Extensible Network Configuration and Communication Framework
Todd Sproull and John Lockwood
{todd,lockwood}@arl.wustl.edu
7th International Working Conference on Active and Programmable Networks (IWAN), November 2005
http://www.arl.wustl.edu/arl/projects/fpx/
Overview
• Background
• Project motivation
• Extensible Network Configuration Architecture
• Experimental Results
  • Initial results using the Emulab testbed
• Conclusions
Background
• Administrators currently overwhelmed securing networks
• Security devices in the network help combat the problem
  • Intrusion Detection or Prevention Systems (IDS or IPS)
  • Packet shapers
  • Firewalls
• Overhead associated with managing these devices is fairly high
  • Require manual configuration
  • Lack interoperability with other security devices
[Figure: example security devices in a network: Intrusion Detection System (IDS), NAT / Firewall, Intrusion Prevention System (IPS), Wireless Router, Traffic Shaper]
Problem Statement
• Objective
  • Develop generic infrastructure for management of security devices
• Challenges
  • Need an abstraction for communication between heterogeneous security devices
  • Need to provide interfaces to configure key components of a security device
    • Example: ability to update rules on each firewall supported in the overlay
• Proposed Solution
  • Deploy an overlay network of security devices
  • Allow nodes to communicate through eXtensible Markup Language (XML)
  • Create generic abstractions of a device that are advertised to peers
    • Example: “Advertisement: I provide firewall capabilities”
Description of Framework
• Create overlay network of security devices
• Nodes create and join groups of interest
  • Administrative
  • Firewall
  • Anomaly Detection
• Nodes discover services in each group
• Devices subscribe to events of interest
  • Administrative Updates
  • Virus Signatures
  • Malicious IP flows to rate limit
• Administrator joins overlay to issue updates
  • Messages sent to each peer or a single group
• Nodes communicate with each other through services
• Overlay software interfaces directly with applications executing on the node
  • Modifying configuration files
  • Restarting processes
[Figure: overlay of security devices (Intrusion Detection System (IDS), NAT / Firewall, Intrusion Prevention System (IPS), Wireless Router, Traffic Shaper) joining groups of interest]
Implementation
• Overlay network built using the JXTA API
  • Provides open infrastructure to create Peer-to-Peer (P2P) networks
• Protocols built into JXTA include
  • Peer Discovery
    • Discover peers, groups, and services in the overlay
  • Endpoint Routing
    • Provides route information to peers, simplifying communication behind firewalls and NAT
  • Pipe Binding
    • Creates communication channels for sending and receiving XML messages
• Supports various programming languages
  • Java (J2SE)
  • C
  • Mobile Java (J2ME)
  • Ruby
Example Security Nodes
• Current research explores three hardware platforms
  • 200MHz MIPS
  • Pentium M Embedded Processor
  • FPX with FPGA Hardware
Experimental Setup
• Testbed experiment evaluates overhead in processing and routing XML messages in JXTA
  • XML Publish/Subscribe
  • JXTA Pipes Creation
  • JXTA Message Notification
• Traffic Generator sends XML messages to Publisher
• Publisher parses XML messages and forwards each message to clients based on individual service subscription
• Experiment created in Emulab testbed
  • 2GHz Pentium 4 nodes
  • 100Mbit/sec Ethernet links
[Figure: testbed topology with XML Traffic Generator, Publisher and Subscribers spanning Network A and Network B]
Experimental Results
• Experiments performed measure packet loss as packets per second (pps) increase
  • XML Traffic Generator increases pps to Publisher
  • Publisher forwards relevant messages to a single subscriber
    • All messages forwarded in this experiment
  • Loss represents packets not received by subscriber
• Relatively low performance is due to the overhead of JXTA creating an “output pipe” for each connection
  • The overhead is approximately 40ms per connection
• Potential optimizations
  • Creating the output pipe once per node, assuming the peer is available
  • Utilizing JXTA sockets instead of JXTA pipes
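As an added example (not the authors' code, and not the real JXTA API), the Python model below ties together the group-subscription dispatch from "Description of Framework" and the output-pipe optimization proposed here: a Publisher validates a constructed XML envelope, forwards it only to peers subscribed to the message's service group, and counts how many output pipes it opens in naive mode (one pipe per delivery, as in the measured prototype) versus cached mode (one pipe per node). The FakePipe class, the run_demo peer names, the sample messages and the <message>/<service>/<event> schema are assumptions made for this example; the 40 ms figure is the one reported on the slide.

```python
"""Toy model of the slides' XML publish/subscribe overlay (added example, not the authors' code)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Per-connection output-pipe cost reported in the slides (approximately 40 ms).
PIPE_SETUP_MS = 40.0

# Constructed sample messages; the envelope format (<message><service/><event/><body/>)
# is an assumption made for this example, not the paper's schema.
SAMPLE_MESSAGES = [
    "<message><service>Firewall</service><event>rule-update</event>"
    "<body>deny tcp any 203.0.113.0/24 eq 445</body></message>",
    "<message><service>Administrative</service><event>config-push</event>"
    "<body>ntp server 192.0.2.10</body></message>",
    "<message><service>Firewall</service><event>rate-limit</event>"
    "<body>flow 198.51.100.9 limit 1mbit</body></message>",
    "<message><service>AnomalyDetection</service><event>virus-signature</event>"
    "<body>sig-id example-0001</body></message>",
]


class FakePipe:
    """Stand-in for a JXTA output pipe to one peer (hypothetical, not the JXTA API)."""

    def __init__(self, peer, mailbox):
        self.peer = peer
        self.mailbox = mailbox  # list shared with the publisher's mailbox table

    def send(self, xml_text):
        self.mailbox.append(xml_text)


class Publisher:
    """Forwards each XML message to the peers subscribed to its service group."""

    def __init__(self, cache_pipes):
        self.cache_pipes = cache_pipes
        self.subscriptions = defaultdict(set)  # service group -> {peer id}
        self.pipes = {}                        # peer id -> FakePipe (cache)
        self.mailboxes = defaultdict(list)     # peer id -> delivered messages
        self.pipes_created = 0

    def subscribe(self, peer, service):
        self.subscriptions[service].add(peer)

    def _pipe_for(self, peer):
        # Naive mode opens a new pipe per delivery (the measured prototype);
        # cached mode opens one pipe per node and reuses it while the peer is up.
        if self.cache_pipes and peer in self.pipes:
            return self.pipes[peer]
        pipe = FakePipe(peer, self.mailboxes[peer])
        self.pipes_created += 1
        if self.cache_pipes:
            self.pipes[peer] = pipe
        return pipe

    @staticmethod
    def parse(xml_text):
        """Validate the envelope before routing; anything else is rejected.

        For messages from untrusted peers, parse with defusedxml rather than
        the stdlib parser so entity-expansion payloads are refused.
        """
        root = ET.fromstring(xml_text)
        if root.tag != "message":
            raise ValueError("not a <message> envelope")
        service = root.findtext("service")
        event = root.findtext("event")
        if not service or not event:
            raise ValueError("message lacks <service> or <event>")
        return service, event

    def publish(self, xml_text):
        """Route one message; returns the sorted list of peers it was sent to."""
        service, _event = self.parse(xml_text)
        targets = sorted(self.subscriptions.get(service, ()))
        for peer in targets:
            self._pipe_for(peer).send(xml_text)
        return targets


def run_demo(cache_pipes):
    """Publish the sample messages to a constructed set of peers and report the pipe cost."""
    pub = Publisher(cache_pipes)
    pub.subscribe("fw-edge", "Firewall")
    pub.subscribe("fw-dmz", "Firewall")
    pub.subscribe("fw-dmz", "Administrative")
    pub.subscribe("ids-core", "AnomalyDetection")
    deliveries = sum(len(pub.publish(msg)) for msg in SAMPLE_MESSAGES)
    return {
        "deliveries": deliveries,
        "pipes_created": pub.pipes_created,
        "setup_ms": pub.pipes_created * PIPE_SETUP_MS,
        "per_peer": {p: len(m) for p, m in pub.mailboxes.items()},
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("cached pipes" if mode else "pipe per delivery", run_demo(mode))
```

With four messages and three peers the naive mode pays the setup cost six times (once per delivery) while the cached mode pays it three times (once per peer); the gap widens linearly with message rate, which is why the per-connection cost dominated the measured loss curve. The cache assumes the peer stays reachable, as the slide notes; a production version would evict the pipe on a send failure and re-run endpoint discovery.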
Future Work
• Evaluate security functions of the overlay
  • Example: benchmark nodes' ability to update firewall rules in the presence of an attack
• Deploy all three platforms in one testbed environment
  • Utilize Open Network Labs
    • Testbed for developing high performance network applications
• Investigate hardware plug-ins
Conclusions
• Proposed architecture for network configuration and communication
  • Overlay network distributing XML messages between devices
• Developed and deployed framework in network testbed
• Obtained preliminary results
  • Quantified overhead of JXTA protocol and XML message parsing in publish/subscribe network
Acknowledgments
• Research Group
  • Reconfigurable Network Group
  • http://arl.wustl.edu/projects/fpx/reconfig.htm