Surachai CHITPINITYON Kasom KOHT-ARSA Surasak SANGUANPONG Anan PHONPHOEM Pirawat WATANAPONGSE Chalermpol CHUPAMPUN Office of Computer Services Kasetsart.

Slide 1: Design and Implementation of Large Scale URL Filtering
Surachai CHITPINITYON, Kasom KOHT-ARSA, Surasak SANGUANPONG, Anan PHONPHOEM, Pirawat WATANAPONGSE, Chalermpol CHUPAMPUN
Office of Computer Services, Kasetsart University
APAN, Xian, Network Security session, 29th August 2007
This work is partially supported by the Commission of Higher Education (CHE), UniNET, Thailand

Slide 2: Agenda
Network Operation Center, Kasetsart University, Office of Computer Services
- Why Need URL Filtering?
- Filtering Techniques
- TCP Revisited
- Proposed Solution
- Performance Facts
- Current Deployment
- Scalability Planning for 10Gbps

Slide 4: Why Need URL Filtering?
- Access policy enforcement: parental control; other websites restricted by policy
- Suspected harmful websites (on-demand filtering): spyware, phishing; embedded scripting; websites that intend to attack OS/software vulnerabilities

Slide 6: Pass-Through Web Filtering
- Traffic must pass through the filtering engine (firewall, proxy, application gateway)
- This creates a processing queue with delay
- The delay depends on traffic volume and machine performance
(Diagram: Client, Gateway, Filtering Engine, Internet; each request is held at the engine until it is classified Allow, Block or Unknown)

Slide 7: Pass-by Web Filtering
- Traffic is captured and passed by without queuing
- Zero delay, independent of traffic volume
- Ease of installation (no traffic interruption)
- Non-blocking traffic stream
- No single point of failure
- Scalable
(Diagram: Client, Gateway, Filtering Engine, Internet; the engine sees a copy of the traffic while the original continues to the Internet)

Slide 9: TCP Connection Establishment & Data Transfer
- Client -> Server: SYN J (client enters SYN_SENT)
- Server -> Client: SYN K, ACK J+1 (server enters SYN_RCVD)
- Client -> Server: ACK K+1 (both sides ESTABLISHED)
- Client -> Server: Data (request)
- Server -> Client: Data (reply)

Slide 10: TCP Connection Termination
- Client -> Server: FIN L (client enters FIN_WAIT_1)
- Server -> Client: ACK L+1 (server enters CLOSE_WAIT, client enters FIN_WAIT_2)
- Server -> Client: FIN M (server enters LAST_ACK)
- Client -> Server: ACK M+1 (client enters TIME_WAIT, then CLOSED)

Slide 11: Filtering: TCP Session Hijacking
- Three-way handshake as on slide 9: SYN J; SYN K, ACK J+1; ACK K+1
- Client -> Server: Data (request)
- Filtering Engine: faked FIN L injected into the session
- Server -> Client: Data (reply): this packet will be ignored

Slide 13: Proposed Solution
Pass-by method incorporated with two techniques:
- Session hijacking: fast sequence number interception; keyword capturing in the application request packet
- URL processing designed to handle lists of hundreds of millions of URLs, with very fast access to the URL repository

Slide 14: Session Hijacking
- Successful filtering: the client sends Data (request); the filtering engine sends the faked FIN L; the client answers ACK L+1; the server's Data (reply) and FIN M are then ignored.
- Unsuccessful filtering: the client sends Data (request); the server's Data (reply) and FIN M arrive first and are acknowledged (ACK M+1); the faked FIN L arrives too late and is ignored.
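The race on slide 14, as an added illustration that is not the authors' code: a minimal model of the client's TCP receive side shows why the faked FIN only takes effect if it reaches the client before the server's reply. `server_seq` stands in for the acknowledgment number read from the captured request (the sequence number the server will use next); the model assumes a single-segment reply.

```python
from dataclasses import dataclass

@dataclass
class ClientSocket:
    """Minimal receive side of the client's TCP connection (simplified model)."""
    rcv_nxt: int                  # next server sequence number the client expects
    state: str = "ESTABLISHED"
    received: bytes = b""

    def deliver(self, seq, payload=b"", fin=False):
        """Feed one server->client segment; return what the client did with it."""
        if self.state != "ESTABLISHED":
            return "ignored: connection already closing"
        if seq != self.rcv_nxt:           # not the byte we are waiting for
            return "ignored: stale sequence number"
        self.received += payload
        self.rcv_nxt += len(payload)
        if fin:
            self.rcv_nxt += 1             # a FIN occupies one sequence number (client ACKs L+1)
            self.state = "CLOSE_WAIT"
            return "FIN accepted"
        return "data accepted"

def run_race(fin_first, server_seq=1000, reply=b"HTTP/1.1 200 OK\r\n"):
    """The filtering engine fakes FIN L (L = server_seq) toward the client while the
    real reply starts at the same sequence number; whichever arrives first wins."""
    client = ClientSocket(rcv_nxt=server_seq)
    faked_fin = lambda: client.deliver(server_seq, fin=True)
    real_reply = lambda: client.deliver(server_seq, reply)
    events = [faked_fin(), real_reply()] if fin_first else [real_reply(), faked_fin()]
    return {"events": events, "state": client.state,
            "bytes_delivered": len(client.received)}
```

The hijack activation time on slide 20 (under 0.6 msec) is what keeps the engine on the winning side of this race most of the time.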

Slide 15: Keyword Capturing
(Diagram: Client, Gateway, Filtering Engine, Black Lists, Internet. The numbered steps are the client's GET/PUT/POST request, the copy of the GET captured by the filtering engine, the request continuing to the Internet, the black-list search and matching on the captured URL, and the FIN sent when the URL matches.)

Slide 16: URL Management Technique
Key design:
- URL compression techniques
- In-memory balanced tree of URLs
- Utilizes KSpider's core architecture (URL Manager module)
Benefits:
- 69% average compression ratio of URL length (currently supports a list of up to 268 million URLs in 8 GB RAM)
- Almost linear access speed (10 microseconds on average)

Slide 17: KSpider's Architecture
(Diagram of components: URL Buffer Queue, Scheduler, URL Manager, URL Storage Manager with on-disk and in-memory storage, Parallel DNS, URL Filter, Data Streamer, URL Processor, URL Extractor, Cluster Communicator, Data Collector, Storage Manager, Data Compressor and Data Decompressor, HTTP Data Collector, Stats Collector, Online Indexer, Other Processing)

Slide 18: URL Compression Technique
- Prefix balanced search tree
- WebScreen list
(Diagram: the tree's root holds the shared prefix "http://")

Slide 20: Performance
- Hijack activation under 0.6 msec
- Test record: 268 million URLs with 8 GB
- Avg. search time 10 µsec (350 µsec max with 268 million URLs)
- Memory requirement: 34 M URLs/GB
- 69% compression ratio with an average of 26.5 bytes per URL
- Performance collected on a Dell 2900, Intel Xeon 5160 (3 GHz)

Slide 22: Reference Site
- WebScreen Agent with multiple links/interfaces, in operation since December 2005
- 8 gigabit links spanned to 8 gigabit interfaces in 4 machines
- Per machine: CPU 2x dual-core Opteron 2.4 GHz, RAM 8 GB, HD SAS 146 GB
(Diagram: international gateway via CAT Telecom; links of 3 Gbps, 2 Gbps EtherChannel, 2 Gbps Ethernet and 1 Gbps)

Slide 23: Collected Statistics
- Avg. 110 requests/s dropping rate (9.5 M per day)
- Peak 250 requests/s dropping rate
- 4.6 Gbps aggregated traffic
- 1.6 M packets/s incoming packets
- 64 K packets/s HTTP request packets

Slide 25: Scalability Planning for 10Gbps
- Solution for a 10 Gbps link: deploy a traffic distribution device (1x10 Gbps to 10x1 Gbps)
- Currently under test with GigaVUE
- Typical servers can handle up to 800 Mbps bit rate per 1 Gbps interface
(Diagram: GigaVUE1 and GigaVUE2 fed from the THAISARN and UNINET 10G links and a LAN mirror port, fanning out to 1G interfaces)

Slide 26: Q&A

Slide 27: Thank You