Network Management Page 5
XMLNetMan downloads...


 Simulation

Simulation using the architecture this project provides is of considerable interest. The aim is to hold a description of the various services running on the nodes of a network. Given a simple description of the links between those nodes and a sufficiently rich specification of the services, the processes on each node could be simulated to establish the higher-level behaviour of the system as a whole.

One prime candidate for simulation is the filter-based firewall. Firewalls are responsible for protecting subsystems and are typically placed at major network edges. Being able to model a firewall's behaviour from the abstract descriptions introduced earlier would be a great asset: packets could be followed as they pass through the network, so the security of the system can be analysed without reference to implementation-level constructs. The caveat is that a simulated verdict is only as trustworthy as the model's agreement with the real packet filter, so details such as the order in which rules are matched must be modelled faithfully for each target.

A possible goal is to fully automate the description - translation - implementation cycle. Such an extension would let the higher-level enterprise layer react to observed system behaviour and dynamically alter the lower levels, with the purpose of improving the performance or security of the overall solution by manipulating the subsystem implementations.
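The following is an added example of the kind of packet walk described above; it is not code from the XMLNetMan project or from its simulation package. The Rule and Packet structures are a hypothetical simplification of the project's abstract firewall constructs, the two-firewall test network is constructed for the example, and all addresses are made up. It evaluates the same abstract rule list under IPFW's first-match semantics and under IPFilter's last-match (unless quick) semantics, which is exactly the detail a translator has to get right.

```python
"""Packet-walk simulator for abstract firewall rules.

Added example; this is not code from the XMLNetMan project or its simulation
package. The Rule/Packet structures are a hypothetical simplification of the
project's abstract firewall constructs, and the addresses below are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                      # source network, CIDR notation
    dst: str                      # destination network, CIDR notation
    dport: Optional[int] = None   # destination port, None = any
    quick: bool = False           # IPFilter "quick": stop evaluating on match


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet falls inside the rule's protocol/address/port scope."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


Verdict = Tuple[str, Optional[int]]   # (action, index of the deciding rule)


def first_match(rules: List[Rule], pkt: Packet, default: str = "deny") -> Verdict:
    """IPFW semantics: the first matching rule decides."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return default, None


def last_match(rules: List[Rule], pkt: Packet, default: str = "deny") -> Verdict:
    """IPFilter semantics: the last matching rule wins, unless a matching rule
    is marked quick, in which case evaluation stops at that rule."""
    verdict: Verdict = (default, None)
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            verdict = (rule.action, i)
            if rule.quick:
                break
    return verdict


Hop = Tuple[str, List[Rule], Callable[[List[Rule], Packet], Verdict]]


def simulate_path(path: List[Hop], pkt: Packet):
    """Walk the packet through each filtering hop on its path.

    Returns ("delivered", None, None) if every hop allows it, otherwise
    ("dropped", hop_name, rule_index) for the hop that discarded it."""
    for name, rules, evaluate in path:
        action, idx = evaluate(rules, pkt)
        if action != "allow":
            return "dropped", name, idx
    return "delivered", None, None


# Constructed test network: an edge firewall in front of 192.0.2.0/24, an
# inner firewall, and a DNS server at 192.0.2.53 (all addresses made up).
DNS_SERVER = "192.0.2.53/32"
EDGE_RULES = [
    Rule("allow", "udp", "0.0.0.0/0", DNS_SERVER, 53),
    Rule("allow", "tcp", "0.0.0.0/0", DNS_SERVER, 53),
    Rule("deny", "ip", "0.0.0.0/0", "192.0.2.0/24"),
]
# The inner list puts its catch-all deny first.  That is only correct under
# last-match semantics; under first-match it silently blocks DNS queries.
INNER_RULES = [
    Rule("deny", "ip", "0.0.0.0/0", "192.0.2.0/24"),
    Rule("allow", "udp", "0.0.0.0/0", DNS_SERVER, 53),
]


if __name__ == "__main__":
    query = Packet("udp", "198.51.100.7", "192.0.2.53", 53)
    for inner_semantics in (first_match, last_match):
        path = [("edge", EDGE_RULES, first_match),
                ("inner", INNER_RULES, inner_semantics)]
        print(inner_semantics.__name__, simulate_path(path, query))
```

Running the block shows the same DNS query being delivered when the inner firewall is evaluated as IPFilter and dropped at the inner hop's rule 0 when it is evaluated as IPFW. A simulator that ignores this distinction would report the network as working for one target and broken for the other, so the evaluation function has to be chosen per node from the translator that node uses.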

Simulation is outside the scope of my part of the project, but another project is currently underway investigating the addition of such a system. That project aims to simulate both the firewall and DNS services, and to establish a suitable architecture for storing simulation runs and re-executing them.

The test network included with the package will be used for simulation purposes. As new services are added, the aim is to simulate the behaviour of the system first and then verify it against the actual node implementations.

Update: The simulation package has now been fully integrated into the main processing package, and is included in the main archive available in the prototypes section. Please view the README.TXT file within the root of the archive for details on how to get started with simulations. All the simulation code was written by Sanjit Singh, who worked on this as his 3rd year project. Documentation to follow later.




 Documentation

Various pieces of documentation have been written for this project, mainly to act as part of my course requirements. As the project progresses I will include new bits of documentation and example configurations to help explain the various topics.

 Main Project Documentation

Initial Project Brief
Mid Project Progress Report
Final Project Report

 Java Doc and Manuals

Package Java Doc

 Papers

Paper for BIS 2002 (PDF)
Presentation slides for BIS 2002 (Powerpoint)

The above paper was written by myself and my project supervisor, and was presented at the BIS 2002 Mobile E-business conference April 2002 in Poznan, Poland. It was submitted as a work in progress, and describes the overall concepts and challenges of this project.

Following is the abstract of this paper, titled "Simulation and Implementation of an E-Commerce Communications Infrastructure using XML Specifications".

We report in this paper on a project dealing with the development of an XML-based tool for the management of the communication infrastructure within an e-commerce system. The major aim is to be able to simulate any given infrastructure prior to its implementation in order to detect potential problems early in a cost-effective way. We are focusing mainly on security problems that may arise. From the so tested XML description of the network, the settings of the nodes on the given physical network are generated automatically from the XML. As there are no assumptions made about the underlying network, our approach works for any kind of e-commerce environment, including mobile e-commerce systems.


Paper for ISSA 2002 (PDF)

The above paper was written by myself and my project supervisor, and was presented at the ISSA 2002 Information Security conference July 2002 in Muldersdrift, Gauteng, South Africa.

Following is the abstract of this paper, titled "An XML-based Approach to Modelling and Implementing Firewall Configurations".

We present in this paper an approach for modelling the security infrastructure of a network using XML. The modelled system can then be validated on the XML level. From validated models, configurations of concrete nodes, such as firewalls, can be generated automatically.

 Further Information

If you would like further information on any aspect of this project, feel free to come and have a chat. Connect to the IRC server at slybase.homeip.net (usual port 6667), and join #xmlnetman. I am usually around :-)

Please Note

The example files are still from a prototype version of this project. Therefore, the translations will not be complete, and don't currently provide all the functionality required.

As I refine the translations I will place links to them from this site.

 Example Configurations and Translations

 An Example Node Configuration

The following is a link to a configuration file for a node within the system. I have specified some firewall rules, and also pointers to external constructs to include, with variable mappings. The node also includes the definition of a simple DNS service, with function call examples.

A sample node description

 External Service Constructs

This is an example of specifying an external service construct. Among others, a construct for IPSec communications between two machines has been defined. External constructs are referenced using unique names, in this case Firewall::ExternalConstruct:IPSec Tunnel. The second file contains the DNS external constructs.

Sample external firewall constructs
Sample external DNS constructs

 Function Call Implementations

Function calls within the system are represented by XSLT stylesheets. They expect XML input in the form of a service construct and generate a service construct (or a set of them) that is substituted directly into the source file. The first function generates the reverse start-of-authority (SOA) record from a forward SOA; the second simply duplicates service construct elements; the third reads an input DNS description and generates the firewall rules needed to allow clients to query that DNS service.

DNS::Functions:GenReverseSOA
Global::Functions:Duplication
Firewall::Functions:DNSAccess

 Service Translations

These provide a basic translation from an abstracted description to implementation-level rules. They are still being developed, but the basic functionality to convert to IPFW, IPFilter and BIND8 is available. Again, translations are identified by unique names, so the IPFW translation is referenced as Firewall::Translator:IPFW.

Sample translation XSL file for IPFW (Firewall)
Sample translation XSL file for IPFilter (Firewall)

Sample translation XSL file for BIND8 (DNS)
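The following added example works through both the function-call mechanism (a stand-in for Firewall::Functions:DNSAccess splicing generated rule constructs into a firewall description) and the service translation step (the expanded rule list rendered as IPFW and IPFilter rule text). It is written in Python rather than XSLT and is not the project's code: the XML schema is a hypothetical simplification of the project's service constructs invented for this example, the element and attribute names are assumptions, and the addresses are made up.

```python
"""Abstract firewall description -> IPFW and IPFilter rule text.

Added example; it is not one of the project's XSLT translators or functions.
The XML schema is a hypothetical simplification of the project's service
constructs, invented for this example, and the addresses are made up.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample node description (hypothetical schema).  The <function>
# element marks where the output of a function call is spliced into the rule
# list, in the manner the page describes for function calls.
SAMPLE_NODE = """\
<node name="edge-fw">
  <service type="Firewall" id="fw0">
    <rule action="allow" proto="tcp" src="any" dst="192.0.2.10" dport="443"/>
    <function name="Firewall::Functions:DNSAccess" input="dns0"/>
    <rule action="deny" proto="ip" src="any" dst="192.0.2.0/24"/>
  </service>
  <service type="DNS" id="dns0" address="192.0.2.53"/>
</node>
"""

Rule = Dict[str, str]
ACTIONS = {"allow": ("allow", "pass"), "deny": ("deny", "block")}  # (ipfw, ipf)
PROTOS = {"ip", "tcp", "udp", "icmp"}


def dns_access(dns_service: ET.Element) -> List[Rule]:
    """Stand-in for Firewall::Functions:DNSAccess: from a DNS service
    description, produce the rules that let clients query that server."""
    addr = dns_service.get("address")
    return [{"action": "allow", "proto": p, "src": "any", "dst": addr, "dport": "53"}
            for p in ("udp", "tcp")]


FUNCTIONS = {"Firewall::Functions:DNSAccess": dns_access}


def expand(node: ET.Element, fw_id: str) -> List[Rule]:
    """Flatten a firewall service into an ordered rule list, replacing each
    <function> construct with the constructs that function generates."""
    services = {s.get("id"): s for s in node.findall("service")}
    rules: List[Rule] = []
    for child in services[fw_id]:
        if child.tag == "rule":
            rules.append(dict(child.attrib))
        elif child.tag == "function":
            rules.extend(FUNCTIONS[child.get("name")](services[child.get("input")]))
        else:
            raise ValueError(f"unknown construct <{child.tag}>")
    for r in rules:  # reject anything the translators could not render safely
        if r.get("action") not in ACTIONS or r.get("proto") not in PROTOS:
            raise ValueError(f"invalid rule {r}")
    return rules


def to_ipfw(rules: List[Rule], start: int = 100, step: int = 100) -> List[str]:
    """IPFW is first-match, so the abstract order is kept and numbered."""
    out = []
    for i, r in enumerate(rules):
        port = f" {r['dport']}" if "dport" in r else ""
        out.append(f"ipfw add {start + i * step} {ACTIONS[r['action']][0]} "
                   f"{r['proto']} from {r['src']} to {r['dst']}{port}")
    return out


def to_ipf(rules: List[Rule]) -> List[str]:
    """IPFilter is last-match by default; every rule is marked quick so the
    abstract first-match order survives translation."""
    out = []
    for r in rules:
        proto = "" if r["proto"] == "ip" else f" proto {r['proto']}"
        port = f" port = {r['dport']}" if "dport" in r else ""
        out.append(f"{ACTIONS[r['action']][1]} in quick{proto} "
                   f"from {r['src']} to {r['dst']}{port}")
    return out


def translate(xml_text: str, fw_id: str = "fw0") -> Dict[str, List[str]]:
    """Expand function calls, then render the rule list for both targets."""
    rules = expand(ET.fromstring(xml_text), fw_id)
    return {"ipfw": to_ipfw(rules), "ipf": to_ipf(rules)}


if __name__ == "__main__":
    for target, lines in translate(SAMPLE_NODE).items():
        print(f"# {target}")
        print("\n".join(lines))
```

Two design points matter here. The function output is spliced in at the position of the function element, so the generated DNS rules land before the catch-all deny; appending them at the end instead would make them unreachable under IPFW. And the IPFilter rendering marks every rule quick, which is the simplest way to give an IPFilter target the same first-match reading of the abstract description that the IPFW target gets.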

 Test Network

A complete test network has been constructed in order to demonstrate the various service descriptions. It currently features two firewalls and a DNS server. Download the prototype package and look in the /testnet directory. Within that there is also a diagram of the network, and all the required service descriptions.

This network has been implemented, and configurations generated directly from the prototype have been applied to the major nodes. As more services are added, this test network will be expanded.

A Warning!

The whole project is still under development, even though the main section has finished.

Therefore, don't be surprised if there are large sections of functionality missing :-)

If you have any comments or questions about this project, please mail me at si@slyware.com
By The Way

The code for this project is all in Java. It requires JDK 1.4.


 Project Progress and Prototypes

 Project Status

I have been working on this project since October 2001, and it is very near completion. The system structure is in place to allow services to be loaded, modified and saved back to XML. Development started with the Firewall service, which is implemented. The translation system is in place and reads translations from the XSL stylesheets.

External service constructs and variable mappings are fully functional, and a few external constructs for the various services are included. Function calls are also implemented, with the addition of XML filters planned shortly. As it stands, XML descriptions of a firewall and a DNS service can be loaded, modified, saved back to XML in either partial or expanded mode, and converted to IPFW and IPFilter rule sets and BIND8 configuration.

 Planned Stages

Now that the main system structure is in place, the next stage is to add support for further network services. I plan to write configurations for DHCP, which will also mean extending the system to a non-rule-based configuration format. Another aspect I have been working on is the GUI editor, which will allow all services to be configured and translations to be generated.

Work on the simulation side is currently underway, and this should be merged together with the main package shortly.

 Current Prototypes and Downloads

You can download the current code using the link at the bottom of this section. It requires JDK 1.4, and you also need to download the two required packages from Apache, the XML parser and the XSL transformer. Once the package is extracted, look in the src directory for a basic Makefile. See the readme file for details on running the package processor.

All external constructs are listed within constructs and service transforms in transforms. Functions are defined within functions, and the major test network is in testnet. See the readme files for more information.

NOTE: All code and service descriptions/translations are under development! I can't guarantee anything about the stability of the system, as the main priority has been adding functionality rather than protecting against invalid inputs. In practice this means the processor should only be given descriptions you have written yourself, and generated rule sets should be reviewed before being applied to a live node. Package performance and stability will be improved in the near future; if you spot any problems please contact me.

When documentation becomes available, I will put links up on this page. If you have any comments or questions about this project, feel free to mail me at si@slyware.com, or visit my IRC server. I would appreciate any input about this project, as it will help me improve the overall quality and hopefully make it a product that others can use freely. Full JavaDoc is included within the package under src/apidoc.

The current archive, xmlnetman.tgz (555kb), contains all the source, the test networks, API docs, external functions/constructs/translations and regression testing scripts. You will also need the two packages from Apache, detailed below. There is a Makefile in src, and make run will give an example output. See the readme files for more details. In addition, make demoX, where X is 1..6, will run various demos based on the test network.

You can grab the JAR file of just the xmlnetman.* package tree source and class files using xmlnetman.jar (974kb). Java Doc's can be fetched from the documentation section.

I use Xerces (v 2.0.1) and Xalan (v 2.4.D1) from Apache. You will need to download both and plug them into my project. This is simple: copy xercesImpl.jar, xmlParserAPIs.jar and xalan.jar from the Apache archives into the src folder of my archive, or make sure they are on the CLASSPATH (see src/Makefile, where the CLASSPATH is defined). Development has mainly taken place within Cygwin, so there should not be too many problems on other systems.

Please note: I have broken the regression testing scripts, and will be fixing shortly. Some of the schemas also need to be checked, as they are not as strict as I want them yet.
