network is vulnerable to attacks.
• An off-site user has difficulty connecting to the private network because of corporate firewalls.
• IPSec can impose a high CPU overhead on VPN gateways because of the processing required for packet encryption/decryption and authentication.
• There is packet loss in VPN networks [8].

II. DETAILS OF NDIS ARCHITECTURE

NDIS is an acronym for Network Driver Interface Specification. It performs a set of functions for network adapter drivers, for instance registering and handling hardware interrupts or communicating with the underlying network adapters. It permits a range of transport protocols such as IPX, TCP/IP and native ATM to communicate with network adapters and other hardware devices. Once communication between the network adapter and the transport protocol has been established, packets can be exchanged over the network in use [2]. An important aspect of NDIS is that it allows the higher-level protocol components to be independent of the network adapter by means of a standard interface.

Fig. 2 Communication between the NDIS of terminals

The Windows library offers a fully standardized interface for implementing a custom network adapter driver for the Windows operating system. The network architecture of Windows 2000 supports NDIS. NDIS in Windows 2000 consists of a special code file named Ndis.sys, also known as the NDIS wrapper. The NDIS drivers are completely enclosed by the NDIS wrapper. Its key function is to provide a consistent interface between the NDIS device drivers and the protocol drivers. Additionally, the NDIS wrapper contains supporting routines that assist in developing NDIS drivers and make the overall development process easier [4] [5].

Fig. 3 Detailed NDIS

There are two major types of NDIS drivers, which are described here:

A. NDIS Intermediate Drivers

Intermediate drivers, or IM drivers, are situated between the Internet Protocol layers and the MAC. All network traffic received by the NIC can be controlled and inspected by an NDIS IM driver.

Two types of interfaces are implemented by NDIS IM drivers: the protocol interface and the miniport interface. A miniport driver and a protocol driver both reside in the IM driver, and they communicate through the miniport interface and the protocol interface respectively.

There are two types of NDIS IM drivers:
• LAN Emulation IM Driver: It is responsible for translating the connectionless transport's LAN format into a connection-oriented format. ATM is an example of such a connection-oriented format. It transforms the packets into a format that can be sent over a separate and different medium.
• Filter Driver: Its objective is to perform specific operations on the packets that pass through it. Operations such as packet tracing, encryption and compression can be performed on the packets.

B. NDIS Protocol Drivers

The second type of NDIS driver is the NDIS protocol driver, designed to export a complete set of functions to the lower edge of the transport protocol stack. The protocol driver communicates with NDIS in order to receive or transmit packets. It binds to an IM driver or an underlying miniport driver, which then exports an interface to the upper edge of the stack. An important aspect of the NDIS protocol driver is that it may also support the Transport Driver Interface (TDI) at its upper edge. Additionally, it can export an interface to a higher-level kernel-mode (KM) driver [2]. This can be achieved through a transport stack of drivers,
which can include the stack that supports the Transport Driver Interface.

NDIS protocol drivers always use the functions provided by NDIS to communicate with the underlying NDIS drivers. For instance, if a protocol driver with a connectionless lower edge (e.g. Token Ring or Ethernet) wishes to transmit packets to the underlying NDIS driver, it has to call NdisSendPackets or NdisSend. To set the Object Identifiers (OIDs) of connectionless drivers, the protocol driver has to call NdisRequest. If a protocol driver has a connection-oriented lower edge (e.g. ATM), it must call NdisCoSendPackets to send network packets to the lower-edge NDIS driver, and to set the OIDs supported by connection-oriented drivers it has to call NdisCoRequest [4].

Protocol drivers are more portable and easier to manage across the Microsoft operating systems that use NDIS versions with these functions. For the operating system to support these protocol drivers, it must also support the Win32 interface.

III. PROPOSED SOLUTION

SmartX is a framework that secures the data flowing in a network. The framework employs an infrastructure, called Mutual-Identity, to authenticate two workstations in a network and create a secure tunnel between the two endpoints. Each endpoint must contain a SmartX-enabled module that performs a set of transformations on every network packet that is about to hit the wire.

For Windows-based systems, the module is an NDIS (Network Driver Interface Specification) module installed just above the network driver module. When a network packet originates from one of the applications and is to be passed on to the NIC driver, the NDIS module intercepts the packet, encrypts it and then forwards it to the NIC. When a packet arrives at the NIC and is about to be forwarded to the application, the NDIS module decrypts the packet and forwards it to the concerned application.

Fig. 4 Internals of SmartX

Wireless networks are particularly prone to sniffing attacks, and applications within an organization customarily do not secure their data. Hence, by securing the data at the network level it is ensured that all data flowing out of a particular node is safeguarded. When an outbound packet arrives at the NDIS module, the module encrypts the entire packet (i.e. from the start of the Ethernet header to the end of the data) and creates one or more UDP packets out of it. If the size of the encrypted packet exceeds the MTU, it is split into two UDP packets. The UDP packets are then sent to the destination node, where they are reassembled if required and then decrypted [1]. The software to be developed would provide a more efficient and secure method of packet exchange over a network. Packets transmitted using a VPN are prone to both active and passive attacks. The authentication of the two workstations trying to exchange packets over the network is done using Mutual-Identity. After successful authentication a tunnel is established between the two workstations. An entry point would be programmed in the NDIS code by means of which the packets would be captured. These packets would then be processed with the 128-bit Advanced Encryption Standard (AES-128) and passed on to the tunnel for delivery. At the receiver's end, the packet would be captured and decrypted to obtain the original packet. The resulting packet would then be sent up the OSI layers for processing.
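The outbound and inbound paths described above, as an added example that is not the paper's code (SmartX itself is not published here): a Python model in which the sending module seals the whole Ethernet frame, splits the result into UDP payloads no larger than the MTU, and the receiving module reassembles the fragments in any arrival order and decrypts. Two things are the example's assumptions rather than the paper's design: AES-128 is replaced by an HMAC-SHA256 counter-mode keystream because the Python standard library has no AES (use AES-CTR, or better an AEAD mode, in practice), and each frame carries an HMAC tag, which the paper never mentions; without a tag the receiver decrypts whatever arrives, and an active attacker can flip bits in the frame undetected, which matters for a scheme that is supposed to resist active attacks. The fragment header (frame id, index, count), the treatment of `mtu` as the largest UDP payload the tunnel may carry, and the random keys standing in for those Mutual-Identity would provide are also assumptions.

```python
# Model of the SmartX data path (added example; not the paper's code).
# Assumptions: AES-128 is replaced by an HMAC-SHA256 counter-mode keystream
# (the standard library has no AES); every frame gets an HMAC tag, which the
# paper does not mention; the fragment header layout is invented here.
import hashlib
import hmac
import os
import struct

HDR = struct.Struct("!IBB")   # assumed fragment header: frame id, index, count
NONCE_LEN = 8
TAG_LEN = 16                  # truncated HMAC-SHA256 tag


def keystream(key, nonce, length):
    """Block i of the keystream is HMAC(key, nonce || i); stand-in for AES-CTR."""
    blocks = []
    for i in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal(enc_key, mac_key, frame):
    """Encrypt the whole frame (Ethernet header included), then MAC nonce || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(frame, keystream(enc_key, nonce, len(frame))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unseal(enc_key, mac_key, blob):
    """Verify the tag before decrypting; a modified or forged packet is rejected."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated packet")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: packet modified or forged")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


class Sender:
    """Outbound path: seal the frame, then split it into UDP payloads of at most mtu bytes."""

    def __init__(self, enc_key, mac_key, mtu):
        # mtu: largest UDP payload the tunnel may carry (link MTU minus IP/UDP headers)
        self.enc_key, self.mac_key = enc_key, mac_key
        self.chunk = mtu - HDR.size
        self.next_id = 0

    def encapsulate(self, frame):
        blob = seal(self.enc_key, self.mac_key, frame)
        pieces = [blob[i:i + self.chunk] for i in range(0, len(blob), self.chunk)]
        fid, self.next_id = self.next_id, (self.next_id + 1) & 0xFFFFFFFF
        return [HDR.pack(fid, idx, len(pieces)) + p for idx, p in enumerate(pieces)]


class Receiver:
    """Inbound path: buffer fragments per frame id, then verify and decrypt."""

    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.pending = {}

    def receive(self, payload):
        """Return the original frame once all of its fragments are in, else None."""
        if len(payload) < HDR.size:
            return None                      # too short to carry a header: drop
        fid, idx, count = HDR.unpack_from(payload)
        if count == 0 or idx >= count:
            return None                      # malformed header: drop
        parts = self.pending.setdefault(fid, {})
        parts[idx] = payload[HDR.size:]
        if len(parts) < count:
            return None                      # still waiting; fragments may arrive out of order
        blob = b"".join(parts[i] for i in range(count))
        del self.pending[fid]
        return unseal(self.enc_key, self.mac_key, blob)


def demo(mtu=300):
    """Round-trip a constructed 616-byte frame, then show a tampered fragment is rejected."""
    enc_key, mac_key = os.urandom(16), os.urandom(16)       # stand-ins for Mutual-Identity keys
    frame = bytes(range(14)) + b"\x45\x00" + bytes(600)      # constructed: Ethernet header + IP-like payload
    pkts = Sender(enc_key, mac_key, mtu).encapsulate(frame)

    rx = Receiver(enc_key, mac_key)
    out = [rx.receive(p) for p in (pkts[-1], *pkts[:-1])]   # deliver the last fragment first
    ok = out[-1] == frame and all(o is None for o in out[:-1])

    bad = bytearray(pkts[0])
    bad[HDR.size] ^= 0x01                                    # flip one bit on the wire
    rx2 = Receiver(enc_key, mac_key)
    try:
        for p in [bytes(bad), *pkts[1:]]:
            rx2.receive(p)
        detected = False
    except ValueError:
        detected = True
    return {"fragments": len(pkts), "max_len": max(map(len, pkts)),
            "roundtrip_ok": ok, "tamper_detected": detected}
```

`demo()` splits the constructed frame into three fragments at an MTU of 300 (the sealed frame is 640 bytes, each fragment carries at most 294), delivers the last fragment first, and then shows that a single flipped bit in any fragment is rejected at the receiver instead of being handed up the stack as a garbled frame. The example generalizes the paper's "split into two UDP packets" to any number of fragments; the receiver also drops fragments with an index outside the announced count, which is the kind of malformed input a kernel-level reassembler must expect.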
The keys used for encryption/decryption are provided by the Mutual-Identity key management infrastructure. Each participating node has a set of user-space applications that perform Mutual-Identity authentication with the other nodes before transacting data. Once the Mutual-Identity authentication is over, the two sides arrive at a set of keys that they use for data protection. The data flowing in a given network can be sniffed unless the applications transacting the data have taken adequate measures to protect it.

IV. APPLICATIONS

• Systems using SmartX will have better CPU performance due to reduced context switches and memory copies, and improved security.
• It will eliminate the drawbacks of VPN systems through the use of Mutual-Identity, which is a more secure way of performing online transactions.
• SmartX proves to be helpful particularly in applications such as e-banking, defense and e-life insurance.
• Provides cloud security.

V. RESULT

When a packet arrives at the NIC, it is encrypted using a session key for mutual authentication that is provided by the patented Mutual-Identity algorithm. When this packet hits the wire for transmission it is highly secured and resistant to attacks on the network. The throughput of the system is increased to a large extent by avoiding the creation of multiple copies of the same data and by reducing the number of context switches. The processing overhead of the system is also reduced by encrypting/decrypting the packet within the system itself, eliminating the need for extra protocol overhead.

VI. CONCLUSION

Currently, VPN systems are used throughout the world. SmartX will eliminate the drawbacks involved in Virtual Private Networks. It will thus improve the processing time of the CPU and allow the CPU to perform other work simultaneously during context switching. SmartX is for the Windows operating system, and it can also be implemented for Linux-based systems. It improves the memory management scheme. The major contribution of the paper is to demonstrate the drawbacks of the Virtual Private Network and show how SmartX will eliminate those drawbacks and make communication more secure and efficient. SmartX will provide an additional level of security to the current world of communication systems. It makes packets more secure and attack resistant over the network. Applications like encryption of data, compression of packets and increased transfer rate can easily be added to this software. It will also provide security in the cloud and will be beneficial for various applications such as e-banking and e-life insurance.

REFERENCES

[1] Suk Lee, Jee Hun Park, Kyoung Nam Ha, Kyung Chang Lee, "Wireless Networked Control System Using NDIS-based Four-Layer Architecture for IEEE 802.11b", 2008.
[2] He Chaokai, "Design and implementation of a personal firewall based on NDIS Intermediate Drivers", Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing, 2007.
[3] Yunhe Zhang, Zhitang Li, Song Mei, Cai Fu, "Session-based Tunnel Scheduling Model in Multi-link Aggregate IPSec VPN", 2009 Third International Conference on Multimedia and Ubiquitous Engineering.
[4] Jee Hun Park, Kyoung Nam Ha, Suk Lee, Kyung Chang Lee, "Performance Evaluation of NDIS-based four-layer architecture with virtual scheduling algorithm for IEEE 802.11b", International Conference on Control, Automation and Systems 2007, Oct. 17-20, 2007, COEX, Seoul, Korea.
[5] Shuo Dai, Ye Du, "Design and Implementation of Dynamic Web Security and Defense Mechanism based on NDIS Intermediate Driver", 2009 Asia-Pacific Conference on Information Processing.
[6] William Sax, Carleton Jillson, William Wollman, Harry Jegers, "Experience with Prefix Discovery Servers and IPSec VPN Gateways".
[7] Olalekan Adeyinka, "Analysis of IPSec VPNs Performance in A Multimedia Environment".
[8] Olalekan Adeyinka, "Analysis of problems associated with IPSec VPN Technology".