The Design and Implementation of a Secure Content Switch

Slides:



Advertisements
Similar presentations
Encrypting Wireless Data with VPN Techniques
Advertisements

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
9/26/2001Godavari Thesis Proposal SSL Proxy1 The Design and Implementation of a SSL Proxy for Content Switch Thesis Proposal by Ganesh Kumar Godavari Department.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
11/2/2000Weihong Wang/Content Switch Page 1 Content Switch. Introduction of content web switch.. Some content switch products in the market.. Design of.
Design of Web Interface for Advanced Content Switch Thesis proposal by Jayant Patil Department of Computer Science Univ. of Colorado at Colorado Springs.
ClientHello ServerHello Certificate Establish protocol version, session- id, cipher suite, compression method. Certificate Request ServerHelloDone Certificate.
Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?
NPCSlli 1 DESIGN AND IMPLEMENTATION OF CONTENT SWITCH ON IXP1200EB Presenter: Longhua Li Committee Members: Dr. C. Edward Chow Dr. Jugal K. Kalita Dr.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
The Design and Implementation of a SSL Proxy For Content Switch Thesis Proposal by Ganesh Kumar Godavari Department of Computer Science Univ. of Colorado.
Application Layer  We will learn about protocols by examining popular application-level protocols  HTTP  FTP  SMTP / POP3 / IMAP  Focus on client-server.
Network Address Translation, Remote Access and Virtual Private Networks BSAD 146 Dave Novak Sources: Network+ Guide to Networks, Dean 2013.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Course 201 – Administration, Content Inspection and SSL VPN
CHAPTER 2 PCs on the Internet Suraya Alias. The TCP/IP Suite of Protocols Internet applications – client/server applications The client requested data.
Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.
INSTALLING MICROSOFT EXCHANGE SERVER 2003 CLUSTERS AND FRONT-END AND BACK ‑ END SERVERS Chapter 4.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols.
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
1 Apache. 2 Module - Apache ♦ Overview This module focuses on configuring and customizing Apache web server. Apache is a commonly used Hypertext Transfer.
Chapter 1: The Internet and the WWW CIS 275—Web Application Development for Business I.
CHAPTER 2 PCs on the Internet Suraya Alias. The TCP/IP Suite of Protocols Internet applications – client/server applications ◦The client requested data.
Tunneling and Securing TCP Services Nathan Green.
1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.
CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.
Understand Internet Security LESSON Security Fundamentals.
SSH. 2 SSH – Secure Shell SSH is a cryptographic protocol – Implemented in software originally for remote login applications – One most popular software.
VIRTUAL SERVERS Chapter 7. 2 OVERVIEW Exchange Server 2003 virtual servers Virtual servers in a clustering environment Creating additional virtual servers.
SSL: Secure Socket Layer By: Mike Weissert. Overview Definition History & Background SSL Assurances SSL Session Problems Attacks & Defenses.
1 Chapter 1 INTRODUCTION TO WEB. 2 Objectives In this chapter, you will: Become familiar with the architecture of the World Wide Web Learn about communication.
Network security Presentation AFZAAL AHMAD ABDUL RAZAQ AHMAD SHAKIR MUHAMMD ADNAN WEB SECURITY, THREADS & SSL.
Chapter 7: Using Windows Servers
TOPIC: HTTPS (Security protocol)
Web Security CS-431.
3.1 Types of Servers.
Data Virtualization Tutorial… SSL with CIS Web Data Sources
WWW and HTTP King Fahd University of Petroleum & Minerals
Cryptography and Network Security
Web Development Web Servers.
Apache Security with SSL Using FreeBSD
Secure Sockets Layer (SSL)
UNIT.4 IP Security.
E-commerce | WWW World Wide Web - Concepts
E-commerce | WWW World Wide Web - Concepts
Using MIS 2e Chapter 6 Appendix
Cryptography and Network Security Chapter 16
Content Switch Research Projects at UCCS Network Research Lab
SUBMITTED BY: NAIMISHYA ATRI(7TH SEM) IT BRANCH
Processes The most important processes used in Web-based systems and their internal organization.
Jayant Patil Department of Computer Science
Originally by Yu Yang and Lilly Wang Modified by T. A. Yang
Using SSL – Secure Socket Layer
Chapter 9 Windows on the Internet
Computer Communication & Networks
* Essential Network Security Book Slides.
Multimedia and Networks
Cryptography and Network Security
The Secure Sockets Layer (SSL) Protocol
AbbottLink™ - IP Address Overview
Transport Layer Security (TLS)
Applications Layer Functionality & Protocols
APACHE WEB SERVER.
Advanced Computer Networks
Chapter 7 Network Applications
Cryptography and Network Security
Presentation transcript:

The Design and Implementation of a Secure Content Switch Master Thesis Presentation Ganesh Kumar Godavari Department of Computer Science Univ. of Colorado at Colorado Springs 9/19/2018 Secure Content Switch/godavari

Secure Content Switch/godavari Outline of the Talk Content Switch and Overview of SSL Related Literature Design of Secure Content Switch (SCS) Performance of SCS implementation Lessons Learned and Future Directions Conclusion 9/19/2018 Secure Content Switch/godavari

Secure Content Switch/godavari Content Switch (CS) server1 home.htm client Content Switch server2 uccs.jpg . Index.htm . rocky.mid server9 Route packets based on high layer (Layer 5/7) headers and content. Examples: Direct Web traffic based on pattern of URLs, host tags, cookies. Can Route incoming email based on email address; Connect POP/IMAP based on login Web switches and Intel XML Director/accelerator are special cases of content switch. 9/19/2018 Secure Content Switch/godavari

What Services It Can Provide Enabling premium services for e-commerce, ISP, and Web hosting providers Load Balancing and High Available Server Clusters: Web, E-commerce, Email, Computing, File, SAN Policy-based networking, differential/QoS services. Firewall, Strengthening DoS protection, cache/firewall load-balancing ‘Flash-crowd' management Email Spam Protection, Virus Detection/Removal 9/19/2018 Secure Content Switch/godavari

Secure Content Switch/godavari About SSL Secure Sockets Layer (SSL) protocol developed by Netscape Communications to ensure private and authenticated communications put into the public domain for the Internet community 9/19/2018 Secure Content Switch/godavari

Secure Content Switch/godavari OpenSSL OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. Open Source toolkit implementing the Secure Socket Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library Important Libraries SSL The OpenSSL ssl library implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols Crypto The OpenSSL crypto library implements a wide range of cryptographic algorithms used in various Internet standards. The services provided by this library are used by the OpenSSL implementations of SSL, TLS, and they have also been used to implement SSH, OpenPGP, and other cryptographic standards 9/19/2018 Secure Content Switch/godavari

Secure Content Switch/godavari Command Interface The Openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. It can be used for Creation of RSA, DH and DSA key parameters Creation of X.509 certificates, and Certificate Revocation List (CRL) Calculation of Message Digests o Encryption and Decryption with Ciphers SSL/TLS Client and Server Tests Handling of S/MIME signed or encrypted mail 9/19/2018 Secure Content Switch/godavari

Secure Content Switch(SCS) Secure content switch is a transparent proxy that can translate between encrypted and unencrypted data transport on socket connections. Need for secure network access and high performance e-commerce transactions require security Need high performance for better Quality of Service Solution: just plug in SCS between client and the server and thereby add Secure Socket Layer (SSL) support. 9/19/2018 Secure Content Switch/godavari

Goal & Design of Secure Content Switch In addition to the above, we need to be able to route requests based on content to a set of backend real servers. Design Considerations Our real Servers can be located at different places Efficiency must not be ruined Easy to understand/write content switching rules. Dynamic rule update Session Reusability 9/19/2018 Secure Content Switch/godavari

Secure Content Switch/godavari Related Literature [1]George Apostolopoulos, David Aubespin, Vinod Peris, Prashant Pradhan, Debanjan Saha, “ Design, Implementation and Performance of a Content-Based Switch”, Proc. Infocom2000, Tel Aviv, March 26 - 30, 2000, http://www.ieee-infocom.org/2000/papers/440.ps [2] Gregory Yerxa and James Hutchinson, “Web Content Switching” , http://www.networkcomputing.com. [3] “Release Notes for Cisco Content Engine Software”. http://www.cisco.com”. [4] “Foundry ServIron Installation and Configuration Guide,” May 2000.r http://www.foundrynetworks.com/techdocs/SI/index.html [5] “Intel IXA API SDK 4.0 for Intel PA 100,” http://www.intel.com/design/network/products/software/ixapi.htm and http://www.intel.com/design/ixa/whitepapers/ixa.htm#IXA_SDK 9/19/2018 Secure Content Switch/godavari

Design of Secure Content Switch 9/19/2018 Secure Content Switch/godavari

Advantages of Secure Content Switch Preferential Treatment Secure Content Switch has been developed to handle secure Content based routing of Requests. e.g. high purchase requests can be routed to the fast real server Security The Secure Content Switch establishes the secure connection if the Server doesn't support HTTPS 9/19/2018 Secure Content Switch/godavari

Architecture of Secure Content Switch The web browser makes a request to the secure content switch. The dispatcher module in the secure content switch forwards the request to the secure content switch child module. In the dynamic forking version of SCS the dispatcher module forks a child process. In Preforking version of SCS the dispatcher module forwards request to a free child. The secure content switch child module performs the handshake with the client and reads in the request. The secure content switch child module then sends the request to the Rule module, which performs rule matching and returns the name of the server by which the request can be served. The secure content switch child forwards the request to the real server based on the routing decision 9/19/2018 Secure Content Switch/godavari

Dynamic Forking Secure Content Switch Request From Web Browser to the SCS Dispatcher module fork () Secure Content Switch Child module Negotiate SSL Session No Existing SSL Session SSL Request Yes Decrypt Object Using SSL Session Information Yes Encrypt the Object Per Session Information and Send it over HTTPS to the Web Browser Send Object Information To Rule Matching Module Retrieve Server Information Rule Matching Module Retrieve Object From the Server Using Standard HTTP 9/19/2018 Secure Content Switch/godavari

Prefork Secure Content Switch Request From Web Browser to the SCS Dispatcher module assign assign assign Negotiate SSL Session Secure Content Switch Child Process 1 Secure Content Switch Child Process 2 Secure Content Switch Child Process n No SSL Request Existing SSL Session Yes Yes Decrypt Object Using SSL Session Information Encrypt the Object Per Session Information and Send it over HTTPS to the Web Browser Retrieve Object From the Server Using Standard HTTP Retrieve Server Information Rule Matching Module Send Object Information To Rule Matching Module 9/19/2018 Secure Content Switch/godavari

E-Commerce Example: 1. Client Client submits via HTTP/Post (or SOAP) the following purchase in XML: <purchase> <customerName>CCL</customerName> <customerID>111222333</customerID> <item><productID>309121544</productID> <productName>IBM Thinkpad T21</productName> <unitPrice>5000</unitPrice> <noOfUnits>10</noOfUnits> <subTotal>50000</subTotal> </item> <item><productID>309121538</productID> <productName>Intel wireless LAN PC Card</productName> <unitPrice>200</unitPrice> <subTotal>2000</subTotal> <totalAmount>52000</totalAmount> </purchase> 9/19/2018 Secure Content Switch/godavari

E-Commerce Example: 2. Content Switch Content switch receives the packet. Recognize it is a http post request from http request line POST /purchase.cgi HTTP/1.1 Recognize it is an XML document from the meta header content-type: TEXT/XML Parsing XML content Extract values of tag sequences: 52000 purchase/totalAmount CCL purchase/customerName Rule 1 is matched and packet is routed to one of highSpeedServers. Rule 1: if (xml.purchase/totalAmount > 5000) routeTo(highSpeedServers); Rule 2: if (xml.purchase/customerName == CCL) routeTo(specialCustomerServers); 9/19/2018 Secure Content Switch/godavari

Java-based Rule Editor Detect conflicts in content switch rule set Convert rules into LCS rule module. 9/19/2018 Secure Content Switch/godavari

Design of Rule Module Server How can I update rules Dynamically ? Make rule matching part as an separate process Design considerations will the rule module run locally on the machine as the SCS is running? cannot say depends on the user what is going to be the impact on performance ? need to study once in detail !! Current Design Rule module can run as a separate process on the same/different machine. Rule module is an iterative server1 because we found that encryption and decryption are the bottlenecks not rule matching (from the previous results) Updating Rule Module Shutdown the rule module, compile the rule module with new rule set and start up the rule module 1 an iterative server is one that can server one request at a time. 9/19/2018 Secure Content Switch/godavari

Rule Server Module Establish Connection with Rule Server Module Send Url, Src portno, Src IP, HTTP Headers, Data (if any) to the Rule Module Yes Secure Content Switch Child Process No IS (Method == Post) Establish Connection with Default Rule Server Module No Yes Yes IS (content type == x-www-form-urlencoded) No Perform rule matching and send back the Real Server Name, Address and Port # on which Real Server is listening Yes Decrypt the data And populate the rules with values (if any) 9/19/2018 Secure Content Switch/godavari

Secure Content Switch/godavari Test bed 9/19/2018 Secure Content Switch/godavari

Configuration of machines used in testbed Machine Spec IP Address O/S webserver a) calvin.uccs.edu DELL Dimension-4100, 933 MHz, 512MB b) oblib.uccs.edu HP Vectra VL 512 MHz, 512MB  (Content switch) 128.198.60.22    128.198.60.195 Redhat 7.2 (2.4.9-21) Apache 1.3.22 a) dilbert.uccs.edu b) wait.uccs.edu c) wind.uccs.edu  (Client) 128.198.60.23 128.198.60.202 128.198.60.204 a)WinNT-4.0 b)&c)Win-2000, Adv. Server N/A a) eca.uccs.edu b) frodo.uccs.edu c) bilbo.uccs.edu d) odorf.uccs.edu e) walrus.uccs.edu f) wallace.uccs.edu  HP Kayak, 233 MHz, 96MB RAM (Real Server) 128.198.60.188 128.198.60.183 128.198.60.182 128.198.60.196 128.198.60.197 128.198.60.208 Redhat 7.1 (2.4.3-12) Apache 1.3.19 9/19/2018 Secure Content Switch/godavari

SSL Processing Overhead Average SSL req./sec is 14.7 Average HTTP req./sec is 180 dilbert.uccs.edu eca.uccs.edu 9/19/2018 Secure Content Switch/godavari

Dynamic vs. Preforking SCS The performance of the Pre-forking SCS is better than Dynamic Forking SCS eca.uccs.edu dilbert.uccs.edu oblib.uccs.edu frodo.uccs.edu 9/19/2018 Secure Content Switch/godavari

Dynamic vs. Preforking SCS I found out that after one stage the child’s are created and killed immediately there by they are serving a single request, because the Pre-forked server is designed to see that child’s are created ahead of time and kill them if there are more number of child’s, I found that during the test that the child’s are being killed reason could be that more child’s are free which implies number of requests sent by the web-bench are irregular, there by affecting the overall performance of the pre-forked SSLProxy The performance of the Dynamic forking SCS is better than Pre-forked SCS Reason ? What is the advantage of using cluster ? eca.uccs.edu dilbert.uccs.edu calvin.uccs.edu frodo.uccs.edu 9/19/2018 Secure Content Switch/godavari

Performance of Prefork SCS on varying Startup Children Startup children => no of child Processes spawned ahead of time It is Suggested always to keep the Startup Children Small if you don’t expect heavy traffic Having about 25 pre spawned children is better if the traffic load is heavy eca.uccs.edu dilbert.uccs.edu calvin.uccs.edu frodo.uccs.edu 9/19/2018 Secure Content Switch/godavari

Impact of Rules on the performance of Dynamic SCS Clearly there is no impact of rules on the the performance of Dynamic Forking Secure Content Switch eca.uccs.edu dilbert.uccs.edu calvin.uccs.edu frodo.uccs.edu 9/19/2018 Secure Content Switch/godavari

Impact of Rules on the performance of Dynamic Non-SCS Clearly there is some impact of Rules on the the Performance of Dynamic Forking Non-Secure content Switch the smaller the rule set, better the performance No heavy impact of the performance of the Secure content Switch with increase in the number of rules 9/19/2018 Secure Content Switch/godavari

Impact of Real Servers on the Performance of Dynamic SCS Clearly there is no impact of Real Server on the the Performance of Dynamic Forking Secure content Switch Is Secure Content Switch the bottleneck ?? calvin.uccs.edu eca.uccs.edu dilbert.uccs.edu frodo.uccs.edu 9/19/2018 Secure Content Switch/godavari

Impact of Real Servers on the Performance of Dynamic Non-SCS Performance is not directly proportional to # of Real Servers !! Clearly there is impact of Real Server on the the Performance of Dynamic Forking Non-SSL Secure content Switch Performance was found to degrade when there is only one real server 9/19/2018 Secure Content Switch/godavari

Performance of SCS in Local Node situation Local Node => Web Server runs on the Content Switch machine, therefore the content Switch can serve the requests by routing requests internally calvin.uccs.edu No major gains if the real server runs locally or remotely dilbert.uccs.edu Apache Web Server 9/19/2018 Secure Content Switch/godavari

Lessons Learned: Conflicts among Different Servers on Same Machine While measuring results using web bench for local node situation for Pre-fork Non-secure content switch The apache is running on port 8000, SCS on 80. After serving a few requests SCS stopped serving Requests. I stopped Apache web server, SCS started Serving Requests again. I started the Apache Web server, after serving a few requests SCS stopped serving Requests. This process is continuing Probable conflict on who to serve the request is ruled out, as a request send to Secure Content Switch /APACHE is being handled perfectly well 9/19/2018 Secure Content Switch/godavari

Local vs. Remote Rule Module walrus.uccs.edu Pre-fork SCS Overtakes Dynamic forking SCS Dynamic forking SCS Performance was degraded by 100% eca.uccs.edu dilbert.uccs.edu frodo.uccs.edu Rule module 9/19/2018 Secure Content Switch/godavari calvin.uccs.edu

Secure Content Switch/godavari Future Directions Reducing bottleneck of SSL encryption / decryption by having Parallel Processing we need to maintain state across machine using cookies have server id parameter as a part of handshake (OpenSSL – 0.7 may have this feature) caching of web pages Tough to achieve in case of dynamic pages. Modify the Apache web server to include preferred treatment and do fair comparision have packet rewrite techniques. 9/19/2018 Secure Content Switch/godavari

Secure Content Switch/godavari Conclusion Preforking Secure Content Switch encryption and decryption are the major bottleneck no major gains if processor speed is increased. no major benefit if the number of real server or increased no major benefit if the number of the rules are increased Dynamic forking Secure Content Switch major gains if processor speed is increased. some impact if the number of the rules are increased Preforking version of SCS is better than Dynamic forking version of SCS 9/19/2018 Secure Content Switch/godavari

Secure Content Switch/godavari References [1] OpenSSL: The Open Source toolkit for SSL/TLS (http://www.openssl.org) [2] SSL and TLS, by Eric Rescorla [3] SSL and TLS Essentials, by Stephen Thomas [4] mod_ssl: The Apache Interface to OpenSSL (http://www.modssl.org) [5] HTTP Over TLS ftp://ftp.ietf.org/internet-drafts/draft-ietf-tls-https-02.txt The specification on how to run HTTP over SSL/TLS  [6] Tunneling TCP based protocols through Web proxy servers http://www.www.alternic.org/drafts/drafts-l-m/draft-luotonen-web-proxy-tunneling-01.txt The specification for the HTTP CONNECT method  [7] Analysis of SSL 3.0 Protocol http://www.counterpane.com/ssl.html D. Wagner and B. Schneier's USENIX analysis of SSLv3 [8] HyperText Transfer Protocol (HTTP), Version 1.1 (Internet Draft) http://www.w3.org/Protocols/HTTP/1.1/draft-ietf-http-v11-spec-rev-06.txt The application layer protocol Apache+mod_ssl uses over SSL/TLS [9] HyperText Transfer Protocol (HTTP), Version 1.0 (RFC 1945) http://www.ietf.org/rfc/rfc1945.txt The application layer protocol Apache + mod_ssl uses over SSL/TLS 9/19/2018 Secure Content Switch/godavari

Secure Content Switch/godavari References [10] Intel® IXA (Internet Exchange Architecture), http://developer.intel.com/design/ixa/index.htm [11] WindRiver Tornado Development Tools, http://www.windriver.com/products/html/tornado2.html [12] Tornado User’s Guide (Windows Version) 2.0 [13] WindRiver VxWorks, http://www.windriver.com/products/html/vxwks54.html Intel®, IXP-1200, IXP-12EB is the registered Trademarks of Intel Corporation Tornado, VxWorks is the registered Trademarks of Wind River Systems, Inc Linux, Apache, Openssl protected under the GNU General Public License 9/19/2018 Secure Content Switch/godavari

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.