VAPT- A Service on Eucalyptus Cloud
Download as DOCX, PDF1 like538 views
The document proposes a cloud-based service for Vulnerability Assessment and Penetration Testing (VAPT) aimed at enhancing network security for organizations. It details the process of identifying and remediating vulnerabilities using a private cloud architecture with a web interface for authorized clients. The service combines the benefits of VAPT with the scalability and security of private clouds, allowing clients to receive vulnerability reports in standardized formats.
![Proposal of VAPT as a Service on Cloud
Mrs. Swapna Shetye
Information Technology Department
Terna Engineering College
Mumbai, India
sgkhatu@gmail.com
Dr. Deven Shah
Information Technology Department
Terna Engineering College
Mumbai, India
Sir.deven@gmail.com
Abstract— Vulnerability refers to a weakness in a system. A security risk is categorised as vulnerability if it is identified
as a possible means of attack. Hence a vulnerability assessment is a vital process for any organization. Vulnerability
assessment process scans client’s network to discover potential threats. With penetration testing client network is
exploitedwith identifiedpotential threats underthe controlled environment. These two processes together are termed as
VAPT (Vulnerability Assessment Penetration Testing).This paper illustrates a proposal to create VAPT as a service on
the cloud. Only authorizedusers will be able to subscribe this service. VAPT as service on cloud will combine benefits of
private cloud architecture in order to support multiple client requests.
Keywords- Network Security;VAPT;vulnerabilities; private cloud security.
I. INTRODUCTION
Today most of the organizations are using firewalls, anti-virus applications and Intrusion Detection System (IDS)
for security reasons. Despite heavy reliance on such security measures organizations find their environments
exploitable to the intruder’s attacks. Different vulnerability attacks are Eavesdropping, Data modification, Identity
spoofing, Password based attacks, Denial-of-Service Attack, Man-in-the-Middle Attack, Compromised-Key Attack,
Sniffer attack. Today every organization is in need of security policies that will help network administrators to keep
their networks safe from such vulnerability attacks. It has also become essential to create and execute predefined
policies that will identify the weaknesses i.e. vulnerabilities in the network on scheduled periodic basis. Such
identified vulnerabilities are the potential opportunities for an attacker.
Different network vulnerability assessment tools available are Nessus,GFI Lan guard, map, RetiAssessment, core
impact,ISS internet scanner, X scan,Sara,QualisGuard,Saint,MBSA.A vulnerability assessment [9, 5] takes network
parameters as input and finds the weaknesses that need to be fixed. An ongoing vulnerability assessment process, in
combination with proper remediation, can help ensure that the network is fortified to withstand the latest attacks.
Vulnerability assessment provides a comprehensive picture of all systems, services and devices that can breach a
network, as well as a complete, prioritized list of vulnerabilities that need to be addressed. Remediation is the
follow-up stage after vulnerabilities have been accurately identified. The true benefit of vulnerability assessment is
that it is a powerful proactive process for securing an enterprise network. With vulnerability assessment [10]
solutions potential security holes are fixed before they become problematic, allowing companies to fend off attacks
before they occur. Penetration testing is the process of attempting to exploit previously identified vulnerabilities
found during the vulnerability assessment.
The main idea behind the paper is to propose a solution that will combine VAPT service and advantages of private
cloud architecture. This service will then be provided to the registered clients on as needed basis. This service will
require private cloud setup inclusive of VAPT service and a web interface [4] for the clients. A web interface for end
clients will also act as an agent which will execute some script in order to fetch client’s network parameters and
send them to the private cloud where the VAPT service resides. The cloud in turn takes care of VM instance
generation for corresponding client. Then the target network of the client will be scanned and the result will be
produced in standard format like PCI DSS.](https://image.slidesharecdn.com/vaptpaper-151113085339-lva1-app6892/85/VAPT-A-Service-on-Eucalyptus-Cloud-1-320.jpg)
![II. EASE OF USE
VAPT process comprises of 9 steps and they are Scope, Information Gathering, Vulnerability Detection,
Information Analysis and Planning, Penetration Testing, Privilege Escalation, Result Analysis, Reporting and
Cleaning.
In this paper we propose a VAPT service on a private cloud where the private cloud will b e created using
Eucalyptus open source private cloud architecture setup. Eucalyptus is a Linux-based open-source software
architecture that implements efficiency-enhancing private and hybrid clouds within an enterprise’s existing IT
infrastructure. The name Eucalyptus stands for Elastic Utility Computing Architecture for Linking Your Programs to
Useful Systems. A Eucalyptus private cloud is deployed across an enterprise’s “on premise” data center
infrastructure and is accessed by users over enterprise intranet. Thus, sensitive data remains entirely secure from
external intrusion behind the enterprise firewall.Eucalyptus cloud platform pools together existing virtualized
infrastructure to create cloud resources for compute, network and storage [11]. The benefits of Eucalyptus cloud are
highly efficient scalability, organization agility, and increased trust and control for IT [11].
III. THE PROBLEM DEFINITION
The problem definition comprises of creating VAPT as a service [4, 6] on the cloud. The service will be available to
the clients through web interface. Only authorized users will be able to subscribe the service. Finally the
vulnerability report in standard format will be generated and will be forwarded to the client.
Fig2.VAPT as a service Use Case Diagram
Vulnerability is a weakness which allows an attacker to reduce an information assurance. Vulnerability Assessment
is Process of identifying and quantifying vulnerabilities in an environment and emphasizing on identifying areas that
are vulnerable.
IV. THE PROPOSED ARCHITECTURE
The proposed mechanism is to build the Eucalyptus private cloud, creating VMimage with VAPT Scanner tool
installed in it, uploading this image on the cloud, creating the VMinstance for incoming client request. Finally
VAPT on the cloud produces vulnerability report in standard format and send this to client.](https://image.slidesharecdn.com/vaptpaper-151113085339-lva1-app6892/85/VAPT-A-Service-on-Eucalyptus-Cloud-2-320.jpg)
![Fig4. VAPT as a Service on Cloud Architecture
V. METHODOLOGY
Prerequisites to successful implementation of VAPT as a service on cloud are listed below.
Setting up a private cloud [1]. (with the help of Eucalyptus framework)
Creating virtual machine image.
Upload that machine image on cloud.
Provide web interface to the clients for VAPT service subscription.
Scan registered client’s network inside the Virtual machine image instance.
Saving the scan results in the cloud storage.
Create soft computing
platform
Develop and Deploy
Private Cloud
Create User Interface For
Client
Scan Client Network
Generate Standard report
Fig3.Proposed Mechanism
VI. PERFORMANCE EVALUATION
First Client subscribes for VAPT service using a web interface. After that cloud [8] service provide a login window
for authentication and send welcome message to the client. Some script will then execute on client’s machine to
fetch all network parameters. These parameters will then be passed to the cloud.CLC will then create VMinstance on
the node machine.VAPT for every client will be performed inside designated node. Finally vulnerability reports
generated in standard format will be forwarded to client as well as stored inside the cloud walrus.
Common Vulnerability Scoring System (CVSS) [3, 7, 9] is almost an industrial standard for assessing the security
vulnerabilities. It attempts to evaluate the degree of risks posed by vulnerabilities, so mitigation efforts can be
prioritized. The measures termed scores are computed using assessments (called metrics) of vulnerability attributes
based on the opinions of experts in the field Common Vulnerability Scoring System (CVSS) [12]. CVSS defines a
number of metrics that can be used to characterize vulnerability. For each metric, a few qualitative levels are defined
and a numerical value is associated with each level. CVSS is composed of three major metric groups: Base,
Temporal and Environmental.](https://image.slidesharecdn.com/vaptpaper-151113085339-lva1-app6892/85/VAPT-A-Service-on-Eucalyptus-Cloud-3-320.jpg)
![VII. IMPLEMENTATION PLATFORM
A. HARDWARE:
Fast processor (p4/p5 2 GHz Intel chipset)
Min. 1 GB RAM
100 GB HDD (as clients are limited)
Bandwidth (full bandwidth is available i.e. 100 mbps)
B. SOFTWARE:
Eucalyptus Framework for cloud deployment
VAPT vulnerability assessment tool(Nessus)
MapReduce framework for application development
SAAJ [SOAP Attachment API for JAVA ] for distributed communication
Data management Tools
C. SKILLS / EXPERTISE:
Strong analytical, documentation, and communication skills.
Understanding of Tool & its technologies
Understanding of generated report analysis.
Understanding of network traffic analysis
Experience with trouble ticketing and change management tools.
Passion for all things information technology and information security
Natural curiosity and ability to learn new skills quickly.
VIII. CONCLUSION
One major advantage of “VAPT as a service on the cloud” is that it lends itself to subscription-based software,
which doesn’t require complex licensing or distribution points, which not only cuts cost, but also ensures no piracy.
When actually providing a service, clients are locked into paying every time that they want to use the service.
Clients don’t have to invest in any local hardware and can access their information and services from any Internet
access. This type of application moves away fromthe requirements of having big applications on client’s systems to
processing everything on the servers, which means clients need less money to get into application.
From Service providers point of view setting up private cloud architecture brings advantages for an organization
where the optimum resources utilization can be achieved and will also provide security to the organization‘s
intranetworking from outside networks. From end clients point of view subscribing VAPT service which will be part
of private cloud will converge into an enterprise level solution for resource hungry applications.
REFERENCES
[1] NIST Definitionof CloudComputing, http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc
[2] Proceedings of the1st International CyberResilience Conference, EdithCowan University,PerthWestern Australia, 23rdAugust 2010
[3] http://en.wikipedia.org/wiki/Vulnerability_assessment
[4] Building Applications in The CloudBy Chris Moyer
[5] http://www.eeye.com/eEyeDigitalSecurity/media/White-Papers/The-Need-for-Vulnerability-Assessment-and-Remediation-What-My-CIO-
Needs-to-Know-WP.pdf
[6] “Effective NetworkVulnerabilityAssessment through Model Abstraction” by Suhang, XiningOu, John Homer 8thInternational
Conference; DIMVA 2011, Amsterdam, The Netherlands, July 7-8, 2011.
[7] “Active vulnerabilityassessment of computer networks by simulationofcomplex remote attacks “by St. PetersburgInst.for Informatics &
Autom., Liniya,Russia appearedin Computer Networks andMobile Computing, 2003. ICCNMC 2003.
[8] Amazon Compute Cloud(AmazonEC2),http:// Elastic aws.amazon.com/ec2/, [retrieved: May,201
[9] http://en.wikipedia.org/wiki/Vulnerability_assessment
[10] White Paper onwhat is vulnerability assessment preparedon July 17, 2011 by DEMYO INC.
[11] http://www.eucalyptus.com/eucalyptus-cloud/iaas](https://image.slidesharecdn.com/vaptpaper-151113085339-lva1-app6892/85/VAPT-A-Service-on-Eucalyptus-Cloud-4-320.jpg)
VAPT- A Service on Eucalyptus Cloud
- 1. Proposal of VAPT as a Service on Cloud Mrs. Swapna Shetye Information Technology Department Terna Engineering College Mumbai, India sgkhatu@gmail.com Dr. Deven Shah Information Technology Department Terna Engineering College Mumbai, India Sir.deven@gmail.com Abstract— Vulnerability refers to a weakness in a system. A security risk is categorised as vulnerability if it is identified as a possible means of attack. Hence a vulnerability assessment is a vital process for any organization. Vulnerability assessment process scans client’s network to discover potential threats. With penetration testing client network is exploitedwith identifiedpotential threats underthe controlled environment. These two processes together are termed as VAPT (Vulnerability Assessment Penetration Testing).This paper illustrates a proposal to create VAPT as a service on the cloud. Only authorizedusers will be able to subscribe this service. VAPT as service on cloud will combine benefits of private cloud architecture in order to support multiple client requests. Keywords- Network Security;VAPT;vulnerabilities; private cloud security. I. INTRODUCTION Today most of the organizations are using firewalls, anti-virus applications and Intrusion Detection System (IDS) for security reasons. Despite heavy reliance on such security measures organizations find their environments exploitable to the intruder’s attacks. Different vulnerability attacks are Eavesdropping, Data modification, Identity spoofing, Password based attacks, Denial-of-Service Attack, Man-in-the-Middle Attack, Compromised-Key Attack, Sniffer attack. Today every organization is in need of security policies that will help network administrators to keep their networks safe from such vulnerability attacks. It has also become essential to create and execute predefined policies that will identify the weaknesses i.e. vulnerabilities in the network on scheduled periodic basis. Such identified vulnerabilities are the potential opportunities for an attacker. Different network vulnerability assessment tools available are Nessus,GFI Lan guard, map, RetiAssessment, core impact,ISS internet scanner, X scan,Sara,QualisGuard,Saint,MBSA.A vulnerability assessment [9, 5] takes network parameters as input and finds the weaknesses that need to be fixed. An ongoing vulnerability assessment process, in combination with proper remediation, can help ensure that the network is fortified to withstand the latest attacks. Vulnerability assessment provides a comprehensive picture of all systems, services and devices that can breach a network, as well as a complete, prioritized list of vulnerabilities that need to be addressed. Remediation is the follow-up stage after vulnerabilities have been accurately identified. The true benefit of vulnerability assessment is that it is a powerful proactive process for securing an enterprise network. With vulnerability assessment [10] solutions potential security holes are fixed before they become problematic, allowing companies to fend off attacks before they occur. Penetration testing is the process of attempting to exploit previously identified vulnerabilities found during the vulnerability assessment. The main idea behind the paper is to propose a solution that will combine VAPT service and advantages of private cloud architecture. This service will then be provided to the registered clients on as needed basis. This service will require private cloud setup inclusive of VAPT service and a web interface [4] for the clients. A web interface for end clients will also act as an agent which will execute some script in order to fetch client’s network parameters and send them to the private cloud where the VAPT service resides. The cloud in turn takes care of VM instance generation for corresponding client. Then the target network of the client will be scanned and the result will be produced in standard format like PCI DSS.
- 2. II. EASE OF USE VAPT process comprises of 9 steps and they are Scope, Information Gathering, Vulnerability Detection, Information Analysis and Planning, Penetration Testing, Privilege Escalation, Result Analysis, Reporting and Cleaning. In this paper we propose a VAPT service on a private cloud where the private cloud will b e created using Eucalyptus open source private cloud architecture setup. Eucalyptus is a Linux-based open-source software architecture that implements efficiency-enhancing private and hybrid clouds within an enterprise’s existing IT infrastructure. The name Eucalyptus stands for Elastic Utility Computing Architecture for Linking Your Programs to Useful Systems. A Eucalyptus private cloud is deployed across an enterprise’s “on premise” data center infrastructure and is accessed by users over enterprise intranet. Thus, sensitive data remains entirely secure from external intrusion behind the enterprise firewall.Eucalyptus cloud platform pools together existing virtualized infrastructure to create cloud resources for compute, network and storage [11]. The benefits of Eucalyptus cloud are highly efficient scalability, organization agility, and increased trust and control for IT [11]. III. THE PROBLEM DEFINITION The problem definition comprises of creating VAPT as a service [4, 6] on the cloud. The service will be available to the clients through web interface. Only authorized users will be able to subscribe the service. Finally the vulnerability report in standard format will be generated and will be forwarded to the client. Fig2.VAPT as a service Use Case Diagram Vulnerability is a weakness which allows an attacker to reduce an information assurance. Vulnerability Assessment is Process of identifying and quantifying vulnerabilities in an environment and emphasizing on identifying areas that are vulnerable. IV. THE PROPOSED ARCHITECTURE The proposed mechanism is to build the Eucalyptus private cloud, creating VMimage with VAPT Scanner tool installed in it, uploading this image on the cloud, creating the VMinstance for incoming client request. Finally VAPT on the cloud produces vulnerability report in standard format and send this to client.
- 3. Fig4. VAPT as a Service on Cloud Architecture V. METHODOLOGY Prerequisites to successful implementation of VAPT as a service on cloud are listed below. Setting up a private cloud [1]. (with the help of Eucalyptus framework) Creating virtual machine image. Upload that machine image on cloud. Provide web interface to the clients for VAPT service subscription. Scan registered client’s network inside the Virtual machine image instance. Saving the scan results in the cloud storage. Create soft computing platform Develop and Deploy Private Cloud Create User Interface For Client Scan Client Network Generate Standard report Fig3.Proposed Mechanism VI. PERFORMANCE EVALUATION First Client subscribes for VAPT service using a web interface. After that cloud [8] service provide a login window for authentication and send welcome message to the client. Some script will then execute on client’s machine to fetch all network parameters. These parameters will then be passed to the cloud.CLC will then create VMinstance on the node machine.VAPT for every client will be performed inside designated node. Finally vulnerability reports generated in standard format will be forwarded to client as well as stored inside the cloud walrus. Common Vulnerability Scoring System (CVSS) [3, 7, 9] is almost an industrial standard for assessing the security vulnerabilities. It attempts to evaluate the degree of risks posed by vulnerabilities, so mitigation efforts can be prioritized. The measures termed scores are computed using assessments (called metrics) of vulnerability attributes based on the opinions of experts in the field Common Vulnerability Scoring System (CVSS) [12]. CVSS defines a number of metrics that can be used to characterize vulnerability. For each metric, a few qualitative levels are defined and a numerical value is associated with each level. CVSS is composed of three major metric groups: Base, Temporal and Environmental.
- 4. VII. IMPLEMENTATION PLATFORM A. HARDWARE: Fast processor (p4/p5 2 GHz Intel chipset) Min. 1 GB RAM 100 GB HDD (as clients are limited) Bandwidth (full bandwidth is available i.e. 100 mbps) B. SOFTWARE: Eucalyptus Framework for cloud deployment VAPT vulnerability assessment tool(Nessus) MapReduce framework for application development SAAJ [SOAP Attachment API for JAVA ] for distributed communication Data management Tools C. SKILLS / EXPERTISE: Strong analytical, documentation, and communication skills. Understanding of Tool & its technologies Understanding of generated report analysis. Understanding of network traffic analysis Experience with trouble ticketing and change management tools. Passion for all things information technology and information security Natural curiosity and ability to learn new skills quickly. VIII. CONCLUSION One major advantage of “VAPT as a service on the cloud” is that it lends itself to subscription-based software, which doesn’t require complex licensing or distribution points, which not only cuts cost, but also ensures no piracy. When actually providing a service, clients are locked into paying every time that they want to use the service. Clients don’t have to invest in any local hardware and can access their information and services from any Internet access. This type of application moves away fromthe requirements of having big applications on client’s systems to processing everything on the servers, which means clients need less money to get into application. From Service providers point of view setting up private cloud architecture brings advantages for an organization where the optimum resources utilization can be achieved and will also provide security to the organization‘s intranetworking from outside networks. From end clients point of view subscribing VAPT service which will be part of private cloud will converge into an enterprise level solution for resource hungry applications. REFERENCES [1] NIST Definitionof CloudComputing, http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc [2] Proceedings of the1st International CyberResilience Conference, EdithCowan University,PerthWestern Australia, 23rdAugust 2010 [3] http://en.wikipedia.org/wiki/Vulnerability_assessment [4] Building Applications in The CloudBy Chris Moyer [5] http://www.eeye.com/eEyeDigitalSecurity/media/White-Papers/The-Need-for-Vulnerability-Assessment-and-Remediation-What-My-CIO- Needs-to-Know-WP.pdf [6] “Effective NetworkVulnerabilityAssessment through Model Abstraction” by Suhang, XiningOu, John Homer 8thInternational Conference; DIMVA 2011, Amsterdam, The Netherlands, July 7-8, 2011. [7] “Active vulnerabilityassessment of computer networks by simulationofcomplex remote attacks “by St. PetersburgInst.for Informatics & Autom., Liniya,Russia appearedin Computer Networks andMobile Computing, 2003. ICCNMC 2003. [8] Amazon Compute Cloud(AmazonEC2),http:// Elastic aws.amazon.com/ec2/, [retrieved: May,201 [9] http://en.wikipedia.org/wiki/Vulnerability_assessment [10] White Paper onwhat is vulnerability assessment preparedon July 17, 2011 by DEMYO INC. [11] http://www.eucalyptus.com/eucalyptus-cloud/iaas