Much research indicates that virtualization and cloud computing will be essential technologies in the future. They are already widely used because of the advantages they bring: lower hardware costs, lower energy consumption, and easier management of an ever-growing number of computers and servers. However, this rapid shift from physical infrastructures to virtualized ones introduces a new networking element, virtual traffic, and raises the question of how to secure it. Traffic between two virtual machines on the same host may never leave the physical hardware, so a traditional physical firewall cannot see it, let alone monitor or filter it. A virtual firewall, running on the host where the virtual traffic flows, addresses this problem.
The aim of this project is to evaluate the performance of a virtual firewall in a cloud environment. The thesis reviews the literature on cloud computing and virtual firewalls and concludes that an effective evaluation requires three things: a cloud infrastructure to run it on, meaningful evaluation metrics, and appropriate evaluation methodologies.
Using open source software, a private cloud is designed and implemented with OpenNebula as the cloud toolkit and Xen as the hypervisor. Linux iptables is chosen as the virtual firewall; it is deployed at a strategic point of the virtual network infrastructure and operates as a bridge-mode (transparent) firewall, filtering the bridged virtual-machine traffic without being an IP hop itself. Based on the findings of the literature review, the following metrics are chosen to evaluate the virtual firewall: IP throughput, latency, goodput, HTTP transfer rate, Denial-of-Service handling, and hardware resource consumption. Evaluation scenarios to measure these metrics are designed with the cloud infrastructure in mind.
The virtual firewall is then evaluated by running these scenarios in the cloud infrastructure with a range of tools. Overall, the results show that the performance of the virtual firewall degrades under three conditions: traffic sent with small frame sizes (which raises the packet rate the firewall must process at a given bit rate), a large number of rules in the filter table, and high throughput levels. The evaluation also highlights how difficult it is for a firewall to protect a network against SYN-flood Denial-of-Service attacks.
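As an added example, not part of the thesis or its test bed, the following sh script builds the kind of bridge-mode iptables ruleset the evaluation targets for a Xen dom0. The web VM address 10.0.0.10, the sysctl names on the bridge, and the 200 SYN/s limit are assumptions. A naive ("weak") ruleset is printed beside a hardened one so the two findings above become concrete: accepting established flows first keeps a long filter table cheap for all packets after the first of a connection, and a rate limit on new SYNs is what a stateful iptables firewall offers against a SYN flood.

```shell
#!/bin/sh
# Added example (not the thesis's own configuration): bridge-mode iptables
# ruleset for a Xen dom0 whose bridge carries the VM vifs. Assumed: a web VM
# at 10.0.0.10 listening on TCP/80. Without arguments the script prints the
# configuration; with APPLY=1 and root it loads it.

VM_IP="${VM_IP:-10.0.0.10}"

# A bridge forwards frames at layer 2, so by default iptables never sees
# VM-to-VM traffic. These sysctls (provided by br_netfilter on newer kernels)
# make bridged IPv4/IPv6 frames traverse the FORWARD chain, which is what
# turns iptables into a bridge-mode firewall.
bridge_sysctls() {
  printf '%s\n' \
    'net.bridge.bridge-nf-call-iptables=1' \
    'net.bridge.bridge-nf-call-ip6tables=1'
}

# Print the filter table in iptables-restore format.
#   ruleset weak  -> naive ruleset: stateless, no SYN limiting
#   ruleset hard  -> hardened ruleset: conntrack first, SYN rate limit
ruleset() {
  printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  case "$1" in
    weak)
      # Every packet of every flow, including each spoofed SYN of a flood,
      # walks the whole chain and is delivered to the VM.
      printf '%s\n' \
        "-A FORWARD -m physdev --physdev-is-bridged -d $VM_IP -p tcp --dport 80 -j ACCEPT" \
        "-A FORWARD -m physdev --physdev-is-bridged -s $VM_IP -p tcp --sport 80 -j ACCEPT"
      ;;
    hard)
      # Established flows match the first rule, so only the first packet of a
      # connection pays for the rest of the chain; this is what keeps a long
      # rule table cheap. New SYNs to the web port are rate limited so a SYN
      # flood is dropped in dom0 instead of filling the VM's listen backlog.
      printf '%s\n' \
        '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A FORWARD -m conntrack --ctstate INVALID -j DROP' \
        "-A FORWARD -m physdev --physdev-is-bridged -d $VM_IP -p tcp --dport 80 --syn -m limit --limit 200/s --limit-burst 400 -j ACCEPT" \
        "-A FORWARD -d $VM_IP -p tcp --dport 80 --syn -j DROP"
      ;;
    *) echo "usage: ruleset weak|hard" >&2; return 2 ;;
  esac
  printf '%s\n' 'COMMIT'
}

# Number of -A rules a packet may have to traverse in the given ruleset.
rule_count() { ruleset "$1" | grep -c '^-A '; }

# True when the ruleset accepts established flows before any other rule.
first_rule_is_conntrack() {
  ruleset "$1" | grep '^-A ' | head -n 1 | grep -q 'ctstate ESTABLISHED'
}

main() {
  mode="${1:-hard}"
  if [ "${APPLY:-0}" = 1 ]; then
    bridge_sysctls | while read -r kv; do sysctl -w "$kv"; done
    ruleset "$mode" | iptables-restore
  else
    bridge_sysctls
    ruleset "$mode"
  fi
}

main "$@"
```

Two caveats a practitioner should keep in mind. First, `-m limit` is an aggregate counter: during a spoofed SYN flood it drops legitimate SYNs along with the attack, and every SYN that passes still creates a conntrack entry, so a large enough flood also exhausts the connection-tracking table. That is consistent with the difficulty the thesis reports; per-source limiting (`-m hashlimit --hashlimit-mode srcip`) helps only against non-spoofed sources, and newer kernels offer the SYNPROXY target to answer handshakes in the firewall itself. Second, with a fixed per-packet cost the firewall's load is set by packets per second, not bits per second, which is why the small-frame scenarios are the ones that expose its limits.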
The results matched expectations, which supports the choice and implementation of the evaluation methodologies. Several limitations are found, however. The main one concerns the latency methodology, whose goal was to measure the latency added by the virtual firewall itself: no technique was found to isolate this quantity, so the round-trip latency of a connection to the virtual firewall was measured instead. Finally, further work is needed, in particular evaluating additional virtual or physical firewalls with the same metrics and infrastructure, so that the performance of the Linux iptables virtual firewall can be compared against them.