We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byAngelo Alls
Modified over 2 years ago
Cisco Confidential © 2011 Cisco and/or its affiliates. All rights reserved. 1 XMPP-Grid for SACM Information Transport XMPP Protocol Extensions for Use in SACM Information Transport http://tools.ietf.org/html/draft-salowey-sacm-xmpp-grid-00 Syam Appala, Nancy Cam Winget 22 July 2014
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2 XMPP-Grid Use-Case Design Considerations What is XMPP-Grid XMPP as XMPP-Grid Transport XMPP-Grid Controller & Control, Data Flow Segregations Client Authentication & Authorization XMPP-Grid Protocol Topics & Subtopics with message filters IF-MAP with XMPP-Grid
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3 I have NBAR info! I need identity… I have firewall logs! I need identity… SIO I have sec events! I need reputation… I have NetFlow! I need entitlement… I have reputation info! I need threat data… I have MDM info! I need location… I have app inventory info! I need posture… I have identity & device-type! I need app inventory & vulnerability… I have application info! I need location & auth-group… I have threat data! I need reputation… I have location! I need identity…
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4 Visibility into “who is connecting”, “who is accessing what” Centralized, policy-based authorization – “who can do what” Secure, bidirectional connectivity Mutual certs-based authentication Flexible consumption APIs – real-time, on-demand, bulk transfer Client contextual needs support through semantic, syntactic filtering Ability for peers to negotiate out-of-band, secure p2p connection Standardize schemas & information models through XML Scalable to thousands of nodes Platform agnostic
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5 Policy-based Authorization Centralized control for authorization and client management Facilitates secure communication between authorized clients Scalable Architecture scales to thousands of clients/nodes Provide resilient, high availability support Agile Enable many different uses across the communication fabric i.e. context, policies … Should be platform agnostic (C/C++, Python, Java …) Negotiation for type of data plane communication & APIs Lightweight Client Enable adoption through small footprint & intuitive APIs Standards Enable adoption through standardization of schemas & information models Controller Transport XMPP-Grid Server
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6 Scalable Architecture scales to 100K – 1M of nodes/clients Provide resilient, high availability support Reliable Provide message delivery guarantee Flexible Support semantic & syntactic filtering to serve contextual needs Support information time sensitivity needs Standards Enable adoption through standardization of schemas & information models
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7 Open – standards-based, decentralized (no single point of failure) and federated architecture Real-time eventing – using publish, subscribe notifications Security – Domain segregations; federation support; strong security via SASL and TLS Flexibility – Custom functionality can be built on top of XMPP; Easily extensible Bi-directional - avoids firewall tunneling Scalable – supports cluster mode deployment and message routing Peer-to-peer – directed queries and OOB file transfer support + Presence, service and device capability discovery …
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8 Plugs-in as external component to the XMPP server Responsible for – Account approvals of XMPP-Grid clients Authorization of client actions – subscribe, publish, query, bulk download Topic (information channel with publishers and subscribers sharing a well defined publisher data model) setup with subscription list Maintains directory of topics & topic subscriptions Communicates with other XMPP-Grid controller in cluster for HA Offers interfaces & statistics for management of clients & topics
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9 Publisher XMPP- Grid Client XMPP-Grid Controller XMPP Server XMPP- Grid Client Subscriber Authorize Publisher to topic sequence Authorize Subscriber to topic sequence Add Publisher to topic Add Subscriber to topic Authenticate & allow XMPP-Grid Controller Communication Publisher Auth Status & Account Authenticate & allow XMPP-Grid Controller Communication Subscriber Auth Status & Account Publish Message to topic Publish Success Published Message to subscriber Subscribe Success CONTROLCONTROL Topic & Publisher Discovery Request Topic & Publisher JID Response Out-of-Band Bulk Download Query Request Out-of-band Bulk data byte stream INFRAINFRA Out-of-Band Bulk Download Query Authorization
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10 Each XMPP-Grid client will go through the phases of authentication, registration and authorized access Certs-based mutual authentication between client and server using X.509 certificates Mutual authentication and tunnel establishment through XMPP “SASL External” If client certificate passes validation client registration requests are relayed only to XMPP-Grid controller for account approval If client certificate does not pass validation, the connection is terminated with XMPP standards-based error messages
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11 Auto registration Clients with the right cert will have their accounts auto created after authentication Clients can specify authorization group of interest Manual registration Administrator has to approve/decline client accounts after their authentication Administrator can assign authorization group to the client resulting in client logoff and logging back in for the group change to take effect 3 layer security model – Mutual-cert based authentication + account approval + authorization group assignment with policy control
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12 Client XMPP-Grid Controller XMPP Server TLS Connect(username, cert) Track(User name, cert) Register(username, cert) Register(username) Approve & Authorize Account Create User Account (username) Registration Successful Login() Pub/Sub/Query Logout()
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13 Authorization policies can be based on attributes such as Authorization group, Topic name, client name, device type, operation … Controller authorizes clients to publish or subscribe to a topic at “subscribe” time Publisher, when it receives a directed (peer-to-peer) or bulk download query from a subscriber, asks the controller for authorization using XMPP- Grid client identity
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14 Publisher/Subsc riber XMPP-Grid Controller XMPP Server Publish or Subscribe is authorized? (identity, publish/ subscribe) Publish or Subscribe extract identity
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15 Subscriber Publisher query request query response is authorized? (identity, cert chain, service) extract Identity, certificate chain XMPP-Grid
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16 Infrastructure protocol that enables client application to be agnostic to data plane protocol, XMPP Makes use of the XMPP transport and introduces an application layer protocol leveraging XML and XMPP extensions to define the protocol Provides interfaces for Register, login, logout Query to discover topics, capability provider discovery, directed peer-to-peer Register as a publisher or subscriber to topic (information channel with publishers and subscribers sharing a well defined publisher data model) XMPP-Grid clients connect to the XMPP-Grid using the XMPP-Grid Protocol Capability providers extend the XMPP-Grid Protocol infrastructure model and define capability specific models, allowing a cleaner separation of infrastructure and capabilities that can run on XMPP-Grid
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17 / / Capability Provider Discovery Request com.domain.ise.session.SessionQuery / / Capability Provider Discovery Response firstname.lastname@example.org/syam-mac http://jaxb.dev.java.net/array'
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18 Capability provider publishes information with a defined schema on XMPP topic(s) Capability provider defines XML schema, topic version, available queries and notifications for each topic Capability provider publishes the messages to one or more XMPP topics depending on – Mutually exclusive schemas – create one topic per schema Same schema, but subscribers desire only a subset of attributes and values – XMPP- Grid creates subtopics and uses message filters to deliver filtered information Topics are discoverable on XMPP-Grid through XMPP-Grid protocol query
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19 Capability provider specifies semantic filters such as location, domain etc it supports for a given topic at subscribe time to the controller Subscribers discover the topics & supported message filters, and specify filters of interest to them to the controller Controller groups subscribers based on the expressed message filters, creates subtopics under the main topic and notifies the Publisher about the created subtopic Publisher publishes a message on the main topic and on the subtopics, after applying the message filter
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20 Controller cleans up the subtopics if subscription list is 0, to avoid proliferation of subtopics Pub/Sub, directed and bulk query can be supported for subtopics also – it all depends on the capability provider Message filters can be applied on XMPP-Grid server side instead –instead of publishing on subtopic, capability provider publishes on main topic and XMPP-Grid Pub/Sub component can apply filter messages Server-side message filters and specific message filter mechanisms such as XPATH are beyond the scope of this specification
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21 XMPP-Grid to substitute the SOAP-based IF-MAP standard interface between the MAP server and other elements in the network IF-MAP data models for use-cases such as network security can be overlaid on XMPP-Grid transport to achieve model consistency for both IF-MAP enabled and XMPP-Grid enabled deployment scenarios MAP Server will be the participant in both the IF-MAP enabled network and the XMPP-Grid enabled network serving as aggregator and publisher of information MAP server can play the role of subscribers and/or publishers depending on the MAP graphs and the contextual metadata to be aggregated and/or published
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22 PDPPEP MAP Server Flow Controllers Sensors Others IF-MAP PDPPEP Flow Controllers Sensors Others XMPP- Grid Server Cluster XMPP-Grid IF-MAP Enabled Devices XMPP-Grid Enabled Devices
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23 MAP Server XMPP- Grid Server XMPP-Grid Flow Controller s Sensors XMPP-Grid PDP PEP XMPP-Grid MAP Server XMPP- Grid Server XMPP-Grid Flow Controller s Sensors XMPP-Grid PDP PEP XMPP-Grid Region 1Region 2 XMPP
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24 MAP Server could publish the MAP graph attribute changes to interested subscribers Message filter criteria supported for subtopics could be based on metadata types metadata-identifier linkage attributes metadata class existing IF-MAP search criteria
Cisco Confidential © 2011 Cisco and/or its affiliates. All rights reserved. 25 Backup 25
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26 Client XMPP-Grid Controller XMPP Server Subscribe with filter Translate & validate filter Check if sub-topic for filter exists Create subtopic if it does not exist Subscribe Success Add Publisher & Subscriber to subtopic Capability Provider Notify Publisher
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27 Client XMPP-Grid Controller XMPP Server Register as Publisher Add Publisher to main topic & all subtopics Publish message to main topic Return registration success & list of subtopics with filtering criteria Publish message to main topic Check filtering criteria & identity subtopics to publish Capability Provider Publish message to subtopic that matched the filter Notify
An XMPP (Extensible Message and Presence Protocol) based implementation for NHIN Direct 1.
Chapter 1: Introduction to Scaling Networks
Yunling Wang VoIP Security COMS 4995 Nov 24, 2008 XCAP The Extensible Markup Language (XML) Configuration Access Protocol (XCAP)
18 Copyright © 2005, Oracle. All rights reserved. Distributing Modular Applications: Introduction to Web Services.
Internet Peer-to-Peer Application Infrastructure Darren New Invisible Worlds, Inc.
IONA Technologies Position Paper Constraints and Capabilities for Web Services
PSIRP Publish-Subscribe Internet Routing Paradigm 08-Oct /27.
Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.
An Analysis of XMPP Security Team “Vision” Chris Nelson Ashwin Kulkarni Nitin Khatri Taulant Haka Yong Chen CMPE 209 Spring 2009.
XMPP Concrete Implementation Updates: 1. Why XMPP 2 »XMPP protocol provides capabilities that allows realization of the NHIN Direct. Simple – Built on.
Communicating over the Network
Presented to: By: Date: Federal Aviation Administration Registry/Repository in a SOA Environment SOA Brown Bag #5 SWIM Team March 9, 2011.
XMPP – Extensible Messaging and Presence Protocol Vidya Satyanarayanan.
©2003 aQute, All Rights Reserved Tokyo, August 2003 : 1 OSGi Service Platform Tokyo August 28, 2003 Peter Kriens CEO aQute, OSGi Fellow
CA's Management Database (MDB): The EITM Foundation -WO108SN.
MEF Reference Presentation November 2011
Server Access The REST of the Story David Cleary
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialBCMSN BCMSN Module 1 Lesson 1 Network Requirements.
MicroKernel Pattern Presented by Sahibzada Sami ud din Kashif Khurshid.
IM May 24, 2000 Introduction to SIP Jonathan Rosenberg Chief Scientist.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
TCP/IP Protocol Suite 1 Chapter 18 Upon completion you will be able to: Remote Login: Telnet Understand how TELNET works Understand the role of NVT in.
Eligibility, Benefits, and Pre-certifications
25 seconds left…...
Jabber and Extensible Messaging and Presence Protocol (XMPP) Presenter: Michael Smith Cisc 856 Dec. 6, 2005.
25 July, 2014 Hailiang Mei, TU/e Computer Science, System Architecture and Networking 1 Hailiang Mei Remote Terminal Management.
1. 2 Captaris Workflow Microsoft SharePoint User Group 16 May 2006.
GRID ANATOMY Advanced Computing Concepts – Dr. Emmanuel Pilli.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Copyright © 2012 AirWatch, LLC. All rights reserved. Proprietary & Confidential. Mobile Content Strategies and Deployment Best Practices.
31242/32549 Advanced Internet Programming Advanced Java Programming
Whats New in Fireware XTM v New Features in Fireware XTM v Major Changes FireCluster with XTM 330 appliances Mobile VPN with SSL using multiple.
VPN AND REMOTE ACCESS Mohammad S. Hasan 1 VPN and Remote Access.
Presence Networking: XMPP and Jabber Joe Hildebrand Chief Architect Jabber, Inc. Networld+Interop 1 May 2003.
Implementation of a Validated Statistical Computing Environment Presented by Jeff Schumack, Associate Director – Drug Development Information September.
Yammer Technical Solutions Overview
Presented by Brad Jacobson The Publisher on the Web Exploiting the new online sales channels.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
1 Contract Inactivation & Replacement Fly-in Action ( Continue to Page Down/Click on each page…) Electronic Document Access (EDA)
Look, no forms! Integrating ESBRs into the IT Enterprise ATCO Seminar - May 10, 2005.
Document #07-12G 1 RXQ Customer Enrollment Using a Registration Agent Process Flow Diagram (Switch) Customer Supplier Customer authorizes Enrollment.
PEAP & EAP-TTLS 1.EAP-TLS Drawbacks 2.PEAP 3.EAP-TTLS 4.EAP-TTLS – Full Example 5.Security Issues 6.PEAP vs. EAP-TTLS 7.Other EAP methods 8.Summary.
CYBERINFRASTRUCTURE FOR THE GEOSCIENCES Data Replication Service Sandeep Chandra GEON Systems Group San Diego Supercomputer Center.
SOA for EGovernment 1 Emergency Services Enterprise Framework: A Service-Oriented Approach Sukumar Dwarkanath COMCARE Michael Daconta Oberon Associates.
The Platform as a Service Model for Networking Eric Keller, Jennifer Rexford Princeton University INM/WREN 2010.
© SafeNet Confidential and Proprietary Administering SafeNet StorageSecure Smart Card Module 3: Lesson 5 SafeNet StorageSecure Storage Security Course.
CACORE TOOLS FEATURES. caCORE SDK Features caCORE Workbench Plugin EA/ArgoUML Plug-in development Integrated support of semantic integration in the plugin.
- 1 - Defense Security Service Background: During the Fall of 2012 Defense Security Service will be integrating ISFD with the Identity Management (IdM)
© 2017 SlidePlayer.com Inc. All rights reserved.