Upload
liz
View
74
Download
0
Embed Size (px)
DESCRIPTION
Extensible Network Configuration and Communication Framework. Todd Sproull and John Lockwood {todd,lockwood}@arl.wustl.edu 7 th International Working Conference on Active and Programmable Networks (IWAN) November 2005 http://www.arl.wustl.edu/arl/projects/fpx/. Overview. Background - PowerPoint PPT Presentation
Citation preview
Extensible Networking Platform 1 1 - IWAN 2005
Extensible Network Configuration and
Communication Framework
Todd Sproull and John Lockwood{todd,lockwood}@arl.wustl.edu
7th International Working Conference on Active and Programmable Networks (IWAN)
November 2005
http://www.arl.wustl.edu/arl/projects/fpx/
Extensible Networking Platform 2 2 - IWAN 2005
Overview
• Background– Project motivation
• Extensible Network Configuration Architecture
• Experimental Results – Initial results using the Emulab testbed
• Conclusions
Extensible Networking Platform 3 3 - IWAN 2005
Background
• Administrators currently overwhelmed securing networks
WirelessRouter
Traffic Shaper
Intrusion Prevention System (IPS)
NAT / Firewall
Intrusion DetectionSystem (IDS)
• Security devices in the network help combat the problem– Intrusion Detection or Prevention
Systems (IDS) or (IPS) – Packet shapers– Firewalls
• Overhead associated with managing these devices is fairly high– Require manual configuration– Lack interoperability with other
security devices
Extensible Networking Platform 4 4 - IWAN 2005
Problem Statement
• Objective– Develop generic infrastructure for management of
security devices• Challenges
– Need an abstraction for communication between heterogeneous security devices
– Need to provide interfaces to configure key components of a security device
• Example: Ability to update rules on each firewall supported in the overlay
• Proposed Solution– Deploy an overlay network of security devices – Allow nodes to communicate through eXtensible Markup
Language (XML) – Create generic abstractions of a device are advertised to
peers• Example: “Advertisement: I provide firewall capabilities”
Extensible Networking Platform 5 5 - IWAN 2005
Description of Framework
• Create overlay network of security devices
• Devices subscribe to events of interest– Administrative Updates– Virus Signatures– Malicious IP flows to rate limit
• Administrator joins overlay to issue updates– Messages sent to each peer or a single group
• Nodes communicate with each other through services
• Nodes discover services in each group
?
?
?
??
• Nodes create and join groups of interest– Administrative – Firewall– Anomaly Detection
• Overlay software interfaces directly with applications executing on the node– Modifying configuration files– Restarting processes
WirelessRouter
Traffic Shaper
Intrusion Prevention System (IPS)
NAT / Firewall
Intrusion DetectionSystem (IDS)
Extensible Networking Platform 6 6 - IWAN 2005
Implementation
• Overlay network built using the JXTA API– Provides open infrastructure to create Peer-to-Peer (P2P) networks
• Protocols built into JXTA include– Peer Discovery
• Discover peers, groups, and service in the overlay– Endpoint Routing
• Provide route information to peers, simplifying communication behind firewalls and NAT
– Pipe Binding• Creates communication channels for sending and receiving XML
messages
• Supports various programming languages– Java (J2SE)– C– Mobile Java (J2ME)– Ruby
Extensible Networking Platform 7 7 - IWAN 2005
Example Security Nodes
• Current research explores three hardware platforms
Wireless Router Workstation Extensible Switch
Intrusion Detection or Prevention
Snort with limited ruleset
Snort or Bro FPGA Snort Lite
Quality of Service Linksys QoS Support
Hierarchical Token Buckets (HTB)
FPGA Queue Manager
Anomaly or Event Detection
None SPADE FPGA Worm Detector
FPX with FPGA Hardware
Pentium M Embedded Processor
200MHz MIPS
Extensible Networking Platform 8 8 - IWAN 2005
Experimental Setup• Testbed experiment evaluates overhead in Processing and Routing XML Messages in JXTA
– XML Publish/Subscribe– JXTA Pipes Creation– JXTA Message Notification
• Traffic Generator sends XML messages to Publisher• Publisher parses XML messages and forwards message to clients based on individual
service subscription• Experiment created in Emulab testbed
– 2GHz Pentium 4 nodes– 100Mbit/sec Ethernet links
Publisher
Subscribers
Network A Network B
XML Traffic Generator
Extensible Networking Platform 9 9 - IWAN 2005
Experimental Results
• Experiments performed measure packet loss as packets per second (pps) increase
– XML Traffic Generator increases pps to Publisher
– Publisher forwards relevant messages to a single subscriber
• All messages forwarded in this experiment
– Loss represents packets not received by subscriber
• Relatively low performance deal with overhead in JXTA creating an “output pipe” for each connection
– The overhead is approximately 40ms per connection
• Potential optimizations– Creating output pipe once per node,
assuming the peer is available– Utilizing JXTA sockets instead of JXTA
pipes
0.00%
10.00%
20.00%
30.00%
40.00%
50.00%
60.00%
70.00%
80.00%
90.00%
100.00%
0 100 200 300 400 500 600 700
Packets per Second
Pac
ket
Lo
ss %
Extensible Networking Platform 10 10 - IWAN 2005
Future Work
• Evaluate security functions of the overlay– Example: Benchmark nodes ability to update
firewall rules in the presence of an attack
• Deploy all three platforms in one testbed environment– Utilize Open Network Labs
• Testbed for developing high performance network applications
– Investigate Hardware Plug-ins
Extensible Networking Platform 11 11 - IWAN 2005
Conclusions
• Proposed Architecture for Network Configuration and Communication– Overlay network distributing XML messages between
devices
• Developed and deployed framework in network testbed
• Obtained Preliminary Results – Quantified overhead of JXTA protocol and XML
message parsing in publish subscribe network
Extensible Networking Platform 12 12 - IWAN 2005
Acknowledgments
• Research Group– Reconfigurable Network Group
http://arl.wustl.edu/projects/fpx/reconfig.htm