Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 1. Applying a Multi-level Security Mechanism to a Network Address Translation Scheduler Arthur McDonald Computer Science Department East Stroudsburg University
  2. 2. Outline <ul><li>Introduction </li></ul><ul><li>Multi-Level Security Basics </li></ul><ul><li>Linux Virtual Servers </li></ul><ul><li>Proposed Algorithm </li></ul><ul><li>Implementation and Experiments </li></ul><ul><li>Results and Conclusions </li></ul>
  3. 3. Introduction <ul><li>Recent Security Threats </li></ul><ul><li>Need to protect data on distributed systems </li></ul><ul><li>Linux Virtual Servers </li></ul><ul><li>Load Scheduling </li></ul><ul><li>Multi-Level Security </li></ul>
  4. 4. Multi-Level Security <ul><li>Information with different sensitivities to be stored on same system </li></ul><ul><li>Information is processed with users having different security classes </li></ul><ul><ul><li>Prevents users from accessing info for which they are not cleared </li></ul></ul><ul><li>Example on Next slide </li></ul>
  5. 5. MLS Example <ul><li>Data assigned 4 security classes or levels: </li></ul><ul><ul><li>Level 1 – CLASSIFIED access </li></ul></ul><ul><ul><li>Level 2 – SECRET access </li></ul></ul><ul><ul><li>Level 3 – UNCLASSIFIED access </li></ul></ul><ul><ul><li>Level 4 – No access </li></ul></ul><ul><li>Clearances are hierarchical </li></ul>
  6. 6. MLS Properties – Access Control <ul><li>Control what users can read, write or execute files </li></ul><ul><li>System must also make decisions about access control </li></ul><ul><li>Two types: </li></ul><ul><ul><li>Discretionary Access Control (DAC) </li></ul></ul><ul><ul><li>Mandatory Access Control (MAC) </li></ul></ul>
  7. 7. Discretionary Access Control <ul><li>Restricts access based on the identity of the user </li></ul><ul><li>Three basic types of access: </li></ul><ul><ul><li>Read – User can open and view the data in file/directory </li></ul></ul><ul><ul><li>Write – User can open and write data to the file/directory </li></ul></ul><ul><ul><li>Execute – User can execute the file </li></ul></ul><ul><ul><ul><li>Relevant only to executables </li></ul></ul></ul>
  8. 8. Discretionary Access Control <ul><li>Owner makes access decisions </li></ul><ul><li>Typically three categories: </li></ul><ul><ul><li>Self: Owner of the data </li></ul></ul><ul><ul><li>Group: A set of users on the system </li></ul></ul><ul><ul><li>Public: All users of the system </li></ul></ul>
  9. 9. Mandatory Access Control <ul><li>Used in systems with extremely sensitive data </li></ul><ul><li>All objects (files, directories, etc…) and subjects (users) are assigned a sensitivity level. </li></ul><ul><li>Subject’s sensitivity level specifies objects it has access to. </li></ul>
  10. 10. Mandatory Access Control <ul><li>Two parts to label: Classification and a set of categories </li></ul><ul><ul><li>Classification is hierarchical </li></ul></ul><ul><ul><ul><li>DOD uses Top Secret, Secret, Confidential and Unclassified </li></ul></ul></ul><ul><ul><li>Categories are non-hierarchical – represent areas of information in the system </li></ul></ul><ul><ul><ul><li>Subject with highest classification level may not mean they are cleared to access all data </li></ul></ul></ul>
  11. 11. MLS Properties – Information Flow <ul><li>Three Models: </li></ul><ul><ul><li>Bell-LaPadula </li></ul></ul><ul><ul><li>Biba </li></ul></ul><ul><ul><li>Clark-Wilson </li></ul></ul>
  12. 12. Bell-LaPadula Model <ul><li>Linear model </li></ul><ul><li>User with security level b can READ objects at level a iff a <= b </li></ul><ul><li>User at level b can write objects at level c iff c >= b </li></ul><ul><li>Higher access can read from lower level and lower access can write to higher levels </li></ul><ul><li>Insures data confidentiality </li></ul>
  13. 13. Bell LaPadula Model Level b resources Read access only Write access only Read-Write access Level a Level c Level d Level b
  14. 14. Biba Model <ul><li>Opposite of Bell-LaPadula </li></ul><ul><li>Users at level b can write to level a iff a <= b and level b can read from level c iff c >= b </li></ul><ul><li>Insures data integrity </li></ul>
  15. 15. Biba Model Level c Level b resources Write access only Read access only Read-Write access Level a Level d Level b
  16. 16. Clark Wilson Model <ul><li>Similar to Biba, with one more constraint </li></ul><ul><li>Task is separated into duties </li></ul><ul><li>Ensures integrity rules are not disobeyed </li></ul>
  17. 17. Linux Virtual Servers <ul><li>What is an LVS? </li></ul><ul><li>Why use them? </li></ul><ul><li>How is it done? </li></ul>
  18. 18. Linux Virtual Servers – What? <ul><li>Cluster of computers connected by fast network </li></ul><ul><li>Cluster “appears” to be a single machine </li></ul><ul><li>Service requests from incoming clients </li></ul><ul><ul><li>HTTP, FTP, telnet, etc... </li></ul></ul><ul><li>Minimum requirements </li></ul><ul><ul><li>1 Director machine </li></ul></ul><ul><ul><li>2 or more Realservers </li></ul></ul>
  19. 19. Linux Virtual Servers – What? Client Realserver 2 Realserver N Director Realserver 1 Internet Network
  20. 20. Linux Virtual Servers – Why? <ul><li>Need for fast, reliable servers </li></ul><ul><li>Three requirements: </li></ul><ul><ul><li>Incremental Scalability </li></ul></ul><ul><ul><li>24x7 Availability </li></ul></ul><ul><ul><li>Cost-effectiveness </li></ul></ul>
  21. 21. Linux Virtual Servers – Why? <ul><li>“Old” way – single machine </li></ul><ul><ul><li>Need to upgrade when load becomes too much </li></ul></ul><ul><ul><li>Add faster CPU, more RAM, other hardware… </li></ul></ul><ul><ul><ul><li>Complex and expensive </li></ul></ul></ul><ul><ul><li>New machine can also become overloaded </li></ul></ul>
  22. 22. Linux Virtual Servers – Why? <ul><li>LVS’ satisfy all the requirements </li></ul><ul><li>Scalability – Add/Remove machines to cluster easily </li></ul><ul><li>Availability – Services are backed by multiple machines – One goes down, not a problem </li></ul><ul><li>Cost effective – No “supercomputer” to upgrade; simply add PCs </li></ul>
  23. 23. Linux Virtual Servers – How? <ul><li>Network director and realservers together </li></ul><ul><ul><li>Typically star topology network </li></ul></ul><ul><ul><li>Realservers are part of private network </li></ul></ul><ul><li>Two IPs for director </li></ul><ul><ul><li>Real IP: IP address for internal network </li></ul></ul><ul><ul><li>Virtual IP: Address that clients see </li></ul></ul><ul><li>Services are assigned to the director, along with port number and scheduling algorithm </li></ul>
  24. 24. Linux Virtual Servers – How? <ul><li>Director waits for connections </li></ul><ul><li>Connection received: </li></ul><ul><ul><li>Call scheduling function to determine what realserver to forward data to </li></ul></ul><ul><li>Three forwarding methods: </li></ul><ul><ul><li>Direct Routing </li></ul></ul><ul><ul><li>IP Tunnelling </li></ul></ul><ul><ul><li>Network Address Translation </li></ul></ul>
  25. 25. Linux Virtual Server – How? <ul><li>Load Scheduling Algorithms </li></ul><ul><ul><li>Round Robin </li></ul></ul><ul><ul><li>Weight Round Robin </li></ul></ul><ul><ul><li>Least Connection </li></ul></ul><ul><ul><li>Weighted Least Connection </li></ul></ul><ul><ul><li>Destination/Source Hash Scheduling </li></ul></ul>
  26. 26. MLS Load Scheduling <ul><li>Distribute load across realservers based on security levels </li></ul><ul><li>Security level determined by client’s IP address </li></ul><ul><li>Three security levels: A, B and No Access </li></ul><ul><li>Level A forwarded to Realserver 1 </li></ul><ul><li>Level B forwarded to Realserver 2 </li></ul><ul><li>No Access – Data is dropped </li></ul>
  27. 27. MLS Load Scheduling <ul><li>Code developed based on LVS schdeuling algorithms </li></ul><ul><li>Compiled directly into the kernel </li></ul><ul><ul><li>Can also be compiled as a module </li></ul></ul>
  28. 28. MLS Load Scheduling <ul><li>Init, update and finished function </li></ul><ul><li>Two main functions: </li></ul><ul><ul><li>ip_vs_mls_schedule </li></ul></ul><ul><ul><li>ip_vs_mls_get_security_level </li></ul></ul>
  29. 29. MLS Load Scheduling <ul><li>Problems: </li></ul><ul><ul><li>File I/O in Kernel Space </li></ul></ul><ul><ul><li>Dotted decimal string to unsigned int conversion of IP addresses </li></ul></ul>
  30. 30. Implementation <ul><li>Hardware: </li></ul><ul><ul><li>Four Intel Pentium machines connected by hub </li></ul></ul><ul><li>Software: </li></ul><ul><ul><li>Director: Red Hat 7.0 </li></ul></ul><ul><ul><li>Realserver 1: Red hat 7.0 kernel 2.2.16, Apache </li></ul></ul><ul><ul><li>Realserver 2: Mandrake 7.1, Apache </li></ul></ul><ul><ul><li>Client: Windows XP, Internet Explorer </li></ul></ul>
  31. 31. Implementation <ul><li>Installing LVS </li></ul><ul><ul><li>Obtain “fresh” kernel from www.kernel.org </li></ul></ul><ul><ul><li>Patch kernel with the LVS code </li></ul></ul><ul><ul><li>Configure the kernel using xconfig </li></ul></ul><ul><ul><li>Compile and install modules </li></ul></ul><ul><ul><li>Compile kernel </li></ul></ul><ul><ul><li>Test the new kernel </li></ul></ul>
  32. 32. Implementation <ul><li>IPVSADM </li></ul><ul><ul><li>Administration program for LVS </li></ul></ul><ul><ul><li>Used to set up service </li></ul></ul><ul><ul><li>Add realservers to LVS </li></ul></ul>
  33. 33. Experiments <ul><li>Attempt to connect to the realserver </li></ul><ul><ul><li>Test Case 1 – Client IP address set to Level A access </li></ul></ul><ul><ul><li>Test Case 2 – Client IP address set to Level B access </li></ul></ul><ul><ul><li>Test Case 3 – Client IP address set to No Access </li></ul></ul>
  34. 34. Future Work <ul><li>Improve algorithm for scalability </li></ul><ul><li>Design an admin tool for easy addition/deletion of client IP address/security levels </li></ul>
  35. 35. Conclusions <ul><li>Project is a good initial step in research towards MLS in Linux Virtual Servers </li></ul><ul><li>More work needs to be done, especially in the current global climate </li></ul><ul><li>Future looks bright for the LVS project </li></ul>