
This work is partially supported by Commission of Higher Education (CHE), UniNET, Thailand

Experiences in Deploying Machines Registration and Integrated Linux Firewall with Traffic Shaper for Large Campus Network. Kasom Koth-arsa 1, Surasak Sanguanpong 2, Pirawat Watanpongse 2, Surachai Chitpinityon 3, Chalermpol Chatampan 3





Presentation Transcript


  1. Experiences in Deploying Machines Registration and Integrated Linux Firewall with Traffic Shaper for Large Campus Network. Kasom Koth-arsa1, Surasak Sanguanpong2, Pirawat Watanpongse2, Surachai Chitpinityon3, Chalermpol Chatampan3. {Kasom.K, Surasak.S, Pirawat.W, Surachai.Ch, cpccpc}@ku.ac.th. 1Engineering Computer Center, Faculty of Engineering; 2Department of Computer Engineering, Faculty of Engineering; 3Office of Computer Services, Kasetsart University. APAN, Xi'an, Network Security, 29th August 2007. This work is partially supported by Commission of Higher Education (CHE), UniNET, Thailand.

  2. Kasetsart University
  • Established in 1943 A.D.
  • 7 campuses with ~43,000 students, ~9,600 academic and support staff

  3. Quick Facts
  Figure: NontriNet WAN diagram. Nodes shown: Internet, JGN, TIEN2, ThaiSARN, UniNet, Bangkhen, SakonNakhon, Supan Buri, SriRacha, Kampaengsaen. Link capacities labelled: 45 Mbps, 630 Mbps, 155 Mbps, 10 GigE, 1 Gbps, 1 Gbps (backup), 2 Mbps, 34 Mbps.
  • University Network - NontriNet
  • 41,992 MAC addresses (as of 2007/08/28)
  • 8,852 Clients (Personal, Wired)
  • 3,269 Clients (Service, Wired)
  • 29,342 Clients (Wireless)
  • 495 Servers
  • 34 misc. devices
  • Avg. In/Out Traffic: 550/490 Mbps

  4. Obstacles & Opportunities
  • Large number of hosts
  • Hard to keep track
  • Non-productive bandwidth usage
  • P2P file sharing
  • QoS issues
  • Security issues

  5. Special Requirements
  • Fully-integrated information database
  • Low cost
  • Customizable
  • Extensible
  • Scalable

  6. Our Designed Features
  • Web-based Machines Registration
  • Linux Firewall & Traffic Shaper extension

  7. SMART (Simple Machine Address Registration Tool)
  • Mandatory web-based machines registration
  • Registration Enforcement Agent: the Overlord
  • Centralized Database: the Command Center
  • Distributed Data Entry: the Interface

  8. SMART: Architecture Diagram
  Figure: a Target Subnetwork with an Overlord and an Observer, both talking to the Command-Center. Flows shown: Policies and Statistics between Overlord and Command-Center; Detection Rules and Detected Incident between Observer and Command-Center; Sniffed Packets into both Overlord and Observer; Injected Packets (TCP hijacking) from the Overlord into the target subnetwork.

  9. Command Center
  Figure: Command-Center block diagram. Components: Database (MAC, Policy, Detection Rules, Users, Logs, Statistics, Documents), Manager, Web Interface, Communicator. Actors: Administrators, Users, Overlords, Observers. Exchanged data: Policies and Statistics (with Overlords), Detection Rules and Detected Incident (with Observers), Network Anomaly.

  10. Overlord (TCP Hijack)
  Figure: Overlord block diagram inside the Target Subnetwork. Components: Communicator (Policies and Statistics exchanged with the Command Center), Table of MACs' Policy + Statistics, Policy Checker, Packet Sniffer (Sniffed Packets), Packet Injector (Injected Packets, TCP hijacking).

  11. Observer
  Figure: Observer block diagram inside the Target Subnetwork. Components: Communicator (Detection Rules from, Detected Incident to the Command Center), Table of Detection Rules, Pattern Matcher, Packet Sniffer (Sniffed Packets).

  12. Linux Firewall & Traffic Shaper Extension
  • Intelligent master controller
  • User-friendly configuration interface
  • Automatic egress SYN-flood/P2P blocking
  • Per-host traffic shaping

  13. Mechanism
  • Use a Linux server as a bridge
  • Traffic classification through iptables
  • Traffic control through tc
  • Use IPP2P and our in-house daemon to identify P2P traffic
  • Use our in-house daemon to detect some problematic network patterns

  14. Hardware
  • Dell PowerEdge 2900
  • Xeon 5160 dual core (3.0 GHz)
  • 1 GB of RAM
  • 160 GB SATA hard disk
  • 2 x Sun 10 Gigabit Ethernet Controller PCI Express card (SR module)

  15. Software
  • Linux 2.6.18-8.1.8.el5 (CentOS stock kernel) on CentOS 5 (64-bit)
  • bridge-utils
  • ebtables
  • iptables
  • IPP2P
  • Our in-house daemon for automatically adjusting the shaping/blocking policy

  16. Simplified Network Diagram
  Figure: nodes shown: Gateway Router (OSPF/BGP), Traffic Shaper/Firewall (Bridge), Core Router (OSPF), UniNet, NECTEC; links labelled 10 GigE and Gigabit Ethernet. Caption: a Gigabit Ethernet link serves as bypass/failover path for IPv4 and as the main connection for IPv6 and multicast IPv4.

  17. How we shape the traffic
  • Use iptables' 'MARK' target to mark the class of traffic on every packet
  • Hierarchical Token Bucket (HTB) as packet shaper
  • Stochastic Fairness Queuing (SFQ) as queuing algorithm

  18. Traffic Classification
  • Port-based
  • Content-based (L7), using IPP2P through iptables
  • Automatically adjust iptables rules using our daemon
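As an added example (not the authors' in-house daemon or their production rule set), the following POSIX shell script puts the mechanism of slides 13, 17 and 18 together end to end: a Linux bridge, iptables MARK rules in the mangle table (port-based rules plus the IPP2P content match), an HTB tree with one SFQ leaf per class selected by fwmark, and a time-of-day rule that opens or closes the P2P class in the way slide 23 describes. The interface names (eth0, eth1, br0), the class table with its marks and rates, and the 22:00-06:00 P2P window are constructed assumptions. With DRY_RUN=1 (the default) the commands are printed rather than executed, so the generated rule set can be reviewed without root; DRY_RUN=0 applies them.

```shell
#!/bin/sh
# Added example: bridge + iptables MARK + HTB/SFQ shaper, dry-run by default.
# eth0/eth1/br0, the class table and the P2P window are constructed assumptions.
DRY_RUN=${DRY_RUN:-1}

# Print the command under DRY_RUN=1, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Class table: name  fwmark  HTB minor id  guaranteed rate  ceiling.
CLASSES='
web    1 10 200mbit 800mbit
mail   2 20 50mbit  300mbit
p2p    3 30 10mbit  100mbit
other  4 40 100mbit 800mbit
'

# Transparent bridge between the upstream (eth0) and campus (eth1) ports.
# Bridged frames reach iptables only with bridge-nf enabled
# (net.bridge.bridge-nf-call-iptables=1, the default in the 2.6.18 bridge).
setup_bridge() {
    run brctl addbr br0
    run brctl addif br0 eth0
    run brctl addif br0 eth1
    run ip link set br0 up
}

# Classify forwarded packets: port-based rules first, then the IPP2P content
# match, then a catch-all mark for anything still unmarked.
mark_traffic() {
    run iptables -t mangle -F FORWARD
    run iptables -t mangle -A FORWARD -p tcp -m multiport --dports 80,443 -j MARK --set-mark 1
    run iptables -t mangle -A FORWARD -p tcp -m multiport --dports 25,110,143 -j MARK --set-mark 2
    run iptables -t mangle -A FORWARD -p tcp -m ipp2p --ipp2p -j MARK --set-mark 3
    run iptables -t mangle -A FORWARD -m mark --mark 0 -j MARK --set-mark 4
}

# HTB root per shaped port, one HTB class with an SFQ leaf per traffic class,
# and an fw filter that steers each packet by its iptables mark.
setup_htb() {
    dev=$1; root_rate=$2
    run tc qdisc del dev "$dev" root 2>/dev/null || true
    run tc qdisc add dev "$dev" root handle 1: htb default 40
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$root_rate"
    printf '%s\n' "$CLASSES" | while read -r name mark minor rate ceil; do
        [ -n "$name" ] || continue
        run tc class add dev "$dev" parent 1:1 classid "1:$minor" htb rate "$rate" ceil "$ceil"
        run tc qdisc add dev "$dev" parent "1:$minor" handle "$minor:" sfq perturb 10
        run tc filter add dev "$dev" parent 1: protocol ip handle "$mark" fw flowid "1:$minor"
    done
}

# Policy from slide 23 with a constructed window: P2P allowed 22:00-06:00 only.
# Takes the hour (00-23); the leading zero is stripped before comparing.
p2p_allowed_at() {
    h=${1#0}; h=${h:-0}
    if [ "$h" -ge 22 ] || [ "$h" -lt 6 ]; then echo allow; else echo deny; fi
}

# Outside the window drop P2P in the filter table; inside it remove the drop
# rule so the traffic falls through to the shaped (and capped) p2p class.
apply_p2p_policy() {
    if [ "$(p2p_allowed_at "$1")" = allow ]; then
        run iptables -D FORWARD -m ipp2p --ipp2p -j DROP 2>/dev/null || true
    else
        run iptables -I FORWARD -m ipp2p --ipp2p -j DROP
    fi
}

if [ "${1:-}" = apply ]; then
    setup_bridge
    mark_traffic
    setup_htb eth0 1gbit    # packets leaving towards upstream (campus egress)
    setup_htb eth1 1gbit    # packets leaving towards campus (campus ingress)
    apply_p2p_policy "$(date +%H)"
fi
```

Run as `sh shaper.sh apply` to print the full rule set, or `DRY_RUN=0 sh shaper.sh apply` as root to install it; re-running `apply_p2p_policy` from cron each hour is enough to switch the P2P class on and off. Because a bridge has two shaped ports, each direction gets its own HTB root, which is what allows separate incoming and outgoing policy as in the slide 19 and 20 reports.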

  19. Sample Reports - Bandwidth
  Figure: bandwidth graphs of Incoming Traffic and Outgoing Traffic, annotated "Stop Shaping" and "Restart Shaping". Shaping is turned off from Friday morning to Monday morning.

  20. Sample Reports - Packet
  Figure: packet-rate graphs of Incoming Traffic and Outgoing Traffic, annotated "Stop Shaping" and "Restart Shaping". Shaping is turned off from Friday morning to Monday morning.

  21. Sample Reports - SYN Flood Blocking
  Figure: Bandwidth and Packet graphs of Real Outgoing Traffic versus Attempted Outgoing Traffic. A host infected with an Internet worm sent a large number of SYN packets at 9:19.
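The daemon that produced the blocking shown in this report is described on slides 13 and 15 only as "in-house". As an added example that is not the authors' code, the POSIX shell/awk snippet below shows the kind of egress SYN-flood check such a daemon can run over sniffed tcpdump output: it counts pure SYN segments (Flags [S], not the SYN-ACK [S.]) per campus source address per minute, reports sources at or above a threshold, and emits the iptables rule that drops further outbound SYNs from that host at the bridge. The sample capture, the "10." campus prefix and the threshold of 20 SYNs per minute are constructed; only the tcpdump text format is real.

```shell
#!/bin/sh
# Added example: egress SYN-flood detector over tcpdump text output.
# The capture below is constructed; threshold and campus prefix are assumptions.
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Constructed capture: 25 SYNs within one minute from 10.0.5.17 (the "infected"
# host), two ordinary connection attempts from 10.0.5.18, and one SYN-ACK reply.
make_sample() {
    i=0
    while [ "$i" -lt 25 ]; do
        printf '09:19:%02d.000000 IP 10.0.5.17.%d > 203.0.113.9.80: Flags [S], seq 0, win 512, length 0\n' "$i" $((40000 + i))
        i=$((i + 1))
    done
    printf '09:19:03.000000 IP 10.0.5.18.51000 > 203.0.113.9.443: Flags [S], seq 0, win 65535, length 0\n'
    printf '09:19:03.100000 IP 203.0.113.9.443 > 10.0.5.18.51000: Flags [S.], seq 0, ack 1, win 65535, length 0\n'
    printf '09:19:04.000000 IP 10.0.5.18.51001 > 203.0.113.10.80: Flags [S], seq 0, win 65535, length 0\n'
}

# Usage: syn_flooders THRESHOLD PREFIX < capture
# Prints "HH:MM source count" for each local source (address starting with
# PREFIX) that sent at least THRESHOLD pure SYNs inside one minute.
syn_flooders() {
    awk -v thr="$1" -v pfx="$2" '
        /Flags \[S\],/ {
            minute = substr($1, 1, 5)
            src = $3; sub(/\.[0-9]+$/, "", src)              # drop the source port
            if (substr(src, 1, length(pfx)) == pfx) n[minute " " src]++
        }
        END { for (k in n) if (n[k] >= thr) print k, n[k] }
    ' | sort
}

# Reaction: stop further outbound SYNs from the offending host at the bridge.
block_egress_syn() {
    run iptables -I FORWARD -s "$1" -p tcp --syn -j DROP
}

# For live use the capture would come from the campus-side port, e.g.
#   tcpdump -l -n -i eth1 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
# Here the constructed capture stands in for it.
if [ "${1:-}" = demo ]; then
    make_sample | syn_flooders 20 "10." | while read -r minute src count; do
        echo "$minute: $src sent $count SYNs, blocking"
        block_egress_syn "$src"
    done
fi
```

`sh synflood.sh demo` prints one line for 10.0.5.17 and the DROP rule for it; 10.0.5.18, with two SYNs, stays under the threshold. Keying the count on the minute keeps a host that opens many connections over a long period from being mistaken for a worm, and matching only [S] ignores the SYN-ACKs that normal servers send.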

  22. Sample Reports - Shaping by Classes
  Figure: per-class traffic graph. Traffic shaping was turned off from 21:21 to 21:53.

  23. Sample Reports - Shaping by Classes
  Figure: per-class traffic graph, annotated "P2P allowed at night" and "No P2P allowed". P2P traffic is allowed only at night.

  24. Misc. reports
  • Detected hosts
  • Last seen IP matrix
  • Number of last seen hosts

  25. Conclusions
  • Complete control of unregistered machines
  • Prevents unauthorized/unregistered network usage
  • Automatic cooperation between registration and firewall/traffic shaping
  • Complete control of P2P traffic under the desired policy (class, usage period, bandwidth, etc.)
  • Prevents our machines from becoming a source of SYN-flood attacks

  26. Conclusions (cont.)
  • Frees up NOC officers' time
  • Real-world, low-cost, high-efficiency implementation (currently online)

  27. References
  • The Official BitTorrent Home Page, http://www.bittorrent.org/
  • Kazaa, http://www.kazaa.com/
  • Netfilter/iptables project homepage, http://www.netfilter.org/
  • Official IPP2P homepage, http://www.ipp2p.org/
  • HTB home, http://luxik.cdi.cz/~devik/qos/htb/
  • SFQ queuing discipline, http://www.opalsoft.net/qos/DS-25.htm

  28. Questions?

  29. Thank you
