Extensible Networking Platform - IWAN 2005
Extensible Network Configuration and Communication Framework
Todd Sproull and John Lockwood
{todd,lockwood}@arl.wustl.edu
7th International Working Conference on Active and Programmable Networks (IWAN)
November 2005
http://www.arl.wustl.edu/arl/projects/fpx/
Overview
• Background
  – Project motivation
• Extensible Network Configuration Architecture
• Experimental Results
  – Initial results using the Emulab testbed
• Conclusions
Background
• Administrators currently overwhelmed securing networks
[Figure: example network containing a Wireless Router, Traffic Shaper, Intrusion Prevention System (IPS), NAT / Firewall and Intrusion Detection System (IDS)]
• Security devices in the network help combat the problem
  – Intrusion Detection or Prevention Systems (IDS or IPS)
  – Packet shapers
  – Firewalls
• Overhead associated with managing these devices is fairly high
  – Require manual configuration
  – Lack interoperability with other security devices
Problem Statement
• Objective
  – Develop generic infrastructure for management of security devices
• Challenges
  – Need an abstraction for communication between heterogeneous security devices
  – Need to provide interfaces to configure key components of a security device
    • Example: Ability to update rules on each firewall supported in the overlay
• Proposed Solution
  – Deploy an overlay network of security devices
  – Allow nodes to communicate through eXtensible Markup Language (XML)
  – Create generic abstractions of a device that are advertised to peers
    • Example: “Advertisement: I provide firewall capabilities”
Description of Framework
• Create overlay network of security devices
• Devices subscribe to events of interest
  – Administrative Updates
  – Virus Signatures
  – Malicious IP flows to rate limit
• Administrator joins overlay to issue updates
  – Messages sent to each peer or a single group
• Nodes communicate with each other through services
• Nodes discover services in each group
• Nodes create and join groups of interest
  – Administrative
  – Firewall
  – Anomaly Detection
• Overlay software interfaces directly with applications executing on the node
  – Modifying configuration files
  – Restarting processes
[Figure: overlay of security devices (Wireless Router, Traffic Shaper, Intrusion Prevention System (IPS), NAT / Firewall, Intrusion Detection System (IDS)) discovering each other's services]
Implementation
• Overlay network built using the JXTA API
  – Provides open infrastructure to create Peer-to-Peer (P2P) networks
• Protocols built into JXTA include
  – Peer Discovery
    • Discover peers, groups, and services in the overlay
  – Endpoint Routing
    • Provide route information to peers, simplifying communication behind firewalls and NAT
  – Pipe Binding
    • Creates communication channels for sending and receiving XML messages
• Supports various programming languages
  – Java (J2SE)
  – C
  – Mobile Java (J2ME)
  – Ruby
Example Security Nodes
• Current research explores three hardware platforms

Capability                        | Wireless Router            | Workstation                      | Extensible Switch
Intrusion Detection or Prevention | Snort with limited ruleset | Snort or Bro                     | FPGA Snort Lite
Quality of Service                | Linksys QoS Support        | Hierarchical Token Buckets (HTB) | FPGA Queue Manager
Anomaly or Event Detection        | None                       | SPADE                            | FPGA Worm Detector
Embedded Processor                | 200MHz MIPS                | Pentium M                        | FPX with FPGA Hardware
Experimental Setup
• Testbed experiment evaluates overhead in processing and routing XML messages in JXTA
  – XML Publish/Subscribe
  – JXTA Pipes Creation
  – JXTA Message Notification
• Traffic Generator sends XML messages to Publisher
• Publisher parses XML messages and forwards each message to clients based on their individual service subscriptions
• Experiment created in Emulab testbed
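The Publisher described in the framework and testbed slides, written here as an added Ruby example (Ruby being one of the JXTA bindings the slides list); this is not code from the paper or from JXTA. The XML event format, the peer names and the group subscriptions are assumptions modelled on the groups named on the slides, and JXTA pipes are replaced by an in-memory inbox per peer so it runs offline.

```ruby
require 'rexml/document'
# Groups named on the slides; a peer subscribes to a group and receives its events.
KNOWN_GROUPS = %w[Administrative Firewall AnomalyDetection].freeze

# Stands in for the testbed's Publisher node: parses each XML event and forwards it
# to the peers subscribed to that event's group. JXTA pipes are replaced by an
# in-memory inbox per peer so the example runs offline.
class Publisher
  def initialize
    @subscribers = Hash.new { |h, g| h[g] = [] } # group -> peer names
    @inboxes     = Hash.new { |h, p| h[p] = [] } # peer name -> delivered messages
  end

  def subscribe(peer, group)
    raise ArgumentError, "unknown group: #{group}" unless KNOWN_GROUPS.include?(group)
    @subscribers[group] |= [peer]
  end

  # Forward one message and return the sorted list of peers it reached. Malformed XML,
  # a root other than <event>, or an unknown group is dropped ([]) rather than fanned out.
  def publish(xml)
    root = REXML::Document.new(xml).root
    return [] unless root && root.name == 'event'
    group = root.attributes['group']
    return [] unless KNOWN_GROUPS.include?(group)
    peers = @subscribers[group].sort
    peers.each { |p| @inboxes[p] << xml }
    peers
  rescue REXML::ParseException
    []
  end

  def inbox(peer)
    @inboxes[peer]
  end
end

# Constructed topology after the three node types on the slides: every node takes
# Administrative updates, the router and switch also take Firewall events, and the
# workstation running SPADE also takes AnomalyDetection events.
def build_demo_overlay
  pub = Publisher.new
  %w[wireless_router workstation_ids extensible_switch].each { |p| pub.subscribe(p, 'Administrative') }
  %w[wireless_router extensible_switch].each { |p| pub.subscribe(p, 'Firewall') }
  pub.subscribe('workstation_ids', 'AnomalyDetection')
  pub
end
# Constructed sample events (the slides do not give the XML schema).
RATE_LIMIT_EVENT = '<event group="Firewall" type="MaliciousFlow"><src>192.0.2.7</src><action>ratelimit</action></event>'
ADMIN_UPDATE     = '<event group="Administrative" type="RuleUpdate"><rules>drop tcp any 192.0.2.0/24 23</rules></event>'
UNKNOWN_EVENT    = '<event group="Unknown" type="Test"/>'
```

Publishing RATE_LIMIT_EVENT reaches only the two Firewall subscribers, ADMIN_UPDATE reaches all three peers, and UNKNOWN_EVENT is dropped without touching any inbox.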