Extensible Network Configuration and Communication Framework


Extensible Networking Platform - IWAN 2005

Extensible Network Configuration and Communication Framework

Todd Sproull and John Lockwood
{todd,lockwood}@arl.wustl.edu

7th International Working Conference on Active and Programmable Networks (IWAN)
November 2005

http://www.arl.wustl.edu/arl/projects/fpx/



Overview

- Background
  - Project motivation
- Extensible Network Configuration Architecture
- Experimental Results
  - Initial results using the Emulab testbed
- Conclusions


Background

- Administrators are currently overwhelmed securing networks

  [Figure: example network with Wireless Router, Traffic Shaper, Intrusion Prevention System (IPS), NAT / Firewall and Intrusion Detection System (IDS)]

- Security devices in the network help combat the problem
  - Intrusion Detection or Prevention Systems (IDS or IPS)
  - Packet shapers
  - Firewalls
- Overhead associated with managing these devices is fairly high
  - They require manual configuration
  - They lack interoperability with other security devices


Problem Statement

- Objective
  - Develop a generic infrastructure for management of security devices
- Challenges
  - Need an abstraction for communication between heterogeneous security devices
  - Need to provide interfaces to configure key components of a security device
    - Example: ability to update rules on each firewall supported in the overlay
- Proposed Solution
  - Deploy an overlay network of security devices
  - Allow nodes to communicate through eXtensible Markup Language (XML)
  - Create generic abstractions of a device that are advertised to peers
    - Example: "Advertisement: I provide firewall capabilities"


Description of Framework

- Create an overlay network of security devices
- Devices subscribe to events of interest
  - Administrative updates
  - Virus signatures
  - Malicious IP flows to rate limit
- Administrator joins the overlay to issue updates
  - Messages are sent to each peer or to a single group
- Nodes communicate with each other through services
  - Nodes discover services in each group
- Nodes create and join groups of interest
  - Administrative
  - Firewall
  - Anomaly Detection
- Overlay software interfaces directly with applications executing on the node
  - Modifying configuration files
  - Restarting processes

  [Figure: overlay of Wireless Router, Traffic Shaper, Intrusion Prevention System (IPS), NAT / Firewall and Intrusion Detection System (IDS) nodes]


Implementation

- Overlay network built using the JXTA API
  - Provides an open infrastructure to create Peer-to-Peer (P2P) networks
- Protocols built into JXTA include
  - Peer Discovery
    - Discover peers, groups, and services in the overlay
  - Endpoint Routing
    - Provides route information to peers, simplifying communication behind firewalls and NAT
  - Pipe Binding
    - Creates communication channels for sending and receiving XML messages
- Supports various programming languages
  - Java (J2SE)
  - C
  - Mobile Java (J2ME)
  - Ruby


Example Security Nodes

- Current research explores three hardware platforms

  Function                          | Wireless Router                 | Workstation                      | Extensible Switch
  ----------------------------------|---------------------------------|----------------------------------|-----------------------
  Intrusion Detection or Prevention | Snort with limited ruleset      | Snort or Bro                     | FPGA Snort Lite
  Quality of Service                | Linksys QoS Support             | Hierarchical Token Buckets (HTB) | FPGA Queue Manager
  Anomaly or Event Detection        | None                            | SPADE                            | FPGA Worm Detector
  Hardware                          | 200MHz MIPS Embedded Processor  | Pentium M                        | FPX with FPGA Hardware

Experimental Setup

- Testbed experiment evaluates overhead in processing and routing XML messages in JXTA
  - XML publish/subscribe
  - JXTA pipe creation
  - JXTA message notification
- Traffic Generator sends XML messages to the Publisher
- Publisher parses XML messages and forwards each message to clients based on their individual service subscriptions
- Experiment created in the Emulab testbed
  - 2GHz Pentium 4 nodes
  - 100Mbit/sec Ethernet links

  [Figure: testbed topology with XML Traffic Generator, Publisher and Subscribers across Network A and Network B]
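The publish/subscribe dispatch that the framework and experimental-setup slides describe, written here as an added Python example rather than the authors' JXTA code: peers advertise the services they provide, the publisher parses each XML update and forwards it only to peers subscribed to that group, and the output pipe is created once per node (the optimization proposed on the results slide) instead of once per message. The XML schema, peer names, sample rules and the in-memory stand-in for a JXTA output pipe are all assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample messages (hypothetical schema; the slides publish none).
ADVERTISEMENTS = [
    '<advertisement peer="fw-1"><service name="firewall"/></advertisement>',
    '<advertisement peer="ws-1"><service name="firewall"/><service name="anomaly"/></advertisement>',
]
UPDATES = [
    '<update group="firewall"><rule action="drop" src="10.0.0.5"/></update>',
    '<update group="anomaly"><ratelimit src="10.0.0.9" kbps="64"/></update>',
    '<update group="firewall"><rule action="drop" src="10.0.0.6"/></update>',
    '<update group="firewall"><rule action="drop"',  # truncated on the wire
]

class Publisher:
    def __init__(self):
        self.subscribers = defaultdict(set)  # group -> {peer}
        self.pipes = {}                      # peer -> output pipe, made once per node
        self.pipe_creations = 0
        self.delivered = defaultdict(list)   # peer -> tags of delivered updates
        self.rejected = 0                    # messages that failed XML parsing

    def handle_advertisement(self, xml_text):
        # "Advertisement: I provide firewall capabilities" -> join that group
        ad = ET.fromstring(xml_text)
        for svc in ad.findall("service"):
            self.subscribers[svc.get("name")].add(ad.get("peer"))

    def _output_pipe(self, peer):
        # Pay the ~40ms pipe setup once per node instead of once per message
        if peer not in self.pipes:
            self.pipe_creations += 1
            self.pipes[peer] = peer          # stand-in for a JXTA OutputPipe
        return self.pipes[peer]

    def publish(self, xml_text):
        try:
            msg = ET.fromstring(xml_text)
        except ET.ParseError:
            self.rejected += 1               # drop malformed input, keep serving
            return 0
        peers = sorted(self.subscribers.get(msg.get("group"), ()))
        for peer in peers:
            self.delivered[self._output_pipe(peer)].append(msg[0].tag)
        return len(peers)                    # number of peers the update reached

def run_demo():
    pub = Publisher()
    for ad in ADVERTISEMENTS:
        pub.handle_advertisement(ad)
    return pub, [pub.publish(u) for u in UPDATES]
```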


Experimental Results

- Experiments performed measure packet loss as packets per second (pps) increase
  - XML Traffic Generator increases the pps sent to the Publisher
  - Publisher forwards relevant messages to a single subscriber
  - All messages are forwarded in this experiment
  - Loss represents packets not received by the subscriber
- The relatively low performance is due to the overhead of JXTA creating an "output pipe" for each connection
  - The overhead is approximately 40ms per connection
- Potential optimizations
  - Creating the output pipe once per node, assuming the peer is available
  - Utilizing JXTA sockets instead of JXTA pipes

  [Figure: Packet Loss % (0% to 100%) versus Packets per Second (0 to 700)]


Future Work

- Evaluate security functions of the overlay
  - Example: benchmark a node's ability to update firewall rules in the presence of an attack
- Deploy all three platforms in one testbed environment
  - Utilize Open Network Labs
    - Testbed for developing high performance network applications
- Investigate hardware plug-ins


Conclusions

- Proposed architecture for network configuration and communication
  - Overlay network distributing XML messages between devices
- Developed and deployed the framework in a network testbed
- Obtained preliminary results
  - Quantified overhead of the JXTA protocol and XML message parsing in a publish/subscribe network




Acknowledgments

- Research Group
  - Reconfigurable Network Group
    http://arl.wustl.edu/projects/fpx/reconfig.htm