Implementing Network File System Policies with FileWall Stephen Smaldone, Aniruddha Bohra, and Liviu Iftode Department.

Presentation transcript:

Implementing Network File System Policies with FileWall Stephen Smaldone, Aniruddha Bohra, and Liviu Iftode Department of Computer Science Rutgers University

2 File System Evolution
Single user (desktop) FS to shared infrastructures
  – Centrally managed
  – 24/7
  – Shared access
  – High maintenance requirements
  – Interoperability: standards
Unprecedented growth
  – Size of storage infrastructures
      Today - Tera
      Tomorrow - Peta, Exa, ???
User density: user consolidation
Data sources
  – File sharing, document management, , IM, VOIP

4 File System Management Problems
Monitoring:
  – Minimal built-in support for statistical monitoring (e.g., nfsstat)
  – Administrators required to gather data from many sources
Access control:
  – Access control maintained per file at the discretion of the owner
  – Administrators must enforce access control to shared resources despite ignorant non-malicious users
Maintenance:
  – Patching newly exposed bugs in the file system
  – Debugging, testing, and deployment of new code
  – Administrator error impact much larger
Evolution:
  – New functionality cannot be introduced without code extensions
Management tools have not evolved to match administrator needs

6 Policy vs. Data Access
Data Access:
  – Evolves independently
  – Performance enhancement
  – Protocol optimization
  – Acceptable to most
Policy:
  – Evolves due to functionality requirements
  – Difficult to specify and reason about
  – Administration requirements differ between installations and must be implemented independent of user requirements
File systems implement a minimal set of management functionality

7-11 Monitoring Policy: Example [figures not preserved]

12 Our Goal We propose a novel approach to implement network file system policies externally, without modifying the client or server, by transforming messages flowing between them.

13 Network File Systems [diagram labels: FS_OP, read(), NFS_REQ(), NFS_OP(), NFS_REQ, NFS_RSP, RPC Transport]

14 Observations
All file system accesses are performed through messages
  – Message transformations can be used to enforce policies
  – File system state can be constructed using information contained in messages
All state relevant to file system accesses is available in messages
  – Policies can use file attributes contained in messages in policy evaluation
  – Statistical information can also be used

15 FileWall Model [diagram labels: FS_OP, NFS_READ(), NFS_REQ, NFS_RSP, RPC Transport]

16-19 Monitoring Policy: Revisited [figures not preserved]
FileWall enables the separation of concerns of network aware policy enforcement and the file systems

20 Outline Motivation Design Implementation Evaluation Related Work Conclusions

21 Design Guidelines
Specification
  – Easy to specify and reason about policies
Protocol semantics
  – Message reordering and aggregation
  – Retransmissions and lost bytes
Performance
  – In critical path → cannot have large delays
Fault tolerance and availability
  – Cannot maintain “hard-state”
  – Limited access to stable storage

22 FileWall Design Overview
Specification
  – Policies specified using macro-like language
  – Message transformation
State Maintenance (Access Context)
  – Local policy state and global environment
  – Read-only state specified by the administrator
  – State generated and stored by policies during execution
  – Time, available disk space, CPU load, etc.
Execution
  – Policy scheduling and execution
  – Logging and debugging

23 FileWall Architecture [diagram labels: FS Client, File Server, FileWall (FileWall Engine, Access Context, Policies); messages M, M’, R, R’]

24 FileWall Policies
Transform messages (requests and replies)
  – REQ handler
  – RSP handler
Use:
  – File attributes contained in messages
  – Access context

25 FileWall Policy Example
Policy: “Show files accessed today”
For each client-visible file:
  – Access Time = TODAY
Transform directory listing messages
  – READDIR and READDIRPLUS

26-34 FileWall Policy Example [figure sequence not preserved; labels: FileWall Engine, Access Context, Policies, FileWall, READDIR, READDIRPLUS]

35 Policy Chains
Defined by administrator
  – Lists policies in order of request processing
Scheduler
  – Determines policy execution schedule
Forwarder
  – Forwards messages between policies
  – Determines next policy in chain as a message flows along the policy chain
  – Discards messages
Default Policies
  – RECV Policy (start), SEND Policy (end)

36 Policy Chains
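
A minimal model of the "Show files accessed today" policy and the policy chain from slides 24, 25 and 35, added here as an example; it is not FileWall's code, which the slides say is built on the Click Modular Router. Assumptions: messages are simplified Python objects rather than XDR-encoded RPC, the REQ handler upgrades READDIR to READDIRPLUS so the reply carries access times, replies traverse the chain in reverse order, and `DenyProc`, `run_chain` and all sample values are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timezone

@dataclass
class Msg:                       # simplified NFS message, not real XDR/RPC
    xid: int                     # RPC transaction id, pairs a reply with its request
    proc: str                    # "READDIR", "READDIRPLUS", "REMOVE", ...
    entries: list = field(default_factory=list)  # reply only: [(name, atime or None)]

class AccessedToday:
    """Policy with a REQ handler and an RSP handler (slide 24)."""
    def req(self, m, ctx):
        if m.proc == "READDIR":          # plain READDIR replies carry no attributes
            ctx["upgraded"].add(m.xid)   # soft state kept in the access context
            m.proc = "READDIRPLUS"
        return m
    def rsp(self, m, ctx):
        if m.proc != "READDIRPLUS":
            return m
        m.entries = [(n, a) for n, a in m.entries if a is not None and
                     datetime.fromtimestamp(a, timezone.utc).date() == ctx["today"]]
        if m.xid in ctx["upgraded"]:     # answer in the form the client asked for
            ctx["upgraded"].discard(m.xid)
            m.proc, m.entries = "READDIR", [(n, None) for n, _ in m.entries]
        return m

class DenyProc:
    """Hypothetical policy: returning None tells the forwarder to discard."""
    def __init__(self, proc): self.proc = proc
    def req(self, m, ctx): return None if m.proc == self.proc else m
    def rsp(self, m, ctx): return m

def run_chain(chain, m, ctx, direction):
    """Forwarder: requests walk the chain in order, replies in reverse (assumed)."""
    for policy in (chain if direction == "req" else reversed(chain)):
        m = getattr(policy, direction)(m, ctx)
        if m is None:                    # a policy discarded the message
            return None
    return m

def demo():
    ctx = {"today": date(2024, 5, 2), "upgraded": set()}    # constructed access context
    chain = [DenyProc("REMOVE"), AccessedToday()]
    def noon(day): return datetime(2024, 5, day, 12, tzinfo=timezone.utc).timestamp()
    req = run_chain(chain, Msg(7, "READDIR"), ctx, "req")
    # Constructed server reply to the rewritten request
    reply = Msg(7, req.proc, [("a.txt", noon(2)), ("old.log", noon(1)), ("b.c", noon(2))])
    out = run_chain(chain, reply, ctx, "rsp")
    dropped = run_chain(chain, Msg(8, "REMOVE"), ctx, "req")
    return req.proc, out.proc, [n for n, _ in out.entries], dropped
```

The per-xid set is the only state the policy keeps, and losing it only means a reply goes back as READDIRPLUS, which matches the "cannot maintain hard-state" guideline on slide 21.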

38 Implementation
FileWall
  – Click Modular Router
  – NFS over UDP
      Unmodified Linux NFS client and server
Policies
  – Statistics monitoring policy
  – Temporal Access Control
  – File Handle Security
  – Client Transparent Failover

40 Fstress Performance (2.4 GHz Server)

41 Interposition Overheads

42 Varying Network Delay

43 Fstress Performance (Overloaded Server)

44 Scalability

45 Related Work
Distributed and Extensible File Systems:
  – FiST [Zadok ’00]
  – Interposed Request Routing [Anderson ’02]
  – SFS [Mazieres ’99]
Extensible Policies:
  – SPIN [Sirer ’95]
  – VINO [Seltzer ’96]
  – Exokernel [Engler ’95]
  – Infokernel [Arpaci-Dusseau ’03]
  – LGI [Minsky ’00], [He ’05]
Composable Network Processing:
  – Packet filters [Bos ’04]
  – x-kernel [Hutchinson ’91]
  – Scout [Montz ’94]
  – Click [Kohler ’00]

48 Future Work
High-Level Policy language
  – Constraints
  – Debugging and logging
User study
  – Real deployment
  – Behavior models
Data transformations
  – Censorship
  – Protocol translations
      NFS -> CIFS
      Recipe-based file system (CASPER)
      IP -> RDMA
  – Video encoding
  – Content adaptation

49 Conclusions
FileWall
  – Architecture, Design, and Implementation
Policy enforcement through message transformation
Implementation of four real-world policies
Policy implementations are portable
Interposition overheads are low
Given sufficient resources, relative to an NFS server, FileWall imposes minimal overheads

50 Acknowledgements
Fabio Picconi (Universite de Paris 6)
Cristian Ungureanu (NEC Labs)

Thank You Questions?