
Extensible Network Configuration and Communication Framework

Todd Sproull and John Lockwood, {todd,lockwood}@arl.wustl.edu. 7th International Working Conference on Active and Programmable Networks (IWAN), November 2005. http://www.arl.wustl.edu/arl/projects/fpx/





Presentation Transcript


  1. Extensible Network Configuration and Communication Framework
  Todd Sproull and John Lockwood, {todd,lockwood}@arl.wustl.edu
  7th International Working Conference on Active and Programmable Networks (IWAN), November 2005
  http://www.arl.wustl.edu/arl/projects/fpx/

  2. Overview
  • Background
  • Project motivation
  • Extensible Network Configuration Architecture
  • Experimental Results
    • Initial results using the Emulab testbed
  • Conclusions

  3. Background
  • Administrators currently overwhelmed securing networks
  • Security devices in the network help combat the problem
    • Intrusion Detection or Prevention Systems (IDS) or (IPS)
    • Packet shapers
    • Firewalls
  • Overhead associated with managing these devices is fairly high
    • Require manual configuration
    • Lack interoperability with other security devices
  (Figure: network diagram of security devices: Intrusion Detection System (IDS), NAT / Firewall, Intrusion Prevention System (IPS), Wireless Router, Traffic Shaper)

  4. Problem Statement
  • Objective
    • Develop generic infrastructure for management of security devices
  • Challenges
    • Need an abstraction for communication between heterogeneous security devices
    • Need to provide interfaces to configure key components of a security device
      • Example: Ability to update rules on each firewall supported in the overlay
  • Proposed Solution
    • Deploy an overlay network of security devices
    • Allow nodes to communicate through eXtensible Markup Language (XML)
    • Create generic abstractions of a device that are advertised to peers
      • Example: “Advertisement: I provide firewall capabilities”

  5. Description of Framework
  • Create overlay network of security devices
  • Nodes create and join groups of interest
    • Administrative
    • Firewall
    • Anomaly Detection
  • Nodes discover services in each group
  • Devices subscribe to events of interest
    • Administrative Updates
    • Virus Signatures
    • Malicious IP flows to rate limit
  • Administrator joins overlay to issue updates
    • Messages sent to each peer or a single group
  • Nodes communicate with each other through services
    • Overlay software interfaces directly with applications executing on the node
      • Modifying configuration files
      • Restarting processes
  (Figure: overlay of security devices: Intrusion Detection System (IDS), NAT / Firewall, Intrusion Prevention System (IPS), Wireless Router, Traffic Shaper, with unlabeled peers)

  6. Implementation
  • Overlay network built using the JXTA API
    • Provides open infrastructure to create Peer-to-Peer (P2P) networks
  • Protocols built into JXTA include
    • Peer Discovery
      • Discover peers, groups, and services in the overlay
    • Endpoint Routing
      • Provide route information to peers, simplifying communication behind firewalls and NAT
    • Pipe Binding
      • Creates communication channels for sending and receiving XML messages
  • Supports various programming languages
    • Java (J2SE)
    • C
    • Mobile Java (J2ME)
    • Ruby

  7. Example Security Nodes
  • Current research explores three hardware platforms
  (Figure: the three platforms: 200MHz MIPS Embedded Processor, Pentium M, FPX with FPGA Hardware)

  8. Experimental Setup
  • Testbed experiment evaluates overhead in Processing and Routing XML Messages in JXTA
    • XML Publish/Subscribe
    • JXTA Pipes Creation
    • JXTA Message Notification
  • Traffic Generator sends XML messages to Publisher
  • Publisher parses XML messages and forwards message to clients based on individual service subscription
  • Experiment created in Emulab testbed
    • 2GHz Pentium 4 nodes
    • 100Mbit/sec Ethernet links
  (Figure: testbed topology: XML Traffic Generator, Publisher, Subscribers, spanning Network A and Network B)

  9. Experimental Results
  • Experiments performed measure packet loss as packets per second (pps) increase
    • XML Traffic Generator increases pps to Publisher
    • Publisher forwards relevant messages to a single subscriber
      • All messages forwarded in this experiment
    • Loss represents packets not received by subscriber
  • Relatively low performance is due to the overhead in JXTA of creating an “output pipe” for each connection
    • The overhead is approximately 40ms per connection
  • Potential optimizations
    • Creating output pipe once per node, assuming the peer is available
    • Utilizing JXTA sockets instead of JXTA pipes
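  As an added illustration (not the authors' JXTA code) of the publisher behaviour in slides 5 and 8 and the per-connection pipe cost in slide 9: a small Python simulation of a publisher that parses XML updates, forwards them to peers subscribed to a (group, service) pair, and counts how many output pipes are bound with and without the once-per-node optimization. The XML schema, peer names and pipe model are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample updates; the slides give no schema, so these names are assumed.
FIREWALL_RULE_UPDATE = ('<update group="firewall" service="rules">'
                        '<payload>deny src=203.0.113.7 dst=any</payload></update>')
SIGNATURE_UPDATE = ('<update group="anomaly" service="signatures">'
                    '<payload>sig-id=1001 pattern=EXAMPLE</payload></update>')

class Publisher:
    # Parses XML updates and forwards them to peers subscribed to (group, service).
    def __init__(self, cache_pipes):
        self.subscriptions = defaultdict(set)  # (group, service) -> peer ids
        self.cache_pipes = cache_pipes         # reuse one output pipe per peer?
        self.open_pipes = {}                   # peer id -> simulated pipe
        self.pipe_creations = 0                # each costs ~40 ms in JXTA (slide 9)
        self.delivered = defaultdict(list)     # peer id -> payloads received

    def subscribe(self, peer, group, service):
        self.subscriptions[(group, service)].add(peer)

    def _output_pipe(self, peer):
        # Without caching, a fresh pipe is bound for every message sent to a peer.
        if self.cache_pipes and peer in self.open_pipes:
            return self.open_pipes[peer]
        self.pipe_creations += 1
        pipe = ("pipe", peer)
        if self.cache_pipes:
            self.open_pipes[peer] = pipe
        return pipe

    def publish(self, xml_text):
        # Returns the number of subscribers the message was forwarded to.
        root = ET.fromstring(xml_text)  # untrusted input: prefer defusedxml in production
        group, service = root.get("group"), root.get("service")
        if root.tag != "update" or group is None or service is None:
            raise ValueError("message lacks group/service routing attributes")
        targets = self.subscriptions.get((group, service), set())
        for peer in sorted(targets):
            self._output_pipe(peer)
            self.delivered[peer].append(root.findtext("payload", default=""))
        return len(targets)

def run_trial(cache_pipes, messages):
    # Forward messages to three subscribed peers; return (deliveries, pipes created).
    pub = Publisher(cache_pipes)
    pub.subscribe("fw1", "firewall", "rules")
    pub.subscribe("fw2", "firewall", "rules")
    pub.subscribe("ids1", "anomaly", "signatures")
    deliveries = sum(pub.publish(m) for m in messages)
    return deliveries, pub.pipe_creations
```

Running the same message stream through both modes shows the optimization: pipe creations drop from one per delivery to one per distinct peer, which is the cost slide 9 attributes to the low throughput.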

  10. Future Work
  • Evaluate security functions of the overlay
    • Example: Benchmark nodes' ability to update firewall rules in the presence of an attack
  • Deploy all three platforms in one testbed environment
  • Utilize Open Network Labs
    • Testbed for developing high performance network applications
  • Investigate Hardware Plug-ins

  11. Conclusions
  • Proposed Architecture for Network Configuration and Communication
    • Overlay network distributing XML messages between devices
  • Developed and deployed framework in network testbed
  • Obtained Preliminary Results
    • Quantified overhead of JXTA protocol and XML message parsing in publish/subscribe network

  12. Acknowledgments
  • Research Group
    • Reconfigurable Network Group http://arl.wustl.edu/projects/fpx/reconfig.htm
