Transcript Two

The Aerospace Clinic 2002
Team Members
Nick Hertl (Project Manager)
Will Berriel
Richard Fujiyama
Chip Bradford
Faculty Advisor
Professor Michael Erlinger
Aerospace Liaisons
Joseph Betser, PhD
Rayford Sims
Overview
• Background Information
• Tunnel
• Technical Approach
– Completed work
– Tunnel Demo
– Future work
• Questions
Background
• TCP/IP
• Network Security
• Firewalls
• BEEP
• IDXP
TCP/IP
• Main protocols used over the Internet
• Provides reliable, full-duplex, peer-to-peer communication
• Most current application protocols use this directly: HTTP (web), SMTP (email), etc.
• Multiple connections to the same machine are handled using ports
Today’s Internet
Network Security
• Only authorized users should be able to access private networks
• Some data and services should only be available internally
• Firewalls are used in most corporations to restrict access to network resources
Firewalls
• Set of rules to restrict network traffic
• Can filter by any combination of:
– Source IP
– Destination IP
– Port
– Protocol
• Rule sets are usually static
Today’s Internet with Firewalls
BEEP
• Blocks Extensible Exchange Protocol
• General framework for the rapid creation of application-level protocols
• Provides a message framing mechanism and many common services (profiles)
• Application chooses services (e.g. security) or protocol (HTTP, IDXP)
• Requires an underlying transport protocol – TCP
Tomorrow’s Internet with BEEP
IDXP
• Intrusion Detection eXchange Protocol
• Standard communication of Intrusion Detection messages (IDMEF)
• BEEP profile
• Firewall must not block authorized messages
The Internet with Tunnel
Tunnel
• Our focus is Tunnel for IDXP messages
Tunnel
• Uses XML messages to establish a tunnel:
<tunnel fqdn="host1.example.com" port="10289">
<tunnel />
</tunnel>
• Parsed at every host.
Tunnel
• Characteristics
– Poke a “controlled” hole in firewall – short lived
– Mutual authentication of client/server
– Application level security
• Differs from
– SSH which has one sided authentication
– VPNs which are long lived
– IPSec which requires OS modification
Problem Statement
• Evaluate and implement the Tunnel specification as a BEEP profile in at least two programming languages.
Deliverables
• Evaluation of Tunnel specification
– Will this work?
– What needs more clarification?
• Tunnel Implementation in C and Java
– Fully documented code tree for both languages
– Sample Client/Server/Proxy Applications
Completed Work
• Evaluated Tunnel Specification
• Chose BEEP Implementations
• Implemented
– Host to Host Tunnel
– Single Firewall Tunnel
• Some interoperability testing
Fall Schedule
Tunnel Evaluation
• No standard way to extend the DTD.
• Previously no IPv6 support in the DTD.
• Possibility for loops with misconfigured servers.
• No way to specify a Time-To-Live when using a dynamic route, i.e. connecting to a service rather than a host.
BEEP Implementations:
• Java
– PermaBEEP 0.8 (Better API)
– Beepcore-java 0.9.07 (TLS support)
• C
– Roadrunner 0.9 (More fully implemented)
– Beepcore-C 0.2 (Abandoned)
Host to Host Tunnel
• Profile and application can successfully open a tunnel to a host with no firewall in between.
Single Firewall Tunnel
• Hosts: host1.example.com (initiator), proxy.example.com (on the firewall), host2.example.com (destination)
• Message sequence (one step per slide in the original animation):
  1. host1 → proxy: Transport Connect (TCP)
  2. host1 and proxy exchange BEEP Greetings – advertise services (Tunnel, maybe others)
  3. host1 → proxy: Start Tunnel
     <tunnel fqdn="host2.example.com" port="10288">
     <tunnel />
     </tunnel>
  4. proxy → host2: Transport Connect (TCP)
  5. proxy and host2 exchange BEEP Greetings – advertise services (Tunnel, maybe others)
  6. proxy → host2: Start Tunnel
     <tunnel />
  7. host2 → proxy: OK
     <ok />
  8. proxy → host1: OK
     <ok />
     proxy now transparently forwards messages
  9. host1 and host2 exchange BEEP Greetings – advertise services (proxy now invisible)
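The nested <tunnel> request from the "Uses XML messages" slide and the Start Tunnel / OK exchange above, carried through in code. This is an added Python example, not the team's C or Java implementation; it generalises the single-proxy case to a chain of proxies that each peel one <tunnel> layer, and the hop cap and the revisit check are assumed safeguards standing in for the missing Time-To-Live and loop protection noted in the Tunnel Evaluation, not part of the slides' DTD.

```python
# Added example in Python (not the clinic team's C or Java code): the nested
# <tunnel> request from the slides, built by the initiator and peeled one hop at
# a time by each proxy. MAX_HOPS and the revisit check are assumptions that
# stand in for the Time-To-Live and loop protection the evaluation slide says
# the DTD lacks.
import xml.etree.ElementTree as ET

MAX_HOPS = 8  # assumed cap on nesting depth; the DTD itself has no TTL


def build_request(hops):
    """Initiator side: wrap [(fqdn, port), ...] into nested <tunnel> elements.

    The outermost element names the hop the first proxy must connect to; the
    bare innermost <tunnel /> marks the final endpoint.
    """
    doc = "<tunnel />"
    for fqdn, port in reversed(hops):
        doc = '<tunnel fqdn="%s" port="%d">%s</tunnel>' % (fqdn, port, doc)
    return doc


def peel_hop(request_xml, my_fqdn, max_hops=MAX_HOPS):
    """Proxy side: return (next_fqdn, next_port, xml_to_forward).

    Returns (None, None, None) for the bare <tunnel />, meaning this host is
    the endpoint and answers <ok />. Raises ValueError for malformed requests,
    chains deeper than max_hops, and chains that revisit a host.
    """
    root = ET.fromstring(request_xml)
    chain, node = [], root
    while True:
        if node.tag != "tunnel":
            raise ValueError("unexpected element <%s>" % node.tag)
        kids = list(node)
        if "fqdn" not in node.attrib:          # reached the innermost hop
            if kids or node.attrib:
                raise ValueError("innermost <tunnel /> must be empty")
            break
        if len(kids) != 1:
            raise ValueError("each hop must wrap exactly one <tunnel>")
        chain.append((node.attrib["fqdn"], int(node.attrib["port"])))
        node = kids[0]
    if len(chain) > max_hops:
        raise ValueError("%d hops requested, cap is %d" % (len(chain), max_hops))
    path = [my_fqdn] + [fqdn for fqdn, _ in chain]
    if len(set(path)) != len(path):            # a -> b -> a: misconfigured loop
        raise ValueError("tunnel revisits a host: %s" % " -> ".join(path))
    if not chain:
        return None, None, None
    return chain[0][0], chain[0][1], ET.tostring(root[0], encoding="unicode")
```

Feeding the slide's request to `peel_hop` on proxy.example.com yields host2.example.com, port 10288 and the bare `<tunnel />` to forward; host2 then gets `(None, None, None)` and answers `<ok />`.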
Future Work
• Firewall daemon (Enforce Security Policy)
• Multi-Firewall Support
• More interoperability testing between C and Java implementations.
• Bug squashing
• Final report
Spring Schedule
Questions?