"Extensible Network Configuration and Communication Framework"
  • I would like to thank the research sponsors, Global Velocity and Boeing for their financial support. Additionally, I would like to thank the members of the Reconfigurable Networking Group in the Applied Research Laboratory at Washington University.

Presentation Transcript

  • Extensible Network Configuration and Communication Framework
    Todd Sproull and John Lockwood {todd,lockwood}@arl.wustl.edu
    7th International Working Conference on Active and Programmable Networks (IWAN), November 2005
    http://www.arl.wustl.edu/arl/projects/fpx/
  • Overview
    • Background
      • Project motivation
    • Extensible Network Configuration Architecture
    • Experimental Results
      • Initial results using the Emulab testbed
    • Conclusions
  • Background
    • Administrators are currently overwhelmed securing networks
    [Figure: example network containing a Wireless Router, Traffic Shaper, Intrusion Prevention System (IPS), NAT / Firewall and Intrusion Detection System (IDS)]
    • Security devices in the network help combat the problem
      • Intrusion Detection or Prevention Systems (IDS / IPS)
      • Packet shapers
      • Firewalls
    • Overhead associated with managing these devices is fairly high
      • Require manual configuration
      • Lack interoperability with other security devices
  • Problem Statement
    • Objective
      • Develop generic infrastructure for management of security devices
    • Challenges
      • Need an abstraction for communication between heterogeneous security devices
      • Need to provide interfaces to configure key components of a security device
        • Example: Ability to update rules on each firewall supported in the overlay
    • Proposed Solution
      • Deploy an overlay network of security devices
      • Allow nodes to communicate through eXtensible Markup Language (XML)
      • Create generic abstractions of a device that are advertised to peers
        • Example: “Advertisement: I provide firewall capabilities”
  • Description of Framework
    • Create overlay network of security devices
    • Devices subscribe to events of interest
      • Administrative Updates
      • Virus Signatures
      • Malicious IP flows to rate limit
    • Administrator joins overlay to issue updates
      • Messages sent to each peer or a single group
    • Nodes communicate with each other through services
    • Nodes discover services in each group
    • Nodes create and join groups of interest
      • Administrative
      • Firewall
      • Anomaly Detection
    • Overlay software interfaces directly with applications executing on the node
      • Modifying configuration files
      • Restarting processes
    [Figure: the same devices (Wireless Router, Traffic Shaper, IPS, NAT / Firewall, IDS) joined as nodes of the overlay]
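The group/service/event routing described on the preceding slides, as an added example in Python. This is an illustration written for this page, not the authors' JXTA implementation: the XML message formats, the group names, the mapping from event type to receiving group, and the rule that only members of the administrative group may issue administrative updates are all assumptions made here.

```python
"""Toy publish/subscribe router for XML messages in a security-device overlay.

Assumed message formats:
  <advertisement><service>firewall</service>...</advertisement>
  <event type="rate-limit-flow"><flow src=".." dst=".." rate=".."/></event>
"""
import xml.etree.ElementTree as ET

# Groups of interest named on the slides.
GROUPS = {"administrative", "firewall", "anomaly-detection"}

# Which group subscribes to which event type (assumed mapping).
# None means the event is delivered to every peer in the overlay.
EVENT_TO_GROUP = {
    "admin-update": None,
    "virus-signature": "anomaly-detection",
    "rate-limit-flow": "firewall",
}


class OverlayPublisher:
    def __init__(self):
        self.members = {g: set() for g in GROUPS}  # group -> peer ids
        self.services = {}                          # peer id -> advertised services
        self.delivered = []                         # (peer, event type, xml) log

    def join(self, peer, group):
        if group not in GROUPS:
            raise ValueError(f"unknown group {group!r}")
        self.members[group].add(peer)

    def discover(self, group, service):
        """Peers in `group` that advertise `service` (service discovery)."""
        return sorted(p for p in self.members[group]
                      if service in self.services.get(p, set()))

    def handle(self, sender, xml_text):
        """Parse one message from `sender`; return the peers it was forwarded to."""
        # A DOCTYPE is never needed for these messages, and it is the vehicle
        # for entity-expansion attacks on XML parsers, so refuse it outright.
        if "<!DOCTYPE" in xml_text:
            raise ValueError("DTD not allowed in overlay messages")
        root = ET.fromstring(xml_text)
        if root.tag == "advertisement":
            # "Advertisement: I provide firewall capabilities"
            self.services[sender] = {(s.text or "").strip()
                                     for s in root.findall("service")}
            return []
        if root.tag == "event":
            etype = root.get("type")
            if etype not in EVENT_TO_GROUP:
                raise ValueError(f"unknown event type {etype!r}")
            # Only administrators may push configuration updates (assumption).
            if etype == "admin-update" and sender not in self.members["administrative"]:
                raise PermissionError(f"{sender} is not in the administrative group")
            group = EVENT_TO_GROUP[etype]
            targets = (set().union(*self.members.values()) if group is None
                       else self.members[group])
            recipients = sorted(targets - {sender})
            for peer in recipients:
                self.delivered.append((peer, etype, xml_text))
            return recipients
        raise ValueError(f"unknown message type {root.tag!r}")


def demo():
    """Constructed scenario: two firewalls, one IDS and one administrator."""
    pub = OverlayPublisher()
    pub.join("fw-1", "firewall")
    pub.join("fw-2", "firewall")
    pub.join("ids-1", "anomaly-detection")
    pub.join("admin", "administrative")
    pub.handle("fw-1", "<advertisement><service>firewall</service></advertisement>")
    # IDS asks the firewall group to rate limit a malicious flow (constructed addresses).
    flow = ('<event type="rate-limit-flow">'
            '<flow src="203.0.113.7" dst="198.51.100.2" rate="64kbps"/></event>')
    flow_recipients = pub.handle("ids-1", flow)
    # Administrator pushes an update to every peer.
    update_recipients = pub.handle("admin", '<event type="admin-update"><rule>v2</rule></event>')
    return pub, flow_recipients, update_recipients


if __name__ == "__main__":
    _, flows, updates = demo()
    print("rate-limit-flow ->", flows)
    print("admin-update    ->", updates)
```

The `delivered` log stands in for the JXTA output pipes of the real system; in a deployment the event handler would instead rewrite the device's configuration file and restart the process, as the slides describe.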
  • Implementation
    • Overlay network built using the JXTA API
      • Provides open infrastructure to create Peer-to-Peer (P2P) networks
    • Protocols built into JXTA include
      • Peer Discovery
        • Discover peers, groups, and services in the overlay
      • Endpoint Routing
        • Provide route information to peers, simplifying communication behind firewalls and NAT
      • Pipe Binding
        • Creates communication channels for sending and receiving XML messages
    • Supports various programming languages
      • Java (J2SE)
      • C
      • Mobile Java (J2ME)
      • Ruby
  • Example Security Nodes
    • Current research explores three hardware platforms
    Platform                      | Extensible Switch      | Workstation                      | Wireless Router
    Hardware                      | FPX with FPGA hardware | Pentium M embedded processor     | 200 MHz MIPS
    Anomaly or Event Detection    | FPGA Worm Detector     | SPADE                            | None
    Quality of Service            | FPGA Queue Manager     | Hierarchical Token Buckets (HTB) | Linksys QoS support
    Intrusion Detection/Prevention| FPGA Snort Lite        | Snort or Bro                     | Snort with limited ruleset
  • Experimental Setup
    • Testbed experiment evaluates overhead in Processing and Routing XML Messages in JXTA
      • XML Publish/Subscribe
      • JXTA Pipes Creation
      • JXTA Message Notification
    • Traffic Generator sends XML messages to Publisher
    • Publisher parses XML messages and forwards message to clients based on individual service subscription
    • Experiment created in Emulab testbed
      • 2GHz Pentium 4 nodes
      • 100Mbit/sec Ethernet links
    [Figure: XML Traffic Generator on Network A sends to the Publisher, which forwards to Subscribers on Network B]
  • Experimental Results
    • Experiments performed measure packet loss as packets per second (pps) increase
      • XML Traffic Generator increases pps to Publisher
      • Publisher forwards relevant messages to a single subscriber
        • All messages forwarded in this experiment
      • Loss represents packets not received by subscriber
    • The relatively low performance is due to the overhead of JXTA creating an “output pipe” for each connection
      • The overhead is approximately 40 ms per connection
    • Potential optimizations
      • Creating output pipe once per node, assuming the peer is available
      • Utilizing JXTA sockets instead of JXTA pipes
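An added illustration of why per-connection pipe creation caps throughput, and what the first proposed optimization buys. This is a model written for this page, not the authors' testbed code: the 40 ms setup cost is the figure from the slides, while the 1 ms cost of a send over an already-open pipe, the zero-buffering loss model and the constructed peer name are assumptions.

```python
"""Throughput model for JXTA output-pipe creation versus a per-peer pipe cache."""

PIPE_SETUP_US = 40_000  # ~40 ms per output pipe creation (measured on the slides)
SEND_US = 1_000         # assumed cost of one send over an already-open pipe


class PerConnectionPipes:
    """Baseline from the slides: a fresh output pipe for every message."""

    def send_cost(self, peer):
        return PIPE_SETUP_US + SEND_US


class CachedPipes:
    """Proposed optimization: create the output pipe once per peer and reuse it,
    as long as the peer is still available."""

    def __init__(self):
        self._open = set()

    def send_cost(self, peer):
        if peer in self._open:
            return SEND_US
        self._open.add(peer)            # first send to this peer pays the setup
        return PIPE_SETUP_US + SEND_US

    def peer_unavailable(self, peer):
        """Drop the cached pipe so the next send re-creates it."""
        self._open.discard(peer)


def simulate_loss(pps, pipes, peer="subscriber-1", n_messages=1000):
    """Fraction of messages lost when the generator offers `pps` messages/s.

    Loss model (assumption): the publisher has no buffer, so a message is
    delivered only if the publisher is idle when it arrives; all integer
    microsecond arithmetic so the result is exact.
    """
    interval_us = 1_000_000 // pps
    busy_until = 0
    dropped = 0
    for i in range(n_messages):
        arrival = i * interval_us
        if arrival < busy_until:
            dropped += 1
            continue
        busy_until = arrival + pipes.send_cost(peer)
    return dropped / n_messages


def max_sustainable_pps(per_message_us):
    """Highest offered rate with no loss under the model above."""
    return 1_000_000 // per_message_us


if __name__ == "__main__":
    for rate in (20, 100, 500):
        print(f"{rate:4d} pps: per-connection loss {simulate_loss(rate, PerConnectionPipes()):.3f}, "
              f"cached loss {simulate_loss(rate, CachedPipes()):.3f}")
```

Under this model a 40 ms setup per message limits the publisher to about 24 messages per second before loss begins, while reusing one pipe per peer moves the limit to the cost of a send; the `peer_unavailable` hook is where a real implementation would invalidate the cache when the peer drops off the overlay.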
  • Future Work
    • Evaluate security functions of the overlay
      • Example: Benchmark nodes' ability to update firewall rules in the presence of an attack
    • Deploy all three platforms in one testbed environment
      • Utilize Open Network Labs
        • Testbed for developing high performance network applications
      • Investigate Hardware Plug-ins
  • Conclusions
    • Proposed Architecture for Network Configuration and Communication
      • Overlay network distributing XML messages between devices
    • Developed and deployed framework in network testbed
    • Obtained Preliminary Results
      • Quantified overhead of the JXTA protocol and XML message parsing in a publish/subscribe network
  • Acknowledgments
    • Research Group
      • Reconfigurable Network Group http://arl.wustl.edu/projects/fpx/reconfig.htm