
The Aerospace Clinic 2002

This project evaluates and implements the Tunnel specification as a BEEP profile in two programming languages, C and Java. Tunnel lets authorized BEEP traffic (here, IDXP intrusion-detection messages) pass through firewalls over a short-lived, mutually authenticated proxy connection.





Presentation Transcript


  1. The Aerospace Clinic 2002
  Team Members: Nick Hertl (Project Manager), Will Berriel, Richard Fujiyama, Chip Bradford
  Faculty Advisor: Professor Michael Erlinger
  Aerospace Liaisons: Joseph Betser, PhD; Rayford Sims

  2. Overview
  • Background Information
  • Tunnel
  • Technical Approach
  • Completed Work
  • Tunnel Demo
  • Future Work
  • Questions

  3. Background
  • TCP/IP
  • Network Security
  • Firewalls
  • BEEP
  • IDXP

  4. TCP/IP
  • The main protocols used on the Internet
  • TCP provides reliable, full-duplex, peer-to-peer byte streams
  • Most current application protocols use it directly: HTTP (web), SMTP (email), etc.
  • Multiple simultaneous connections to the same machine are distinguished by port numbers

  5. Today’s Internet

  6. Network Security
  • Only authorized users should be able to access private networks
  • Some data and services should only be available internally
  • Most corporations use firewalls to restrict access to network resources

  7. Firewalls
  • A set of rules that restricts network traffic
  • Can filter by any combination of source IP, destination IP, port and protocol
  • Rule sets are usually static

  8. Today’s Internet with Firewalls

  9. BEEP
  • Blocks Extensible Exchange Protocol
  • A general framework for the rapid creation of application-level protocols
  • Provides message framing plus many common services, packaged as profiles
  • The application picks the profiles it needs: security services (TLS, SASL) or an application protocol (HTTP, IDXP)
  • Requires an underlying transport protocol, in practice TCP

  10. Tomorrow’s Internet with BEEP

  11. IDXP
  • Intrusion Detection eXchange Protocol
  • Standard transport for intrusion-detection messages (IDMEF)
  • Defined as a BEEP profile
  • The firewall must not block authorized messages

  12. The Internet with Tunnel

  13. Tunnel • Our focus is Tunnel for IDXP messages

  14. Tunnel
  • Uses XML messages to establish a tunnel:
  <tunnel fqdn="host1.example.com" port="10289"> <tunnel /> </tunnel>
  • Parsed at every hop: the outermost element names the next host to connect to, and the bare innermost <tunnel /> marks the final endpoint. Each proxy strips one layer and forwards the rest.

  15. Tunnel
  • Characteristics
  • Pokes a "controlled", short-lived hole in the firewall
  • Mutual authentication of client and server
  • Security at the application level
  • Differs from
  • SSH, whose host keys are typically accepted unverified, so in practice only the client is authenticated
  • VPNs, which are long lived
  • IPSec, which requires OS modification

  16. Problem Statement • Evaluate and implement the Tunnel specification as a BEEP profile in at least two programming languages.

  17. Deliverables
  • Evaluation of the Tunnel specification
  • Will this work?
  • What needs more clarification?
  • Tunnel implementation in C and Java
  • Fully documented code tree for both languages
  • Sample client, server and proxy applications

  18. Completed Work
  • Evaluated the Tunnel specification
  • Chose BEEP implementations
  • Implemented
  • Host-to-host tunnel
  • Single-firewall tunnel
  • Some interoperability testing

  19. Fall Schedule

  20. Tunnel Evaluation
  • No standard way to extend the DTD
  • Previously no IPv6 support in the DTD
  • Possibility of loops with misconfigured servers
  • No way to specify a time-to-live when using a dynamic route, i.e. connecting to a service rather than a named host

  21. BEEP Implementations
  • Java
  • PermaBEEP 0.8 (better API)
  • beepcore-java 0.9.07 (TLS support)
  • C
  • Roadrunner 0.9 (more fully implemented)
  • beepcore-C 0.2 (abandoned)

  22. Host to Host Tunnel • Profile and application can successfully open a tunnel to a host with no firewall in between.

  23. Single Firewall Tunnel

  24-32. Tunnel: message sequence between host1.example.com, proxy.example.com and host2.example.com (built up one step per slide)
  • host1 → proxy: transport connect (TCP)
  • host1 and proxy exchange BEEP greetings; the proxy advertises its services (Tunnel, maybe others)
  • host1 → proxy: start Tunnel with <tunnel fqdn="host2.example.com" port="10288"> <tunnel /> </tunnel>
  • proxy → host2: transport connect (TCP)
  • proxy and host2 exchange BEEP greetings; host2 advertises its services (Tunnel, maybe others)
  • proxy → host2: start Tunnel with <tunnel /> (the outer element has been stripped)
  • host2 → proxy: <ok />
  • proxy → host1: <ok />; the proxy now transparently forwards messages in both directions
  • host1 and host2 exchange BEEP greetings and advertise services over the tunnel; the proxy is now invisible
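The exchange above, the nested element from slide 14 and the loop concern from slide 20, worked through as an added Python model. This is illustration written for this page, not the clinic's C or Java code; the hostnames and port follow the slides, while MAX_HOPS, the self-referencing-hop check and the BEEP-style reply codes are assumptions made for the demo.

```python
"""Model of the Tunnel profile exchange shown on the slides.

Added illustration, not the clinic's code. The outermost <tunnel> element
names the next hop; the bare innermost <tunnel /> marks the final endpoint.
Each proxy peels one layer, connects onward and forwards the remainder.
MAX_HOPS, the loop check and the reply codes are assumptions for the demo.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from xml.sax.saxutils import quoteattr

MAX_HOPS = 8  # assumed cap: slide 20 notes the DTD has no time-to-live


@dataclass(frozen=True)
class Hop:
    fqdn: str
    port: int


def parse_tunnel(xml_text: str) -> List[Hop]:
    """Validate a nested <tunnel> element; return its hops, outermost first."""
    node = ET.fromstring(xml_text)
    hops: List[Hop] = []
    while True:
        if node.tag != "tunnel":
            raise ValueError(f"unexpected element <{node.tag}>")
        children = list(node)
        if not children:  # bare <tunnel />: the receiver is the endpoint
            if node.attrib:
                raise ValueError("innermost <tunnel /> must carry no attributes")
            return hops
        if len(children) != 1:
            raise ValueError("each <tunnel> hop must contain exactly one element")
        if "fqdn" not in node.attrib or "port" not in node.attrib:
            raise ValueError("intermediate hop needs both fqdn and port")
        port = int(node.attrib["port"])
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {port}")
        hops.append(Hop(node.attrib["fqdn"], port))
        if len(hops) > MAX_HOPS:  # bound the work a proxy will do per request
            raise ValueError("nesting exceeds MAX_HOPS (possible routing loop)")
        node = children[0]


def is_valid(xml_text: str) -> bool:
    """True if parse_tunnel accepts the element; malformed XML counts as invalid."""
    try:
        parse_tunnel(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


def build_tunnel(hops: List[Hop]) -> str:
    """Inverse of parse_tunnel: the element the initiator sends to its first hop."""
    xml_text = "<tunnel />"
    for hop in reversed(hops):
        xml_text = f'<tunnel fqdn={quoteattr(hop.fqdn)} port="{hop.port}">{xml_text}</tunnel>'
    return xml_text


def peel(xml_text: str) -> Tuple[Optional[Hop], str]:
    """Strip the outer layer; (None, ...) means the receiver is the endpoint."""
    hops = parse_tunnel(xml_text)
    if not hops:
        return None, xml_text
    inner = list(ET.fromstring(xml_text))[0]
    inner.tail = None  # drop whitespace that sat between the closing tags
    return hops[0], ET.tostring(inner, encoding="unicode")


@dataclass
class Node:
    """A BEEP peer: the endpoint host2, or a proxy sitting on a firewall."""
    fqdn: str
    port: int
    network: Dict[Tuple[str, int], "Node"] = field(repr=False)  # stands in for TCP
    trace: List[str] = field(default_factory=list, repr=False)

    def start_tunnel(self, xml_text: str) -> str:
        """Handle a 'start Tunnel' request; returns a BEEP-style <ok /> or <error>."""
        try:
            hop, remainder = peel(xml_text)
        except (ValueError, ET.ParseError) as exc:
            return f'<error code="501">{exc}</error>'  # 501: syntax error in parameters
        if hop is None:
            self.trace.append(f"{self.fqdn}: final endpoint, accept")
            return "<ok />"
        if (hop.fqdn, hop.port) == (self.fqdn, self.port):  # trivial loop (assumed check)
            return '<error code="550">next hop is this proxy</error>'
        peer = self.network.get((hop.fqdn, hop.port))
        if peer is None:
            return f'<error code="550">cannot reach {hop.fqdn}:{hop.port}</error>'
        self.trace.append(f"{self.fqdn}: TCP connect {hop.fqdn}:{hop.port}, BEEP greeting, start Tunnel {remainder}")
        reply = peer.start_tunnel(remainder)
        if reply == "<ok />":
            self.trace.append(f"{self.fqdn}: <ok /> from {hop.fqdn}, forwarding transparently")
        return reply


def run_exchange() -> Tuple[str, List[str]]:
    """Slides 24-32: host1 reaches host2 through proxy.example.com, one firewall between."""
    network: Dict[Tuple[str, int], Node] = {}
    trace: List[str] = []
    for fqdn in ("proxy.example.com", "host2.example.com"):
        network[(fqdn, 10288)] = Node(fqdn, 10288, network, trace)
    request = build_tunnel([Hop("host2.example.com", 10288)])
    trace.append(f"host1.example.com: TCP connect proxy.example.com:10288, BEEP greeting, start Tunnel {request}")
    reply = network[("proxy.example.com", 10288)].start_tunnel(request)
    return reply, trace
```

Running `run_exchange()` yields `<ok />` and a four-line trace matching the slide sequence. The depth cap only bounds explicitly nested routes; the loop the evaluation worries about arises with dynamic, service-based routes, which the slides' DTD has no time-to-live for and which this model does not include.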

  33. Future Work
  • Firewall daemon (enforce security policy)
  • Multi-firewall support
  • More interoperability testing between the C and Java implementations
  • Bug squashing
  • Final report

  34. Spring Schedule

  35. Questions?
