Cisco Confidential © 2011 Cisco and/or its affiliates. All rights reserved. 1 XMPP-Grid for SACM Information Transport XMPP Protocol Extensions for Use.


Slide 1: XMPP-Grid for SACM Information Transport: XMPP Protocol Extensions for Use in SACM Information Transport
Syam Appala, Nancy Cam Winget
22 July 2014

Slide 2 (outline):
XMPP-Grid use-case
Design considerations
What is XMPP-Grid
XMPP as XMPP-Grid transport
XMPP-Grid controller and control/data flow segregation
Client authentication and authorization
XMPP-Grid protocol
Topics and subtopics with message filters
IF-MAP with XMPP-Grid

Slide 3 (XMPP-Grid use-case):
I have NBAR info! I need identity…
I have firewall logs! I need identity…
SIO: I have sec events! I need reputation…
I have NetFlow! I need entitlement…
I have reputation info! I need threat data…
I have MDM info! I need location…
I have app inventory info! I need posture…
I have identity & device-type! I need app inventory & vulnerability…
I have application info! I need location & auth-group…
I have threat data! I need reputation…
I have location! I need identity…

Slide 4 (design considerations):
Visibility into "who is connecting" and "who is accessing what"
Centralized, policy-based authorization: "who can do what"
Secure, bidirectional connectivity
Mutual certificate-based authentication
Flexible consumption APIs: real-time, on-demand, bulk transfer
Client contextual needs supported through semantic and syntactic filtering
Ability for peers to negotiate an out-of-band, secure peer-to-peer connection
Standardized schemas and information models through XML
Scalable to thousands of nodes
Platform agnostic

Slide 5 (design considerations):
Policy-based authorization: centralized control for authorization and client management; facilitates secure communication between authorized clients
Scalable: architecture scales to thousands of clients/nodes; provides resilient, high-availability support
Agile: enables many different uses across the communication fabric, i.e. context, policies …; should be platform agnostic (C/C++, Python, Java …); negotiation for the type of data-plane communication and APIs
Lightweight client: enables adoption through a small footprint and intuitive APIs
Standards: enables adoption through standardization of schemas and information models
Diagram labels: Controller, Transport, XMPP-Grid Server

Slide 6 (design considerations, continued):
Scalable: architecture scales to 100K to 1M nodes/clients; provides resilient, high-availability support
Reliable: provides a message delivery guarantee
Flexible: supports semantic and syntactic filtering to serve contextual needs; supports information time-sensitivity needs
Standards: enables adoption through standardization of schemas and information models

Slide 7 (XMPP as XMPP-Grid transport):
Open: standards-based, decentralized (no single point of failure) and federated architecture
Real-time eventing: using publish/subscribe notifications
Security: domain segregation; federation support; strong security via SASL and TLS
Flexibility: custom functionality can be built on top of XMPP; easily extensible
Bi-directional: avoids firewall tunneling
Scalable: supports cluster-mode deployment and message routing
Peer-to-peer: directed queries and out-of-band file transfer support
Plus presence, service and device capability discovery …

Slide 8 (XMPP-Grid controller):
Plugs in as an external component to the XMPP server
Responsible for:
Account approvals of XMPP-Grid clients
Authorization of client actions: subscribe, publish, query, bulk download
Topic setup with subscription list (a topic is an information channel with publishers and subscribers sharing a well-defined publisher data model)
Maintains a directory of topics and topic subscriptions
Communicates with the other XMPP-Grid controllers in the cluster for HA
Offers interfaces and statistics for management of clients and topics

Slide 9 (control and data flow sequence):
Participants: Publisher (XMPP-Grid client), XMPP-Grid Controller, XMPP Server, Subscriber (XMPP-Grid client)
CONTROL flow:
Authenticate and allow XMPP-Grid Controller communication; Publisher auth status and account
Authenticate and allow XMPP-Grid Controller communication; Subscriber auth status and account
Authorize Publisher to topic sequence; Add Publisher to topic
Authorize Subscriber to topic sequence; Add Subscriber to topic; Subscribe success
Topic and Publisher discovery request; Topic and Publisher JID response
Out-of-band bulk download query authorization
INFRA flow:
Publish message to topic; Publish success; Published message to subscriber
Out-of-band bulk download query request; Out-of-band bulk data byte stream

Slide 10 (client authentication):
Each XMPP-Grid client goes through the phases of authentication, registration and authorized access
Certificate-based mutual authentication between client and server using X.509 certificates
Mutual authentication and tunnel establishment through XMPP "SASL External"
If the client certificate passes validation, client registration requests are relayed only to the XMPP-Grid controller for account approval
If the client certificate does not pass validation, the connection is terminated with XMPP standards-based error messages

Slide 11 (client registration):
Auto registration: clients with the right certificate have their accounts auto-created after authentication; clients can specify the authorization group of interest
Manual registration: the administrator has to approve or decline client accounts after their authentication; the administrator can assign an authorization group to the client, which requires the client to log off and log back in for the group change to take effect
3-layer security model: mutual certificate-based authentication + account approval + authorization group assignment with policy control

Slide 12 (registration sequence):
Participants: Client, XMPP-Grid Controller, XMPP Server
TLS Connect(username, cert)
Track(username, cert)
Register(username, cert)
Register(username)
Approve & Authorize Account
Create User Account(username)
Registration Successful
Login()
Pub/Sub/Query
Logout()

Slide 13 (client authorization):
Authorization policies can be based on attributes such as authorization group, topic name, client name, device type, operation …
The controller authorizes clients to publish or subscribe to a topic at "subscribe" time
A publisher, when it receives a directed (peer-to-peer) or bulk download query from a subscriber, asks the controller for authorization using the XMPP-Grid client identity
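The registration and authorization phases on slides 10 through 13 (certificate validation, auto versus manual registration, authorization group assignment that only takes effect after re-login, and attribute-based authorization of publish/subscribe/query operations) are modelled below as an added Python example. It is not Cisco's XMPP-Grid code. X.509 validation is reduced to a constructed certificate record checked against an assumed trusted issuer (real deployments validate the chain during the TLS/SASL EXTERNAL handshake), and the policy table keyed on (authorization group, topic, operation), the client names and the topic name are all constructed for the example.

```python
"""Model of the XMPP-Grid controller's registration and authorization decisions.
Added example, not Cisco's XMPP-Grid code; see the lead-in for assumptions."""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only the fields the
    controller's decision needs (subject, issuer, expiry)."""
    subject: str
    issuer: str
    not_after: date


# Assumption: a single internal CA issues all XMPP-Grid client certificates.
TRUSTED_ISSUERS = {"CN=Grid-CA"}


def validate_cert(cert, today):
    """Slide 10: the certificate must chain to a trusted issuer and be unexpired."""
    return cert.issuer in TRUSTED_ISSUERS and cert.not_after >= today


@dataclass
class Account:
    username: str
    auth_group: str
    approved: bool          # False until the administrator approves (manual mode)
    logged_in: bool = False


@dataclass
class Controller:
    auto_register: bool     # slide 11: auto registration vs manual registration
    policy: dict            # (auth_group, topic, operation) -> True when allowed
    accounts: dict = field(default_factory=dict)

    def register(self, username, cert, today, auth_group="default"):
        """Returns 'rejected', 'pending' or 'approved'. A rejected certificate
        corresponds to the connection being terminated with an XMPP error."""
        if not validate_cert(cert, today):
            return "rejected"
        acct = Account(username, auth_group, approved=self.auto_register)
        self.accounts[username] = acct
        return "approved" if acct.approved else "pending"

    def approve(self, username, auth_group=None):
        """Administrator approves the account and may assign a different
        authorization group; a group change forces the client to log in again."""
        acct = self.accounts[username]
        acct.approved = True
        if auth_group is not None and auth_group != acct.auth_group:
            acct.auth_group = auth_group
            acct.logged_in = False
        return acct

    def login(self, username):
        acct = self.accounts.get(username)
        if acct is None or not acct.approved:
            return False
        acct.logged_in = True
        return True

    def authorize(self, username, topic, operation):
        """Slide 13: policy lookup on (authorization group, topic, operation).
        Used by the controller at subscribe time, and by a publisher that asks
        the controller before answering a directed or bulk query."""
        acct = self.accounts.get(username)
        if acct is None or not acct.logged_in:
            return False
        return self.policy.get((acct.auth_group, topic, operation), False)


# Constructed policy: sensors may publish/subscribe on the "session" topic,
# consumers may subscribe and send directed queries, nobody may bulk-download.
POLICY = {
    ("sensors", "session", "publish"): True,
    ("sensors", "session", "subscribe"): True,
    ("consumers", "session", "subscribe"): True,
    ("consumers", "session", "directed-query"): True,
}

if __name__ == "__main__":
    today = date(2014, 7, 22)
    ctl = Controller(auto_register=True, policy=POLICY)
    print(ctl.register("sensor-1", Cert("CN=sensor-1", "CN=Grid-CA", date(2015, 1, 1)), today, "sensors"))
    ctl.login("sensor-1")
    print(ctl.authorize("sensor-1", "session", "publish"), ctl.authorize("sensor-1", "session", "bulk-download"))
```

The three layers of the slide 11 security model map onto `validate_cert`, `Account.approved` and `authorize`; a client that passes the first two but has no matching policy row is still denied, and a group reassignment by the administrator is not honoured until the client logs back in.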

Slide 14 (publish/subscribe authorization sequence):
Participants: Publisher/Subscriber, XMPP-Grid Controller, XMPP Server
Publish or Subscribe
Extract identity
Is authorized? (identity, publish/subscribe)
Publish or Subscribe

Slide 15 (directed query authorization sequence):
Participants: Subscriber, Publisher, XMPP-Grid
Query request
Extract identity, certificate chain
Is authorized? (identity, cert chain, service)
Query response

Slide 16 (XMPP-Grid protocol):
Infrastructure protocol that enables the client application to be agnostic to the data-plane protocol, XMPP
Makes use of the XMPP transport and introduces an application-layer protocol leveraging XML and XMPP extensions to define the protocol
Provides interfaces for:
Register, login, logout
Query to discover topics, capability provider discovery, directed peer-to-peer
Register as a publisher or subscriber to a topic (an information channel with publishers and subscribers sharing a well-defined publisher data model)
XMPP-Grid clients connect to the XMPP-Grid using the XMPP-Grid protocol
Capability providers extend the XMPP-Grid protocol infrastructure model and define capability-specific models, allowing a cleaner separation between the infrastructure and the capabilities that run on XMPP-Grid

Slide 17 (capability provider discovery):
Capability Provider Discovery Request: com.domain.ise.session.SessionQuery
Capability Provider Discovery Response

Slide 18 (topics):
A capability provider publishes information with a defined schema on XMPP topic(s)
The capability provider defines the XML schema, topic version, available queries and notifications for each topic
The capability provider publishes its messages to one or more XMPP topics depending on:
Mutually exclusive schemas: create one topic per schema
Same schema, but subscribers want only a subset of attributes and values: XMPP-Grid creates subtopics and uses message filters to deliver the filtered information
Topics are discoverable on XMPP-Grid through an XMPP-Grid protocol query

Slide 19 (subtopics with message filters):
The capability provider specifies to the controller, at subscribe time, the semantic filters (such as location, domain, etc.) that it supports for a given topic
Subscribers discover the topics and supported message filters, and specify the filters of interest to them to the controller
The controller groups subscribers based on the expressed message filters, creates subtopics under the main topic and notifies the publisher about the created subtopic
The publisher publishes a message on the main topic and on the subtopics, after applying the message filter

Slide 20 (subtopics, continued):
The controller cleans up a subtopic whose subscription list is 0, to avoid proliferation of subtopics
Pub/Sub, directed and bulk query can also be supported for subtopics; it all depends on the capability provider
Message filters can instead be applied on the XMPP-Grid server side: rather than publishing on the subtopic, the capability provider publishes on the main topic and the XMPP-Grid Pub/Sub component applies the message filters
Server-side message filters and specific message filter mechanisms such as XPath are beyond the scope of this specification

Slide 21 (IF-MAP with XMPP-Grid):
XMPP-Grid substitutes for the SOAP-based IF-MAP standard interface between the MAP server and other elements in the network
IF-MAP data models for use-cases such as network security can be overlaid on the XMPP-Grid transport to achieve model consistency for both IF-MAP-enabled and XMPP-Grid-enabled deployment scenarios
The MAP server is a participant in both the IF-MAP-enabled network and the XMPP-Grid-enabled network, serving as aggregator and publisher of information
The MAP server can play the role of subscriber and/or publisher depending on the MAP graphs and the contextual metadata to be aggregated and/or published

Slide 22 (deployment diagram):
IF-MAP Enabled Devices: PDP, PEP, Flow Controllers, Sensors, Others, connected via IF-MAP to the MAP Server
XMPP-Grid Enabled Devices: PDP, PEP, Flow Controllers, Sensors, Others, connected via XMPP-Grid to the XMPP-Grid Server Cluster

Slide 23 (multi-region deployment diagram):
Region 1: MAP Server, XMPP-Grid Server, Flow Controllers, Sensors, PDP, PEP, each connected via XMPP-Grid
Region 2: MAP Server, XMPP-Grid Server, Flow Controllers, Sensors, PDP, PEP, each connected via XMPP-Grid
Region 1 and Region 2 are linked via XMPP

Slide 24 (MAP server on XMPP-Grid):
The MAP Server could publish MAP graph attribute changes to interested subscribers
Message filter criteria supported for subtopics could be based on:
metadata types
metadata-identifier linkage attributes
metadata class
existing IF-MAP search criteria

Slide 25: Backup

Slide 26 (subscribe with filter sequence):
Participants: Client, XMPP-Grid Controller, XMPP Server, Capability Provider
Subscribe with filter
Translate and validate filter
Check if a subtopic for the filter exists
Create subtopic if it does not exist
Add Publisher and Subscriber to subtopic
Notify Publisher
Subscribe Success

Slide 27 (publish with filter sequence):
Participants: Client, XMPP-Grid Controller, XMPP Server, Capability Provider
Register as Publisher
Add Publisher to main topic and all subtopics
Return registration success and list of subtopics with filtering criteria
Publish message to main topic
Check filtering criteria and identify subtopics to publish to
Publish message to subtopic that matched the filter
Notify
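The subtopic mechanics on slides 19 and 20 and the two backup sequences on slides 26 and 27 (filter validation against what the capability provider supports, grouping subscribers with the same filter into one subtopic, notifying the publisher once per new subtopic, publisher-side filtering on publish, and cleanup of a subtopic whose subscription list drops to 0) are modelled below as an added Python example. It is not Cisco's XMPP-Grid code. A message filter is represented as a dict of attribute to required value over the published message's attributes; this representation, the subtopic naming scheme, the topic name "session" and the client names are all constructed for the example.

```python
"""Model of XMPP-Grid topics, subtopics and message filters.
Added example, not Cisco's XMPP-Grid code; see the lead-in for assumptions."""
from dataclasses import dataclass, field


def filter_key(filt):
    """Constructed naming scheme: one subtopic per distinct filter, so two
    subscribers asking for the same attribute/value pairs share a subtopic."""
    return "/".join(f"{attr}={filt[attr]}" for attr in sorted(filt))


@dataclass
class Topic:
    name: str
    supported_filters: set                          # attributes the provider filters on
    main_subscribers: set = field(default_factory=set)
    subtopics: dict = field(default_factory=dict)   # subtopic key -> set of subscribers
    filters: dict = field(default_factory=dict)     # subtopic key -> filter dict


class GridController:
    def __init__(self):
        self.topics = {}
        # (topic, subtopic key, filter) notifications sent to the publisher (slide 26)
        self.publisher_notifications = []

    def register_publisher(self, topic_name, supported_filters):
        """Slide 19: the capability provider declares which filters it supports."""
        self.topics[topic_name] = Topic(topic_name, set(supported_filters))
        return self.topics[topic_name]

    def validate_filter(self, topic_name, filt):
        """'Translate & validate filter': return the unsupported attributes."""
        return set(filt) - self.topics[topic_name].supported_filters

    def subscribe(self, topic_name, subscriber, filt=None):
        """Returns the name of the topic or subtopic the subscriber was added to."""
        topic = self.topics[topic_name]
        if not filt:
            topic.main_subscribers.add(subscriber)
            return topic_name
        unsupported = self.validate_filter(topic_name, filt)
        if unsupported:
            raise ValueError(f"unsupported filter attributes: {sorted(unsupported)}")
        key = filter_key(filt)
        if key not in topic.subtopics:          # create subtopic if it does not exist
            topic.subtopics[key] = set()
            topic.filters[key] = dict(filt)
            self.publisher_notifications.append((topic_name, key, dict(filt)))
        topic.subtopics[key].add(subscriber)
        return key

    def unsubscribe(self, topic_name, subscriber, key):
        topic = self.topics[topic_name]
        if key == topic_name:
            topic.main_subscribers.discard(subscriber)
            return
        subs = topic.subtopics.get(key)
        if subs is None:
            return
        subs.discard(subscriber)
        if not subs:                            # slide 20: subscription list is 0
            del topic.subtopics[key]
            del topic.filters[key]


def publish(controller, topic_name, message):
    """Publisher side (slide 27): deliver to the main topic, then to every
    subtopic whose filter the message matches. Returns a map of destination
    (topic or subtopic key) to the sorted list of subscribers that receive it."""
    topic = controller.topics[topic_name]
    deliveries = {topic_name: sorted(topic.main_subscribers)}
    for key, filt in topic.filters.items():
        if all(message.get(attr) == value for attr, value in filt.items()):
            deliveries[key] = sorted(topic.subtopics[key])
    return deliveries


if __name__ == "__main__":
    ctl = GridController()
    ctl.register_publisher("session", {"location", "domain"})
    ctl.subscribe("session", "fw-1")
    ctl.subscribe("session", "nbar-1", {"location": "sjc"})
    # Constructed session record published by the capability provider.
    print(publish(ctl, "session", {"user": "alice", "location": "sjc", "domain": "corp"}))
```

Because filtering happens on the publisher, a subscriber only ever receives messages on the subtopic the controller placed it in; the controller, not the subscriber, decides the subtopic, and a filter naming an attribute the provider never declared is rejected before any subtopic is created.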