Conference Topic

SEAMLESS VIRTUAL MACHINE LIVE MIGRATION ON NETWORK SECURITY ENHANCED HYPERVISOR

Since virtual network traffic is invisible outside the hypervisor, it is impossible for traditional network-based security devices to handle attacks that happen in the virtual computing environment. Industry and academia adopt the network security enabled hypervisor (NSE-H) to protect virtual machines (VMs) residing in the virtual network. In this paper, we identified an insufficiency in the existing live migration implementation, which prevents it from providing transparent VM relocation between NSE-Hs. This occurs because the contemporary migration implementation only takes the VM's encapsulated states into account, and ignores the VM-related security context (SC) needed by NSE-embedded security engines (SEs). We presented a comprehensive live migration framework for the NSE-H, considering both the execution context encapsulated in the VM instance and the VM-related security context within the SEs. We built a prototype system of the framework based on a stateful-firewall-enabled Xen hypervisor. Our experiment was performed with realistic applications, and the results demonstrate that the solution remedies the insufficiency without introducing significant performance degradation. Even in the worst case, the downtime that occurs during migration increases by no more than 15% compared to the existing implementation.

virtualization; hypervisor; live migration; network security

Chen Xianqin, Wan Han, Wang Sumei, Long Xiang

State Key Laboratory of Virtual Reality Technology and System, School of Computer Science and Technology, Beijing University of Aeronautics and Astronautics, Beijing 100191, China

International conference

2009 2nd IEEE International Conference on Broadband Network & Multimedia Technology (2009 International Conference on Broadband Network and Multimedia, IEEE IC-BNMT2009)

Beijing

English

847-853

2009-10-18 (date first made available online on the Wanfang platform; this does not represent the paper's publication date)