An archetype for mitigating the security threats in multi-cloud environment by implementing tree-based next-generation firewalls

Abstract

Cloud computing on-demand dynamicity in nature of end-user that leads towards a hybrid cloud model deployment is called a multi-cloud. Multi-cloud is a multi-tenant and multi-vendor heterogeneous cloud platform in terms of services and security under a defined SLA (service level agreement). The diverse deployment of the multi-cloud model leads to rise in security risks. In this paper, we define a multi-cloud model with hybridization of vendor and security to increase the end-user experience. The proposed model has a heterogeneous cloud paradigm with a combination of firewall tracts to overcome rising security issues. The proposed work consists of three steps, firstly, all incoming traffic from the consumer end into five major groups called ambient. Secondly, design a next-generation firewall (NGFW) topology with a mixture of tree-based and demilitarized zone (DMZ) implications. Test implementation of designed topology performed by using a simple DMZ technique in case of vendor-specific model and NGFW on hybrid vendor based multi-cloud model. Furthermore, it also defines some advantages of NGFW to overcome these concerns. The proposed work is helpful for the new consumer to define their dynamic secure cloud services under a single SLA before adopting a multi-cloud platform. Finally, results are compared in terms of throughput and CPU utilization in both cases.

Keywords

Multi-cloud next-generation firewall (NGFW)firewall security cloud computing single SLA

1 Introduction

Cloud computing delivers elasticity in resource provisioning and reallocation with extensive hardware support to increase end-user experience. Such an archetype helps to reduce the cost in terms of operational expenditure (Opex) and capital expenditure (Capex) [1]. Cloud vendor provides a diversity of services to cloud consumers according to pay per use model under a signed service level agreement (SLA), via a redundant internet link [2]. The current cloud solutions unable to overcome the dynamicity of on-demand services from a single tenant or the same services from multi-tenant under a single SLA such as optimal application deployment, specific vendor lock-in, and security policies [3]. Numerous hybrid solutions are offered by different cloud vendors with the combination of public and private infrastructure but the well-known optimal solution is multi-cloud. Multi-cloud is a federation trust between different vendors e.g. Amazon, Microsoft, Xen, VMware, and Salesforce to ensure vibrant services with extensive support under define SLA [4, 5]. Multi-cloud is a heterogeneous platform that offers a variety of dynamic services with a combination of several cloud models, vendors, storage, applications, and software. Organizations use a multi-cloud environment to overcome vital on-demand services by the use of different tenants working under the same ecosystem. Multi-cloud is used to obtain runtime resource allocation under different data groups to achieve high-availability and transparency of access control to the end-user.

Figure 1 presents an archetypal multi-cloud with a hybrid vendor based on the deployment of a cloud provider. The multi-vendor archetype has three basic topographies, Private cloud use to ensure a better end-user experience with transparency and high-availability. Secure fabric blends of security parameters like network security, end-user security, Virtual Private Network (VPN) security, physical and virtual data alliances security, application awareness, and devices access control-based security, infrastructure security, email, and content-based security. Data alliances ensure the availability, redundancy, and elasticity of end-user data experience. The consumer end presents the dynamicity of consumers in terms of cloud broker or end-user, it can be an organization or individual.

Fig. 1

Multi-tenant, multi-vendor, Multi-cloud example.

The major part of current cloud deployment is rapidly migrating to multi-cloud in terms of services and tools. This rapid growth of multi-cloud architecture unable to acquire the desired security level. Modern security concerns must be evaluated with the integration of vendor and network policies to mitigate the security concerns related to the internet of things (IoT) and shared distributed multi-cloud paradigm. The integration shrinks the window of current concern and makes some possible ways to introduce and deploy new policies in the current infrastructure. The multi-cloud is an efficient fence to reduce the ossification of cloud services, which may concern the resources allocation delinquent for both virtual and physical resources to overcome a particular requirement.

Multi-cloud has edge over the homogeneous cloud model in terms of cost and security because traditional public cloud vendor treats security as separate anxiety. In these models, Security is referred to as a complete isolated service paradigm or handled by the third party as distinct security metrics. In the case of multi-cloud, a hybrid model is deployed with a combination of application, software, service, and security[6, 7]. The security model traits deployed on the same cluster of heterogeneous VMs (virtual machines) or an individual specific cluster under that ecosystem. The dynamic heterogeneous multi-tenants and services deployed in a multi-cloud ecosystem which lead towards a huge amount of inbound and outbound data flow over the network. Some well-known virtualization vendors like VMware (ESXi), Microsoft (Hyper-V), and Linux (Xen) have built-in stateful (dynamic, rule-based filtering) and stateless (static, access control list-based filtering) firewall to prevent from attacks and threats. But currently, present traditional firewall solutions unable to handle the dynamic flow of multi-cloud infrastructure. Which requires a hybrid and dynamic firewall implementation called “Next Generation Firewall” (NGFW). NGFW performs application access control with transparency, integrated intrusion prevention system (IIPS), and intelligent cloud attacks awareness. In a simple form, NGFW is equal to traditional stateful and stateless inspection plus, IPS, and other devices access control based filtering.

In this paper, we proposed a multi-cloud model with multi-vendor based implementation and security by defining the security under a single SLA. The proposed model deployed a tree-based NGFW hybrid platform that performs stateless listed rules inspection, extensive IPS, and device-based filtering. Projected NGFW based multi-cloud deployment model used to obtain efficiency in terms of throughput and cost. The proposed NGFW technique help to overcome the current rising threats e.g. phishing attack, polymorphic malware, Ransomware, and secure dynamic policy execution in a multi-cloud environment.

The further research work consists of related work, rule design metrics for firewall, rules creation with the prove of basic set based mathematical equations, implementation of design rule on vendor-specific and tree-based NGFW on multi-cloud, comparison of CPU utilization and throughput results and benefits of the deployed model toward adopting multi-cloud as a new norm.

Novelty or contribution.

Define multi-cloud architecture with multi-vendor and security for a service provider.

Split inbound consumer traffic into different clusters to define rules on the DMZ firewall.

Rule designing and implementation on the tree-based next-generation firewall.

Define security and services under a single SLA, which is helpful for the new consumer to adopt a multi-cloud environment.

2 Related work

Yang et al. [8] provided a solution to the multi-cloud Storage (MCS) problem, i.e. how partial data can be shared with various cloud service providers based on multi-objective optimization while maintaining a high degree of security and quality at minimal storage cost. To solve the problem, non-dominated Sorting Genetic Algorithm II with a special combination method (NSGA-II-C) was adopted. NSGA-II-C has improved generational separation and diversity quality by contrasting the proposed question with MOEA/D and SPEA2 based on the statistical analysis of results. The work suggested transform the MCS problem into a MOP with maximizing security, minimizing the cost, and response time of data storage for users at the same time. The approach proposed correlated with related MCS and single cloud storage studies. Arunkumar et al. [9] focused on various existing technologies and their policies for firewalls in highly dynamic networks such as coalition networks. The authors highlighted the essential for a next-generation firewall (NGFW) to demonstrate the problems in the existing firewalls.

Amato et al. [10] presented a model-driven reserve proxy-based firewall technique to sort out the security issues in cloud orchestrate. The DMZ (demilitarized zone) firewall is deployed in three layers, where the outer and inner layer of the firewall cover reserve proxy. The model-driven analysis is used to verify and validate security concerns in certain cloud models to access multi-tenant micro-cloud-based services with different SLA requirements in terms of cost and latency. Bhamare [11] introduced a model-based technique with the combination of scheduling algorithms and firewall arrangement tactics to ensure the efficiency in terms of overall turnaround time and security to access micro-application hosted on the multi-cloud platform.

Yeasmin et al. [12] induced firewall implementation techniques in single or multi-cloud archetypes to measure performance based on response time, database security, data load, email security, web filtering, and archive. Three variations of firewall implication tested, i) single cloud, ii) multi-cloud with single server iii) multi-cloud with multiple servers. Results exposed that multi-cloud with multiple serves performance was much accurate and efficient. In the case of web application multi-tire servers under multiple clusters geographically separated (where each cluster is responsible to manage its load) perform better than a single cluster having multiple applications and services [13].

Content-based distributed network has multiple variations in SLA and requirements. Liao et al. [14] presented a virtual content-based platform by using v-firewall, virtual DNS, and proxy server, where each v-firewall connected to a physical cluster via a virtual link. The implantation help to save cost in terms of energy and efficiency.

Bhamare et al. [15] presented a network function based technique to replace the traditional firewall behavior like access control, destination IP, and port-based filtering. Simple greedy and first-fit decreasing approach applied on network function based virtual parameter to reduce cost in terms of delay, capital, and operational expenses. Virtual firewall implanted to save cost and SLA gain, based on access control transparency policies in commination oriented cloud models [16].

Patil et al. [17] used packet filtering, signature detection, and log alert traditional firewall function with the combination of binary bat algorithm and random forest classifier to detect and prevent intrusion in cloud-based secure networks. Each VM applied to the set of network traffic filters under the designed model for a specific organization.

Sheridan et al. [18] proposed an automated deployment technique to protect newly deployed applications on the cloud from cyber vulnerabilities. The whole model consists of three steps detection of vulnerabilities, implementation of the firewall to mark the vulnerability, and freeze it for further communication in a virtual network by provisioning and integration of virtual nodes. An optimal approach for the combination of software defines network and virtualization for the V center has the radial metrics of big data and firewall rules. This integrated technology is used to obtain a quality of services in security and threat awareness in virtual data centers [19]. Better average response time of conflict-free and optimal neural network achieved in a multi-cloud platform with the combination of firewall implementation policies and software-defined rules. Results showed that average response time increase with increment of specific processing load on central devices [20].

Levina et al. [21] presented a load balancing as a Service (LBaaS) approach for Software Defined Networks (SDN) on cloud architecture. The proposed solution based on the hierarchical orchestra, anticipated in a centralized structure, as the central element becomes a failure point for the entire system. The authors tested a federated environment set up according to three sample configurations to prove the validity of the solution: a (single) standalone distributor and, respectively, either 2, 4, or 8 amphorae, used inactive configuration.

Sohal [22] presented IDS and virtual honeypot devices (VHD) based on a technique to prevent malicious end devices in fog computing. VHD deployed model firewall used to detect malicious insider and outsider in both IPS and IDS manners. Once the firewall marked the end node as a malicious then the particular node disconnected or freeze to perform upcoming communication.

Toumi et al. [23] proposed a framework based on a hybrid intrusion detection system for the detection of internal and external attacks in the cloud. The proposed framework work consists of mobile agents and firewalls to improve the security in infrastructure as service (IaaS). The proposed intrusion work focused on mobile agents in a versatile and interoperable way to recover and analyze malicious data.

Wieland et al. [24] proposed a data-driven approach to cloud and cloud shadow semantic segmentation in single-date images based on a modified U-Net convolutional neural network. The proposed work trained the network for the segmentation of five groups (“shadow,” “earth,” “wind,” “ground” and “snow/ice”) on a global Landsat OLI image database, for any application that uses optical data. The best-performed model uses six spectral bands (Red, Green, Blue, NIR, SWIR1, and SWIR2) and trained in an enhanced version of the training data for contrast and brightness.

3 The proposed work

3.1 Rule designed metrics

The proposed NGFW model consists of the following four metrics to create a firewall rule. These metrics designed to obtain maximum throughput to dynamic load balancing and minimize the cost in terms of Capex and Opex.

3.1.1 No shadow rule

A rule which can never be matched with any other listed rules because is followed and tested by any present rule above in the list. Shadow rule causes security concern, i.e. when a new worm is detected in a dynamic network, and firewall admin creates a separate rule to stop such kind of attacks. The created rule turns into a shadow rule under the above large tested list, hence too many shadow rules cause security concern and speed limitation to reduce the efficacy of the network flow control. Shadow rule can be deducted and removed to improve firewall policy [25, 26].

3.1.2 No rule swapping

Swapping between a list of rules up or down cause problems in listed rules sequence, i.e. as a certain listed rule above is responsible for the client to server communication and it swapped down, now the current listed rule has block action against such a critical and demanding task to generate security lacks [27 –29].

3.1.3 No redundant rule

Redundancy in listed rules with the same action against the same request cause time out and accuracy issues and it is better to remove redundant rules from the list, i.e. two rules have the same deny/accept action against the same SIP (Source IP), DIP (Destination IP) or DPT (Destination port number). Administrators must have to detect and remove rules which create redundancy to improve accuracy [30, 31].

3.1.4 No sequential rule

Sequential rule causes speed problems and increases time to take a complete decision in large-scale networks where a variety of rules are followed by the same sequence. A big rule is mapped with a big relation and cover by the small rule above. If a big rule is created above then all small rules will be shadow rule under this big rule, i.e. deny /allow all from a specific port number, protocol header, white list, blacklist in rule firewall [32, 33].

3.2 Proposed model

The implementation of NGFW in multi-cloud architecture varies as per the requirement of multi-layer infrastructure, DMZ coating with packet filtering, stateful, and proxy combination. However, this implementation does not fulfill the requirements of the modern digital ecosystem. The proposed model is the deployment of a dynamic next-generation firewall based on modest tree-based data structural techniques. The NGFW implementation incorporates traditional firewall impacts, integrated intrusion prevention systems, DNS filtering, device filtering, application awareness, and access control.

Initially, in this research we split all incoming traffic from the cloud consumer side on a vendor end in five small groups called ambient. These ambient are constructed on defined metrics i.e. protocol header (pd) and associated port number of source network traffic. In the proposed model, there are five ambient which are denoted by “A₁ to A₅”. The discretion of each ambient is as follows.

“A₁” Email ambient with protocol header SMTP, PoP3, IMAP, MAPI, and EAS

“A₂” Web access ambient coating with HTTP, HTTPS, TCP

“A₃” Data access ambient FTP, UDP

“A₄” Hardware and trust management

“A₅” Access control and transparency

Figure 2 shows the firewall implantation with DMZ on cloud service provider ends for a specific vendor. The four well-known cloud hypervisors are ESXi (VMWare), Hyper-V (Microsoft), Xen (Citrix), and KVM (Linux). The focus of the proposed model on ESXi and Hyper-V. While in the case of a firewall the choice is 5nine and IPTABLES virtual firewall. The DMZ is separated by a virtual switch that works as port forwarding and translating traffic from DMZ to the internal vendor zone via 2^nd layer of firewall directly connected to each defined ambient in the above topology.

Fig. 2

The proposed topology Implementation on vendor-specific cluster.

4 Mathematical model for stateful and stateless firewalls

Here are some mathematical prove of two parallel processes of the same ambient to expert desire facts and best results. Two jobs “R” and “S” presented on two firewalls of ambient A₁. $A 1 [R]$

Process “R” executed on ambient A₁ $F x A 1 [R]$

“F” denotes the firewall security. Where, “x” is the dynamic type of firewall state (stateless, virtual, stateful, and NGFW). A₁ represents the ambient.

The tree-based NGFW deployment is proposed to define methodology. NGFW = TF+IIPS+DPI+DNS and device filtering+Application awareness and access control

Where,

TF=traditional stateful and stateless firewall

IIPS=integrated intrusion prevention system

Let calculate the mobility of the process “M.P” on ambient A₁ with the implementation of stateless, stateful, and NGFW. $F_{x 11}, F_{x 21}, F_{x 31}$ $F_{x 12}, F_{x 22}, F_{x 32}$ $F_{x 13}, F_{x 23}, F_{x 33}$

Where F_x1, F_x2, F_x3 denote stateless, stateful, and NGFW firewalls respectively, while F_x11 presents job 1 (set of rules) executed on firewall F_x1 and vice versa.

4.1 Stateless firewall

Let F_x1, Rl_x_, Cs_x are the stateless firewall, rules, and connection state of currently deployed rules on firewall respectively. The rule decision is denoted by “D”.

In the case of F_x1_, where a state of firewall is static $F_{x 1} = ({Rl}_{x}, φ) or {Rl}_{x}$ ${Cs}_{x} \mapsto D$

Where connection state directly depends on the rule state and static configuration of the given rule. Which predicate over packet flow and rule based on packet flow control. Where “D” represents deny or allow and rule depends on port number, IP, and subnet mask.

4.2 Stateful firewall

Decision rule = D, Protocol header = Pd, Connection state =Cs_x, TCP connection state = Stp.

Connection states = new, established, occupied, release.

Factors upon which rule depend on are connection state and rules experts.

Rules parameters = SIP (source IP), DIP (destination IP), SP (source port number), DP (destination port number), Pd (protocols header)

The protocol header is recognized through protocol code, type, and ID. Complete connection state is ensured by ack and syn flags. $F_{x 2} = ({Rl}_{x}, {Cs}_{x})$

The rule depends on port number, IP, subnet mask, protocol header, connection state.

4.3 Next generation firewall (NGFW)

The incoming dynamic consumer on-demand traffic is monitored and controlled by using DMZ or Super (F_x1) firewall orientation and treated based on a defined rule. This rule is known as a super rule based on the listed rule firewall. The super rule responsible for two major aspects. It differentiates the inbound traffic on the bases of protocol header and port number to define five ecosystems denoted by A₁ to A₅. Secondly, DMZ (Super) firewall responsible to mark disable certain malicious traffic, port, host, consumer, or ecosystem group based on internal firewall layer primary (F_x2) and secondary (F_x3) in binary form. This implementation refers to a binary tree known as a tree-based firewall. Where each “F_x” related to A₁ to A₅ and donated as “A_xF_x” respectively for each ambient.

In the next step, a V-switch is used between the super firewall and internal vendor zone firewalls. The V-Switch translates the public incoming traffic to private local groups as per the decision of a super firewall and forwards each defined set of traffic to its respective group. Each ambient consists of two firewalls primary and secondary. A primary firewall is responsible to translate and make a decision based on the design rule. While the secondary firewall handles the disaster, logging, error correction, and archive. Each ambient is connected with an individual hardware cluster for computational and data processing as per the requirement shown in Fig. 2.

Connection state, protocol header, source & destination IP, source and destination port number, TCP state these parameters are dynamic in case of NGFW as diversity in consumer on-demand services from various sort of infrastructure and deployment. So these parameters denoted by “x” at the vendor end present the dynamicity of the job. Some other parameters are.

DNS and URL filtering = DUF

Integrated intrusion prevention system = IIPS

Access control and devices accessibility = ADS

There are three flags used in this case syn, ack, st. Where the “st” (status) flag is used to ensure the disable or inactive device, consumer, URL, DNS, etc. when the value of the flag is false then the rule will proceed on each ambient. $F_{x 3} = ({Rl}_{x}, {Cs}_{x} & s_{t}) | s_{t}$

If the “st” value is true then a block message will be updated through secondary to super firewall against a particular job.

5 Creation of rules

Following are the types of created rules

Super rule on the super firewall

Stateful on primary firewall

Error correction, archive and logging rule on secondary firewall

5.1 Super rule

Super rule on DMZ firewall handle all type of traffic and forwards to an intelligent V-switch. The V-switch is the boundary between internal access of V-Cluster and outer DMZ network which is directly connected to the internet.

Outer DMZ firewall known as the super firewall is hardware-based. In proposed topology and will present the super rule. The super rule is static consists of two subparts. First rule expert the internet traffic on the basses of protocol header, source IP (in this case will be dynamic and specific depend on consumer define SLA), Source port number (static or specific configured on core applications as per SLA). The second rule is responsible for the integrated intrusion prevention system. The rule is an integral part of the first rule correlated with each other. If some job is already marked as malicious then the super firewall will not proceed further. V-switch is responsible to translate filtered traffic into the explicit ecosystem as per definition. $SIP * SP * Pd = (i, j, k) | P$

Where “P” is related to the projection of the second part of the ruling witch ensures pre-marked malicious request. It means that incoming traffic from the source will be checked the right projection of “P” to proceed further. This projection is responsible to grant access to the internal ecosystem [34, 35].

5.2 Vendor ecosystem primary rule

Each V-switch port is connected to a pair of firewalls to extant binary Trees. These primary and secondary firewalls are identical and work under these definitions.

Two firewalls of the same ambient said to be equal and can be present by the denotational model. $F_{x} \sim F_{x}^{'}$

If a set of all rules is the same to ensure disaster and load balancing features then we can present it like. $[[A_{x} F_{x}]] k = [[A_{x} F_{x}^{'}]] k$

Where A is the ambient name.

If two firewalls are equal the relative projection of rule on each firewall also be equal. If we present a projection of each firewall by ⨀ a circular dot and down arrow operators then $(A_{x} F_{x} ⨀ A_{x} F_{x}^{'}) ↓ P \sim A_{x} F_{x} ↓ P ⨀ {AxF}_{x}^{'} ↓ P$

This can be written as $A_{x} F_{x} ↓ P \sim A_{xF}^{'} x ↓ P$

The complement of this in case of false value on s_t or any other flag $A_{x} F_{x} ↓ ↼ P \sim A_{x} F_{x}^{'} ↓ ↼ P$

For any firewall group F_x on any ambient Ax based on projection P we have $[[A_{x} F_{x}]] k = [[A_{x} F_{x} ↓ P]] k \cup [[A_{x} F_{x} ↓ ↼ P]] k$

Where ↓P and ↓ ↼ P based on set theory related to “K” can be proved by using set distribution law.

5.3 Vendor ecosystem secondary rule

If the path is found affected on the primary firewall then it is responsible for the secondary firewall of the group to handle the affected job and update its semantics to the super firewall. The secondary firewall is also responsible for error correction and logging. Logging provides transparency to end-user.

When an affected path is found under the permission rule of the primary firewall then it changes the value of the “st” flag as true and this septic job is marked and updated to super rule via a secondary firewall.

6 Implementation

There are four best cloud vendors ESXi, KVM, Hyper-V, and Xen. In multi-cloud infrastructure a hybrid combination of these big four hypervisors created to overcome all desire services of a specific consumer under a single SLA, in our case we merge a hybrid environment with the blend of Hyper-V and ESXi under the secure domain in terms of NGFW implementation. ESXi has its built-in firewall but this firewall unable to secure or expert physical virtual machine. Hyper-V has no built-in firewall. So, in this work, we implemented our design topology in three different ways.

Hyper-V via 5Nine V-firewall. (Vendor-specific secure cloud services)

ESXi with the combination of the IPTABLES firewall. (Vendor-specific secure cloud services)

Hybrid Hyper-V and ESXi ecosystem with a combination of IPTABLES and 5Nine firewall. (Multi-cloud secure services)

The proposed set of rule is based on listed rule firewall basic properties. 5nine and IPTABLES have core rule design properties to project and implement our proposed work. The vendor-specific design implementation as per “Fig. 2” and NGFW as per “Fig. 3” topology. Calculate throughput and CPU utilization in both cases i.e. vendor-specific (Fig. 2) and NGFW deployment (Fig. 3).

Fig. 3

Tree-based NGFW deployment in Multi-cloud.

6.1 Vendor specific secure cloud services Hyper-V execution

Hyper-V has no built-in firewall so we used 5nine firewall on Hyper-V specific vendor based ecosystem on our defined topology in Fig. 2. Test rules are in binary form, 8 as minimum and 4096 as maximum (23 to 212) respectively to measure throughput and CPU utilization. The main reason to use 5nine with Microsoft based cluster is more suitable and provides the best performance on Microsoft embedded environment like Azure. On the other hand, 5nine v-firewall needs an extra agent on each VM related to that ecosystem and the Linux based agent is not available in full functional form.

6.1.1 ESXi execution

On ESXi, we performed testing with the combination of IPTABLES command-line based listed rule firewall according to the topology presented in Fig. 2. ESXi has its built-in firewall but this firewall is not useful or can be performed on physical VM scanning. So, IPTABLES are used to scan VM on the VMware based specific cluster. The design rule is 23 to 212 for calculating the maximum throughput and CPU utilization against the number of rules.

6.2 Multi-cloud secure services NGFW execution

The same binary number rules are used to perform testing on hybrid Hyper-V and ESXi (multi-cloud) environment with the combination of both IPTABLES and 5Nine firewalls according to the defined paradigm in Fig. 3. Cost in terms of maximum throughput in both computational and efficacy of resources calculated by comparing the result of vendor-specific (ESXi, Hyper-V) and multi-cloud NGFW implementation.

7 Results and analysis

The maximum throughput of infrastructure with firewall implementation depends upon CPU utilization and memory consumption. The Table 1 shows the variation of throughput results with different deployment schemes. The results of IPTABLESs and 5Nine firewalls are compared with NGFW implementation. Rules can be created as per defined metrics in section 3. The reason to choose IPTABLES and 5Nine firewall is that it can be easily available as a free version and can be customized according to our utilization. We have defined three major rule categories as super, primary, and backup. So, we have started our testing from 2³. The reason behind, to choose a rule sequence in binary number form is that it is easy to justify and modify the sequence. Thousands of rules can be created as per requirement by using basic facts of firewall implementation in a given environment.

Table 1
Throughput results in a comparison of a vendor-specific and multi-cloud firewall implementation

Vendor-Specific Hyper-V VS Multi-Cloud Vendor-Specific ESXi VS Multi-Cloud

Number of Rules 5nine NGFW IPTABLESs NGFW

8 97.91 97.35 98.97 97.35

16 96.85 96.42 96.93 96.42

32 95.81 95.53 95.73 95.53

64 94.75 94.71 85.05 94.71

128 89.69 91.89 77.83 91.89

256 83.42 86.01 72.35 86.01

512 78.13 82.29 65.07 82.29

1024 71.42 77.46 57.31 77.46

2048 63.03 73.75 46.53 73.75

4096 51.35 71.09 35.15 71.09

	Vendor-Specific Hyper-V VS Multi-Cloud	Vendor-Specific ESXi VS Multi-Cloud
8	97.91	97.35	98.97	97.35
16	96.85	96.42	96.93	96.42
32	95.81	95.53	95.73	95.53
64	94.75	94.71	85.05	94.71
128	89.69	91.89	77.83	91.89
256	83.42	86.01	72.35	86.01
512	78.13	82.29	65.07	82.29
1024	71.42	77.46	57.31	77.46
2048	63.03	73.75	46.53	73.75
4096	51.35	71.09	35.15	71.09

In our defined types of firewall implementations the consequences and discussion on throughput and CPU utilization as follow.

While defining our first type of vendor specific implication “Microsoft secure cloud”, we designed rule as per defined metrics in section 3. It can be seen from results shown in Fig. 4a; maximum throughput as per the implementation of topology 1. But this implementation lacks of multi-cloud and NGFW. Hyper-V has no bulletin firewall so only a single case implementation cannot create NGFW definition. Throughput results presented in Table 1 indicate that when the number of rules increased above than 500 or 1000 up to 4000 the throughput value decreases up to 50 %. So, this time of implementation does not support the elasticity and dynamicity of a hybrid environment because of the number of rules.

Fig. 4

a) Hyper-V 5nine vs Multi-cloud tree-based NGFW b) ESXi IPTABLEs vs Multi-cloud tree-based NGFW.

ESXi has a bulletin firewall but this firewall unable to be an expert on VM level. So, IPTABLESs can scan VM. The limitation is IPTABLES applicable to the small type of infrastructure and these are not suitable for large scale infrastructure, where the number of rules increasing as per large scale deployment. Throughput rust shows less variation concerning the first type. This implementation is also vendor-specific secure cloud as per Fig. 2 implementation. Results in table1 and Fig. 4b indicate that a rapid drop in the throughput graph when the number of rules more than 500. It means this type of implementation suitable for the small homogeneous cloud model. As the secondary firewall is responsible for handling logging, archive, and error management so, the net traffic on the primary firewall will be less and specific as per define rules on a super firewall to filter and quarantine suspicious traffic.

Figure 3 shows the implication of NGFW with the multi-cloud concept. NGFW has a blend of firewall implantation on super, primary, and secondary deployment layers. This implication is capable to handle all the requirements of multi-cloud (VMware and Microsoft) under a given single SLA. Throughput results show high and high when we are increasing the number of rules. This topology also overcome the deficiencies of ESXi, 5Nine, and IPTABLESs firewalls as per define rules under each cluster. Tree-based multi-cloud NGFW implication provides more reliability in terms of elasticity and dynamicity as per the nature of requirement.

Compare CPU utilization as an effective source of computational cost-saving, results in Fig. 5 show the utilization cost of computational resource increase as an increase in several rules. But in the case of NGFW the increase in CPU % increase very steady manners as compared to another vendor two vendor-specific topologies. The reason behind this is tree-based implantation as a secondary firewall is used to handle dynamicity, error correction, logging, and archive.

Fig. 5

CPU utilization compression of define three topologies.

8 Benefits of NGFW

In this section, we discuss the possible benefits of NGFW implementation in the current era of dynamic cloud environment with rising threats and attacks due to the dynamicity and nature of implementation. Our defined topology presents some core benefits based on end-user agreement and utilization and IT organizations. These core befits will be helpful for the upcoming IT infrastructures, who want to migrate or shift to the cloud.

8.1 Prevention of credential theft

A phishing attack is used to target non-technical staff visits on phishing sites. The most organization has educational training to aware employees like this kind of attacks but it leads to human error by nature. The available solutions commonly rely on detecting and flirting phishing sites and filtering email methods but these techniques easy broken by new sites and methods like social engineering. NGFW with ML-based analysis accelerates this type of attack by analyzing and blocking action against these sorted sites and mark as malicious. To protect against credential theft on some unknown sites admin can maintain whitelist and wish list rules.

NGFW prevents the use of corporate credentials on unknown websites. By blocking the user to submit credentials with ML analysis support.

NGFW can sort and take action against previously sorted sites and log the user attempt to submit credentials or access these sites.

8.2 Dynamic security for multi-cloud dynamicity

Multi-cloud policies are attribute-based and dynamic for multi-multi-tenant as per application, service, and node. So this dynamicity can be done with the help of dynamic grouping on NGFW. These dynamic address groups are not IP based but on bases of similar attributes and tasks e.g. application, services, action, task, and protocol. This technique reduces the work overhead and reduces the dependency between provider and end-user.

NGFW enables the creation of security policy on both private and public administrator end to ensure the locally created policies affected rapidly without relying on a global team.

NGFW provides consistent security policy based on VM and data center access form multi-tenet using a different location and access attributes.

NGFW minimizes the delay and ensures separate role-based access control policies on local and global end with roll-back automation enhancement.

NGFW maintains an LPS “log per second” on multiple firewalls to enhance time capacity while accessing log files.

8.3 Protection against evasive and never seen before attacks

Evasive threat becomes common these days by developing new malware techniques in current multi-cloud architecture, such as wrapping malicious payload in real files, packing files to hide detect or waiting for awakening sleep call-in virtual sandboxes. Most commonly malware can easily bypass all traditional and currently available detection and prevention techniques.

NGFW use the content-based signature technique to detect variants, polymorphic malware, and command-based activity. A content-based signature provides a facility to automatically detect known malware by its signature that has been modified. Malware developer creating C2 communication to auto change DNS and URL. C2 pattern-based signature based on C2 outbound communication is the most effective protection and to scale machine speed at the time of auto-creation.

In a multi-cloud environment when a single origination marks a malware, threat, or attack as malicious then by sharing these log with other organizations. Other organizations mark this unknown malicious activity as known.

NGFW supports multi analysis techniques to detect malware including bare metal analysis, detecting evasive, and sand-box malware awareness.

NGFW uses content-based and pattern-based signature techniques to detect unknown malware.

8.4 Ransom attack prevention and consistent protection

Ransom is top of mind everywhere these days, it encrypts organizational data but organizational also have to bear the cost of customer data regain, equipment replacement, policy modification, damaged reputation, and much more in a multi-cloud environment.

Ransomware has multiple life cycles that create damage on a different layer so until now no such a legal pentation tool or technique to prevent this super automation attack. In the case of NGFW multilayer firewall deployment, it is possible to overcome ransomware somehow. NGFW provides automation and analyzes the file, system, URL, or malicious activity. Once this malicious activity is detected then it forwards to all over the network and cloud endpoint, which make sure to block entry points of these types of attacks.

NGFW can prevent to execution of an executable block from an unknown application, service, or URL.

NGFW support dynamic update against the unknown domain to prevent ransomware as DNS Signature.

NGFW makes sure to provide consistent security from anywhere to end your on their remote and mobile location via connectivity.

NGFW provides facilities of multiple virtual and physical VPN connections to ensure secure end-user connectivity.

9 Conclusion and future work

In this paper, the main aim is to justify three major concerns related to the current need for cloud services, infrastructure deployment, and security. The focus of this research is to define all possible on-demand services related to an IT infrastructure deployment under a single SLA, and isolate a complete vendor infrastructure in small relevant groups called ambient. Deploying a traditional DMZ firewall topology by creating a set of the major rules on vendor-specific each ambient of the cluster. We defined a multi-cloud environment by the blend of Vendor and types of a firewall to design a tree-based NGFW.

We deployed the designed set of rule on vendor-specific and multi-cloud with traditional DMZ and NGFW firewall implementation respectively. Then compared the results based on two metrics throughput with CPU utilization. The comparison of 5nine firewalls on Hyper-V and IPTABLEs on ESXi with NGFW on multi-cloud shows that NGFW performs better in both cases when the number of dynamic rules is high. We conclude that our proposed work listed down possible current threats and provided protection against these threats in multi-cloud deployment. In the future, the work can be extended on specific ambient like data or access control and trust. In the case of data, multi-factor authentication using NGFW can be deployed on the multi-cloud model to measure the accuracy and effectiveness.

References

Tchernykh

, et al., Towards understanding uncertainty in cloud computing with risks of confidentiality, integrity, and availability, Journal of Computational Science 36 (2019), 100581.

Uriarte

R.B.

, et al., Defining and guaranteeing dynamic service levels in clouds, Future Generation Computer Systems 99 (2019), 27–40.

Kritikos

, et al., Towards a security-enhanced PaaS platform for multi-cloud applications, Future Generation Computer Systems 67 (2017), 206–226.

Casola

, et al., Security-by-design in multi-cloud applications: An optimization approach, Information Sciences 454 (2018), 344–362.

Alaluna

, et al., Secure Multi-Cloud Network Virtualization, Computer Networks 161 (2019), 45–60.

Márkus

and Dombi

J.D.

, Multi-cloud management strategies for simulating iot applications, Acta Cybernetica 24(1) (2019), 83–103.

Luo

, et al., Container-based fog computing architecture and energy-balancing scheduling algorithm for energy IoT, Future Generation Computer Systems 97 (2019), 50–60.

Yang

, Zhu

and Liu

, Secure and economical multi-cloud storage policy with NSGA-II-C, Applied Soft Computing 83 (2019), 105649.

Arunkumar

, et al., Next generation firewalls for dynamic coalitions, in 2017 IEEE Smart World, Ubiquitous Intelligence & Computing, Advanced & Trusted Computed, Scalable Computing & Communications, Cloud & Big Data Computing, Internet of People and Smart City Innovation (SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI), 2017, IEEE.

10.

Amato

, Mazzocca

and Moscato

, Model driven design and evaluation of security level in orchestrated cloud services, Journal of Network and Computer Applications 106 (2018), 78–89.

11.

Bhamare

, et al., Multi-objective scheduling of micro-services for optimal service function chains, in 2017 IEEE International Conference on Communications (ICC), 2017, IEEE.

12.

Yeasmin

, et al., Performance evaluation of multi-cloud compared to the single-cloud under varying firewall conditions, Cogent Engineering 5(1) (2018), 1471974.

13.

Dhull

V.K.

, Alam

S.I.

and Hassan

S.I.

, An optimized deployment approach for intercloud and hybrid cloud, Int J Adv Trends Comput Sci Eng 9 (2017), 266–274.

14.

Liao

, et al., Energy-efficient virtual content distribution network provisioning in cloud-based data centers, Future Generation Computer Systems 83 (2018), 347–357.

15.

Bhamare

, et al., Optimal virtual network function placement in multi-cloud service function chaining architecture, Computer Communications 102 (2017), 1–16.

16.

Subramanian

and Jeyaraj

, Recent security challenges in cloud computing, Computers & Electrical Engineering 71 (2018), 28–42.

17.

Patil

, Dudeja

and Modi

, Designing an efficient security framework for detecting intrusions in virtual network of cloud computing, Computers & Security 85 (2019), 402–422.

18.

Sheridan

, Massonet

and Phee

, Deployment-time multi-cloud application security, in 2017 IEEE International Conference on Smart Computing (SMARTCOMP), 2017, IEEE.

19.

Bolodurina

I.P.

and Parfenov

D.I.

, Development of network security models in the software-defined infrastructure of virtual data center, in 2018 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering (EIConRus), 2018, IEEE.

20.

Bolodurina

, et al., Development and Investigation of Multi-Cloud Platform Network Security Algorithms Based on the Technology of Virtualization Network Functions 1 The research work was funded by RFBR, according to the research projects No. 16-37-60086 mol a dk, 16-07-01004, 18-07-01446, 18-47-560016 and the President of the Russian Federation within the grant for state support of young Russian scientists (MK-1624.2017. 9), in 2018 International Scientific and Technical Conference Modern Computer Network Technologies (MoNeTeC), 2018, IEEE.

21.

Levin

, et al., Hierarchical load balancing as a service for federated cloud networks, Computer Communications 129 (2018), 125–137.

22.

Sohal

A.S.

, et al., A cybersecurity framework to identify malicious edge device in fog computing and cloud-of-things environments, Computers & Security 74 (2018), 340–354.

23.

Toumi

, et al., Implementing Hy-IDS, Mobiles Agents and Virtual Firewall to Enhance the Security in IaaS Cloud, Procedia Computer Science 160 (2019), 819–824.

24.

Wieland

, Li

and Martinis

, Multi-sensor cloud and cloud shadow segmentation with a convolutional neural network, Remote Sensing of Environment 230 (2019), 111203.

25.

Kim

, et al., Firewall ruleset visualization analysis tool based on segmentation, in 2017 IEEE Symposium on Visualization for Cyber Security (VizSec), 2017, IEEE.

26.

Kumar

, An improved Linux firewall using a hybrid frame of netfilter, in 2017 International Conference on Trends in Electronics and Informatics (ICEI), 2017, IEEE.

27.

Saâdaoui

, Souayeh

N.B.Y.B.

and Bouhoula

, FARE: FDD-based firewall anomalies resolution tool, Journal of Computational Science 23 (2017), 181–191.

28.

Mohan

, et al., On optimizing firewall performance in dynamic networks by invoking a novel swapping window–based paradigm, International Journal of Communication Systems 31(15) (2018), p. e3773.

29.

Voronkov

, et al., Systematic literature review on usability of firewall configuration, ACM Computing Surveys (CSUR) 50(6) (2017), 1–35.

30.

Ceragioli

, Galletta

and Tempesta

, From Firewalls to Functions and Back, in ITASEC, 2019.

31.

Cuppens

, Cuppens-Boulahia

and Garcia-Alfaro

, Misconfiguration management of network security components, arXiv preprint arXiv:1912.07283, 2019.

32.

Arthur

J.K.

, et al., Firewall Rule Anomaly Detection and Resolution using Particle Swarm Optimization Algorithm, International Journal of Computer Applications 975, 8887.

33.

Schnepf

, et al., Rule-Based Synthesis of Chains of Security Functions for Software-Defined Networks, Electronic Communications of the EASST, 2019, 76.

34.

, et al., Improving cloud network security using the Tree-Rule firewall, Future Generation Computer Systems 30 (2014), 116–126.

35.

Jarraya

, et al., Verification of firewall reconfiguration for virtual machines migrations in the cloud, Computer Networks 93 (2015), 480–491.

	Vendor-Specific Hyper-V VS Multi-Cloud		Vendor-Specific ESXi VS Multi-Cloud
Number of Rules	5nine	NGFW	IPTABLESs	NGFW
8	97.91	97.35	98.97	97.35
16	96.85	96.42	96.93	96.42
32	95.81	95.53	95.73	95.53
64	94.75	94.71	85.05	94.71
128	89.69	91.89	77.83	91.89
256	83.42	86.01	72.35	86.01
512	78.13	82.29	65.07	82.29
1024	71.42	77.46	57.31	77.46
2048	63.03	73.75	46.53	73.75
4096	51.35	71.09	35.15	71.09