Extensible Network Configuration and Communication Framework

1
Extensible Network Configuration and
Communication Framework
  • Todd Sproull and John Lockwood
  • {todd,lockwood}@arl.wustl.edu
  • 7th International Working Conference on Active
    and Programmable Networks (IWAN)
  • November 2005
  • http://www.arl.wustl.edu/arl/projects/fpx/

2
Overview
  • Background
  • Project motivation
  • Extensible Network Configuration Architecture
  • Experimental Results
  • Initial results using the Emulab testbed
  • Conclusions

3
Background
  • Administrators currently overwhelmed securing
    networks
  • Security devices in the network help combat the
    problem
      • Intrusion Detection or Prevention Systems (IDS
        or IPS)
      • Packet shapers
      • Firewalls
  • Overhead associated with managing these devices
    is fairly high
      • Require manual configuration
      • Lack interoperability with other security devices

[Diagram labels: Intrusion Detection System (IDS), NAT / Firewall, Intrusion Prevention System (IPS), Wireless Router, Traffic Shaper]

4
Problem Statement
  • Objective
      • Develop generic infrastructure for management of
        security devices
  • Challenges
      • Need an abstraction for communication between
        heterogeneous security devices
      • Need to provide interfaces to configure key
        components of a security device
      • Example: Ability to update rules on each firewall
        supported in the overlay
  • Proposed Solution
      • Deploy an overlay network of security devices
      • Allow nodes to communicate through eXtensible
        Markup Language (XML)
      • Create generic abstractions of a device that are
        advertised to peers
      • Example advertisement: "I provide firewall
        capabilities"

5
Description of Framework
  • Create overlay network of security devices
  • Nodes create and join groups of interest
      • Administrative
      • Firewall
      • Anomaly Detection
  • Nodes discover services in each group
  • Devices subscribe to events of interest
      • Administrative Updates
      • Virus Signatures
      • Malicious IP flows to rate limit
  • Administrator joins overlay to issue updates
      • Messages sent to each peer or a single group
  • Nodes communicate with each other through
    services
  • Overlay software interfaces directly with
    applications executing on the node
      • Modifying configuration files
      • Restarting processes

[Diagram labels: Intrusion Detection System (IDS), NAT / Firewall, Intrusion Prevention System (IPS), Wireless Router, Traffic Shaper]

6
Implementation
  • Overlay network built using the JXTA API
      • Provides open infrastructure to create
        Peer-to-Peer (P2P) networks
  • Protocols built into JXTA include
      • Peer Discovery
          • Discover peers, groups, and services in the
            overlay
      • Endpoint Routing
          • Provide route information to peers, simplifying
            communication behind firewalls and NAT
      • Pipe Binding
          • Creates communication channels for sending and
            receiving XML messages
  • Supports various programming languages
      • Java (J2SE)
      • C
      • Mobile Java (J2ME)
      • Ruby

7
Example Security Nodes
  • Current research explores three hardware platforms

[Image labels: FPX with FPGA Hardware; Pentium M Embedded Processor]

8
Experimental Setup
  • Testbed experiment evaluates overhead in
    Processing and Routing XML Messages in JXTA
      • XML Publish/Subscribe
      • JXTA Pipes Creation
      • JXTA Message Notification
  • Traffic Generator sends XML messages to Publisher
  • Publisher parses XML messages and forwards
    message to clients based on individual service
    subscription
  • Experiment created in Emulab testbed
      • 2GHz Pentium 4 nodes
      • 100Mbit/sec Ethernet links

[Diagram labels: XML Traffic Generator, Publisher, Subscribers, Network A, Network B]

9
Experimental Results
  • Experiments performed measure packet loss as
    packets per second (pps) increase
      • XML Traffic Generator increases pps to Publisher
      • Publisher forwards relevant messages to a single
        subscriber
      • All messages forwarded in this experiment
      • Loss represents packets not received by
        subscriber
  • Relatively low performance is due to overhead in
    JXTA creating an output pipe for each
    connection
      • The overhead is approximately 40ms per connection
  • Potential optimizations
      • Creating output pipe once per node, assuming the
        peer is available
      • Utilizing JXTA sockets instead of JXTA pipes
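
The subscription-based forwarding and the "output pipe once per node" optimization described on the slides above, as an added Python example that is not the authors' code and calls no JXTA API. The `<event service="...">` message schema, the `Publisher` class, the peer names and the sample traffic are assumptions made for illustration; the 40 ms figure is used only as a simulated cost counter.

```python
import xml.etree.ElementTree as ET

PIPE_SETUP_MS = 40  # per-connection pipe overhead quoted on the slide

class Publisher:
    """Toy model of the publisher; it simulates pipe cost and calls no JXTA API."""
    def __init__(self, cache_pipes):
        self.cache_pipes = cache_pipes
        self.subs = {}       # service name -> set of subscriber ids
        self.pipes = {}      # subscriber id -> cached output pipe
        self.delivered = {}  # subscriber id -> message bodies received
        self.setup_ms = 0    # simulated time spent creating output pipes
        self.dropped = 0     # rejected, malformed or unsubscribed messages

    def subscribe(self, peer, service):
        self.subs.setdefault(service, set()).add(peer)

    def _pipe(self, peer):
        if self.cache_pipes and peer in self.pipes:
            return self.pipes[peer]          # reuse: no setup cost
        self.setup_ms += PIPE_SETUP_MS       # a new output pipe is created
        pipe = self.delivered.setdefault(peer, [])
        if self.cache_pipes:
            self.pipes[peer] = pipe
        return pipe

    def publish(self, raw):
        """Parse one XML message and forward it; return the number of deliveries."""
        try:
            if "<!DOCTYPE" in raw or "<!ENTITY" in raw:
                raise ValueError("DTDs from peers are not accepted")
            msg = ET.fromstring(raw)
        except (ET.ParseError, ValueError):
            self.dropped += 1
            return 0
        peers = self.subs.get(msg.get("service"), set()) if msg.tag == "event" else set()
        if not peers:
            self.dropped += 1
            return 0
        for peer in sorted(peers):
            self._pipe(peer).append(msg.findtext("body", default=""))
        return len(peers)

# Constructed sample traffic; the schema and values are assumptions.
SAMPLE = ['<event service="firewall"><body>deny 192.0.2.10</body></event>'] * 3 + [
    '<event service="virus-signatures"><body>sig-update-1</body></event>',
    '<event service="firewall"><body>',                              # truncated
    '<event service="traffic-shaper"><body>x</body></event>',        # no subscriber
    '<!DOCTYPE event [<!ENTITY x "y">]><event service="firewall"/>'  # DTD rejected
]

def run(cache_pipes, messages=SAMPLE):
    pub = Publisher(cache_pipes)
    pub.subscribe("fw-1", "firewall")
    pub.subscribe("ids-1", "virus-signatures")
    for raw in messages:
        pub.publish(raw)
    return pub
```

With per-message pipes the simulated setup cost grows with every delivery; with cached pipes it grows only with the number of distinct subscribers.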

10
Future Work
  • Evaluate security functions of the overlay
      • Example: Benchmark nodes' ability to update
        firewall rules in the presence of an attack
  • Deploy all three platforms in one testbed
    environment
  • Utilize Open Network Labs
      • Testbed for developing high performance network
        applications
  • Investigate Hardware Plug-ins

11
Conclusions
  • Proposed Architecture for Network Configuration
    and Communication
      • Overlay network distributing XML messages between
        devices
  • Developed and deployed framework in network
    testbed
  • Obtained Preliminary Results
      • Quantified overhead of JXTA protocol and XML
        message parsing in publish/subscribe network

12
Acknowledgments
  • Research Group
      • Reconfigurable Network Group
        http://arl.wustl.edu/projects/fpx/reconfig.htm