1 Experiences in Deploying Machines Registration and Integrated Linux Firewall with Traffic Shaper for Large Campus Network Kasom Koth-arsa 1, Surasak.


Slide 1: Experiences in Deploying Machines Registration and Integrated Linux Firewall with Traffic Shaper for Large Campus Network
Kasom Koth-arsa (1), Surasak Sanguanpong (2), Pirawat Watanpongse (2), Surachai Chitpinityon (3), Chalermpol Chatampan (3)
{Kasom.K, Surasak.S, Pirawat.W, Surachai.Ch, cpccpc}@ku.ac.th
(1) Engineering Computer Center, Faculty of Engineering; (2) Department of Computer Engineering, Faculty of Engineering; (3) Office of Computer Services, Kasetsart University
APAN, Xian, Network Security, 29th August 2007
This work is partially supported by the Commission of Higher Education (CHE), UniNET, Thailand

Slide 2: Kasetsart University
- Established in 1943 A.D.
- 7 campuses with ~43,000 students and ~9,600 academic and support staff

Slide 3: NontriNet Quick Facts
- University Network: NontriNet
- 41,992 MAC addresses (as of 2007/08/28)
  - 8,852 clients (personal, wired)
  - 3,269 clients (service, wired)
  - 29,342 clients (wireless)
  - 495 servers
  - 34 misc. devices
- Avg. in/out traffic: 550/490 Mbps
[Network diagram: campuses Bangkhen, SriRacha, Kampaengsaen, SakonNakhon and Supan Buri; external links via ThaiSARN, UniNet, JGN, TIEN2 and the Internet; link labels 1 Gbps, 1 Gbps (backup), 1 Gbps, 34 Mbps, 2 Mbps, 630 Mbps, 45 Mbps, 155 Mbps and 10 GigE]

Slide 4: Obstacles & Opportunities
- Large number of hosts
  - Hard to keep track
- Non-productive bandwidth usage
  - P2P file sharing
- QoS issues
- Security issues

Slide 5: Special Requirements
- Fully-integrated information database
- Low cost
- Customizable
- Extensible
- Scalable

Slide 6: Our Designed Features
- Web-based Machines Registration
- Linux Firewall & Traffic Shaper extension

Slide 7: SMART (Simple Machine Address Registration Tool)
- Mandatory web-based machine registration
- Registration enforcement agent: the Overlord
- Centralized database: the Command Center
- Distributed data entry: the Interface

Slide 8: SMART: Architecture Diagram
[Diagram: the Command Center sends Policies to the Overlord and Detection Rules to the Observer, and receives Statistics from the Overlord and Detected Incidents from the Observer; both Overlord and Observer sniff packets on the target subnetwork, and the Overlord also injects packets into it (TCP hijacking)]

Slide 9: Command Center
[Diagram: the Command Center comprises a Web Interface (used by Administrators and Users), a Communicator (talking to Overlords and Observers, exchanging Policies, Statistics, Detection Rules and Detected Incidents) and a Database Manager; the database holds MAC, Policy, Users, Logs, Network Anomaly Detection Rules, Statistics and Documents]

Slide 10: Overlord (TCP Hijack)
[Diagram: the Overlord comprises a Packet Sniffer, a Packet Injector, a Policy Checker and a Communicator, and keeps a Table of MACs with Policy + Statistics; it receives Policies from and reports Statistics to the Command Center, sniffs packets on the target subnetwork and injects packets into it (TCP hijacking)]

Slide 11: Observer
[Diagram: the Observer comprises a Packet Sniffer, a Pattern Matcher and a Communicator, and keeps a Table of Detection Rules; it receives Detection Rules from the Command Center, sniffs packets on the target subnetwork and reports Detected Incidents]

Slide 12: Linux Firewall & Traffic Shaper Extension
- Intelligent master controller
- User-friendly configuration interface
- Automatic egress SYN-flood/P2P blocking
- Per-host traffic shaping

Slide 13: Mechanism
- Use a Linux server as a bridge
- Traffic classification through iptables
- Traffic control through tc
- Use IPP2P and our in-house daemon to identify P2P traffic
- Use our in-house daemon to detect some problematic network patterns

Slide 14: Hardware
- Dell PowerEdge 2900
- Xeon 5160 dual core (3.0 GHz)
- 1 GB of RAM
- 160 GB SATA hard disk
- 2 x SUN 10 Gigabit Ethernet Controller PCI Express Card (SR module)

Slide 15: Software
- Linux 2.6.18-8.1.8.el5 (CentOS stock kernel) on CentOS 5 (64-bit)
- bridge-utils
- ebtables
- iptables
- IPP2P
- Our in-house daemon, which automatically adjusts the shaping/blocking policy

Slide 16: Simplified Network Diagram
[Diagram: the Traffic Shaper/Firewall (Bridge) sits between the Core Router (OSPF) and the Gateway Router (OSPF/BGP), which connects to NECTEC and UniNet; a bypass/failover path around the bridge carries IPv4 on failure and is the main connection for IPv6 and multicast IPv4; links are Gigabit Ethernet and 10 GigE]

Slide 17: How we shape the traffic
- Use the iptables MARK target to mark the class of traffic for every packet
- Hierarchical Token Bucket (HTB) as the packet shaper
- Stochastic Fairness Queuing (SFQ) as the queuing algorithm

Slide 18: Traffic Classification
- Port-based
- Content-based (L7), using IPP2P through iptables
- iptables rules adjusted automatically by our daemon
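The mechanism of slides 13, 17 and 18 (a bridging Linux box, iptables MARK for classification, HTB for shaping, SFQ per class, IPP2P for content matching, and a daemon that flips the P2P policy by time of day) as one worked configuration. This is an added example, not the Kasetsart scripts or the in-house daemon; interface names, class ids, rates, the mark value, the P2P port list and the 22:00-06:00 night window are assumptions. Every function prints the commands it would run, so the script can be reviewed with RUN-less output and applied with `shaper_config | sh` as root.

```shell
#!/bin/sh
# Added example, not the Kasetsart configuration: builds the iptables MARK + tc HTB/SFQ
# setup that slides 13, 17 and 18 describe for a Linux box bridging the campus to its
# uplink. Interface names, class ids, rates, mark value, the P2P port list and the
# night-time window are assumptions. Every function prints commands; pipe to sh to apply.

IN_IF=${IN_IF:-eth0}            # bridge port facing campus hosts
OUT_IF=${OUT_IF:-eth1}          # bridge port facing the uplink router
LINK_RATE=${LINK_RATE:-1000mbit}
DEFAULT_RATE=950mbit            # guaranteed to the default class 1:10
P2P_RATE=50mbit                 # guaranteed to the P2P class 1:20 ...
P2P_CEIL=200mbit                # ... which may borrow up to this when the link is idle
P2P_MARK=2                      # fwmark that steers a packet into class 1:20
P2P_PORTS=${P2P_PORTS:-6881:6889,4662,1214}   # BitTorrent, eDonkey, Kazaa defaults (assumed)

# bridge_cmds: make the box a transparent bridge. Bridged frames reach the iptables
# FORWARD chain only while bridge-nf-call-iptables is 1, otherwise MARK never fires.
bridge_cmds() {
  printf 'brctl addbr br0\n'
  printf 'brctl addif br0 %s\n' "$IN_IF"
  printf 'brctl addif br0 %s\n' "$OUT_IF"
  printf 'ip link set br0 up\n'
  printf 'sysctl -w net.bridge.bridge-nf-call-iptables=1\n'
}

# mark_cmd MARK MATCH... -> one mangle rule tagging forwarded packets that match
mark_cmd() {
  _m=$1; shift
  printf 'iptables -t mangle -A FORWARD %s -j MARK --set-mark %s\n' "$*" "$_m"
}

# mark_cmds: port-based match first (cheap), then the IPP2P payload match (slide 18)
mark_cmds() {
  mark_cmd "$P2P_MARK" -p tcp -m multiport --ports "$P2P_PORTS"
  mark_cmd "$P2P_MARK" -m ipp2p --ipp2p
}

# htb_tree DEV RATE: HTB root on DEV with a default class and a P2P class, each draining
# through SFQ so a single host cannot monopolise its class; the fw filter maps the mark
# to the class. HTB shapes egress only, so the tree is attached to both bridge ports.
htb_tree() {
  _dev=$1; _rate=$2
  printf 'tc qdisc add dev %s root handle 1: htb default 10\n' "$_dev"
  printf 'tc class add dev %s parent 1: classid 1:1 htb rate %s\n' "$_dev" "$_rate"
  printf 'tc class add dev %s parent 1:1 classid 1:10 htb rate %s ceil %s\n' "$_dev" "$DEFAULT_RATE" "$_rate"
  printf 'tc class add dev %s parent 1:1 classid 1:20 htb rate %s ceil %s\n' "$_dev" "$P2P_RATE" "$P2P_CEIL"
  printf 'tc qdisc add dev %s parent 1:10 handle 10: sfq perturb 10\n' "$_dev"
  printf 'tc qdisc add dev %s parent 1:20 handle 20: sfq perturb 10\n' "$_dev"
  printf 'tc filter add dev %s parent 1: protocol ip prio 1 handle %s fw flowid 1:20\n' "$_dev" "$P2P_MARK"
}

# p2p_rule HOUR: what a policy daemon would install at HOUR (0-23) for marked P2P packets.
# In the assumed night window 22:00-06:00 the daytime DROP is removed and P2P is merely
# shaped through class 1:20; in working hours marked packets are dropped (slide 23).
p2p_rule() {
  _h=${1#0}; [ -n "$_h" ] || _h=0          # "09" -> 9, "00" -> 0
  if [ "$_h" -ge 22 ] || [ "$_h" -lt 6 ]; then
    printf 'iptables -D FORWARD -m mark --mark %s -j DROP\n' "$P2P_MARK"
  else
    printf 'iptables -I FORWARD -m mark --mark %s -j DROP\n' "$P2P_MARK"
  fi
}

# shaper_config: the complete command list for review (or "| sh" to apply as root)
shaper_config() {
  bridge_cmds
  mark_cmds
  htb_tree "$OUT_IF" "$LINK_RATE"   # campus -> Internet direction
  htb_tree "$IN_IF" "$LINK_RATE"    # Internet -> campus direction
  p2p_rule "$(date +%H)"
}

shaper_config
```

Two design points are worth noting. The mangle FORWARD chain is where both the port match and the IPP2P match set the same mark, so the tc side never needs to know how a packet was classified; and because HTB only shapes what leaves an interface, the same tree is attached to both bridge ports, one per direction. A real daemon calling `p2p_rule` every hour should test with `iptables -C` before inserting, so the DROP rule is not duplicated.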

Slide 19: Sample Reports - Bandwidth
Shaping was turned off from Friday morning to Monday morning.
[Charts: incoming traffic and outgoing traffic, annotated "Stop Shaping" and "Restart Shaping"]

Slide 20: Sample Reports - Packet
Shaping was turned off from Friday morning to Monday morning.
[Charts: incoming traffic and outgoing traffic, annotated "Stop Shaping" and "Restart Shaping"]

Slide 21: Sample Reports - SYN Flood Blocking
A host infected with an Internet worm sent a large number of SYN packets at 9:19.
[Charts: bandwidth and packet rate, showing real outgoing traffic against attempted outgoing traffic]
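The egress SYN-flood case on this slide (and the "automatic egress SYN-flood blocking" of slide 12) comes down to counting bare SYNs per campus source over a short window and cutting only the new connections of hosts that exceed a threshold. The script below is an added example of that detection logic, not the in-house daemon from the talk; the packet-line format, the sample data and the threshold are constructed for the example.

```shell
#!/bin/sh
# Added example, not the slides' in-house daemon: flags campus hosts that emit an abnormal
# number of outbound TCP SYNs (the egress worm pattern slide 21 shows) and prints the
# iptables rules that would cut only their new connections. The packet-line format and
# the sample data are constructed for this example; the threshold is an assumption.

# Constructed sample, one sniffed packet per line: "HH:MM:SS src dst:port FLAGS".
# 10.1.2.3 sprays SYNs at many hosts on port 445; 10.1.2.9 is ordinary browsing.
SAMPLE='09:19:01 10.1.2.3 203.0.113.1:445 S
09:19:01 10.1.2.3 203.0.113.2:445 S
09:19:01 10.1.2.3 203.0.113.3:445 S
09:19:02 10.1.2.3 203.0.113.4:445 S
09:19:02 10.1.2.3 203.0.113.5:445 S
09:19:02 10.1.2.3 203.0.113.6:445 S
09:19:02 10.1.2.9 198.51.100.7:80 S
09:19:03 10.1.2.9 198.51.100.7:80 A
09:19:03 10.1.2.9 198.51.100.8:443 S'

# syn_offenders THRESHOLD: reads packet lines on stdin (the window the caller sampled)
# and prints, sorted, every source that sent at least THRESHOLD bare SYNs. Only the
# "S" flag counts, so SYN/ACK replies from campus servers are not mistaken for a flood.
syn_offenders() {
  awk -v thr="$1" '
    $4 == "S" { syn[$2]++ }
    END { for (ip in syn) if (syn[ip] >= thr) print ip }
  ' | sort
}

# block_rules: reads offender IPs and emits, per host, a LOG and a DROP rule matching
# only SYN packets, so the host's established sessions survive while its flood is cut.
# The DROP is printed first: both use -I, so after insertion LOG sits above DROP.
block_rules() {
  while read -r ip; do
    [ -n "$ip" ] || continue
    printf 'iptables -I FORWARD -s %s -p tcp --syn -j DROP\n' "$ip"
    printf 'iptables -I FORWARD -s %s -p tcp --syn -j LOG --log-prefix "SYNFLOOD "\n' "$ip"
  done
}

# Usage: five SYNs inside the sampled window is the (assumed) trigger.
printf '%s\n' "$SAMPLE" | syn_offenders 5 | block_rules
```

Matching on `--syn` rather than on the source address alone is what makes the block safe to automate: the infected host's existing sessions keep working, and the NOC log line carries the address to chase. The window and threshold have to be tuned per site, since a busy web proxy or mail relay legitimately opens many connections per second.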

Slide 22: Sample Reports - Shaping by Classes
Traffic shaping was turned off from 21:21 to 21:53.

Slide 23: Sample Reports - Shaping by Classes
P2P traffic is allowed at night.
[Charts: "No P2P allowed" versus "P2P allowed at night"]

Slide 24: Misc. reports
- Last-seen IP matrix
- Detected hosts
- Number of last-seen hosts

Slide 25: Conclusions
- Complete control of unregistered machines
- Prevent unauthorized/unregistered network usage
- Automatic cooperation between registration and firewall/traffic shaping
- Complete control of P2P traffic under the desired policy (class, usage period, bandwidth, etc.)
- Prevent our machines from becoming a source of SYN-flood attacks

Slide 26: Conclusions (cont.)
- Free up NOC officers' time
- Real-world, low-cost, high-efficiency implementation (currently online)


Slide 28: Questions?

Slide 29: Thank you
