Transcript Onsite
The Aerospace Clinic 2002 Team Members Nick Hertl (Project Manager) Will Berriel Richard Fujiyama Chip Bradford Faculty Advisor Professor Michael Erlinger Aerospace Liaisons Joseph Betser, PhD Rayford Sims Overview • Background Information • Tunnel • Technical Approach – Completed work – Tunnel Demo – Future work • Questions Background • • • • • TCP/IP Network Security Firewalls BEEP IDXP TCP/IP • Main protocols used over the Internet • Provides reliable, full-duplex, peer-topeer communication • Most current application protocols use this directly: HTTP (web), SMTP (email), etc. • Multiple connections to the same machine are handled using ports Network Security • Only authorized users should be able to access private networks • Some data and services should only be available internally • Firewalls are used in most corporations to restrict access to network resources Firewalls • Set of rules to restrict network traffic • Can filter by any combination of: – Source IP – Destination IP – Port – Protocol • Rule sets are usually static BEEP • Blocks Extensible Exchange Protocol • General framework for the rapid creation of application-level protocols • Requires an underlying transport protocol • Provides a message framing mechanism and many common service "profiles" • Profiles provide transparent addition of properties to a connection (i.e. security) Existing BEEP Profiles • • • • • SSL/TLS SASL IDXP Others that don’t apply to our system. Tunnel (soon… :-) IDXP • Intrusion Detection eXchange Protocol • Standard communication of Intrusion Detection messages (IDMEF) • Firewall must not block authorized messages Tunnel • General purpose proxy routing BEEP profile • Our focus is Tunnel for IDXP message Tunnel • Uses XML messages to establish a tunnel: <tunnel fqdn=“host1.example.com" port="10289"> <tunnel /> </tunnel> • Other XML attributes allow routing by IP address, service, or potentially user defined extensions. Alternatives to Tunnel • SSH – Application not intended for this purpose • VPN – Long lived – Invasive to client • IPsec – Requires kernel modification – Few organizations use this Completed Work • Evaluated Tunnel Specification • Chose BEEP Implementations • Implemented – No-Hop Tunnel – One-Hop Tunnel • Some interoperability testing Fall Schedule Tunnel Evaluation • No standard way to extend the DTD. • Previously no IPv6 support in the DTD. • Possibility for loops with misconfigured servers. • No way to specify a Time-To-Live when using a dynamic route, ie: connecting to a service rather than a host. Beep Implementations: • JAVA: – PermaBEEP 0.8 (Better API) – Beepcore–java 0.9.07 (TLS support) • C – Roadrunner 0.9 (More fully implemented) – Beepcore–C 0.2 (Abandoned) No-Hop Tunnel • Profile and application can successfully open a tunnel to a host with no firewall in between. One-Hop Tunnel Let’s take a look. Tunnel host1.example.com proxy.example.com Transport Connect Usually TCP host2.example.com Tunnel host1.example.com proxy.example.com host2.example.com Transport Connect BEEP Greeting Advertise services (Tunnel, maybe others) Tunnel host1.example.com proxy.example.com host2.example.com Transport Connect BEEP Greeting Start Tunnel <tunnel fqdn="host2.example.com" port="10288"> <tunnel /> </tunnel> Tunnel host1.example.com host2.example.com proxy.example.com Transport Connect BEEP Greeting Start Tunnel Transport Connect Usually TCP Tunnel host1.example.com host2.example.com proxy.example.com Transport Connect BEEP Greeting Start Tunnel Transport Connect BEEP Greeting Advertise services (Tunnel, maybe others) Tunnel host1.example.com host2.example.com proxy.example.com Transport Connect BEEP Greeting Start Tunnel Transport Connect BEEP Greeting Start Tunnel <tunnel /> Tunnel host1.example.com host2.example.com proxy.example.com Transport Connect BEEP Greeting Start Tunnel Transport Connect BEEP Greeting Start Tunnel OK <ok /> Tunnel host1.example.com host2.example.com proxy.example.com Transport Connect BEEP Greeting Start Tunnel Transport Connect BEEP Greeting Start Tunnel OK OK <ok /> proxy now transparently forwards messages Tunnel host1.example.com host2.example.com proxy.example.com Transport Connect BEEP Greeting Start Tunnel Transport Connect BEEP Greeting Start Tunnel OK OK BEEP Greeting Advertise services (proxy now invisible) Future Work • Firewall daemon (Enforce Security Policy) • Multi–Hop Proxying • More interoperability testing between C and Java implementations. • Support for java server as proxy? • Bug squashing • Final report Spring Schedule Questions?