Extensible Network Configuration and Communication Framework

Todd Sproull and John Lockwood, {todd,lockwood}@arl.wustl.edu
7th International Working Conference on Active and Programmable Networks (IWAN), November 2005
http://www.arl.wustl.edu/arl/projects/fpx/

Page 1

Extensible Networking Platform - IWAN 2005

Extensible Network Configuration and Communication Framework

Todd Sproull and John Lockwood, {todd,lockwood}@arl.wustl.edu

7th International Working Conference on Active and Programmable Networks (IWAN)

November 2005

http://www.arl.wustl.edu/arl/projects/fpx/

Page 2

Overview

• Background
  – Project motivation

• Extensible Network Configuration Architecture

• Experimental Results
  – Initial results using the Emulab testbed

• Conclusions

Page 3

Background

• Administrators are currently overwhelmed securing networks

[Figure: a network containing a Wireless Router, Traffic Shaper, Intrusion Prevention System (IPS), NAT / Firewall and Intrusion Detection System (IDS)]

• Security devices in the network help combat the problem
  – Intrusion Detection or Prevention Systems (IDS or IPS)
  – Packet shapers
  – Firewalls

• The overhead associated with managing these devices is fairly high
  – They require manual configuration
  – They lack interoperability with other security devices

Page 4

Problem Statement

• Objective
  – Develop a generic infrastructure for the management of security devices

• Challenges
  – Need an abstraction for communication between heterogeneous security devices
  – Need to provide interfaces to configure key components of a security device
    • Example: ability to update rules on each firewall supported in the overlay

• Proposed Solution
  – Deploy an overlay network of security devices
  – Allow nodes to communicate through eXtensible Markup Language (XML)
  – Create generic abstractions of a device that are advertised to peers
    • Example: “Advertisement: I provide firewall capabilities”

Page 5

Description of Framework

• Create an overlay network of security devices

• Devices subscribe to events of interest
  – Administrative updates
  – Virus signatures
  – Malicious IP flows to rate limit

• Administrator joins the overlay to issue updates
  – Messages sent to each peer or to a single group

• Nodes communicate with each other through services

• Nodes discover services in each group

• Nodes create and join groups of interest
  – Administrative
  – Firewall
  – Anomaly Detection

• Overlay software interfaces directly with applications executing on the node
  – Modifying configuration files
  – Restarting processes

[Figure: overlay of security devices: Wireless Router, Traffic Shaper, Intrusion Prevention System (IPS), NAT / Firewall, Intrusion Detection System (IDS)]

Page 6

Implementation

• Overlay network built using the JXTA API
  – Provides an open infrastructure to create Peer-to-Peer (P2P) networks

• Protocols built into JXTA include
  – Peer Discovery
    • Discover peers, groups, and services in the overlay
  – Endpoint Routing
    • Provides route information to peers, simplifying communication behind firewalls and NAT
  – Pipe Binding
    • Creates communication channels for sending and receiving XML messages

• Supports various programming languages
  – Java (J2SE)
  – C
  – Mobile Java (J2ME)
  – Ruby

Page 7

Example Security Nodes

• Current research explores three hardware platforms

Wireless Router (200MHz MIPS)
  – Intrusion Detection or Prevention: Snort with limited ruleset
  – Quality of Service: Linksys QoS Support
  – Anomaly or Event Detection: None

Workstation (Pentium M Embedded Processor)
  – Intrusion Detection or Prevention: Snort or Bro
  – Quality of Service: Hierarchical Token Buckets (HTB)
  – Anomaly or Event Detection: SPADE

Extensible Switch (FPX with FPGA Hardware)
  – Intrusion Detection or Prevention: FPGA Snort Lite
  – Quality of Service: FPGA Queue Manager
  – Anomaly or Event Detection: FPGA Worm Detector

Page 8

Experimental Setup

• Testbed experiment evaluates the overhead of processing and routing XML messages in JXTA
  – XML Publish/Subscribe
  – JXTA pipe creation
  – JXTA message notification

• Traffic Generator sends XML messages to the Publisher

• Publisher parses XML messages and forwards each message to clients based on their individual service subscriptions

• Experiment created in the Emulab testbed
  – 2GHz Pentium 4 nodes
  – 100Mbit/sec Ethernet links

[Figure: testbed topology with an XML Traffic Generator, the Publisher, and Subscribers across Network A and Network B]
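The publisher's parse-and-forward step from this experimental setup, together with the group and service subscriptions from the framework description, as an added Python model that is not the paper's JXTA code. The `<event group=... service=...>` message format, the group names used as attribute values, the peer names and the 4096-byte bound are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Groups of interest named on the slides; messages for any other group are rejected.
KNOWN_GROUPS = {"Administrative", "Firewall", "AnomalyDetection"}
MAX_MESSAGE_BYTES = 4096  # bound chosen for this example, not a value from the paper

class Publisher:
    def __init__(self):
        self.subs = defaultdict(lambda: defaultdict(set))  # group -> service -> peers
        self.delivered = defaultdict(list)  # peer -> [(service, payload), ...]
        self.rejected = 0

    def subscribe(self, peer, group, service):
        if group not in KNOWN_GROUPS:
            raise ValueError(f"unknown group: {group!r}")
        self.subs[group][service].add(peer)

    def publish(self, raw_xml):
        # Size bound and no "<!" (DTD/entity declarations) before parsing: no entity expansion.
        ok = len(raw_xml) <= MAX_MESSAGE_BYTES and "<!" not in raw_xml
        try:
            root = ET.fromstring(raw_xml) if ok else None
        except ET.ParseError:
            root = None
        if root is None or root.tag != "event" or root.get("group") not in KNOWN_GROUPS or not root.get("service"):
            self.rejected += 1
            return set()
        service = root.get("service")
        targets = set(self.subs[root.get("group")].get(service, ()))  # matching subscribers only
        for peer in targets:
            self.delivered[peer].append((service, (root.text or "").strip()))
        return targets

# Constructed sample traffic (not from the paper); the last two are deliberately bad.
SAMPLE_MESSAGES = [
    '<event group="Firewall" service="RuleUpdate">block 203.0.113.7/32</event>',
    '<event group="AnomalyDetection" service="RateLimit">10.0.0.0/24 500kbps</event>',
    '<event group="Administrative" service="VirusSignature">sig-0001</event>',
    '<event group="Bogus" service="RuleUpdate">ignored</event>',
    '<event group="Firewall" service="RuleUpdate">unterminated',
]

def run_demo():
    pub = Publisher()
    pub.subscribe("nat-fw", "Firewall", "RuleUpdate")
    pub.subscribe("ids", "Firewall", "RuleUpdate")
    pub.subscribe("shaper", "AnomalyDetection", "RateLimit")
    routes = [sorted(pub.publish(m)) for m in SAMPLE_MESSAGES]
    return routes, pub.rejected, dict(pub.delivered)
```

A message for a known group with no subscribers (the Administrative one) is parsed and simply reaches nobody, while an unknown group or malformed XML counts as rejected; a real publisher would also authenticate the administrator before accepting updates, which this model omits.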

Page 9

Experimental Results

• Experiments performed measure packet loss as packets per second (pps) increase
  – XML Traffic Generator increases pps to the Publisher
  – Publisher forwards relevant messages to a single subscriber
    • All messages are forwarded in this experiment
  – Loss represents packets not received by the subscriber

• The relatively low performance is due to the overhead of JXTA creating an “output pipe” for each connection
  – The overhead is approximately 40ms per connection

• Potential optimizations
  – Creating the output pipe once per node, assuming the peer is available
  – Utilizing JXTA sockets instead of JXTA pipes

[Figure: Packet Loss % (0% to 100%) versus Packets per Second (0 to 700)]

Page 10

Future Work

• Evaluate security functions of the overlay
  – Example: benchmark the nodes' ability to update firewall rules in the presence of an attack

• Deploy all three platforms in one testbed environment
  – Utilize Open Network Labs
    • Testbed for developing high performance network applications
  – Investigate hardware plug-ins

Page 11

Conclusions

• Proposed architecture for network configuration and communication
  – Overlay network distributing XML messages between devices

• Developed and deployed the framework in a network testbed

• Obtained preliminary results
  – Quantified the overhead of the JXTA protocol and XML message parsing in a publish/subscribe network

Page 12

Acknowledgments

• Research Group
  – Reconfigurable Network Group
    http://arl.wustl.edu/projects/fpx/reconfig.htm