The concept of simulation using the architecture provided by this project is of great interest. The aim is to have a description of various services running on nodes throughout a network. With a simple description of the links between these nodes and a rich enough specification of the services, processes could be simulated to establish the higher level behaviour of the node as a whole.
One prime candidate for simulation is the situation involving filter-based firewalls. These have the responsibility of protecting subsystems, and are typically used at major network edges. Being able to model the behaviour of a firewall, using the abstracted descriptions mentioned previously, would be a great asset. Packets of data could be simulated as they progress through the network, allowing the security of the system to be analysed without being concerned with implementation-level constructs.
A possible goal is to fully automate the description - translation - implementation process. Such an extension would enable the higher-level enterprise to react to certain system behaviour and dynamically alter the lower levels. The purpose of this would be to improve the performance or security of the overall solution by manipulating subsystem implementations.
Simulation is out of the scope of my part of the project, but another project is currently underway investigating the addition of such a system. The new project aims to address the simulation of both the firewall and DNS services, and to establish a suitable architecture to store and allow the re-execution of simulation processes.
The test network included with the package will be used for simulation purposes. As new services are added, we aim to be able to simulate the behaviour of the system, then verify it using actual node implementations.
Update: The simulation package has now been fully integrated into the main processing package, and is included in the main archive available in the prototypes section. Please view the README.TXT file within the root of the archive for details on how to get started with simulations. All the simulation code was written by Sanjit Singh, who worked on this as his 3rd year project. Documentation to follow later.
Various pieces of documentation have been written for this project, mainly to act as part of my course requirements. As the project progresses I will include new bits of documentation and example configurations to help explain the various topics.
Main Project Documentation
Java Doc and Manuals
Paper for BIS 2002 (PDF)
We report in this paper on a project dealing with the development of an XML-based tool for the management of the communication infrastructure within an e-commerce system. The major aim is to be able to simulate any given infrastructure prior to its implementation in order to detect potential problems early in a cost-effective way. We are focusing mainly on security problems that may arise. From the tested XML description of the network, the settings of the nodes on the given physical network are then generated automatically. As there are no assumptions made about the underlying network, our approach works for any kind of e-commerce environment, including mobile e-commerce systems.
Paper for ISSA 2002 (PDF)
We present in this paper an approach for modelling the security infrastructure of a network using XML. The modelled system can then be validated on the XML level. From validated models, configurations of concrete nodes, such as firewalls, can be generated automatically.
If you would like further information on any aspect of this project, feel free to come and have a chat. Connect to the IRC server at slybase.homeip.net (usual port 6667), and join #xmlnetman. I am usually around :-)
Example Configurations and Translations
An Example Node Configuration
The following is a link to a configuration file for a node within the system. I have specified some firewall rules, and also pointers to external constructs to include, with variable mappings. The node also includes the definition of a simple DNS service, with function call examples.
External Service Constructs
This is an example of specifying an external service construct. Among others, a construct for IPSec communications between two machines has been defined. External constructs are referenced using unique names, such as Firewall::ExternalConstruct:IPSec Tunnel in this case. The second file contains DNS external constructs.
Function Call Implementations
Function calls within the system are represented by XSLT stylesheets. They expect XML input in the form of a service construct, and generate a service construct (or a set of them) to be directly substituted into the source file. The first function generates the reverse start of authority from a forward SOA; the second simply duplicates service construct elements. The third reads in an input DNS description and generates the firewall rules needed to allow people to query that DNS service.
Translations provide a basic conversion from an abstracted description to implementation-level rules. These are still being developed, but the basic functionality to convert to IPFW, IPFilter and BIND8 is available. Again, translations are identified using unique names, hence the IPFW translation is referenced by Firewall::Translator:IPFW.
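As an added illustration of the third function and the IPFW/IPFilter translators described above (this is example code, not the xmlnetman project's own XSLT or Java), the script below reads a constructed DNS service description and emits the rules that permit clients to query it; the element names in the sample XML are assumed, since the project's real schema is not shown on this page, and the reverse-zone helper shows the name derivation the first function needs when building a reverse SOA.

```python
# Added example, not the xmlnetman project's own code. Stand-in for the
# "DNS description -> firewall rules" function and two named translators.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample node description; the schema is hypothetical.
SAMPLE_NODE = """<Node name="ns1">
  <Service type="DNS">
    <Listen address="192.168.1.53"/>
    <Zone name="example.test" network="192.168.1.0/24"/>
  </Service>
</Node>"""


def reverse_zone(network: str) -> str:
    """in-addr.arpa name for an octet-aligned IPv4 network (used for a reverse SOA)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen == 0 or net.prefixlen % 8 != 0:
        raise ValueError("only octet-aligned IPv4 prefixes (/8, /16, /24) are supported")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def dns_listeners(xml_text: str) -> list:
    """Addresses on which the node's DNS service listens."""
    root = ET.fromstring(xml_text)
    return [el.get("address") for el in root.findall("Service[@type='DNS']/Listen")]


def _ipfw(proto: str, addr: str) -> str:
    return f"add allow {proto} from any to {addr} 53"


def _ipfilter(proto: str, addr: str) -> str:
    return f"pass in quick proto {proto} from any to {addr}/32 port = 53 keep state"


# Translators are looked up by unique name, mirroring the page's naming scheme.
TRANSLATORS = {"Firewall::Translator:IPFW": _ipfw, "Firewall::Translator:IPFilter": _ipfilter}


def dns_firewall_rules(xml_text: str, translator: str) -> list:
    """Rules allowing DNS queries (UDP and TCP port 53) to every listener on the node."""
    render = TRANSLATORS[translator]
    return [render(proto, addr) for addr in dns_listeners(xml_text) for proto in ("udp", "tcp")]


if __name__ == "__main__":
    for rule in dns_firewall_rules(SAMPLE_NODE, "Firewall::Translator:IPFW"):
        print(rule)
    print(reverse_zone("192.168.1.0/24"))
```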
A complete test network has been constructed in order to demonstrate the various service descriptions. It currently features two firewalls and a DNS server. Download the prototype package and look in the /testnet directory. Within that there is also a diagram of the network, and all the required service descriptions.
This network has been implemented, and configurations generated directly from the prototype have been applied to the major nodes. As more services are added, this test network will be expanded.
Project Progress and Prototypes
I have been working on this project since October 2001, and it is very near completion. Currently, the system structure is in place to allow services to be loaded, modified and saved back to XML. I initially started development using the Firewall service, and this is implemented. The translation system is in place, and will read translations from the XSL information.
External service constructs and variable mappings are fully functional, and I have included a few external constructs for the various services. Function calls are also implemented, with the planned addition of XML filters shortly. As it stands, XML descriptions of a firewall and DNS service can be loaded, modified, saved back to XML in either partial or expanded mode, and also converted to IPFW, IPFilter and DNS rules.
Now that the main system structure is in place, the next stage is to add support for new network services. I plan to write configurations for DHCP and also extend the system to a non-rule-based configuration format. Another aspect that I have been working on is the GUI editor. This will allow all services to be configured, and translations to be generated.
Work on the simulation side is currently underway, and this should be merged together with the main package shortly.
Current Prototypes and Downloads
You can download the current code using the link at the bottom of this section. It requires JDK 1.4, and you also have to download the two required packages from Apache, the XML parser and XSL translator. Once the package is extracted, look in the src directory for a basic make file. View the readme file for details on executing the package processor.
All external constructs are listed within constructs and service transforms in transforms. Functions are defined within functions, and the major test network is in testnet. See the readme files for more information.
NOTE: All code and service descriptions/translations are under development! I can't guarantee anything about the stability of the system, as the main priority has been to add functionality rather than protect against invalid inputs. The package performance and stability will be improved in the near future, and if you spot any problems please contact me.
When documentation becomes available, I will put links up on this page. If you have any comments or questions about this project, feel free to mail me at firstname.lastname@example.org, or visit my IRC server. I would appreciate any input about this project, as it will help me improve the overall quality and hopefully make it a product that others can use freely. Full JavaDoc is included within the package under src/apidoc.
The current archive, xmlnetman.tgz (555kb), contains all the source, test networks, API docs, external functions/constructs/translations and regression testing scripts. You will also need the two packages from Apache, detailed in the next paragraph. There is a Makefile in src, and make run will give an example output. See the readmes for more details. In addition, make demoX, where X is 1..6, will run various demos based on the test network.
I use Xerces (v 2.0.1) and Xalan (v. 2.4.D1) from Apache. You will need to download both of these products, and plug them into my project. This is simple, just copy the xercesImpl.jar, xmlParserAPIs.jar and xalan.jar files from the archives you got from Apache to the src folder of my archive. Or, if you want, you can ensure that they are on the CLASSPATH, please see src/Makefile as the CLASSPATH is defined there. Development has mainly taken place within Cygwin, hence there should not be too many problems on other systems.
Please note: I have broken the regression testing scripts, and will be fixing them shortly. Some of the schemas also need to be checked, as they are not as strict as I want them yet.
Last updated: Dec 14, 2004 (/projects_xmlnetman_5.shtml, 22454 bytes)