NPCSlli 1 DESIGN AND IMPLEMENTATION OF CONTENT SWITCH ON IXP1200EB Presenter: Longhua Li Committee Members: Dr. C. Edward Chow Dr. Jugal K. Kalita Dr.
Presentation transcript:

NPCS lli 1 DESIGN AND IMPLEMENTATION OF CONTENT SWITCH ON IXP1200EB. Presenter: Longhua Li. Committee Members: Dr. C. Edward Chow, Dr. Jugal K. Kalita, Dr. Charles M. Shub. Dec. 3rd, 2002

NPCS lli 2 Content-Based Switch

NPCS lli 3 Content Switch Architecture (Infocom 2000, Apostolopoulos et al.)
Diagram elements: Client, Hash Table, CS Rules, pkt Modification info, Real Server 1.
Step 1. Controller finds there is no entry in the Hash Table; route request to content switch processor.
Step 2. CS processor: a. Extract content / match CS rules; b. Route request; c. Set up Sequence# modification on server side port.
Step 3. At server side port, return pkts are modified (Sequence# / IP addr / Chksum) and routed back to client.

NPCS lli 4 Commercial Content Switches: Cisco Content Engine (Arrowpoint); Foundry Networks' ServerIron products; F5's Big-IP; Nortel Networks Alteon Web Switches; Intel XML Director; Phobos In-Switch.

NPCS lli 5 Content Switch Operations (diagram)
Incoming Packets -> Header Content Extraction -> Packet Classification -> Content Switching Rule Matching Algorithm (uses Content Switch Rules maintained by the CS Rule Editor) -> Packet Routing (Load Balancing, using Network Path Info and Server Load Status) -> Forward Packet To Servers.
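As an added example (not code from the thesis or the IXP reference design), here is a small Python model of the data path on slides 3 and 5: a flow hash table is consulted first; on a miss the request URL is extracted and matched against CS rules and the flow is bound to a real server; server-side return packets then get their sequence number shifted into the client's space and their TCP checksum fixed with an RFC 1624 incremental update. The rules, server names and HTTP request are constructed sample data.

```python
from dataclasses import dataclass, field


def ones_checksum(words):
    """16-bit one's-complement checksum over a list of 16-bit words (for verification)."""
    s = sum(words)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def checksum_update32(old_cksum, old_val, new_val):
    """RFC 1624 incremental update HC' = ~(~HC + ~m + m'), applied to both
    16-bit halves of a changed 32-bit field such as the TCP sequence number."""
    c = (~old_cksum) & 0xFFFF
    for shift in (16, 0):
        c += ((~((old_val >> shift) & 0xFFFF)) & 0xFFFF) + ((new_val >> shift) & 0xFFFF)
        while c >> 16:
            c = (c & 0xFFFF) + (c >> 16)
    return (~c) & 0xFFFF


@dataclass
class Flow:
    server: str
    seq_delta: int  # switch-side ISN minus real-server ISN, added to return packets


@dataclass
class ContentSwitch:
    rules: list                                # constructed (URL prefix, server) pairs
    default_server: str
    table: dict = field(default_factory=dict)  # hash table keyed by client flow id

    def match_rule(self, url):
        """Rule Matcher: first prefix rule matching the extracted URL wins."""
        return next((srv for pfx, srv in self.rules if url.startswith(pfx)), self.default_server)

    def route_request(self, flow_id, request, switch_isn, server_isn):
        """Steps 1-2: on a hash-table miss, extract content, match rules, bind the flow."""
        if flow_id not in self.table:
            url = request.split("\r\n", 1)[0].split(" ")[1]  # request line 'GET /url HTTP/1.1'
            self.table[flow_id] = Flow(self.match_rule(url), switch_isn - server_isn)
        return self.table[flow_id].server

    def rewrite_return(self, flow_id, server_seq, tcp_cksum):
        """Step 3: shift a server packet's seq into the client's space, fix the checksum."""
        flow = self.table[flow_id]
        new_seq = (server_seq + flow.seq_delta) & 0xFFFFFFFF
        return new_seq, checksum_update32(tcp_cksum, server_seq, new_seq)
```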

NPCS lli 6 Secure Socket Layer (SSL) Protocol. We need SSL for secure communications between client and server. The SSL protocol allows – the exchange of certificates for the authentication of the server and potentially the clients – the negotiation of cipher suites and the selection of session keys for encryption

NPCS lli 7 Overview of SSL Procedure (SSL Messages, Client <-> Server)
1. Client hello ---->
2. <---- Server hello
3. <---- Certificate (Optional)
4. <---- Certificate request (Optional)
5. <---- Server key exchange (Optional)
6. <---- Server hello done
7. Certificate (Optional) ---->
8. Client key exchange ---->
9. Certificate verify (Optional) ---->
10. Change cipher spec ---->
11. Finished ---->
12. <---- Change cipher spec
13. <---- Finished
14. Encrypted data <----> Encrypted data

NPCS lli 8 OpenSSL: An Open Source Toolkit for SSL/TLS. Implements the Secure Sockets Layer protocol (SSL v2/v3) and the Transport Layer Security (TLS v1) protocol. Implements cryptographic algorithms: message digest algorithms, symmetric ciphers, public key cryptography

NPCS lli 9 Intel IXP1200 NP and IXP12EB The IXP Network Processor: Highly integrated RISC architecture The IXP12EB Evaluation Board: – PCI form factor board based on IXP1200 Network Processor – eight 10/100 Mbps ports – two Gigabit Ethernet ports – PCI back-plane and an Ethernet Network Interface Card (NIC)

NPCS lli 10 IXP 1200 Network Processor

NPCS lli 11 Development Environment: Intel Developer Workbench (for Microengines); Wind River Tornado IDE (for StrongARM)

NPCS lli 12 Design of IXP1200-Based Secure Content Switch (NPCS). Purpose of this design – Study resource constraints (memory) on content switch design. – Learn the impact of a real-time embedded OS. – Understand the porting issues (from Linux to VxWorks). Assumptions – Security – Certificates

NPCS lli 13 Design of NPCS (Hardware set up)

NPCS lli 14 Design of NPCS (Software layers)

NPCS lli 15 Design of NPCS (Modules)

NPCS lli 16 Implementation of NPCS. The implementation of NPCS is divided into three parts: – Packet Receiving and Transmitting – Porting OpenSSL – Porting the Linux-based Secure Content Switch and implementing it on IXP12EB

NPCS lli 17 Hardware & Software Environments. Host machine: dilbert. Set up IXP12EB: tgtsvr.exe -n IXP1200EB -m -V -B Wdbrpc -redirectIO. Real Servers: – frodo.uccs.edu ( ) – eca.uccs.edu ( )

NPCS lli 18 The Prototype of NPCS Packets Receiving and Transmitting – Microengine Reception and Transmission – Pseudo Device Driver Porting OpenSSL Porting and Implementing Secure Content Switch on IXP1200EB

NPCS lli 19 Packets Receiving & Transmitting

NPCS lli 20 Porting OpenSSL. No public domain OpenSSL for VxWorks. Two major libraries: CryptoLib and SSLLib. Makefiles. Size of the libraries.

NPCS lli 21 Porting and Implementing Secure Content Switch on IXP12EB Three major tasks (two modules): – Controller – Request Processor – Rule Matcher

NPCS lli 22 The Controller

NPCS lli 23 The Request Processor

NPCS lli 24 The Rule Matcher

NPCS lli 25 Test Results and Analysis. Three test scenarios:
– Both SSL Proxy and Rule Module running on the IXP12EB. Real servers are two Linux machines.
– SSL Proxy running on IXP12EB with Rule Module running on a Linux machine. Real servers are two Linux machines.
– Test response time according to different XML doc request sizes for NPCS and the Intel 7280 XML parser.

NPCS lli 26 Test bed set up

NPCS lli 27 Test Results and Analysis

NPCS lli 28 Test Results and Analysis (Cont.)

NPCS lli 29 Test Results and Analysis (Cont.)

NPCS lli 30 Limitation of NPCS and Possible Future Works
– Communication between tasks
– Rule Module
– File store (no hard drive)
– Utilization of Microengines
– Sizes of Libraries CryptoLib and SSLLib

NPCS lli 31 Lessons Learned
– Hardware configuration: Memory cache size
– Building VxWorks images
– Debugging
– Building libraries
– Testing local OpenSSL implementation on IXP: ssldump

NPCS lli 32 Conclusion. This NPCS is a prototype of a secure content switch that performs the functions of a web switch at the Application Layer on the IXP1200 Network Processor Evaluation Board. The security part of this implementation currently uses the software package OpenSSL version 0.9.6b ported onto VxWorks. Packet receiving uses the modified microengine reference design code and the PETH driver. Its performance is not satisfactory, for good reason. Based on the architecture of the IXP1200 Network Processor and the test results, there are some possible improvements that could be made in the future.

NPCS lli 33 Demo
– Launch IXP12EB and open a shell window.
– Download ssl_proxy.out and rulemodule.out to the IXP.
– At the shell window, type: > init, > PethDrvInit, > sslproxy
– Open another shell window and type: > rulemodule
– Go to test page: