Architecture of distributed network processors: specifics of application in information security systems



V. Zaborovsky, Polytechnical University, Saint-Petersburg, Russia, vlad@neva.ru

1. Introduction

Modern telematic networks, or the Internet, are distributed hierarchical systems consisting of two basic components: nodes and communication lines. Telematic network nodes are computers with network interfaces employed for data exchange. A node with several network interfaces is called a router or network processor (NP). Each NP interface is provided with one or several identifiers called addresses. There are several types of addresses: physical (MAC), network (IP) and application (port number). The set of network addresses forms a specific space with its own topology and metric. Topology is the measure of nearness in the network; the metric is defined by the communication lines. If more than two addresses are connected by one line, the communication line is termed broadcasting. The number of communication lines traversed determines the distance between nodes; the distance between nodes without network addresses is undefined.

By combining nodes into a telematic network, one can provide information exchange among computer applications executed at the network nodes. Information exchange is based on forwarding and receiving network packets. A packet is a specific logical sequential/recursive structure formed at network nodes to execute information exchange. The sequential part of this structure consists of two fields, header and payload. The recursiveness of a packet stems from the fact that the payload itself may be another packet with its own structure and addresses (Fig.1). A packet originating from an application running on a node and destined to a node in a different network arrives at an NP and is forwarded by it to the appropriate network on the basis of the destination addresses in the packet's header.

Fig.1. Sequence of binary bits.
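The nested header/payload structure of Fig.1 and the NP's selection of the outgoing interface from the destination address, as an added example that is not the paper's code: it parses a constructed Ethernet/IPv4/TCP frame layer by layer and picks the interface by longest-prefix match in a constructed lookup table. The routes, addresses and interface names are assumptions made for the example.

```python
import ipaddress
import struct

# --- Recursive parsing: each layer is header + payload, and the payload may
# --- itself be a packet of the next layer (the Fig.1 structure).

def parse_tcp(data: bytes) -> dict:
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", data[:14])
    hlen = (off_flags >> 12) * 4          # data offset is counted in 32-bit words
    return {"layer": "tcp", "sport": sport, "dport": dport, "seq": seq,
            "flags": off_flags & 0x1FF, "payload": data[hlen:]}

def parse_ipv4(data: bytes) -> dict:
    (vihl, _tos, total, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    hlen = (vihl & 0x0F) * 4
    body = data[hlen:total]               # bytes beyond total length are padding
    inner = parse_tcp(body) if proto == 6 else body   # 6 = TCP; others left raw
    return {"layer": "ipv4", "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)), "ttl": ttl,
            "proto": proto, "payload": inner}

def parse_ethernet(frame: bytes) -> dict:
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    body = frame[14:]
    inner = parse_ipv4(body) if ethertype == 0x0800 else body   # 0x0800 = IPv4
    return {"layer": "ethernet", "dst": dst.hex(":"), "src": src.hex(":"),
            "ethertype": ethertype, "payload": inner}

# --- Routing: the destination address of the inner header selects the NP
# --- interface through a lookup table (constructed; longest prefix wins).

ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),    # default route
    (ipaddress.ip_network("10.0.0.0/8"), "eth1"),
    (ipaddress.ip_network("10.1.2.0/24"), "eth2"),
]

def select_interface(dst_ip: str, routes=ROUTES):
    addr = ipaddress.ip_address(dst_ip)
    hits = [(net.prefixlen, ifname) for net, ifname in routes if addr in net]
    return max(hits)[1] if hits else None

def forward(frame: bytes, routes=ROUTES):
    """Store-and-forward decision for one frame: the outgoing interface name,
    or None when the packet is not sent on (here: non-IPv4 or TTL exhausted)."""
    pkt = parse_ethernet(frame)
    ip = pkt["payload"]
    if not isinstance(ip, dict) or ip["ttl"] <= 1:
        return None
    return select_interface(ip["dst"], routes)

def build_frame(src_ip="192.168.0.10", dst_ip="10.1.2.3", ttl=64) -> bytes:
    """Constructed sample frame: Ethernet / IPv4 / TCP SYN to port 443 / b'hello'."""
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, (5 << 12) | 0x02,
                      65535, 0, 0) + b"hello"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, ttl, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    eth = struct.pack("!6s6sH", bytes.fromhex("aabbccddeeff"),
                      bytes.fromhex("001122334455"), 0x0800)
    return eth + ip + tcp

if __name__ == "__main__":
    print(parse_ethernet(build_frame()))
    print(forward(build_frame()))                    # eth2
```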
The lines in a telematic network are used for bit transmission only; no data processing is executed in the communication line itself. The processing culminates in selection of the NP network interface from which the packet will be sent into the network. Should the processing produce a decision not to send the packet into the network, it is assumed either that the packet has reached the required network node or that it will be dropped. Thus, the basic functionality of an NP or router is determined by two sequential processing stages applied to packets after their arrival from a communication line, namely store-and-forward. However, as networks grow extensively in size and shift to more and more sophisticated applications, NPs become more complex and incorporate new functionality. Hundreds of scientific papers are being published proposing changes to the existing NP architecture or introducing new communication mechanisms. In practice only very few modifications to the current Internet are deployed. One reason is that most improvements require that current routers be replaced.

We consider here a new approach to selecting the NP architecture, in which the extension of functional demands on the various packet processing stages, in particular those involved in addressing information security issues, is carried out by distributing the procedures for their execution among different network devices. One of the key points of this approach is that the devices logically belong to one NP. The specific feature of this distribution is that it does not interfere with the existing address connections or routing policy among the network nodes. This means that new devices that do not change the network address space supplement the expensive routing equipment that is already in place. A special functioning mode called the stealth mode attains the address invariance of the transformation of an NP under the extension of its functionality.

2. Trends in telematics systems progress

As the data transfer rate over communication lines increases and the protocol spectrum broadens, we are witnessing a growth in demands on the performance of the NPs employed in packet handling at network nodes. The architecture and specific features of operation of such processing engines have become the subject of a large number of studies [1--3]. Rather than drawing on a systematic analysis of the various specific requirements and design alternatives, however, most of these studies invoke the well-known results of applying multi-processor architectures to increase the speed of data flow processing. The solutions proposed to improve the functionality of the router now include firewalls, network address translators, means for implementing quality-of-service (QoS) guarantees for different packet flows, and other mechanisms. Such implementations are based on several primary operations with packets: parse, search, resolve and modify (Fig.2). Implementing all these operations in real-time mode on a general purpose processor (GPP) often becomes unfeasible because of the performance requirements. This issue motivates solutions where the packet-processing functionality of an NP is implemented in specific pooled and pipelined hardware. Such a decision has restricted flexibility, while the complex nature of packet operations favours software-based implementations on a GPP. To address these conflicting issues and organize the stages in packet processing, a new store-process-and-forward scenario has recently been proposed.

Fig.2. Primary packet operations: parse, search, resolve, modify.

Fig.3. Packet switching.

In the general case, all solutions may be separated into two classes. Grouped in the first class are the solutions aimed at boosting pure router performance. The main parameters governing router operation are the packet destination addresses, and therefore these solutions are directed at accelerating data search in the router lookup tables. The second class of solutions involves implementing various procedures that do not require routing decisions: packet classification, data processing, providing the required QoS, bandwidth allocation, and so on. In principle, this separation of the handling processes permits one to break up the integrated performance of an NP into components that can be distributed among the individual processes. So, if a packet operation among such components occurs without the use of a routing decision, it can be functionally assigned to the communication lines. This approach modifies the basic network scenario from store-and-forward to process-store-and-forward. This scenario offers a solution providing the necessary flexibility in a telematic network: it keeps the basic routing operation, adds new functionality without changing the network topology, and redistributes computing power between all components of the network.

3. Information security issues

The principle underlying modern computer-based telecommunications is packet switching (Fig.3). In practice, this principle relies on the open systems interconnection (OSI) model to provide several control levels. At each level special data structures, or packets, are controlled by specific rules. The corresponding control processes can be broken down into the following stages: (1) collection of the data to be transmitted through the network; (2) configuring a structure to quantitatively determine the volume of the data to be transmitted; (3) attaching to the data a special header specifying the set of parameters to be used in handling the packet at network nodes; (4) formation of a frame meeting the requirements of the communication line hardware; and (5) frame transmission over the communication line connecting two network nodes. Packets are transmitted over network nodes of several types, more specifically, generation nodes, nodes handling packet headers only, and nodes processing both headers and data. Routing, i.e. selection of the interface to which the packet is forwarded after processing, is a process of local character: it is executed on each network node through which a packet passes. Routing is based on the packet destination node address, which is specified in the corresponding header field, and on the lookup table relating network node addresses to router interface numbers.

The above process is prone to various malicious actions capable of interfering with the standard procedure of packet transmission or of substituting packets on their way from generation to reception. One can conceive of the following basic protection measures: (1) designing a special packet path through network nodes which support processing rules denying transmission of packets with preset addresses and header parameters; (2) executing the tunneling mode, in which the packet to be protected is transmitted in the data field of another network packet; and (3) using special packet transmission modes in which the header parameters are protected by cryptographic algorithms. All these protective measures can be implemented by several means, which can be divided into methods of packet filtration and methods of cryptographic data processing.

The first group of methods protects the network address space by means of special NPs called firewall network processors (FNP) [3]. In the common configuration an FNP does not become an end point of packet transmission and has to be installed in the network segments crossed by the packet flows. These segments are customarily placed between the protected network and the interface of the router connected to this network. To keep the basic functionality of the telematic network, the routing policy must be invariant to the place where the FNP has been installed. This is possible if the network metric is not changed by the FNP, which holds when its filtering interfaces have no physical or network addresses. Protective measures of the second type require designing special network gateways supporting the tunneling mode, with packet encoding being optional in this case. If such gateways are provided with routing functions, one of the promising network protocols in this case may be IPSec. This protocol permits different implementation possibilities, one of which is based on an approach that separates routing and cryptographic tasks between different processes forming a specific processor network connected by communication lines (Fig.4). While the telecommunication industry features an excess throughput of physical lines, it nevertheless experiences an ever-increasing demand for efficient packet processing methods.
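The filtering FNP described above, in the stealth-mode form that section 4 develops (a bridge whose interfaces carry no addresses), as an added example that is not the paper's code or its FNP platform: a two-port filter that can never be the destination of a packet and never emits one, whose only output is a forward/drop verdict per frame, with headers and thus the address space left identical on both sides. The rule format, the protected prefix 10.1.2.0/24, the addresses and the sample traffic are constructed for the example, and frames arrive already parsed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

FORWARD, DROP = "forward", "drop"

@dataclass(frozen=True)
class Rule:
    """Rule on header parameters; None means 'any', src/dst are CIDR prefixes."""
    action: str
    direction: str                  # "in": outside -> protected, "out": reverse
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # "tcp", "udp", "icmp"
    dport: Optional[int] = None

    def matches(self, ip: dict, direction: str) -> bool:
        return (self.direction == direction
                and ip_address(ip["src"]) in ip_network(self.src)
                and ip_address(ip["dst"]) in ip_network(self.dst)
                and self.proto in (None, ip["proto"])
                and self.dport in (None, ip.get("dport")))

class StealthFilter:
    """FNP with ports 'outside' and 'inside', neither with a MAC or IP address:
    it cannot be addressed, answers nothing, and only returns a verdict."""

    def __init__(self, protected: str, rules: list):
        self.protected = ip_network(protected)
        self.rules = rules
        self.connections = set()    # 5-tuples of connections opened from inside

    def process(self, port: str, frame: dict) -> str:
        # parse: non-IP frames (e.g. ARP) pass through; hosts on either side answer them
        ip = frame.get("ip")
        if ip is None:
            return FORWARD
        direction = "in" if port == "outside" else "out"
        # resolve: a protected source address may only arrive on the inside port
        if (ip_address(ip["src"]) in self.protected) != (direction == "out"):
            return DROP
        key = (ip["src"], ip["dst"], ip["proto"], ip.get("sport"), ip.get("dport"))
        reverse = (key[1], key[0], key[2], key[4], key[3])
        # search: reply traffic of a connection already opened from inside
        if direction == "in" and reverse in self.connections:
            return FORWARD
        # decide: first matching rule wins, default deny. There is no modify
        # stage: the header leaves exactly as it arrived (no NAT, no rewriting).
        for rule in self.rules:
            if rule.matches(ip, direction):
                if rule.action == FORWARD and direction == "out":
                    self.connections.add(key)
                return rule.action
        return DROP

def ip_frame(src, dst, proto, sport=None, dport=None) -> dict:
    """Constructed, already parsed frame (MACs omitted: the filter ignores them)."""
    return {"ip": {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}}

RULES = [
    Rule(FORWARD, "in", dst="10.1.2.3/32", proto="tcp", dport=443),  # public HTTPS host
    Rule(FORWARD, "out"),                                           # inside may open
]

def demo() -> list:
    fnp = StealthFilter("10.1.2.0/24", RULES)
    return [
        fnp.process("outside", {"arp": {"who_has": "10.1.2.1"}}),                       # forward
        fnp.process("outside", ip_frame("198.51.100.7", "10.1.2.3", "tcp", 40000, 443)),  # forward
        fnp.process("outside", ip_frame("198.51.100.7", "10.1.2.3", "tcp", 40001, 22)),   # drop
        fnp.process("outside", ip_frame("10.1.2.50", "10.1.2.3", "tcp", 40002, 443)),     # drop: spoofed
        fnp.process("inside", ip_frame("10.1.2.3", "198.51.100.53", "udp", 5353, 53)),    # forward
        fnp.process("outside", ip_frame("198.51.100.53", "10.1.2.3", "udp", 53, 5353)),   # forward: reply
        fnp.process("outside", ip_frame("198.51.100.53", "10.1.2.3", "udp", 53, 5354)),   # drop: no state
    ]
```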
These demands have stimulated a broad spectrum of studies dealing with the development of special NPs for use in network security systems. Development of such NPs should be carried out taking into account the trends predicting growth in the throughput of communication lines based on optical media and wavelength division multiplexing technologies. General solutions to the problem of boosting NP performance may be found in network technologies or by spreading the needed power between different nodes. The well-known possible means can be judiciously divided into the following groups: development of NPs based on parallel processors with a shared RAM; development of pipelined NPs with RAM resources distributed between different processing phases; and hybrid network-specific architectures, in which the stages of sequential and parallel processing are matched to the number of independent data flows. The efficiency of such solutions is fully determined by the specific algorithmic features of the problems to be solved and by the way the relevant data are supplied. In the case of packet processing in network security systems, the factors of particular significance are the parallel character of the flow in time space, in which the number of simultaneously processed connections depends on the number of nodes with different network addresses, and the sequential character of packet transmission in network address space. Because the transmission of packets is executed in an asynchronous mode, i.e. it is initiated independently by each node, the number of logical connections passing through the routers is a random quantity obeying a fractal distribution function [4]. Since the packet switching processes have a complex character, the nominal number of parallel processors in the architecture of an NP does not fully determine its performance, so that the optimum number of pipeline processing stages depends on the actual character of the problem awaiting solution and, thus, can vary. All these factors stimulate a search for new approaches to a better organization of network packet processing.

Fig.4. Processor network separating routing and cryptographic tasks.

4. Distributed NP architecture

Development of NPs for security systems can be based on separating packet processing functions into base and additional operations. Among the base operations is packet routing; to the additional ones one can assign the other packet operations connected with extension of the NP functionality, for instance packet filtration. The proposed separation permits one to consider a network node as part of a special packet processing network. The connection topology of the processing devices should be such that packet transmission among them does not involve the addresses of the nodes included in the routing lookup table. Application of this approach to information security issues allows the use of network control technologies based on the "security through protection of the protection devices" system principle. This principle places the two key aspects of information security underlying the Common Criteria standard, namely functionality and confidence, on an equal footing. Adhering to this principle implies that the devices employed to protect information in a computer network should incorporate efficient mechanisms to ensure their own security at the stages of both development and operation. To reach this goal, one should undertake, at several levels of the OSI model, measures which make localization of the protection devices in the network address space by remote monitoring impossible. This concealment of functioning gives rise to a modification of the protection model using NPs without addressed interfaces (NPs in stealth mode), because most of the existing means of network attack and destructive interference are based on remote neutralization of the devices employed to protect information resources in a network.

Fig.5. NP as a transparent logical channel between network nodes.

Fig.6. Pipeline cluster of NP nodes.

Development of protective devices in the stealth mode with the use of distributed NPs becomes possible because in most of their operational regimes such devices do not act as sources or destinations of network packets. Therefore, the network interfaces of these devices may have no physical or logical addresses at all and, hence, transmission of IP packets or MAC frames through them becomes similar in character to their passing through a hub or the cable line segments used in packet exchange. To operate successfully, an NP should work like a sophisticated parallel bundle of network cables, or a transparent but secure logical channel between the network nodes (Fig.5). The next step of decomposition is based on the sequential-parallel-sequential stages in packet-handling processes. This offers a possibility to cut packet delays in the packet reception and processing mode. The operation sequence in the second mode can be integrated into a specialized pipeline cluster and spread out between its nodes (Fig.6). In this scheme, an NP can either bridge or route traffic. In the first case, the NP functions as a layer-2 network bridge with IP-transparent, or stealth, interfaces. This means that each interface has a MAC address but the network or IP address space is the same on both sides of the firewall.

This method of concealing the network address of information protection devices, on the one hand, provides the conditions necessary for execution of the protection functions, while on the other, because the network interfaces of the packet processing device have no addresses, it does not require any changes in the network connection topology or in the already accepted packet routing policy. Security devices based on stealth technologies have a number of assets not only due to their concealed functioning but also from the standpoint of scalability of performance and enhanced reliability of operation. The improved performance originates from the use of the sequential/parallel character of the network traffic, where independent logical connections form through pipelined transmission of packets with definite addresses of message sources and receivers (Fig.6). Operation of network devices based on IEEE 802.3 Ethernet technologies in the stealth mode permits packet processing in the kernel of the built-in operating system without using the TCP/IP protocol stack. This method of processing reduces the level of packet buffering delay fluctuation, which likewise improves concealment of the location of the protection devices.

6. Conclusion

Application of network processors with a distributed architecture substantially broadens the range of use of information protection systems in telematic networks. The concealed character of operation of the protection devices offers a possibility of integrating additional packet processing procedures into the standard switching process without changing the routing policy in any way. Application of the stealth technology cuts the costs of network upgrading, because its implementation permits redistribution of the required processing power among various network devices. The NP clusterization technology provides a possibility of scaling up the performance of network nodes and increasing the overall system reliability.

REFERENCES

1. Intel Corp. Intel Second Generation Network Processor, http://www.intel.com/design/network/products/npfamily/ixp2400.htm
2. V.S. Zaborovsky, "Multiscale Network Processes: Fractal and p-adic analysis", Proceedings of the 10th International Conference on Telecommunications ICT'2003, University of Haute Alsace, Colmar, France, 2003.
3. V.S. Zaborovsky, Y.A. Shemanin, Jim A. McCombs, A. Sigalov, "Firewall Network Processors: Concept, Model and Platform", Proceedings of the International Conference on Networking (ICN'04), Guadeloupe, 2004.
4. N.O. Vil'chevskii, V.S. Zaborovsky, V.E. Klavdiev and Yu.A. Shemanin, "Methods of Evaluating the Efficiency of Control and Protection of Traffic Connections in High-Speed Computer Networks", Proc. Conf. Mathematics and the Security of Information Technologies (MaBIT-03), Lomonosov MSU, October 23--24, 2003.