HardWhale: A Hardware-Isolated Network Security Enforcement System for Cloud Environments

Myoungsung You; Jaehyun Nam; Hyunmin Seo; Minjae Seo; Jaehan Kim; Dongmin Choi; Seungwon Shin

doi:10.1109/ICDCS60910.2024.00053

HardWhale: A Hardware-Isolated Network Security Enforcement System for Cloud Environments

Myoungsung You
, Jaehyun Nam
, Hyunmin Seo
, Minjae Seo
, Jaehan Kim
, Dongmin Choi
, Seungwon Shin

School of Electrical and Computer Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

2 Scopus citations

Abstract

With the increasing popularity of containers for deploying microservices, ensuring the security of container networks has become a vital concern. However, current security solutions rely on a host's operating system (OS) to enforce network policies for container traffic. This design incurs severe overhead and cannot guarantee container network security when attackers gain access to the host's OS. Therefore, we propose HardWhale, a hardware-isolated network security enforcement system for containers that delivers high-performance and robust network security without depending on the host's OS. HardWhale leverages a smartNIC, physically isolating the entire container traffic inspection stack from the host and accelerating inspection tasks. Inspection policies securely reside within the smartNIC and are updated in runtime without involving the host, due to our isolated policy management mechanism. This design ensures robust network security for containers, even if the host is exposed to attackers. Evaluations show that HardWhale protects containers against various network attacks in compromised environments and improves HTTP throughput threefold and HTTP latency 2.3-fold compared to state-of-the-art solutions.

Original language	English
Title of host publication	Proceedings - 2024 IEEE 44th International Conference on Distributed Computing Systems, ICDCS 2024
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	496-507
Number of pages	12
ISBN (Electronic)	9798350386059
DOIs	https://doi.org/10.1109/ICDCS60910.2024.00053
State	Published - 2024
Event	44th IEEE International Conference on Distributed Computing Systems, ICDCS 2024 - Jersey City, United States Duration: 23 Jul 2024 → 26 Jul 2024

Publication series

Name	Proceedings - International Conference on Distributed Computing Systems
ISSN (Print)	1063-6927
ISSN (Electronic)	2575-8411

Conference

Conference	44th IEEE International Conference on Distributed Computing Systems, ICDCS 2024
Country/Territory	United States
City	Jersey City
Period	23/07/24 → 26/07/24

Keywords

Cloud computing
Container
Network security
Programmable data plane

Access to Document

10.1109/ICDCS60910.2024.00053

Cite this

You, M., Nam, J., Seo, H., Seo, M., Kim, J., Choi, D., & Shin, S. (2024). HardWhale: A Hardware-Isolated Network Security Enforcement System for Cloud Environments. In Proceedings - 2024 IEEE 44th International Conference on Distributed Computing Systems, ICDCS 2024 (pp. 496-507). (Proceedings - International Conference on Distributed Computing Systems). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ICDCS60910.2024.00053

You, Myoungsung ; Nam, Jaehyun ; Seo, Hyunmin et al. / HardWhale : A Hardware-Isolated Network Security Enforcement System for Cloud Environments. Proceedings - 2024 IEEE 44th International Conference on Distributed Computing Systems, ICDCS 2024. Institute of Electrical and Electronics Engineers Inc., 2024. pp. 496-507 (Proceedings - International Conference on Distributed Computing Systems).

@inproceedings{cfb4f6cb63774be3a13d2f8b3f244bbd,

title = "HardWhale: A Hardware-Isolated Network Security Enforcement System for Cloud Environments",

abstract = "With the increasing popularity of containers for deploying microservices, ensuring the security of container networks has become a vital concern. However, current security solutions rely on a host's operating system (OS) to enforce network policies for container traffic. This design incurs severe overhead and cannot guarantee container network security when attackers gain access to the host's OS. Therefore, we propose HardWhale, a hardware-isolated network security enforcement system for containers that delivers high-performance and robust network security without depending on the host's OS. HardWhale leverages a smartNIC, physically isolating the entire container traffic inspection stack from the host and accelerating inspection tasks. Inspection policies securely reside within the smartNIC and are updated in runtime without involving the host, due to our isolated policy management mechanism. This design ensures robust network security for containers, even if the host is exposed to attackers. Evaluations show that HardWhale protects containers against various network attacks in compromised environments and improves HTTP throughput threefold and HTTP latency 2.3-fold compared to state-of-the-art solutions.",

keywords = "Cloud computing, Container, Network security, Programmable data plane",

author = "Myoungsung You and Jaehyun Nam and Hyunmin Seo and Minjae Seo and Jaehan Kim and Dongmin Choi and Seungwon Shin",

note = "Publisher Copyright: {\textcopyright} 2024 IEEE.; 44th IEEE International Conference on Distributed Computing Systems, ICDCS 2024 ; Conference date: 23-07-2024 Through 26-07-2024",

year = "2024",

doi = "10.1109/ICDCS60910.2024.00053",

language = "English",

series = "Proceedings - International Conference on Distributed Computing Systems",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "496--507",

booktitle = "Proceedings - 2024 IEEE 44th International Conference on Distributed Computing Systems, ICDCS 2024",

address = "United States",

}

You, M, Nam, J, Seo, H, Seo, M, Kim, J, Choi, D & Shin, S 2024, HardWhale: A Hardware-Isolated Network Security Enforcement System for Cloud Environments. in Proceedings - 2024 IEEE 44th International Conference on Distributed Computing Systems, ICDCS 2024. Proceedings - International Conference on Distributed Computing Systems, Institute of Electrical and Electronics Engineers Inc., pp. 496-507, 44th IEEE International Conference on Distributed Computing Systems, ICDCS 2024, Jersey City, United States, 23/07/24. https://doi.org/10.1109/ICDCS60910.2024.00053

HardWhale: A Hardware-Isolated Network Security Enforcement System for Cloud Environments. / You, Myoungsung; Nam, Jaehyun; Seo, Hyunmin et al.
Proceedings - 2024 IEEE 44th International Conference on Distributed Computing Systems, ICDCS 2024. Institute of Electrical and Electronics Engineers Inc., 2024. p. 496-507 (Proceedings - International Conference on Distributed Computing Systems).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - HardWhale

T2 - 44th IEEE International Conference on Distributed Computing Systems, ICDCS 2024

AU - You, Myoungsung

AU - Nam, Jaehyun

AU - Seo, Hyunmin

AU - Seo, Minjae

AU - Kim, Jaehan

AU - Choi, Dongmin

AU - Shin, Seungwon

PY - 2024

Y1 - 2024

N2 - With the increasing popularity of containers for deploying microservices, ensuring the security of container networks has become a vital concern. However, current security solutions rely on a host's operating system (OS) to enforce network policies for container traffic. This design incurs severe overhead and cannot guarantee container network security when attackers gain access to the host's OS. Therefore, we propose HardWhale, a hardware-isolated network security enforcement system for containers that delivers high-performance and robust network security without depending on the host's OS. HardWhale leverages a smartNIC, physically isolating the entire container traffic inspection stack from the host and accelerating inspection tasks. Inspection policies securely reside within the smartNIC and are updated in runtime without involving the host, due to our isolated policy management mechanism. This design ensures robust network security for containers, even if the host is exposed to attackers. Evaluations show that HardWhale protects containers against various network attacks in compromised environments and improves HTTP throughput threefold and HTTP latency 2.3-fold compared to state-of-the-art solutions.

AB - With the increasing popularity of containers for deploying microservices, ensuring the security of container networks has become a vital concern. However, current security solutions rely on a host's operating system (OS) to enforce network policies for container traffic. This design incurs severe overhead and cannot guarantee container network security when attackers gain access to the host's OS. Therefore, we propose HardWhale, a hardware-isolated network security enforcement system for containers that delivers high-performance and robust network security without depending on the host's OS. HardWhale leverages a smartNIC, physically isolating the entire container traffic inspection stack from the host and accelerating inspection tasks. Inspection policies securely reside within the smartNIC and are updated in runtime without involving the host, due to our isolated policy management mechanism. This design ensures robust network security for containers, even if the host is exposed to attackers. Evaluations show that HardWhale protects containers against various network attacks in compromised environments and improves HTTP throughput threefold and HTTP latency 2.3-fold compared to state-of-the-art solutions.

KW - Cloud computing

KW - Container

KW - Network security

KW - Programmable data plane

UR - https://www.scopus.com/pages/publications/85203142320

U2 - 10.1109/ICDCS60910.2024.00053

DO - 10.1109/ICDCS60910.2024.00053

M3 - Conference contribution

AN - SCOPUS:85203142320

T3 - Proceedings - International Conference on Distributed Computing Systems

SP - 496

EP - 507

BT - Proceedings - 2024 IEEE 44th International Conference on Distributed Computing Systems, ICDCS 2024

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 23 July 2024 through 26 July 2024

ER -

You M, Nam J, Seo H, Seo M, Kim J, Choi D et al. HardWhale: A Hardware-Isolated Network Security Enforcement System for Cloud Environments. In Proceedings - 2024 IEEE 44th International Conference on Distributed Computing Systems, ICDCS 2024. Institute of Electrical and Electronics Engineers Inc. 2024. p. 496-507. (Proceedings - International Conference on Distributed Computing Systems). doi: 10.1109/ICDCS60910.2024.00053

HardWhale: A Hardware-Isolated Network Security Enforcement System for Cloud Environments

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this