is demanded. To secure IaaS, this article proposes a software-defined perimeter (SDP) as a solution. SDP provides a logical perimeter to restrict access to services with a layer of authentication and authorization to allow. Only authorized clients may connect to services hidden by SDP gateways. SDP is implemented and verified in an AWS cloud environment. Port scanning is used to verify SDP behavior as well. The results demonstrate the SDP’s ability to “darken” services behind a gateway. The performance of SDP against a denial-of-service (DoS) attack is demonstrated in a local environment. The test results demonstrate that SDP is indeed capable of resisting DoS attacks while allowing legitimate user traffic even under the duration of the attack. These results lead to a discussion on future research for SDP in IaaS.
期刊介绍:
The Canadian Journal of Electrical and Computer Engineering (ISSN-0840-8688), issued quarterly, has been publishing high-quality refereed scientific papers in all areas of electrical and computer engineering since 1976