A Secure SOHO/Home Gateway supporting Internet Phone and Services (SGIPS) Preliminary Design Review (PDR). JUNE, 2000 ISMP Lab. & AMIT Inc. Agenda. Applying Light-Weight CMMI Models. Reporter :. Light-Weight CMMI Models. Business objectives Reliable system which is practical
A Secure SOHO/Home Gateway supporting Internet Phone and Services (SGIPS) Preliminary Design Review (PDR) JUNE, 2000 ISMP Lab. & AMIT Inc.
Applying Light-Weight CMMI Models Reporter:
Light-Weight CMMI Models • Business objectives • Reliable system which is practical • Knowledge management • Cost and schedule control • System integration • Technology innovation
Continuous Organization of PAs • Category: Process Management (1) • Organizational Process Focus (OPF) (L3) • Organizational Process Definition (OPD) (L3) • Organizational Training (OT) (L3) • Organizational Process Performance (OPP) (L4) • Organizational Innovation and Deployment (OID) (L5) • Category: Project Management (2) • Project Planning (PP) (L2) • Project Monitoring and Control (PMC) (L2) • Supplier Agreement Management (SAM) (L2) • Integrated Project Management (IPPD) (L3) • Integrated Teaming (IT) (L3) • Risk Management (RSKM) (L3) • Quantitative Project Management (QMP) (L4) • Category: Engineering (6) • Requirements Management (REQM) (L2) • Requirements Development (RD) (L3) • Technical Solution (TS) (L3) • Product Integration (PI) (L3) • Verification (VER) (L3) • Validation (VAL) (L3) • Category: Support (3) • Configuration Management (CM) (L2) • Process and Product Quality Assurance (PPQA) (L2) • Measurement and Analysis (M&A) (L2) • Causal Analysis and Resolution (CAR) (L5) • Decision Analysis and Resolution (DAR) (L3) • Organizational Environment for Integration (OEI) (L3)
Focused PAs for SGIPS project • [Diagram labels: PDR; Marketing; AMIT’s requirements; ISMP’s requirements; Products; Documents; Papers; Support (CM, MA, PPQA); PMC; RD; TS; PI; Ver; Val; RM; PP]
Review Introduction Reporter:
Review Objectives • The preliminary design review (PDR) evaluates: • The readiness of the project, system, subsystems… to proceed with implementation. It assesses the requirements, project planning and the compliance of the preliminary design with applicable requirements • The effectiveness of applying CMMI processes for this project
Review Success Criteria • Plans for resolving remaining problems are consistent with available resources and risk policy • The requirements are complete and adequately defined • The functions are appropriately assigned to subsystems • The preliminary design meets the requirements • The internal and external interface definition and design are complete and adequately defined
Board Guidelines • Provide the documents (System Requirement Specification (SRS), Project Execution Plan (PEP)) and presentation material to Review Boards no less than five working days before the review • The Board meeting will be held immediately following the presentation • Time constraints will necessitate Request for Actions (RFAs) being written in lieu of lengthy discussion
A Secure SOHO/Home Gateway supporting Internet Phone and Services (SGIPS) Overview Reporter:
SGIPS Description • The objectives of SGIPS are to • Reduce the gap between academia and industry • Integrate and innovate Internet technologies for the Information Technologies industry • Target product is a multi-functional SOHO gateway with: • Reliable and high performance Internet platform • Asymmetric Digital Subscriber Line (ADSL) • Secure homeland and office network • Phone services on Internet
SGIPS Functional Requirement • High performance, extensible, reliable, and low cost networking platform • Asymmetric Digital Subscriber Line (ADSL) networking ability • Quality of services • Low-cost secure communication with remote host and network • Filtering the internet packets against the security policy • Intelligent network intrusion detection • Foreign exchange office telephone services • Secure foreign exchange station telephone services • Audio conference
Allocate SGIPS Functional Requirement • High Performance Embedded System (HPES) • High performance, extensible, reliable, and low cost networking platform • SOHO/Home ADSL Gateway (SHAG) • Asymmetric Digital Subscriber Line (ADSL) networking ability • Quality of services • Intelligent Secure Environment Core (ISEC) • Filtering the internet packets against the security policy • Intelligent network intrusion detection • High Quality Internet Phone (HQIP) • Foreign exchange office telephone services • Secure foreign exchange station telephone services • Audio conference
SGIPS Architecture Design • Decision Criteria • Cost (weight : 0.3) • Ease of Development (weight : 0.2) • Performance (weight : 0.2) • Extensibility (weight : 0.2) • Flexibility (weight : 0.1) • Comparison level • Limited (grade : 0) • It may not be easy for a programmer to modify • Improved (grade : 1) • It may be possible for a programmer to modify • Excellent (grade : 2) • It may be the best among the options • Evaluation function
SGIPS Architecture Design • Option1 : The Interactive Model • [Diagram labels: SGIPS 1.0.0; Subsystem HPES 1.1.0; Subsystem SHAG 1.2.0; Subsystem ISEC 1.3.0; Subsystem HQIP 1.4.0; API (between subsystems); Data Channel; file system; End-User; External Interface]
SGIPS Architecture Design (Cont.) • Option2 : The Centralized-Control Model • [Diagram labels: SGIPS 1.0.0; Subsystem HPES 1.1.0; Subsystem SHAG 1.2.0; Subsystem ISEC 1.3.0; Subsystem HQIP 1.4.0; API (between subsystems); Data Channel; file system; End-User; External Interface]
SGIPS Architecture Design (Cont.) • Evaluation • Option1 : EV = 0.7 • Option2 : EV = 1.5
Operating System selection • Selected Operating system • Option1 : WinCE (EV = 0.5) • Option2 : Linux (EV = 1.7) • Option3 : MT! + USNet (EV = 0.8)
SGIPS Interface Requirement • Internal • HPES provides the Common Application Program Interface (API) • The SGIPS should be able to transmit and receive data through HPES • External • The SGIPS should be able to transmit and receive data from the devices (Telephone, Fax, Network interface)
SGIPS Performance Requirement • Transmission rate of USB device shall be 12M bps • Transmission rate of UART device shall be 9600 bps • Transmission rate of Ethernet shall be at least 80Mb/s • Transmission error shall be less than 0.1% • Should offer 16 ADSL connections at the same time • Should offer ADSL downlink throughput more than 6Mb/s • Should offer ADSL uplink throughput more than 512Kb/s • Shall support at least 50 rules for packet filtering • Shall support 253 local host network address translation • Shall support at least 20 virtual services • Shall offer 4 phone connections at the same time • Shall offer the loss rate of phone packets less than 30% • Shall offer the transmission of a FAX page within 15 seconds • Shall keep the buffering delay of voice data less than 60ms
SGIPS Operational Concept • Basic Internet networking ability • ADSL • Virtual Private Network • [Diagram labels: SGIPS; HPES; SHAG; ISEC; ATM switch; Internet; VPN tunnel]
SGIPS Operational Concept (cont.) • Internet Firewall • Intrusion Detection System • [Diagram labels: SGIPS; HPES; SHAG; ISEC; packet filter against security policy; attacker; analysis report; security alert]
SGIPS Operational Concept (cont.) • Internet Phone Service • Secure Internet Phone Service • [Diagram labels: SGIPS; HPES; SHAG; ISEC; HQIP; VPN tunnel]
SGIPS Test Environment • Hardware • Network advisor • VoIP/Security compliant products • Telephone/FAX • General PC • Software • Attack programs • Qcheck • Network • TCP/IP, Ethernet • ATM and VoIP services provided by ISP
High Performance Embedded System Subsystem (HPES) Reporter: Jong-Shing Wang
HPES Description • HPES is responsible for processing communication with any subsystem and dealing with hardware data to (or from) any subsystem. • HPES should provide the following features: • Joint system call for device driver • Scheduler • M.M (Memory Management) • Recovery mechanism
HPES Functional Requirement • It provides the following functions: • Process Scheduler : it schedules all processes in the read-list queue • Memory Management : it manages memory space assigned by process • Device Module : it provides a “device frame” for all device drivers created by itself • Inter-Process Communication : it is responsible for communicating with processes
HPES Interface Requirement • Internal • All device drivers should send data for the embedded system • Embedded system should store (or load) data (or instruction) for (or from) memory. • External • It provides API which can access the memory. • It provides API which can use MCU. • It provides API which can use the specific device.
HPES Performance Requirement • Device transfer rate • The Ethernet device shall have 100M bps • The USB device shall have 12M bps • The UART device shall have 9600 bps • System hardware performance • MCU must have 133M Hz • Memory Bus must have 66M Hz • Timer must have “micro-second” resolution • Embedded system performance • Context switch time must be between 100 us and 200 us • MCU utilization rate must be above 70%
HPES Operational Concept • Data communications between communication devices and each subsystem • [Diagram labels: Device; HPES; SHAG; ISEC; HQIP]
HPES Test Environment • Hardware: • smdk2510 (includes ARM9, 8M SDRAM, 1M ROM, AMBA, DES, I2C, 1.1 Host USB, 1.1 Device USB, 10M/100M Ethernet port, UART port) • Software: • USNET, MT!, test basic program • Network • Ethernet communication must be set up
SOHO/Home ADSL Gateway (SHAG) Reporter: Koung-Ron Lee
SHAG Description • The objective is to offer data transmission and routing service on the Internet. • The service includes ATM channel connection and data fragment/re-fragment.
SHAG Functional Requirement • Channels connection and management • The configuration setup for each channel (CBR/VBR, QoS) • Packets translation (IP/ATM, Ethernet/ATM, PPP/ATM) • The control of transmission flows
SHAG Interface Requirement • Internal • Data Dealer should receive ATM cell from IpoA translator • Data Dealer should receive ATM cell from MpoA translator • Data Dealer should receive ATM cell from PPPoA translator • Data Dealer should receive Ethernet cell from PPPoE translator • IpoA translator should receive ATM cell from Data Dealer • MpoA translator should receive ATM cell from Data Dealer • PPPoA translator should receive ATM cell from Data Dealer • PPPoE translator should receive Ethernet cell from Data Dealer • 8946 SAR API should receive configure command from Initiating Configure • 8946 SAR API should receive configure command from Channel Management
SHAG Interface Requirement • External • The SHAG should have the external interfaces to HPES • IpoA should use HPES as the common interface to receive/send IP Packets from/to IP Layer • MpoA should use HPES as the common interface to receive/send IP Packets from/to IP Layer • PPPoA should use HPES as the common interface to receive/send PPP Packets from/to PPP Layer • PPPoE should use HPES as the common interface to receive/send PPP Packets from/to PPP Layer • Data Dealer should use HPES as the common interface to receive/send data from/to 8946 SAR API
SHAG Performance Requirement • The SHAG should offer 16 connections at the same time. • The SHAG should offer the loss rate of IP Packet less than 0.1%. • The SHAG should offer the throughput of downlink more than 6MHz. • The SHAG should offer the throughput of downlink more than 512KHz. • The SHAG should connect PPP channels and implement PPP Authentication. • The SHAG should execute PPP Challenge Handshake Authentication Protocol • The SHAG should connect FTP channel • The SHAG should connect HTTP channel • The SHAG should connect Telnet channel
SHAG Operational Concept • [Diagram labels: SHAG; ATM; LAN; www]
SHAG Test Environment • Environment • ATM test platform • Equipment hardware • PC • Network analyzer • Speaker • Software • Network sniffer
Intelligent Secure Environment Core (ISEC) Reporter: Chien-Chung Su
ISEC Description • Intelligent Security Environment Core Subsystem (ISEC) is responsible for security core technologies of SGIPS.
ISEC Functional Requirement • ISEC performs the following functions: • Internet Firewall Service (IF) • Drop the illegal (against the security policy) internet packets • Perform network address translation (NAT) • Provide virtual services • Intrusion Detection Agent Service (IDA) • Detect the malicious intrusions • Virtual Private Network Service (VPN) • Provide secure channel from local subnet to remote users or subnets through public network • Hardware Crypto Accelerator (HCA) • Perform the data encryption/decryption more effectively • System Innovation • New technologies and algorithms are researched to improve the system functionalities and performance
ISEC Interface Requirement • Internal • The IF shall send the legal internet packets to IDA for intrusion detection. • The IDA shall add the security practices in IF when an intrusion is detected • External • Control hardware crypto accelerator via HPES • Data and information transfer via HPES
ISEC Performance Requirement • Packet Filtering • Shall not reduce the network bit rate by more than 5% • Shall support at least 50 rules for packet filtering • Network Address Translation • Shall not reduce the network bit rate by more than 5% • Shall support 253 local host network address translation • Shall support at least 20 virtual services • Pattern Matching and Network Traffic Analysis • Shall use less than 5% of system memory • Shall not reduce the network bit rate by more than 5% • Hardware Data Encryption and Decryption • Shall improve encryption/decryption performance by at least 30%
ISEC Architecture Design • [Diagram labels: ISEC 1.3.0; ISEC 1.3.1 Internet Firewall (IF); ISEC 1.3.2 Intrusion Detection Agent (IDA); ISEC 1.3.3 Virtual Private Network (VPN); ISEC 1.3.4 Hardware Crypto Accelerator (HCA); Security configuration database; External Interface with HPES; HPES 1.1.0 Common API; ASIC Security processor; Network Interface]
ISEC Operational Concept • Internet Firewall (IF) • [Diagram labels: IF; illegal traffic; DROP; legal traffic; IDA]