IU-ATC Network Security and Resilience Monitoring (Theme 4)
Policy-driven Resilience Simulator
Alberto Schaeffer-Filho, Paul Smith and Andreas Mauthe
Lancaster University
India-UK Centre of Excellence in Next Generation Networks
EPSRC-DST Project Workshop, Mysore, January 25th-26th, 2011
Introduction
- Basic idea
  - Difficult to evaluate resilience strategies
    - Involve the interplay between a number of detection and remediation mechanisms
    - Must be activated on demand, according to events observed in the network
  - Integrate network simulator and policy framework
    - Simulation of policy-based resilience strategies
    - Policies applied based on conditions observed during run-time: high link utilisation, malicious attacks, equipment failures
    - Observe how policies affect operation of simulated components
  - Understand how real policies affect the operation of resilience mechanisms
  - Evaluate resilience strategies before deployment in the network, e.g. routers
- Gamer & Mayer, 2009: integrated detection mechanisms into network simulator
  - Our work is complementary, but focuses on remediation
Policy-based Management
- Management of network components in the infrastructure
- Decouple hard-wired implementation from the management strategy
- Modify management strategy without interrupting system operation
  - Reconfiguration of operational parameters
  - Dynamic activation/deactivation of mechanisms

P. Smith, A. Schaeffer-Filho, A. Ali, M. Schöller, N. Kheir, A. Mauthe and D. Hutchison. "Strategies for Network Resilience: Capitalising on Policies". In: 4th International Conference on Autonomous Infrastructure, Management and Security (AIMS 2010), Springer, ser. LNCS. Zurich, Switzerland. June 2010.
Policy-driven Network Simulation
- Objects in simulation can be manipulated
  - Setting flags, dropping connections, adding extra delay to packets, etc.
  - Evaluate effects of remediation mechanisms
- Integration techniques (Mayer & Gamer, 2008)
  - Socket connection
    - Sockets in simulation connect to third-party app
    - No source code changes
    - CPU/synchronisation problems
  - Source code integration
    - Only for simple applications
    - No time distortions
    - Difficult due to build dependencies
  - Shared libraries
    - Similar to source code integration
    - Separated building environments
    - Thread scheduling problems

A. Schaeffer-Filho, P. Smith and A. Mauthe. "Policy-driven Network Simulation: a Resilience Case Study". To appear in: 26th ACM Symposium on Applied Computing (SAC 2011), ACM, Taichung, Taiwan. March 2011.
Network Simulators
- NS-2
  - High coupling between C++ and OTcl, steep learning curve, poor scalability
  - Extensible library of publicly available network models
- NS-3
  - Major revision, focus on scalability, extensibility and modularity
  - Still short of network models
- OMNeT++
  - Modular, extensible
  - Good scalability and large library of network models
- SSFNet
  - Implementations in both Java and C++, large number of models
  - Discontinued in 2004
- OPNET
  - Source code of simulator is not publicly available
  - Hard to extend to implement resilience mechanisms
Prototype
Integration between OMNeT++/SSFNet and Ponder2 framework
- Ponder2
  - Both obligation and authorisation policies
  - Policies written in terms of managed objects, kept in a domain structure
  - Different communication protocols supported, e.g. RMI, HTTP
  - Command interpreter and PonderTalk for configuration and control
- OMNeT++
  - Modelling and simulation of networks at and above link layer
  - Realistic topologies, generation of background and attack traffic (ReaSE)
  - Self-similar behaviour: different traffic profiles, such as Web traffic, name server traffic, and streaming traffic
- Resilience mechanisms: instrumented objects in the simulation
  - Link monitor, flow exporter, rate limiter, IDS, etc.
  - Mechanisms export a management interface as a call-back proxy
Prototype
Integration between OMNeT++/SSFNet and Ponder2 framework
- Instrumented objects in the simulation
  - Most are additions to the standard Router module
  - Integration based on XMLRPC
- Simulation platform that permits
  - Experimenting with different topologies
  - Analysis of anomaly scenarios
  - Implementing resilience strategies

Example PonderTalk event-condition-action policy: when the link monitor raises a high-utilisation event and the reported value is at least 75, the rate limiter is throttled (the condition block takes the event value as its argument):

    adapttohigh := factory/ecapolicy create.
    adapttohigh event: event/highutil.
    adapttohigh condition: [ :value | value >= 75 ].
    adapttohigh action: [ rate_limiter_xyz setbitrate: 0.001. ].
Prototype
Policy-based DDoS remediation
- Topology: 2 stub Autonomous Systems connected by 1 transit AS
  - Victim AS attacked by 35 DDoSZombie hosts
  - 1000 hosts generate background traffic to a number of other servers
- Resilience functions carried out at the edge of the AS network
- Progressive detection and tailored remediation of the attack
  1. Attack starts
  2. Rate limit the entire link
  3. Rate limit all traffic towards the victim
  4. Rate limit only the attack flow
  5. All attack flows are successfully classified
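The following is an added illustration, not code from the simulator or from Ponder2, of how the event-condition-action policy shown on the previous slide and the progressive remediation stages on this slide fit together. It models the `adapttohigh` policy (threshold 75, bitrate 0.001 from the slides) plus two constructed follow-on policies; the event names `event/victim_identified` and `event/attack_classified`, the `RateLimiter` stand-in, and the intermediate bitrates 0.5 and 0.1 are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class RateLimiter:
    """Constructed stand-in for the instrumented rate_limiter object in the simulation."""
    scope: str = "none"        # what is currently limited: none, link, victim or flow
    bitrate: float = 1.0       # allowed fraction of link capacity
    history: List[Tuple[str, float]] = field(default_factory=list)

    def setbitrate(self, scope: str, bitrate: float) -> None:
        self.scope, self.bitrate = scope, bitrate
        self.history.append((scope, bitrate))


@dataclass
class Policy:
    """Event-condition-action policy in the shape of the PonderTalk 'adapttohigh' policy."""
    name: str
    event: str
    condition: Callable[[float], bool]      # evaluated on the event value
    action: Callable[[RateLimiter], None]   # invoked on the managed object
    active: bool = True                     # policies can be (de)activated at run-time


def dispatch(policies: List[Policy], target: RateLimiter, event: str, value: float) -> List[str]:
    """Deliver one event to every active policy; return the names of the policies that fired."""
    fired = []
    for p in policies:
        if p.active and p.event == event and p.condition(value):
            p.action(target)
            fired.append(p.name)
    return fired


def progressive_policies() -> List[Policy]:
    """Three-stage remediation: coarse link limit first, then narrower limits as
    detection (flow export, then IDS classification) pins the attack down."""
    return [
        Policy("adapttohigh", "event/highutil", lambda v: v >= 75,
               lambda rl: rl.setbitrate("link", 0.5)),              # assumed stage-1 bitrate
        Policy("limitvictim", "event/victim_identified", lambda v: v >= 1,
               lambda rl: rl.setbitrate("victim", 0.1)),            # assumed stage-2 bitrate
        Policy("limitattack", "event/attack_classified", lambda v: v >= 1,
               lambda rl: rl.setbitrate("flow", 0.001)),            # bitrate from the slide
    ]


def run_scenario(events: List[Tuple[str, float]]) -> RateLimiter:
    rl, policies = RateLimiter(), progressive_policies()
    for event, value in events:
        dispatch(policies, rl, event, value)
    return rl


# Constructed event trace: utilisation climbs as the attack starts, then the flow
# exporter identifies the victim and the IDS classifies the attack flows.
SAMPLE_EVENTS = [("event/highutil", 40.0), ("event/highutil", 82.0),
                 ("event/victim_identified", 1.0), ("event/attack_classified", 35.0)]
```

Running `run_scenario(SAMPLE_EVENTS)` walks the limiter through link, victim and flow scope in that order, while the 40% utilisation event fires nothing; deactivating a policy (`active=False`) skips its stage, which is the kind of change the demonstration slide invites.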
Demonstration
- Instructions online
  - Download, installation, running (OMNeT++ & Ponder2)
- Straightforward to change policies in Ponder2
  - Activate/deactivate policies
  - Adapt their thresholds
  - Observe how these different policies adapt the network behaviour
- More interesting extensions
  - Development of additional policy-enabled modules

Available at: https://forge.comp.lancs.ac.uk/hosted/resilience/policy-resilience-simulator/
Related Publications
- C. Peoples, G. Parr, A. Schaeffer-Filho and A. Mauthe. "Towards the Simulation of Energy-Efficient Resilience Management". To appear in: 4th International ICST Conference on Simulation Tools and Techniques (SIMUTools 2011), ACM/ICST, Barcelona, Spain. March 2011.
- A. Schaeffer-Filho, P. Smith and A. Mauthe. "Policy-driven Network Simulation: a Resilience Case Study". To appear in: 26th ACM Symposium on Applied Computing (SAC 2011), ACM, Taichung, Taiwan. March 2011.
- P. Smith, A. Schaeffer-Filho, A. Ali, M. Schöller, N. Kheir, A. Mauthe and D. Hutchison. "Strategies for Network Resilience: Capitalising on Policies". In: 4th International Conference on Autonomous Infrastructure, Management and Security (AIMS 2010), Springer, ser. LNCS. Zurich, Switzerland. June 2010.
- A. Ali, A. Schaeffer-Filho, P. Smith and D. Hutchison. "Justifying a Policy Based Approach for DDoS Remediation: A Case Study". In: 11th Annual PostGraduate Symposium on the Convergence of Telecommunications, Networking and Broadcasting (PGNet 2010), Liverpool, UK. June 2010.