Zero-Cost In-Depth Enforcement of Network Policies for Low-Latency Cloud-Native Systems

Budigiri, Gerald; Baumann, Christoph; Truyen, Eddy; Mühlberg, Jan Tobias; Joosen, Wouter

doi:10.1109/cloud60044.2023.00036

2023 IEEE 16th International Conference on Cloud Computing (CLOUD) 2023

DOI: 10.1109/cloud60044.2023.00036

|View full text |Cite

Zero-Cost In-Depth Enforcement of Network Policies for Low-Latency Cloud-Native Systems

Gerald Budigiri,

Christoph Baumann,

Eddy Truyen

et al.

Abstract: Packaging applications in containers and managing them dynamically using a cluster orchestrator is the de-facto approach for deployment of cloud-native applications. When containers run inside virtual machines (VMs) to protect infrastructural assets, network policies (NPs) at the container layer and security groups (SGs) at the VM layer provide complementary firewall mechanisms that strengthen defenses against lateral movement of attackers. However, least-privilege NPs at the container layer may not always be … Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...

Citation Types

Supporting

Mentioning

Contrasting

Year Published

2024

Publication Types

Select...

Other1

Relationship

Self Cite1

Independent0

Authors

Journals

Cited by 1 publication

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

Towards Intent-Based Scheduling for Performance and Security in Edge-to-Cloud Networks

Santos,

Truyen,

Baumann

et al. 2024

2024 27th Conference on Innovation in Clouds, Internet and Networks (ICIN)

Self Cite

View full text Add to dashboard Cite

Telecom vendors have adopted containerization to improve their software for heterogeneous edge-to-cloud networks. Container orchestration platforms face however challenges when adapting to the dynamic demands of multi-tenancy, often leading to performance and security conflicts between Cluster Administrators (CAs) and applications administrators. In this paper, we propose that network security and performance constraints should be directly integrated into the scheduler. By dynamically determining preferred network segments for each application, this approach will reduce the network attack surface, enhance resource utilization, and ensure improved performance. The presented prototype and evaluation is just a first step. A comprehensive solution must also support an intent-based interface to the scheduler that simplifies expression of cluster node segmentation constraints and thus frees the CA from node-level management. We outline the vision for such an intent-based interface and emulate it by means of traditional security groups.

show abstract

Towards Intent-Based Scheduling for Performance and Security in Edge-to-Cloud Networks

Santos,

Truyen,

Baumann

et al. 2024

2024 27th Conference on Innovation in Clouds, Internet and Networks (ICIN)

Self Cite

View full text Add to dashboard Cite

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Zero-Cost In-Depth Enforcement of Network Policies for Low-Latency Cloud-Native Systems

Cited by 1 publication

References 19 publications

Towards Intent-Based Scheduling for Performance and Security in Edge-to-Cloud Networks

Towards Intent-Based Scheduling for Performance and Security in Edge-to-Cloud Networks

Contact Info

Product

Resources

About