CloudProxy: A NAPT Proxy for Vulnerability Scanners based on Cloud Computing

Security-as-a-service (SaaS) is an outsourcing model for security management in cloud computing. Vulnerability scanners based on cloud computing is becoming one of the killer applications in SaaS due to the pay-per-use manner and powerful scanning capability. When performing vulnerability scanning through network, the scanner needs to establish a large number of TCP connections with the target host. To deal with the problem of IPv4 address shortening and to protect the hosts within the organization, the target hosts are almost always deployed behind a NAPT(Network Address and Port Translation) device, TCP packets sent by the scanner outside the network isolated by the NAPT device will be blocked, thus unable to complete the vulnerability scanning task when the scanners are deployed in the cloud. While there exists NAPT traversal methods, they support TCP poorly and therefore is not ready for the vulnerability scanning scenario where a large number of TCP connections needs to be established. In this paper we proposed a NAPT proxy named CloudProxy for adopting vulnerability scanners in cloud computing by combining the TURN extension protocol and the Socks5 protocol. We integrated function of Socks5 into the TURN client, so that the destination port of all scanning packets will be aggregated before passing through the TURN server, lessen the burden of the TURN server. The experimental results show that CloudProxy can relay packets for the vulnerability scanner based on cloud computing in a transparent way and its scalability is sufficient for practical use.