
Extensible Network
Configuration and
Communication Framework
Todd Sproull and John Lockwood
{todd,lockwood}@arl.wustl.edu
7th International Working Conference on
Active and Programmable Networks (IWAN)
November 2005
http://www.arl.wustl.edu/arl/projects/fpx/
Extensible Networking Platform - IWAN 2005
Overview
• Background
– Project motivation
• Extensible Network Configuration
Architecture
• Experimental Results
– Initial results using the Emulab testbed
• Conclusions
Background
• Administrators currently overwhelmed securing networks
• Security devices in the network help combat the problem
  – Intrusion Detection or Prevention Systems (IDS) or (IPS)
  – Packet shapers
  – Firewalls
• Overhead associated with managing these devices is fairly high
  – Require manual configuration
  – Lack interoperability with other security devices
[Figure: a network containing an Intrusion Detection System (IDS), NAT / Firewall, Intrusion Prevention System (IPS), Wireless Router and Traffic Shaper]
Problem Statement
• Objective
  – Develop generic infrastructure for management of security devices
• Challenges
  – Need an abstraction for communication between heterogeneous security devices
  – Need to provide interfaces to configure key components of a security device
    • Example: Ability to update rules on each firewall supported in the overlay
• Proposed Solution
  – Deploy an overlay network of security devices
  – Allow nodes to communicate through eXtensible Markup Language (XML)
  – Create generic abstractions of a device that are advertised to peers
    • Example: “Advertisement: I provide firewall capabilities”
Description of Framework
• Create overlay network of security devices
• Nodes create and join groups of interest
  – Administrative
  – Firewall
  – Anomaly Detection
• Nodes discover services in each group
• Devices subscribe to events of interest
  – Administrative Updates
  – Virus Signatures
  – Malicious IP flows to rate limit
• Administrator joins overlay to issue updates
  – Messages sent to each peer or a single group
• Nodes communicate with each other through services
• Overlay software interfaces directly with applications executing on the node
  – Modifying configuration files
  – Restarting processes
[Figure: overlay of security devices (IDS, NAT / Firewall, IPS, Wireless Router, Traffic Shaper) with undiscovered peers marked “?”]
Implementation
• Overlay network built using the JXTA API
  – Provides open infrastructure to create Peer-to-Peer (P2P) networks
• Protocols built into JXTA include
  – Peer Discovery
    • Discover peers, groups, and services in the overlay
  – Endpoint Routing
    • Provide route information to peers, simplifying communication behind firewalls and NAT
  – Pipe Binding
    • Creates communication channels for sending and receiving XML messages
• Supports various programming languages
  – Java (J2SE)
  – C
  – Mobile Java (J2ME)
  – Ruby
Example Security Nodes
• Current research explores three hardware platforms
  – Wireless Router (200MHz MIPS)
    • Intrusion Detection or Prevention: Snort with limited ruleset
    • Quality of Service: Linksys QoS Support
    • Anomaly or Event Detection: None
  – Workstation (Pentium M Embedded Processor)
    • Intrusion Detection or Prevention: Snort or Bro
    • Quality of Service: Hierarchical Token Buckets (HTB)
    • Anomaly or Event Detection: SPADE
  – Extensible Switch (FPX with FPGA Hardware)
    • Intrusion Detection or Prevention: FPGA Snort Lite
    • Quality of Service: FPGA Queue Manager
    • Anomaly or Event Detection: FPGA Worm Detector
Experimental Setup
• Testbed experiment evaluates overhead in processing and routing XML messages in JXTA
  – XML Publish/Subscribe
  – JXTA Pipes Creation
  – JXTA Message Notification
• Traffic Generator sends XML messages to Publisher
• Publisher parses XML messages and forwards message to clients based on individual service subscription
• Experiment created in Emulab testbed
  – 2GHz Pentium 4 nodes
  – 100Mbit/sec Ethernet links
[Figure: testbed topology showing XML Traffic Generator, Publisher, Subscribers, Network A and Network B]
Experimental Results
• Experiments performed measure packet loss as packets per second (pps) increase
  – XML Traffic Generator increases pps to Publisher
  – Publisher forwards relevant messages to a single subscriber
  – Loss represents packets not received by subscriber
    • All messages forwarded in this experiment
• Relatively low performance is due to overhead in JXTA creating an “output pipe” for each connection
  – The overhead is approximately 40ms per connection
• Potential optimizations
  – Creating output pipe once per node, assuming the peer is available
  – Utilizing JXTA sockets instead of JXTA pipes
[Figure: plot of Packet Loss % (0.00% to 100.00%) versus Packets per Second (0 to 700)]
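To make the publish/subscribe path of the framework slide and the output-pipe optimization above concrete, here is an added Python sketch (not the authors' JXTA code) of a publisher that parses incoming XML messages, forwards each event only to peers subscribed to its service, and creates one output pipe per node instead of one per forwarded message; the message schema, peer names and the "pipe:" handle strings are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample traffic; the event/advertisement schema is assumed.
SAMPLE_MESSAGES = [
    '<event service="firewall"><rule>block 192.0.2.7</rule></event>',
    '<event service="anomaly"><flow src="192.0.2.9" limit="100kbps"/></event>',
    '<advertisement peer="nat1" provides="firewall"/>',
    '<event service="firewall"><rule>block 192.0.2.8</rule></event>',
    '<event service="bogus"><x/></event>',           # unknown service
    '<event service="firewall"><rule>unterminated',  # malformed XML
]

class Publisher:
    KNOWN_SERVICES = {"administrative", "firewall", "anomaly"}

    def __init__(self):
        self.subscriptions = defaultdict(set)  # service -> peer ids
        self.pipes = {}                        # peer -> cached output pipe
        self.pipes_created = 0
        self.delivered = defaultdict(list)     # peer -> [(pipe, message)]
        self.dropped = 0

    def subscribe(self, peer, service):
        self.subscriptions[service].add(peer)

    def _output_pipe(self, peer):
        # Proposed optimization: one output pipe per node, reused for
        # every message, instead of a ~40ms pipe creation per forward.
        if peer not in self.pipes:
            self.pipes[peer] = "pipe:" + peer
            self.pipes_created += 1
        return self.pipes[peer]

    def handle(self, raw):
        # Parse one XML message; return how many peers it was forwarded to.
        try:
            root = ET.fromstring(raw)
        except ET.ParseError:
            self.dropped += 1  # never forward unparseable input
            return 0
        if root.tag == "advertisement":  # "I provide firewall capabilities"
            self.subscribe(root.get("peer"), root.get("provides"))
            return 0
        service = root.get("service")
        if root.tag != "event" or service not in self.KNOWN_SERVICES:
            self.dropped += 1  # unknown service: drop rather than flood peers
            return 0
        for peer in sorted(self.subscriptions[service]):
            self.delivered[peer].append((self._output_pipe(peer), raw))
        return len(self.subscriptions[service])

def run_demo(messages=SAMPLE_MESSAGES):
    pub = Publisher()
    pub.subscribe("fw1", "firewall")
    pub.subscribe("ids1", "anomaly")
    return pub, sum(pub.handle(m) for m in messages)
```

With these constructed inputs the four forwards need only three pipe creations, and the malformed and unknown-service messages are counted as dropped instead of being pushed to subscribers.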
Future Work
• Evaluate security functions of the overlay
  – Example: Benchmark nodes' ability to update firewall rules in the presence of an attack
• Deploy all three platforms in one testbed environment
  – Utilize Open Network Labs
    • Testbed for developing high performance network applications
  – Investigate Hardware Plug-ins
Conclusions
• Proposed Architecture for Network Configuration and Communication
  – Overlay network distributing XML messages between devices
• Developed and deployed framework in network testbed
• Obtained Preliminary Results
  – Quantified overhead of JXTA protocol and XML message parsing in publish/subscribe network
Acknowledgments
• Research Group
– Reconfigurable Network Group
http://arl.wustl.edu/projects/fpx/reconfig.htm