Transcript Onsite
The Aerospace Clinic 2002
Team Members
Nick Hertl (Project Manager)
Will Berriel
Richard Fujiyama
Chip Bradford
Faculty Advisor
Professor Michael Erlinger
Aerospace Liaisons
Joseph Betser, PhD
Rayford Sims
Overview
• Background Information
• Tunnel
• Technical Approach
– Completed work
– Tunnel Demo
– Future work
• Questions
Background
•
•
•
•
•
TCP/IP
Network Security
Firewalls
BEEP
IDXP
TCP/IP
• Main protocols used over the Internet
• Provides reliable, full-duplex, peer-topeer communication
• Most current application protocols use
this directly: HTTP (web), SMTP
(email), etc.
• Multiple connections to the same
machine are handled using ports
Network Security
• Only authorized users should be able to
access private networks
• Some data and services should only be
available internally
• Firewalls are used in most corporations
to restrict access to network resources
Firewalls
• Set of rules to restrict network traffic
• Can filter by any combination of:
– Source IP
– Destination IP
– Port
– Protocol
• Rule sets are usually static
BEEP
• Blocks Extensible Exchange Protocol
• General framework for the rapid creation of
application-level protocols
• Requires an underlying transport protocol
• Provides a message framing mechanism and
many common service "profiles"
• Profiles provide transparent addition of
properties to a connection (i.e. security)
Existing BEEP Profiles
•
•
•
•
•
SSL/TLS
SASL
IDXP
Others that don’t apply to our system.
Tunnel (soon… :-)
IDXP
• Intrusion Detection eXchange Protocol
• Standard communication of Intrusion
Detection messages (IDMEF)
• Firewall must not block authorized
messages
Tunnel
• General purpose proxy routing BEEP
profile
• Our focus is Tunnel for IDXP message
Tunnel
• Uses XML messages to establish a tunnel:
<tunnel fqdn=“host1.example.com" port="10289">
<tunnel />
</tunnel>
• Other XML attributes allow routing by IP
address, service, or potentially user
defined extensions.
Alternatives to Tunnel
• SSH
– Application not intended for this purpose
• VPN
– Long lived
– Invasive to client
• IPsec
– Requires kernel modification
– Few organizations use this
Completed Work
• Evaluated Tunnel Specification
• Chose BEEP Implementations
• Implemented
– No-Hop Tunnel
– One-Hop Tunnel
• Some interoperability testing
Fall Schedule
Tunnel Evaluation
• No standard way to extend the DTD.
• Previously no IPv6 support in the DTD.
• Possibility for loops with misconfigured
servers.
• No way to specify a Time-To-Live when
using a dynamic route, ie: connecting to
a service rather than a host.
Beep Implementations:
• JAVA:
– PermaBEEP 0.8 (Better API)
– Beepcore–java 0.9.07 (TLS support)
• C
– Roadrunner 0.9 (More fully implemented)
– Beepcore–C 0.2 (Abandoned)
No-Hop Tunnel
• Profile and application can successfully
open a tunnel to a host with no firewall in
between.
One-Hop Tunnel
Let’s take a look.
Tunnel
host1.example.com
proxy.example.com
Transport Connect
Usually TCP
host2.example.com
Tunnel
host1.example.com
proxy.example.com
host2.example.com
Transport Connect
BEEP Greeting
Advertise services (Tunnel, maybe others)
Tunnel
host1.example.com
proxy.example.com
host2.example.com
Transport Connect
BEEP Greeting
Start Tunnel
<tunnel fqdn="host2.example.com" port="10288">
<tunnel />
</tunnel>
Tunnel
host1.example.com
host2.example.com
proxy.example.com
Transport Connect
BEEP Greeting
Start Tunnel
Transport Connect
Usually TCP
Tunnel
host1.example.com
host2.example.com
proxy.example.com
Transport Connect
BEEP Greeting
Start Tunnel
Transport Connect
BEEP Greeting
Advertise services (Tunnel, maybe others)
Tunnel
host1.example.com
host2.example.com
proxy.example.com
Transport Connect
BEEP Greeting
Start Tunnel
Transport Connect
BEEP Greeting
Start Tunnel
<tunnel />
Tunnel
host1.example.com
host2.example.com
proxy.example.com
Transport Connect
BEEP Greeting
Start Tunnel
Transport Connect
BEEP Greeting
Start Tunnel
OK
<ok />
Tunnel
host1.example.com
host2.example.com
proxy.example.com
Transport Connect
BEEP Greeting
Start Tunnel
Transport Connect
BEEP Greeting
Start Tunnel
OK
OK
<ok />
proxy now transparently forwards messages
Tunnel
host1.example.com
host2.example.com
proxy.example.com
Transport Connect
BEEP Greeting
Start Tunnel
Transport Connect
BEEP Greeting
Start Tunnel
OK
OK
BEEP Greeting
Advertise services (proxy now invisible)
Future Work
• Firewall daemon (Enforce Security
Policy)
• Multi–Hop Proxying
• More interoperability testing between C
and Java implementations.
• Support for java server as proxy?
• Bug squashing
• Final report
Spring Schedule
Questions?