The Design and Implementation of a Secure Content Switch.ppt

《The Design and Implementation of a Secure Content Switch.ppt》由会员分享，可在线阅读，更多相关《The Design and Implementation of a Secure Content Switch.ppt（37页珍藏版）》请在麦多课文档分享上搜索。

1、10/4/2018,Secure Content Switch/godavari,1,The Design and Implementation of a Secure Content Switch,Master Thesis PresentationGanesh Kumar Godavari Department of Computer Science Univ. of Colorado at Colorado Springs,10/4/2018,Secure Content Switch/godavari,2,Outline of the Talk,Content Switch and O

2、verview of SSL Related Literature Design of Secure Content Switch (SCS) Performance of SCS implementation Lessons Learned and Future Directions Conclusion,10/4/2018,Secure Content Switch/godavari,3,Content Switch (CS),Route packets based on high layer (Layer 5/7)headers and content. Examples: Direct

3、 Web traffic based on pattern of URLs, host tags, cookies. Can Route incoming email based on email address; Connect POP/IMAP based on login Web switches and Intel XML Director/accelerator are special cases of content switch.,. .,.,client,uccs.jpg,rocky.mid,home.htm,Index.htm,Content Switch,server1,s

4、erver2,server9,10/4/2018,Secure Content Switch/godavari,4,What Services It Can Provide,Enabling premium services for e-commerce, ISP, and Web hosting providers Load Balancing and High Available Server Clusters: Web, E-commerce, Email, Computing, File, SAN Policy-based networking, differential/QoS se

5、rvices. Firewall, Strengthening DoS protection, cache/firewall load-balancing Flash-crowd management Email Spam Protection, Virus Detection/Removal,10/4/2018,Secure Content Switch/godavari,5,About SSL,Secure Sockets Layer (SSL) protocol developed by Netscape Communications to ensure private and auth

6、enticated communications put into the public domain for the Internet community,10/4/2018,Secure Content Switch/godavari,6,OpenSSL,OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. Open Source toolkit implementing the Secure Socket Layer (SSL v2/v3) and Tr

7、ansport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library Important Libraries SSL The OpenSSL ssl library implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols Crypto The OpenSSL crypto library implements a wid

8、e range of cryptographic algorithms used in various Internet standards. The services provided by this library are used by the OpenSSL implementations of SSL, TLS, and they have also been used to implement SSH, OpenPGP, and other cryptographic standards,10/4/2018,Secure Content Switch/godavari,7,Comm

9、and Interface,The Openssl program is a command line tool for using the various cryptography functions of OpenSSLs crypto library from the shell. It can be used for Creation of RSA, DH and DSA key parameters Creation of X.509 certificates, and Certificate Revocation List (CRL) Calculation of Message

10、Digests o Encryption and Decryption with Ciphers SSL/TLS Client and Server Tests Handling of S/MIME signed or encrypted mail,10/4/2018,Secure Content Switch/godavari,8,Secure Content Switch(SCS),Secure content switch is a transparent proxy that can translate between encrypted and unencrypted data tr

11、ansport on socket connections.Need for secure network access and high performance e-commerce transactions require security Need high performance for better Quality of ServiceSolution: just plug in SCS between client and the server and thereby add Secure Socket Layer (SSL) support.,10/4/2018,Secure C

12、ontent Switch/godavari,9,Goal & Design of Secure Content Switch,In addition to the above, we need to be able to route requests based on content to a set of backend real servers.Design Considerations Our real Servers can be located at different places Efficiency must not be ruined Easy to understand/

13、write content switching rules. Dynamic rule update Session Reusability,10/4/2018,Secure Content Switch/godavari,10,Related Literature,1George Apostolopoulos, David Aubespin, Vinod Peris, Prashant Pradhan, Debanjan Saha, “ Design, Implementation and Performance of a Content-Based Switch”, Proc. Infoc

14、om2000, Tel Aviv, March 26 - 30, 2000, http:/www.ieee-infocom.org/2000/papers/440.ps 2 Gregory Yerxa and James Hutchinson, “Web Content Switching” , http:/. 3 “Release Notes for Cisco Content Engine Software”. http:/”.4 “Foundry ServIron Installation and Configuration Guide,” May 2000.r http:/ “Inte

15、l IXA API SDK 4.0 for Intel PA 100,” http:/ and http:/ Content Switch/godavari,11,Design of Secure Content Switch,10/4/2018,Secure Content Switch/godavari,12,Advantages of Secure Content Switch,Preferential Treatment Secure Content Switch has been developed to handle secure Content based routing of

16、Requests. e.g. high purchase requests can be routed to the fast real server Security The Secure Content Switch establishes the secure connection if the Server doesnt support HTTPS,10/4/2018,Secure Content Switch/godavari,13,Architecture of Secure Content Switch,The web browser makes a request to the

17、 secure content switch. The dispatcher module in the secure content switch forwards the request to the secure content switch child module. In the dynamic forking version of SCS the dispatcher module forks a child process. In Preforking version of SCS the dispatcher module forwards request to a free

18、child.The secure content switch child module performs the handshake with the client and reads in the request. The secure content switch child module then sends the request to the Rule module, which performs rule matching and returns the name of the server by which the request can be served.The secur

19、e content switch child forwards the request to the real server based on the routing decision,10/4/2018,Secure Content Switch/godavari,14,Dispatchermodule,Secure Content Switch Child module,Existing SSL Session,SSL Request,Decrypt Object Using SSL Session Information,Negotiate SSL Session,Send Object

20、 Information To Rule Matching Module,Retrieve Object From the Server Using Standard HTTP,Encrypt the Object Per Session Information and Send it over HTTPS to the Web Browser,Yes,Yes,No,Retrieve Server Information Rule Matching Module,Request From Web Browser to the SCS,fork (),Dynamic Forking Secure

21、 Content Switch,10/4/2018,Secure Content Switch/godavari,15,Dispatcher module,Secure Content Switch Child Process 1,Existing SSL Session,SSL Request,Decrypt Object Using SSL Session Information,Negotiate SSL Session,Send Object Information To Rule Matching Module,Retrieve Object From the Server Usin

22、g Standard HTTP,Encrypt the Object Per Session Information and Send it over HTTPS to the Web Browser,Yes,Yes,No,Retrieve Server Information Rule Matching Module,Request From Web Browser to the SCS,Prefork Secure Content Switch,Secure Content Switch Child Process 2,Secure Content Switch Child Process

23、 n,assign,assign,assign,10/4/2018,Secure Content Switch/godavari,16,E-Commerce Example: 1. Client,Client submits via HTTP/Post (or SOAP) the following purchase in XML:CCL111222333309121544IBM Thinkpad T2150001050000309121538Intel wireless LAN PC Card20010200052000 ,10/4/2018,Secure Content Switch/go

24、davari,17,E-Commerce Example: 2. Content Switch,Content switch receives the packet. Recognize it is a http post request from http request line POST /purchase.cgi HTTP/1.1 Recognize it is an XML document from the meta header content-type: TEXT/XML Parsing XML content Extract values of tag sequences:

25、52000 purchase/totalAmount CCL purchase/customerName Rule 1 is matched and packet is routed to one of highSpeedServers. Rule 1: if (xml.purchase/totalAmount 5000) routeTo(highSpeedServers); Rule 2: if (xml.purchase/customerName = CCL) routeTo(specialCustomerServers);,10/4/2018,Secure Content Switch/

26、godavari,18,Java-based Rule Editor,Detect conflicts in content switch rule set Convert rules into LCS rule module.,10/4/2018,Secure Content Switch/godavari,19,Design of Rule Module Server,How can I update rules Dynamically ? Make rule matching part as an separate process Design considerationswill th

27、e rule module run locally on the machine as the SCS is running?cannot say depends on the userwhat is going to be the impact on performance ?need to study once in detail ! Current Design Rule module can run as a separate process on the same/different machine. Rule module is an iterative server1 becau

28、se we found that encryption and decryption are the bottlenecks not rule matching (from the previous results) Updating Rule Module Shutdown the rule module, compile the rule module with new rule set and start up the rule module 1 an iterative server is one that can server one request at a time.,10/4/

29、2018,Secure Content Switch/godavari,20,Send Url, Src portno, Src IP, HTTP Headers, Data (if any) to the Rule Module,Decrypt the data And populate the rules with values (if any),Perform rule matching and send back the Real Server Name, Address and Port # on which Real Server is listening,Establish Co

30、nnection with Rule Server Module,Yes,IS (Method = Post),Yes,IS (content type = x-www-form-urlencoded),No,No,Establish Connection with Default Rule Server Module,Yes,Rule Server Module,No,Secure Content Switch Child Process,Yes,10/4/2018,Secure Content Switch/godavari,21,Test bed,10/4/2018,Secure Con

31、tent Switch/godavari,22,Configuration of machines used in testbed,10/4/2018,Secure Content Switch/godavari,23,SSL Processing Overhead,Average SSL req./sec is 14.7 Average HTTP req./sec is 180,dilbert.uccs.edu,eca.uccs.edu,10/4/2018,Secure Content Switch/godavari,24,Dynamic vs. Preforking SCS,The per

32、formance of the Pre-forking SCS is better than Dynamic Forking SCS,dilbert.uccs.edu,eca.uccs.edu,frodo.uccs.edu,oblib.uccs.edu,10/4/2018,Secure Content Switch/godavari,25,Dynamic vs. Preforking SCS,The performance of the Dynamic forking SCS is better than Pre-forked SCS Reason ? What is the advantag

33、e of using cluster ?,dilbert.uccs.edu,eca.uccs.edu,frodo.uccs.edu,calvin.uccs.edu,10/4/2018,Secure Content Switch/godavari,26,Performance of Prefork SCS on varying Startup Children,Startup children = no of child Processes spawned ahead of time It is Suggested always to keep the Startup Children Smal

34、l if you dont expect heavy traffic,Having about 25 pre spawned children is better if the traffic load is heavy,dilbert.uccs.edu,eca.uccs.edu,frodo.uccs.edu,calvin.uccs.edu,10/4/2018,Secure Content Switch/godavari,27,Impact of Rules on the performance of Dynamic SCS,Clearly there is no impact of rule

35、s on the the performance of Dynamic Forking Secure Content Switch,dilbert.uccs.edu,eca.uccs.edu,frodo.uccs.edu,calvin.uccs.edu,10/4/2018,Secure Content Switch/godavari,28,Impact of Rules on the performance of Dynamic Non-SCS,Clearly there is some impact of Rules on the the Performance of Dynamic For

36、king Non-Secure content Switch the smaller the rule set, better the performance No heavy impact of the performance of the Secure content Switch with increase in the number of rules,10/4/2018,Secure Content Switch/godavari,29,Impact of Real Servers on the Performance of Dynamic SCS,Clearly there is n

37、o impact of Real Server on the the Performance of Dynamic Forking Secure content Switch Is Secure Content Switch the bottleneck ?,dilbert.uccs.edu,eca.uccs.edu,frodo.uccs.edu,calvin.uccs.edu,10/4/2018,Secure Content Switch/godavari,30,Impact of Real Servers on the Performance of Dynamic Non-SCS,Perf

38、ormance is not directly proportional to # of Real Servers ! Clearly there is impact of Real Server on the the Performance of Dynamic Forking Non-SSL Secure content Switch Performance was found to degrade when there is only one real server,10/4/2018,Secure Content Switch/godavari,31,Performance of SC

39、S in Local Node situation,Local Node = Web Server runs on the Content Switch machine, therefore the content Switch can serve the requests by routing requests internally,No major gains if the real server runs locally or remotely,dilbert.uccs.edu,calvin.uccs.edu,Apache Web Server,10/4/2018,Secure Cont

40、ent Switch/godavari,32,Lessons Learned: Conflicts among Different Servers on Same Machine,While measuring results using web bench for local node situation for Pre-fork Non-secure content switchThe apache is running on port 8000, SCS on 80. After serving a few requests SCS stopped serving Requests. I

41、 stopped Apache web server, SCS started Serving Requests again. I started the Apache Web server, after serving a few requests SCS stopped serving Requests. This process is continuingProbable conflict on who to serve the request is ruled out, as a request send to Secure Content Switch /APACHE is bein

42、g handled perfectly well,10/4/2018,Secure Content Switch/godavari,33,Local vs. Remote Rule Module,Pre-fork SCS Overtakes Dynamic forking SCS Dynamic forking SCS Performance was degraded by 100%,dilbert.uccs.edu,calvin.uccs.edu,eca.uccs.edu,frodo.uccs.edu,Rule module,Rule module walrus.uccs.edu,10/4/

43、2018,Secure Content Switch/godavari,34,Future Directions,Reducing bottleneck of SSL encryption / decryption by having Parallel Processing we need to maintain state across machine using cookieshave server id parameter as a part of handshake (OpenSSL 0.7 may have this feature)caching of web pages Toug

44、h to achieve in case of dynamic pages.Modify the Apache web server to include preferred treatment and do fair comparisionhave packet rewrite techniques.,10/4/2018,Secure Content Switch/godavari,35,Conclusion,Preforking Secure Content Switch encryption and decryption are the major bottleneck no major

45、 gains if processor speed is increased. no major benefit if the number of real server or increased no major benefit if the number of the rules are increasedDynamic forking Secure Content Switch encryption and decryption are the major bottleneck major gains if processor speed is increased. no major b

46、enefit if the number of real server or increased some impact if the number of the rules are increasedPreforking version of SCS is better than Dynamic forking version of SCS,10/4/2018,Secure Content Switch/godavari,36,References,1 OpenSSL: The Open Source toolkit for SSL/TLS (http:/www.openssl.org) 2

47、 SSL and TLS, by Eric Rescorla 3 SSL and TLS Essentials, by Stephen Thomas 4 mod_ssl: The Apache Interface to OpenSSL (http:/www.modssl.org) 5 HTTP Over TLSftp:/ftp.ietf.org/internet-drafts/draft-ietf-tls-https-02.txtThe specification on how to run HTTP over SSL/TLS 6 Tunneling TCP based protocols t

48、hrough Web proxy servershttp:/www.www.alternic.org/drafts/drafts-l-m/draft-luotonen-web-proxy-tunneling-01.txtThe specification for the HTTP CONNECT method 7 Analysis of SSL 3.0 Protocolhttp:/ Wagner and B. Schneiers USENIX analysis of SSLv3 8 HyperText Transfer Protocol (HTTP), Version 1.1 (Interne

49、t Draft)http:/www.w3.org/Protocols/HTTP/1.1/draft-ietf-http-v11-spec-rev-06.txtThe application layer protocol Apache+mod_ssl uses over SSL/TLS 9 HyperText Transfer Protocol (HTTP), Version 1.0 (RFC 1945)http:/www.ietf.org/rfc/rfc1945.txtThe application layer protocol Apache + mod_ssl uses over SSL/TLS,