Post on 18-Dec-2015
The Aerospace Clinic 2002
Team Members
Nick Hertl (Project Manager)
Will Berriel
Richard Fujiyama
Chip Bradford
Faculty Advisor
Professor Michael Erlinger
Aerospace Liaisons
Joseph Betser, PhD
Rayford Sims
Overview:
• Background Information
• Alternatives to Tunnel
• Technical Approach
  – Completed work
  – Future work
• Questions
Background
• TCP/IP
• Firewalls
• Security
• BEEP
• IDXP
• Tunnel
TCP/IP
• Main protocols used over the Internet
• Provides reliable, full-duplex, peer-to-peer communication
• Most current application protocols use this directly: HTTP (web), SMTP (email), etc.
• Multiple connections to the same machine are handled using ports
Firewalls
• Set of rules to restrict TCP/IP traffic
• Can filter by any combination of source and destination IP address and port
• Rule sets are usually static—not easy to handle "only allow Joe's messages through" if Joe doesn't always connect from the same computer
Security
• Firewalls attempt to ensure this
• To allow Joe access, he must first prove he is who he claims to be (login/authenticate)
• SSH Tunnel is a common solution—handles authentication
• SSH not without drawbacks, however (discussed later)
• Tunnel is a better solution, but first...
BEEP
• General framework for rapidly creating application-level protocols
• Requires an underlying transport protocol (TCP)
• Provides a message framing mechanism and many common service "profiles"
• Profiles provide transparent addition of properties to a connection (i.e. security)
IDXP
• Intrusion Detection eXchange Protocol
• BEEP profile used to transfer intrusion detection alert information from various sensors within a large network to a central repository, where an administrator or correlation program can take action against an attack if needed
• Firewall must not block messages
Tunnel
• General purpose proxy routing BEEP profile
• Our focus is Tunnel for IDXP message
[Figure 1: Conceptual Layout. Light blue: 3rd-party IDS. Yellow: assumed to work properly. Green: the focus of our clinic.]
Tunnel
• Uses XML messages to establish a tunnel:
  <tunnel fqdn="host2.example.com" port="10288"><tunnel /></tunnel>
• Example...
Tunnel (example exchange, built up step by step on the following slides)
Parties: host1.example.com, proxy.example.com, host2.example.com
• host1 -> proxy: Transport Connect (usually TCP)
• BEEP Greeting: proxy advertises services (Tunnel, maybe others)
• host1 -> proxy: Start Tunnel
  <tunnel fqdn="host2.example.com" port="10288"><tunnel /></tunnel>
• proxy -> host2: Transport Connect (usually TCP)
• BEEP Greeting: host2 advertises services (Tunnel, maybe others)
• proxy -> host2: Start Tunnel
  <tunnel />
• host2 -> proxy: OK
  <ok />
• proxy -> host1: OK
  <ok />
  proxy now transparently forwards messages
• BEEP Greeting between host1 and host2: advertise services (proxy now invisible)
Alternatives to Tunnel
• SSL/TLS
• SASL
• SSH
• VPN
• IPsec
SSH (Secure Shell) Tunnelling
• Client/Server applications
• Provides encryption, client authentication
• Mass adoption leaves port 22 open
• Commonly used to tunnel through firewalls
• Application dependency on SSH
• Explicit endpoint connections
• Lacks host authentication
• Tunnel offers auth/encryption details, address anonymity, and doesn't require an explicit endpoint
SSL v3 / TLS v1 (RFC 2246)
• HTTPS, NNTP, IMAP, POP
• Lives between TCP and application
• API is similar to BSD socket API
• Encryption
• Server authentication and optional host
• Simple client configuration – no AC
• Certificate spoofing, man-in-the-middle attacks
SASL (RFC 2222) (Simple Authentication and Security Layer)
• SSL with an A?
• Framework for adding auth/encryption/integrity
• Allows network admin to configure proper security levels for the environment
• BEEP makes use of SASL
VPN (Virtual Private Network)
• Secure, private, transparent network
• Encryption, strong authentication
• Intrusive on the client
• Tunnel is easier to deploy and administer, allows more policy flexibility
IPsec (IP Security)
• Protects everything running on top of IP, including TCP and UDP
• Requires kernel modification
• No recompiling necessary to get benefit
• IPsec does not work with NAT
• Tunnel is easier to deploy, works with NAT, and is configurable
Completed Work
• Proposal Submitted
• Tunnel Evaluated
• Beep Implementations Chosen
• No-Hop Tunnel Implementation
Tunnel Issues:
• No IPv6 support in the DTD or a standard way to extend the DTD.
• Possibility for loops with misconfigured servers.
• No way to specify a Time-To-Live when using a dynamic route, i.e., connecting to a service rather than a host.
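The Tunnel exchange on the earlier slides and the loop / missing-TTL issues listed here, worked as an added Python example (not the clinic's code): it builds the nested <tunnel fqdn= port=> request from the slides, shows what each proxy does with its layer (peel the outer hop, forward the inner element, answer <ok /> when the bare <tunnel /> arrives), and adds a local hop limit as a proxy-side mitigation for loops between misconfigured servers. The draft itself has no TTL, so MAX_HOPS and the function names are assumptions; only the fqdn/port form shown on the slides is handled.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Assumed local safeguard: the Tunnel draft has no TTL, so a proxy can only
# bound the chain itself. 8 is an arbitrary constructed value.
MAX_HOPS = 8

Hop = Tuple[str, int]


def build_tunnel_request(hops: List[Hop]) -> str:
    """Nest one <tunnel fqdn= port=> per hop; the innermost bare <tunnel />
    tells the final host that it is the endpoint (the slide's message shape)."""
    inner = ET.Element("tunnel")
    for fqdn, port in reversed(hops):
        outer = ET.Element("tunnel", fqdn=fqdn, port=str(port))
        outer.append(inner)
        inner = outer
    return ET.tostring(inner, encoding="unicode")


def proxy_handle(request: str, hops_seen: int = 0) -> Tuple[str, Optional[Hop], str]:
    """What one proxy does with an incoming tunnel request.
    Returns ("forward", next_hop, inner_xml) or ("endpoint", None, "<ok />")."""
    root = ET.fromstring(request)
    if root.tag != "tunnel":
        raise ValueError("expected a <tunnel> element")
    fqdn, port = root.get("fqdn"), root.get("port")
    if fqdn is None and port is None:
        if len(root):
            raise ValueError("bare <tunnel /> must have no children")
        return ("endpoint", None, "<ok />")  # we are host2: reply OK
    if fqdn is None or port is None or not port.isdigit():
        raise ValueError("fqdn and a numeric port are both required")
    children = list(root)
    if len(children) != 1 or children[0].tag != "tunnel":
        raise ValueError("exactly one nested <tunnel> expected")
    if hops_seen >= MAX_HOPS:
        raise ValueError("hop limit exceeded: possible tunnel loop")
    # Peel our layer off and hand the remainder to the next hop.
    return ("forward", (fqdn, int(port)), ET.tostring(children[0], encoding="unicode"))


def simulate_route(request: str) -> List[Hop]:
    """Follow a request hop by hop, as the proxies in the slide exchange do,
    returning the route taken; raises ValueError if the hop limit is hit."""
    route: List[Hop] = []
    hops = 0
    while True:
        action, next_hop, inner = proxy_handle(request, hops)
        if action == "endpoint":
            return route
        route.append(next_hop)
        request, hops = inner, hops + 1
```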
Beep Implementations:
• Java:
  – PermaBEEP 0.8
  – Beepcore-java 0.9.07
• C:
  – Roadrunner 0.9
  – Beepcore-C 0.2
No-Hop Tunnel
• Profile and application can successfully open a tunnel to a host with no firewall in between.
Future Work
• One-Hop Tunnel
• Firewall Proxy-Hopping
• Multi-Hop Proxying
• Interoperability between C and Java implementations
Schedule
[Gantt chart; timeline runs weekly from 9/1 to 2/23, September through February. Status percentages and milestone dates below are the chart labels matched to tasks in order.]
ID  Task Name                        Status / milestone
2   Prepare Development Machine      100%
3   Group Presentation               100%
4   Proposal                         100%
5   Draft Proposal Due               10/4
6   Proposal Due                     10/11
7   Evaluate Tunnel Draft            100%
8   Fall Break                       100%
9   Choose BEEP Implementation       10/18
10  Single Host BEEP Communication   100%
11  Peer-to-peer BEEP Communication  100%
12  One-Hop BEEP Communication       0%
13  Thanksgiving Break               0%
14  Midyear Report                   0%
15  Draft Midyear                    12/5
16  Midyear Report                   12/12
Questions?