1 / 37

The Design and Implementation of a Secure Content Switch

The Design and Implementation of a Secure Content Switch. Master Thesis Presentation Ganesh Kumar Godavari Department of Computer Science Univ. of Colorado at Colorado Springs. Outline of the Talk. Content Switch and Overview of SSL Related Literature

dalia
Download Presentation

The Design and Implementation of a Secure Content Switch

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Design and Implementation of a Secure Content Switch Master Thesis Presentation Ganesh Kumar Godavari Department of Computer Science Univ. of Colorado at Colorado Springs Secure Content Switch/godavari

  2. Outline of the Talk • Content Switch and Overview of SSL • Related Literature • Design of Secure Content Switch (SCS) • Performance of SCS implementation • Lessons Learned and Future Directions • Conclusion Secure Content Switch/godavari

  3. Content Switch (CS) server1 home.htm ContentSwitch server2 client • Route packets based on high layer (Layer 5/7) headers and content. • Examples: • Direct Web traffic based on pattern of URLs, host tags, cookies. • Can Route incoming email based on email address;Connect POP/IMAP based on login • Web switches and Intel XML Director/accelerator are special cases of content switch. . . uccs.jpg Index.htm . rocky.mid server9 Secure Content Switch/godavari

  4. What Services It Can Provide • Enabling premium services for e-commerce, ISP, and Web hosting providers • Load Balancing and High Available Server Clusters: Web, E-commerce, Email, Computing, File, SAN • Policy-based networking, differential/QoS services. • Firewall, Strengthening DoS protection, cache/firewall load-balancing • ‘Flash-crowd' management • Email Spam Protection, Virus Detection/Removal Secure Content Switch/godavari

  5. About SSL • Secure Sockets Layer (SSL) protocol • developed by Netscape Communications to ensure private and authenticated communications • put into the public domain for the Internet community Secure Content Switch/godavari

  6. OpenSSL • OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. • Open Source toolkit implementing the Secure Socket Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library • Important Libraries • SSL • The OpenSSL ssl library implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols • Crypto • The OpenSSL crypto library implements a wide range of cryptographic algorithms used in various Internet standards. The services provided by this library are used by the OpenSSL implementations of SSL, TLS, and they have also been used to implement SSH, OpenPGP, and other cryptographic standards Secure Content Switch/godavari

  7. Command Interface • The Openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. It can be used for • Creation of RSA, DH and DSA key parameters • Creation of X.509 certificates, and Certificate Revocation List (CRL) • Calculation of Message Digests o Encryption and Decryption with Ciphers • SSL/TLS Client and Server Tests • Handling of S/MIME signed or encrypted mail Secure Content Switch/godavari

  8. Secure Content Switch(SCS) • Secure content switch is a transparent proxy that can translate between encrypted and unencrypted data transport on socket connections. • Need for secure network access and high performance • e-commerce transactions require security • Need high performance for better Quality of Service Solution: just plug in SCS between client and the server and thereby add Secure Socket Layer (SSL) support. Secure Content Switch/godavari

  9. Goal & Design of Secure Content Switch • In addition to the above, we need to be able to route requests based on content to a set of backend real servers. Design Considerations • Our real Servers can be located at different places • Efficiency must not be ruined • Easy to understand/write content switching rules. • Dynamic rule update • Session Reusability Secure Content Switch/godavari

  10. Related Literature • [1]George Apostolopoulos, David Aubespin, Vinod Peris, Prashant Pradhan, Debanjan Saha, “ Design, Implementation and Performance of a Content-Based Switch”, Proc. Infocom2000, Tel Aviv, March 26 - 30, 2000, http://www.ieee-infocom.org/2000/papers/440.ps • [2] Gregory Yerxa and James Hutchinson, “Web Content Switching” , http://www.networkcomputing.com. • [3] “Release Notes for Cisco Content Engine Software”. http://www.cisco.com”. • [4] “Foundry ServIron Installation and Configuration Guide,” May 2000.r http://www.foundrynetworks.com/techdocs/SI/index.html • [5] “Intel IXA API SDK 4.0 for Intel PA 100,” http://www.intel.com/design/network/products/software/ixapi.htm and http://www.intel.com/design/ixa/whitepapers/ixa.htm#IXA_SDK Secure Content Switch/godavari

  11. Design of Secure Content Switch Secure Content Switch/godavari

  12. Advantages of Secure Content Switch • Preferential Treatment • Secure Content Switch has been developed to handle secure Content based routing of Requests. • e.g. high purchase requests can be routed to the fast real server • Security • The Secure Content Switch establishes the secure connection if the Server doesn't support HTTPS Secure Content Switch/godavari

  13. Architecture of Secure Content Switch • The web browser makes a request to the secure content switch. • The dispatcher module in the secure content switch forwards the request to the secure content switch child module. In the dynamic forking version of SCS the dispatcher module forks a child process. In Preforking version of SCS the dispatcher module forwards request to a free child. • The secure content switch child module performs the handshake with the client and reads in the request. • The secure content switch child module then sends the request to the Rule module, which performs rule matching and returns the name of the server by which the request can be served. • The secure content switch child forwards the request to the real server based on the routing decision Secure Content Switch/godavari

  14. Dynamic Forking Secure Content Switch Request From Web Browser to the SCS Dispatcher module fork () Secure Content Switch Child module Negotiate SSL Session No Existing SSL Session SSL Request Yes Decrypt Object Using SSL Session Information Yes Encrypt the Object Per Session Information and Send it over HTTPS to the Web Browser Send Object Information To Rule Matching Module Retrieve Server Information Rule Matching Module Retrieve Object From the Server Using Standard HTTP Secure Content Switch/godavari

  15. Request From Web Browser to the SCS Prefork Secure Content Switch Dispatcher module assign assign assign Negotiate SSL Session Secure Content Switch Child Process 1 Secure Content Switch Child Process 2 Secure Content Switch Child Process n No SSL Request Existing SSL Session Yes Yes Decrypt Object Using SSL Session Information Encrypt the Object Per Session Information and Send it over HTTPS to the Web Browser Retrieve Object From the Server Using Standard HTTP Retrieve Server Information Rule Matching Module Send Object Information To Rule Matching Module Secure Content Switch/godavari

  16. E-Commerce Example: 1. Client Client submits via HTTP/Post (or SOAP) the following purchase in XML: <purchase> <customerName>CCL</customerName> <customerID>111222333</customerID> <item><productID>309121544</productID> <productName>IBM Thinkpad T21</productName> <unitPrice>5000</unitPrice> <noOfUnits>10</noOfUnits> <subTotal>50000</subTotal> </item> <item><productID>309121538</productID> <productName>Intel wireless LAN PC Card</productName> <unitPrice>200</unitPrice> <noOfUnits>10</noOfUnits> <subTotal>2000</subTotal> </item> <totalAmount>52000</totalAmount> </purchase> Secure Content Switch/godavari

  17. E-Commerce Example: 2. Content Switch • Content switch receives the packet. • Recognize it is a http post request from http request line POST /purchase.cgi HTTP/1.1 • Recognize it is an XML document from the meta headercontent-type: TEXT/XML • Parsing XML content • Extract values of tag sequences: 52000 purchase/totalAmount CCL purchase/customerName • Rule 1 is matched and packet is routed to one of highSpeedServers.Rule 1: if (xml.purchase/totalAmount > 5000) routeTo(highSpeedServers);Rule 2: if (xml.purchase/customerName == CCL) routeTo(specialCustomerServers); Secure Content Switch/godavari

  18. Java-based Rule Editor • Detect conflicts in content switch rule set • Convert rules into LCS rule module. Secure Content Switch/godavari

  19. Design of Rule Module Server • How can I update rules Dynamically ? • Make rule matching part as an separate process Design considerations • will the rule module run locally on the machine as the SCS is running? • cannot say depends on the user • what is going to be the impact on performance ? • need to study once in detail !! Current Design • Rule module can run as a separate process on the same/different machine. • Rule module is an iterative server1 because we found that encryption and decryption are the bottlenecks not rule matching (from the previous results) Updating Rule Module • Shutdown the rule module, compile the rule module with new rule set and start up the rule module 1 an iterative server is one that can server one request at a time. Secure Content Switch/godavari

  20. Rule Server Module Establish Connection with Rule Server Module Send Url, Src portno, Src IP, HTTP Headers, Data (if any) to the Rule Module Yes Secure Content Switch Child Process No IS (Method == Post) Establish Connection with Default Rule Server Module No Yes Yes IS (content type == x-www-form-urlencoded) No Perform rule matching and send back the Real Server Name, Address and Port # on which Real Server is listening Yes Decrypt the data And populate the rules with values (if any) Secure Content Switch/godavari

  21. Test bed Secure Content Switch/godavari

  22. Configuration of machines used in testbed Secure Content Switch/godavari

  23. SSL Processing Overhead • Average SSL req./sec is 14.7 • Average HTTP req./sec is 180 dilbert.uccs.edu eca.uccs.edu Secure Content Switch/godavari

  24. Dynamic vs. Preforking SCS • The performance of the Pre-forking SCS is better than Dynamic Forking SCS eca.uccs.edu dilbert.uccs.edu oblib.uccs.edu frodo.uccs.edu Secure Content Switch/godavari

  25. Dynamic vs. Preforking SCS • The performance of the Dynamic forking SCS is better than Pre-forked SCS • Reason ? • What is the advantage of using cluster ? eca.uccs.edu dilbert.uccs.edu calvin.uccs.edu frodo.uccs.edu Secure Content Switch/godavari

  26. Performance of Prefork SCS on varying Startup Children • Startup children => no of child Processes spawned ahead of time • It is Suggested always to keep the Startup Children Small if you don’t expect heavy traffic • Having about 25 pre spawned children is better if the traffic load is heavy eca.uccs.edu dilbert.uccs.edu calvin.uccs.edu frodo.uccs.edu Secure Content Switch/godavari

  27. Impact of Rules on theperformance of Dynamic SCS • Clearly there is no impact of rules on the the performance of Dynamic Forking Secure Content Switch eca.uccs.edu dilbert.uccs.edu calvin.uccs.edu frodo.uccs.edu Secure Content Switch/godavari

  28. Impact of Rules on theperformance of Dynamic Non-SCS • Clearly there is some impact of Rules on the the Performance of Dynamic Forking Non-Secure content Switch • the smaller the rule set, better the performance • No heavy impact of the performance of the Secure content Switch with increase in the number of rules Secure Content Switch/godavari

  29. Impact of Real Servers on thePerformance of Dynamic SCS • Clearly there is no impact of Real Server on the the Performance of Dynamic Forking Secure content Switch • Is Secure Content Switch the bottleneck ?? calvin.uccs.edu eca.uccs.edu dilbert.uccs.edu frodo.uccs.edu Secure Content Switch/godavari

  30. Impact of Real Servers on thePerformance of Dynamic Non-SCS • Performance is not directly proportional to # of Real Servers !! • Clearly there is impact of Real Server on the the Performance of Dynamic Forking Non-SSL Secure content Switch • Performance was found to degrade when there is only one real server Secure Content Switch/godavari

  31. Performance of SCS in Local Node situation Local Node => Web Server runs on the Content Switch machine, therefore the content Switch can serve the requests by routing requests internally calvin.uccs.edu • No major gains if the real server runs locally or remotely dilbert.uccs.edu Apache Web Server Secure Content Switch/godavari

  32. Lessons Learned: Conflicts among Different Servers on Same Machine While measuring results using web bench for local node situation for Pre-fork Non-secure content switch The apache is running on port 8000, SCS on 80. After serving a few requests SCS stopped serving Requests. I stopped Apache web server, SCS started Serving Requests again. I started the Apache Web server, after serving a few requests SCS stopped serving Requests. This process is continuing Probable conflict on who to serve the request is ruled out, as a request send to Secure Content Switch /APACHE is being handled perfectly well Secure Content Switch/godavari

  33. Local vs. Remote Rule Module • Pre-fork SCS Overtakes Dynamic forking SCS • Dynamic forking SCS Performance was degraded by 100% Rule module walrus.uccs.edu eca.uccs.edu dilbert.uccs.edu frodo.uccs.edu Rule module Secure Content Switch/godavari calvin.uccs.edu

  34. Future Directions • Reducing bottleneck of SSL encryption / decryption by having Parallel Processing we need to maintain state across machine • using cookies • have server id parameter as a part of handshake (OpenSSL – 0.7 may have this feature) • caching of web pages • Tough to achieve in case of dynamic pages. • Modify the Apache web server to include preferred treatment and do fair comparision • have packet rewrite techniques. Secure Content Switch/godavari

  35. Conclusion • Preforking Secure Content Switch • encryption and decryption are the major bottleneck • no major gains if processor speed is increased. • no major benefit if the number of real server or increased • no major benefit if the number of the rules are increased • Dynamic forking Secure Content Switch • encryption and decryption are the major bottleneck • major gains if processor speed is increased. • no major benefit if the number of real server or increased • some impact if the number of the rules are increased • Preforking version of SCS is better than Dynamic forking version of SCS Secure Content Switch/godavari

  36. References [1] OpenSSL: The Open Source toolkit for SSL/TLS (http://www.openssl.org) [2] SSL and TLS, by Eric Rescorla [3] SSL and TLS Essentials, by Stephen Thomas [4] mod_ssl: The Apache Interface to OpenSSL (http://www.modssl.org) [5] HTTP Over TLS ftp://ftp.ietf.org/internet-drafts/draft-ietf-tls-https-02.txt The specification on how to run HTTP over SSL/TLS  [6] Tunneling TCP based protocols through Web proxy servers http://www.www.alternic.org/drafts/drafts-l-m/draft-luotonen-web-proxy-tunneling-01.txt The specification for the HTTP CONNECT method [7] Analysis of SSL 3.0 Protocol http://www.counterpane.com/ssl.html D. Wagner and B. Schneier's USENIX analysis of SSLv3 [8] HyperText Transfer Protocol (HTTP), Version 1.1 (Internet Draft) http://www.w3.org/Protocols/HTTP/1.1/draft-ietf-http-v11-spec-rev-06.txt The application layer protocol Apache+mod_ssl uses over SSL/TLS [9] HyperText Transfer Protocol (HTTP), Version 1.0 (RFC 1945) http://www.ietf.org/rfc/rfc1945.txt The application layer protocol Apache + mod_ssl uses over SSL/TLS Secure Content Switch/godavari

  37. References [10] Intel® IXA (Internet Exchange Architecture), http://developer.intel.com/design/ixa/index.htm [11] WindRiver Tornado Development Tools, http://www.windriver.com/products/html/tornado2.html [12] Tornado User’s Guide (Windows Version) 2.0 [13] WindRiver VxWorks, http://www.windriver.com/products/html/vxwks54.html Intel®, IXP-1200, IXP-12EB is the registered Trademarks of Intel Corporation Tornado, VxWorks is the registered Trademarks of Wind River Systems, Inc Linux, Apache, Openssl protected under the GNU General Public License Secure Content Switch/godavari

More Related