Historically, organizations and businesses developed or acquired bespoke or off-the-shelf software solutions for execution using dedicated computer hardware. Such software solutions find broad application in many varied areas of business such as: financial management; sales and order handling; record storage and management; human resource record management; payroll; marketing and advertising; internet presence; etc. The acquisition, management and maintenance of such software and hardware can require costly investment in systems development, management and revision—functions that can extend beyond the core business concerns of an organization.
As organizations increasingly seek to decouple such systems management from their core business processes to control costs, breadth of concern and liabilities, dedicated service offerings are provided to take the place of in-house systems. Computer systems are increasingly provided by third parties as services in the same way as utilities, a shift that has been partly facilitated by improvements in the availability of high-speed network connections allowing consuming businesses to access and use networked third party systems. Such systems can include substantially all aspects of a business computer system including hardware, operating systems software, file systems and data storage software including database applications and the like, middleware and transaction handling software, and commercial software. In this way consuming businesses can be relieved of concerns relating to the exact nature, arrangement and management of computing systems and focus resources elsewhere. The computing system is abstracted from the consuming business and can be logically thought of as a ‘cloud’ in which all system concerns are encapsulated and at least partly managed by a third party. Thus, such arrangements are known as “cloud computing.”
Service providers can provide computing infrastructure on a service basis using hardware shared by multiple systems employing virtualization software. Such services can be described as virtualized computing environments in which applications can be deployed to execute within virtual machines (VMs) executing in the virtualized environment. VMs can be managed by hypervisor software and the like.
The provision of computing resources and facilities “as a service” extends beyond the virtualization of computing systems. Commoditized software offerings are increasingly popular as application developers seek to utilize the facilities of third party service providers for discrete software services. For example, network security services such as network firewall services, intrusion detection/prevention services, security patch management services, anti-malware services, deep packet inspection and virus detection services can be provided by dedicated security service providers. One example of such services is the Intelligent Protection Services offered with BT Cloud Compute virtualized computing services. With such services, an application within a VM of a virtualized computing environment communicates with a shared software service, such as a malware detection service, which may be provided anywhere in a virtualized computing environment or in another computing environment. Communication between the VM and the shared software service is via a network such as a TCP/IP network. The shared software service is shared between multiple, potentially very many, service consumers such as VMs and applications executing within VMs. Such service consumers can be from different organizations, each handling data that is sensitive or confidential. Accordingly, while the software service is shared, the security of information processed by the software service on behalf of potentially many disparate consumers must not be compromised.
For example, FIG. 1 is a component diagram of a networking arrangement for communication between VMs 102, 104, 106 in a virtualized computing environment and a shared software service 108. Each VM is a virtualized computing instance in the virtualized computing environment, such as a VM supported by a hypervisor system or multiple virtual system environment. Notably, the locations, configurations, implementations and arrangements of each of the VMs 102, 104, 106 can be similar, identical or disparate. Each VM 102, 104, 106 executes software such as a software stack including an operating system, middleware and application software, any combination of which can be considered an “application”. A VM can execute multiple applications, whether cooperating or not. Each VM 102, 104, 106 communicates with a shared software service 108. The service 108 is a software, hardware or combination function, feature, application or facility accessible to and used by potentially many different VMs and applications executing within VMs. For example, the shared software service 108 is a malware detection service that receives data and scans the data to detect malware. Such a service can be provided external to any particular application consuming it and can be shared by multiple such applications. Centralizing the facility as a specialized service 108 is advantageous: the service is particularly suited to fulfilling this function, is routinely and centrally updated, and may be configured for a particular virtualized or physical computing environment to optimize its effectiveness, efficiency and performance. The service 108 provides facilities for multiple consumers such as multiple VMs 102, 104, 106 in any one of a number of ways.
For example, the service 108 can execute different threads 120, 122, 124, processes or subroutines for each VM such that, for example, a single thread or group of threads undertakes the function of the service 108 for a particular consuming VM. In this way the service 108 can separate its functionality and instances of its functionality for each discrete consuming VM, and inter-thread or inter-process security measures can be employed to protect information and processing occurring in each thread of execution. The shared service 108 will also include a network entrypoint 110 as an interface to the network via which communication from consuming VMs is received. The network entrypoint 110 can be a process, thread or function in its own right and can execute in association with a network address of the service 108 to communicate with consuming VMs 102, 104, 106 via a communications network 100.
The VMs 102, 104 and 106 can be separate and unrelated. For example, each of the VMs 102, 104, 106 may be executing for or on behalf of a different organization. In consuming the shared service 108, each VM communicates data to the service 108, such as data for which a malware scan is required. Such data is communicated via the communications network 100. The communications network 100 includes network elements 112 such as network routers, switches, base-stations and the like. The VMs 102, 104, 106 require that their data is kept private, secret and secure such that other VMs cannot access such data. Such a requirement can be for confidentiality, secrecy or other requirements. Further, a requirement to keep data communicated by or to VMs separate can arise to avoid cross-contamination, infection or transmission of malicious code, software, viruses, malware and the like between VMs or applications executing in VMs. Accordingly, the VMs employ “virtual local area networks” or VLANs to achieve a separation between their network communications. A VLAN is a virtual network known in the art that provides a low-latency virtual local area network connection between multiple separated (e.g. distributed) physical local area networks. The implementation of a VLAN is achieved at a low level in a network stack (such as layer 2, the data link layer) and is supported by network elements 112. The network elements 112 provide VLAN separation between multiple VLANs 114, 116, 118 based on hardware or media access control (MAC) address information. For example, a VLAN can be implemented in network switches using endpoint MAC addresses and the Ethernet protocol (even where endpoints are virtualized, such as in a virtual computing environment).
Accordingly, each VM 102, 104, 106 communicates with the service 108 via a different VLAN 114, 116, 118. The VLANs provide for separation of network communication and can even be effective where the VMs are co-hosted in the same virtualized computing environment. For example, a typical usage scenario can involve multiple virtual computing environment consumers having different VMs hosted in different cloud service provider platforms, with each consumer wishing to use the services offered by the shared software service 108, such as to filter network traffic received by each VM. Due to the sensitive nature of the network traffic, isolation of communication with the shared service 108 is achieved by associating each VM with a unique VLAN so that traffic from different VMs cannot pass through the same VLAN and traffic isolation is achieved.
The use of VLANs in this way is not fully effective and has considerable drawbacks. Firstly, while the traffic is isolated during passage through the network 100, it must be communicated to the service 108 through the service network entrypoint 110. The service 108 can undertake separate isolated threads of execution to isolate processing for different VMs, but the initial communication via the interface of the service 108 by way of the entrypoint 110 constitutes a security weakness in the isolation of network communication for the VMs. This is because a single entrypoint 110, such as a single network address with one or a small number of discrete network sockets, will be employed, and a receiving process (such as a daemon process, server process, gatekeeper process, polling process or the like) constituting at least part of the entrypoint 110 will receive all communication from all VLANs before directing that communication to an appropriate thread for processing. Such directing of traffic may be explicit, like a routing or forwarding step, or may be implied by an association between each of the threads and a socket, sockets, handle or hook into or out of the network entrypoint 110. The point of weakness is indicated, by way of example, at 128.
Further, the use of VLANs has considerable limitations because the maximum number of VLANs is bounded by the number of VLANs supported by the network elements 112. Some network elements such as switches and routers can support only 255 VLANs, which imposes an unrealistically low limit where the number of VMs communicating over a network (such as the internet) can easily exceed this. Yet further, VLANs are arranged to be VM specific. Where a consumer of a virtualized computing environment deploys multiple different applications within a single virtual machine, each application will share the same VLAN for communication. Accordingly, sensitive information associated with one application can be accessed by the other application sharing the same VLAN, and any network security compromise, such as a virus or malware attack, may traverse between the applications due to the shared network facilities using the same VLAN.
FIG. 2 is a component diagram of a networking arrangement for communication between applications 230, 232 in a VM 102 in a virtualized computing environment and a shared software service 108. Many of the features of FIG. 2 are identical to those described above with respect to FIG. 1. VM 102 has two applications 230, 232 in execution and each communicating with the shared service 108. In one arrangement, the applications require separation of their network communications for reasons of sensitivity or security. However, since the virtualized computing environment provides network traffic isolation on a VM basis by way of the VLAN 114, both applications communicate with the service 108 using the same VLAN. Accordingly, there is a point of weakness, indicated at 228, where network communications from both applications are not isolated as traffic is communicated via the same VLAN.
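As an added illustration (not part of the original description or of any BT product), the following Python model covers both the FIG. 1 entrypoint and the FIG. 2 per-application problem: constructed 802.1Q-tagged frames from several VMs arrive at a single entrypoint, which must parse every tenant's payload before dispatching to a per-VM queue, and two applications in VM 102 sharing VLAN 114 land in the same queue because the tag alone cannot distinguish them. MAC addresses, the VLAN-to-VM mapping and the payloads are constructed sample values.

```python
import struct
from collections import defaultdict

TPID_8021Q = 0x8100  # Tag Protocol Identifier marking an 802.1Q VLAN tag

def build_tagged_frame(dst_mac: bytes, src_mac: bytes, vid: int, payload: bytes) -> bytes:
    """Constructed Ethernet II frame with an 802.1Q tag (PCP 0, DEI 0) and IPv4 ethertype."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID out of range")
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, vid & 0x0FFF, 0x0800) + payload

def parse_tagged_frame(frame: bytes):
    """Return (src_mac, vid, payload); reject untagged or truncated frames."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF  # low 12 bits of the TCI
    return frame[6:12], vid, frame[18:]

class SharedServiceEntrypoint:
    """Model of entrypoint 110: one receiver handles every VLAN's frame before
    dispatching to a per-VM queue (the weak point the text marks at 128)."""
    def __init__(self, vlan_to_vm: dict):
        self.vlan_to_vm = vlan_to_vm            # VLAN ID -> consuming VM (assumed mapping)
        self.seen_at_entrypoint = []            # every payload the single receiver touched
        self.per_vm_queue = defaultdict(list)   # stand-in for per-VM threads 120/122/124

    def receive(self, frame: bytes) -> str:
        src_mac, vid, payload = parse_tagged_frame(frame)
        self.seen_at_entrypoint.append((vid, src_mac, payload))  # all tenants' data passes here
        vm = self.vlan_to_vm.get(vid)
        if vm is None:
            raise PermissionError(f"frame on unmapped VLAN {vid} dropped")
        self.per_vm_queue[vm].append(payload)   # the VID alone picks the queue: no per-app split
        return vm

def demo() -> SharedServiceEntrypoint:
    """Constructed traffic: two apps in VM 102 share VLAN 114; VM 104 uses VLAN 116."""
    ep = SharedServiceEntrypoint({114: "VM102", 116: "VM104", 118: "VM106"})
    svc = bytes.fromhex("0200000001a8")      # constructed MAC of service 108
    vm102 = bytes.fromhex("020000000066")    # constructed MAC of VM 102
    vm104 = bytes.fromhex("020000000068")    # constructed MAC of VM 104
    ep.receive(build_tagged_frame(svc, vm102, 114, b"app230:file-to-scan"))
    ep.receive(build_tagged_frame(svc, vm102, 114, b"app232:confidential-record"))
    ep.receive(build_tagged_frame(svc, vm104, 116, b"vm104:file-to-scan"))
    return ep
```

After `demo()` runs, `seen_at_entrypoint` holds all three tenants' payloads while `per_vm_queue["VM102"]` mixes the two applications' data, which is exactly the isolation gap at 128 and 228.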
It would therefore be advantageous to provide for secure isolation of network traffic for virtualized computing systems such as virtual machines and applications executing therein consuming shared software services without the aforementioned shortcomings.