International Journal of Networks and Communications 2015, 5(4) p-ISSN: 2168-4936 e-ISSN: 2168-4944

Network Tapping System Based on Customized Embedded Linux: Design and Implementation

Abdullah A. Mohamed1, Dia M. Ali2
Communication Department, College of Electronic Engineering, Mosul University, Iraq

Abstract

The Network Tapping System is one of the most important network systems. It takes a copy of all the networking events and sends it to the served system to be monitored and analysed. In this paper, a network tapping system is designed and implemented. The system is based on embedded Linux. Vyatta is one of the most powerful embedded Linux distributions. A Vyatta L2 switch is designed and, through VLAN technology, reformed as a tapping system. GNS3 software is used as simulator and emulator in the design. The Tiny-Core embedded Linux distribution is used in testing the system design. The designed system is implemented on one of the modern embedded appliances, the BIS-6660. BIS-6660 is a fanless embedded appliance provided by NORCO Company. It has the latest Atom Cedar Trail N2800/D2550 1.86/1.86 GHz Intel embedded processors. The result of the built system is compared with a number of traditional tapping systems: the Cisco WS-C2950T-24, the Mikrotik 1100 AHx2 RouterBoard and the BIS-6370 with an ARM processor are used as tapping systems and compared with the designed system. The built system gives good results and achieved throughput up to 700 Mbps without packet loss or dropping. The results showed that the limitation came from the test instrument used in the testing. It is thought that the system can achieve more than 700 Mbps if a more efficient test instrument is used. The built system is applied in a real network and drove a network security system (Intrusion Detection System) with high efficiency.

Keywords

Network Tapping System, Vyatta, Embedded Linux, Embedded Systems.

1. Introduction

The Network Tapping System is a network system used to take a sample or copy of all the networking events and pass it to the served system, which is a testing or monitoring system. It is inserted in-line at a specific point in the network where all the network events can be accessed. When connecting a monitoring system or network security system to the network, it is very risky to install these systems in-line in the network: every time the system is rebooted or updated, the network goes down. The Network Tapping System is the solution for this risk. It guarantees that the monitoring system will be in-line of the network logically: for every packet passing in the network, the Network Tapping System sends a copy of it to the monitoring system.

The Network Tapping System typically consists of two pairs of ports, network and monitoring. Network ports A and B are connected to the network line terminals and monitor ports 1 and 2 are connected to the served system, as shown in Figure 1. The tapping system has two monitoring ports because networks are full-duplex: if there is data transmission from A to B and from B to A at the same time at 100 Mbps, where the NIC is a 100 Mbps type, a single monitoring port would have to carry 200 Mbps. This would cause data drops; for that reason the monitor side consists of two ports, one for each direction, and the served system needs to aggregate the two monitor ports into one [1]. There are many methods for performing the tapping operation, some of which have many problems. The rest of the paper shows the methods of making a tapping system, and the advantages and disadvantages of each method are discussed. The design steps, the implementation and the testing operations are illustrated in separate sections.

Figure 1. Typical Tapping system [1].

Corresponding author: [email protected] (Abdullah A. Mohammed). Accepted Oct. 2015. ID: 109700139. Scientific & Academic Publishing.

2. Tapping Technology Methods

There are various methods for getting access to the network. Many tapping methods can be used, according to the network technology and the monitoring objective. The first method is installing the monitoring device in-line. When a monitoring device is installed in-line, the network stops every time the device is updated or rebooted. Similarly, if the device fails, the network breaks down as well [1]. Another method to monitor networks is enabling promiscuous mode on the host used for monitoring and attaching it to a network switch. This method works well with old LAN technologies. However, modern networks are switched networks, meaning that devices communicate over point-to-point links. If the monitoring device is connected to such a network, it will only see its own traffic, so it is hard for it to see the other devices' traffic [1]. One of the traditional methods for gaining access to the network traffic is using a SPAN port, also known as a MIRROR port, on the switch. It is a software method of network tapping and it places load on the network switch. This is a low-cost alternative to a network tap. However, not all routers and switches support port mirroring and, on those that do, using it can affect the performance of the router or the switch. Often, when the SPAN port is overloaded, packets are dropped before reaching the monitoring device. There is also the possibility of losing some of the error packets that may be causing problems. If this data is dropped and never reaches the monitoring device, it is impossible to troubleshoot, no matter how advanced the device used [1]. All of these problems can be solved by using a tapping system. The tap guarantees that every packet is sent from the network to the monitoring device; it always passes every packet, even error packets that a SPAN port may drop, to the monitoring device. V-Line tapping is the most important tapping method. V-Line tapping (also known as In-line or Bypass tapping) allows placing the served system virtually in-line, where putting the device itself in-line would compromise the integrity of a critical network. By placing a tapping system instead of the monitoring device and connecting the monitoring device to the tap, it is guaranteed that the network continues to flow and the device does not create a failure point in the network [1].

3. Tapping System Design

The system design was of V-Line type based on embedded Linux, for many reasons. The design needs to be fast, real-time and highly efficient; for that, embedded Linux is used. Embedded Linux has many properties that make it the first OS for embedded systems [2]. The most important properties are its small size, which means not needing large memory storage; limited tasks, which means not wasting CPU resources; open source, which means the ability to customize; and support for modern embedded microprocessor architectures like ARM and Atom. Network servers, switches and NSSs are essentially built on customized embedded Linux. Many embedded Linux distributions can be used to design a tapping system, like Tiny-Core, Micro-Core, LISA, CintOS and Vyatta. For many reasons, Vyatta is used in this design. Vyatta is built on the Debian Linux distribution and customized proficiently for network system design. It has many packages and open source network projects that make it able to be configured as a network switch or a network security system.

Open vSwitch (OVS), Quagga and VLAN are built into Vyatta [3]. Table 1 shows a comparison between Vyatta, Cisco and Quagga routers: Vyatta, Quagga (open source router) and two types of Cisco router OS are shown. The compared version of Vyatta is VC 3.0, while the version used in the design is VC 6.5. Vyatta VC 6.5 supports VPN SSL technology and an NTP server without needing to add Linux packages. If the cost is added as a field in the table, the difference will be very high [3]. Vyatta with its packages has a size of about 200 MB, but it can be reduced to a minimum size by removing the unrequired packages. Vyatta includes preconfigured systems like IPS, Firewall and VPN; all these systems are removed with their files, reducing it to less than 50 MB in size. The OVS, Quagga and VLAN packages are kept because they are used in the tapping design.

Table 1. Comparison of Vyatta properties with traditional routers [3].

With OVS, a network switch for any layer can be designed. It supports many important protocols like NetFlow and OpenFlow. VLAN has the useful properties of both L2 and L3 switches: depending on VLAN, the switching speed of the designed switch approaches that of an L2 switch and its control approaches that of an L3 switch. It splits the L2 network by dividing the broadcast domain and controlling the L2 switch according to port, protocol or MAC address [4]. GNS3 is used as simulator and emulator in the design. It has a Graphical User Interface (GUI) that helps make the design easier. The important factors that make GNS3 different from other emulator programs are its support for virtualization technology through software like VMware, Qemu and VirtualBox, which means the ability to use real OS images. This property allows burning the used image to bootable media after finishing the design, so it can be booted on other machines as a real OS. The second property is that it supports bridging to a wide range of input/output ports and memories [5].

3.1. The Design Steps

The tap design was based on VLAN (port-based VLAN). Because the VLAN is configured after building the L2 switch, the first step was building the L2 switch.

3.1.1. The L2 Switch Design

Vyatta, through OVS, makes it easy to build an L2 switch. The design was based on GNS3. Two hosts are connected to the designed switch as shown in Figure 2. The Tiny-Core Linux distribution is used for the two hosts because of its low resource requirements. After finishing the configuration, the switch MAC table is checked. Figures 3 (a, b, c) show the terminals of the switch and the two hosts.

Figure 2. The designed L2 switch based on Vyatta OS by using GNS3.

Figure 3. Test of the designed switch: (a) PC1 (host 1) terminal, (b) PC2 (host 2) terminal, (c) the designed Vyatta switch terminal.

The switch MAC table is shown in Figure 3-c. At first it consists of the local MAC addresses (the switch's NIC MACs) only, but after pinging from host1 to host2 and from host2 to host1, the hosts' MAC addresses are added to the switch MAC table, which means the designed switch works properly. At this step, GNS3 provides the ability to burn the Vyatta L2 switch image to bootable media; it can then be booted on a suitable network machine as a real image and will work properly as an L2 switch. The designed tapping system needs at least three ports; for that, a new port is added to the switch, and it is ready to move to the VLAN configuration step.

3.1.2. VLAN Configuration and Tapping Forming

After the L2 switch design is finished, the VLAN is easy to configure. Port-based VLAN is the most useful and simplest type of VLAN. It depends on two types of ports, access ports and trunk ports. An access port is usually used within the VLAN for host-switch connections because it can carry traffic for one VLAN only. Switch ports connected to end stations like a PC or server that deal with only one type of traffic are configured as access ports, as shown in Figure 4 [4]. A trunk port can carry the traffic of multiple VLANs; for that, it is usually used for switch-switch and switch-server connections [4].

Figure 4. Port Based VLAN [4].

Figure 5 shows the designed tapping system. Ports A and B are set as access ports connected to the network line and tagged to the same VLAN. Port C is set as a trunk port that connects to the served system, such as an Intrusion Detection System (IDS). Ports A and B are bonded (aggregated) into port C by adding a bonding configuration to the VLAN. With the bonding configuration, the served system is able to see all the traffic that passes on the full-duplex line [4]. Vyatta, like all embedded operating systems, is a standalone operating system: it comes up with its entire configuration automatically at plug-in, without needing a login or any user management [6].

Figure 5. The designed Tapping system by using GNS3.
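The following is an added model of the port-based VLAN tap just described, written for this edit and not code from the paper or from Vyatta (the real Vyatta/OVS configuration is not reproduced). It models ports A and B as access ports of one VLAN that forward to each other and port C as the monitor port that receives a copy of both directions, and it also reproduces the full-duplex aggregation problem of section 1: both directions of a 100 Mbps line overload a single 100 Mbps monitor port, while a faster monitor link carries them. Port names, VLAN id 10 and the traffic streams are constructed for the example.

```python
from dataclasses import dataclass

# Per-frame link overhead not counted in the Ethernet frame size:
# 8 bytes preamble + SFD and 12 bytes inter-frame gap.
LINK_OVERHEAD_BYTES = 8 + 12


@dataclass(frozen=True)
class Frame:
    ingress: str   # network port the frame arrived on: "A" or "B"
    vlan: int      # VLAN assigned by the ingress access port
    size: int      # Ethernet frame size in bytes (header + payload + FCS), 64..1518

    @property
    def wire_bits(self) -> int:
        """Bits the frame occupies on the link, including preamble and gap."""
        return (self.size + LINK_OVERHEAD_BYTES) * 8


class VLineTap:
    """Model of the tap of Figure 5: A and B are access ports of one VLAN and
    forward to each other; C is the trunk/monitor port that receives a copy
    of every frame from both directions (A and B 'bonded' into C)."""

    def __init__(self, vlan_id: int, monitor_link_bps: int):
        self.vlan_id = vlan_id
        self.monitor_link_bps = monitor_link_bps
        self.peer = {"A": "B", "B": "A"}

    def switch_one_second(self, frames):
        """Account for one second of traffic: per-port frame and bit counts,
        frames rejected as not in the tap VLAN, and the bits the monitor port
        cannot carry when both directions together exceed its link rate."""
        stats = {p: {"frames": 0, "bits": 0} for p in ("A", "B", "C")}
        not_in_vlan = 0
        for f in frames:
            if f.vlan != self.vlan_id:
                not_in_vlan += 1          # an access port carries its own VLAN only
                continue
            egress = self.peer[f.ingress]
            stats[egress]["frames"] += 1  # normal A<->B forwarding
            stats[egress]["bits"] += f.wire_bits
            stats["C"]["frames"] += 1     # mirrored copy to the monitor port
            stats["C"]["bits"] += f.wire_bits
        excess = max(0, stats["C"]["bits"] - self.monitor_link_bps)
        return {"ports": stats, "not_in_vlan": not_in_vlan,
                "monitor_excess_bits": excess}


def line_rate_stream(ingress: str, vlan: int, size: int, link_bps: int):
    """Constructed traffic: as many frames of one size as fit in one second
    of a link running flat out."""
    frame = Frame(ingress, vlan, size)
    return [frame] * (link_bps // frame.wire_bits)


def full_duplex_report(size: int, link_bps: int, monitor_link_bps: int, vlan: int = 10):
    """Both directions at line rate through the tap; returns the monitor
    port's packet rate, bit rate and how much it would have to drop."""
    tap = VLineTap(vlan, monitor_link_bps)
    traffic = (line_rate_stream("A", vlan, size, link_bps)
               + line_rate_stream("B", vlan, size, link_bps))
    r = tap.switch_one_second(traffic)
    return {"monitor_pps": r["ports"]["C"]["frames"],
            "monitor_bps": r["ports"]["C"]["bits"],
            "monitor_excess_bits": r["monitor_excess_bits"]}


if __name__ == "__main__":
    # Section-1 case: 100 Mbps full duplex into a 100 Mbps monitor port
    # overloads it; a 1 Gbps monitor port carries both directions. Small
    # frames show why the packet rate, not the bit rate, stresses the tap.
    for monitor in (100_000_000, 1_000_000_000):
        for size in (64, 1518):
            rep = full_duplex_report(size, 100_000_000, monitor)
            print(f"monitor {monitor / 1e6:.0f} Mbps, {size}-byte frames: "
                  f"{rep['monitor_pps']} pps, {rep['monitor_bps'] / 1e6:.1f} Mbps, "
                  f"excess {rep['monitor_excess_bits'] / 1e6:.1f} Mb")
```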

4. The Implementation

After the tapping design is finished, the system image is burned to bootable media (SD card) to be ready for implementation. A strong and modern embedded network appliance is used in the implementation: the BIS-6660 is used, and then it is compared with traditional preconfigured network appliances.

4.1. The Device Used for the Tapping Implementation

BIS-6660 is a fanless embedded appliance provided by NORCO Company, as shown in Figure 6. The new generation of NORCO's proprietary ICEFIN thermal technology ensures maximum heat dissipation and utilizes the performance of the latest Atom Cedar Trail N2800/D2550 1.86/1.86 GHz Intel embedded processors. The Atom embedded processor is characterized by small size, high performance, low power consumption and low heat radiation. BIS-6660 provides network connectivity with 2 LAN 10/100/1000 Mbps Ethernet ports, Wi-Fi and 3G support, 6 USB ports and one SIM slot. Table 2 shows the BIS-6660 specifications [7].

Table 2. The specifications of BIS-6660 [7].


4.2. The Devices Used for Tapping Comparison

The compared appliances were the Cisco WS-C2950T-24, the Mikrotik 1100 RouterBoard and the BIS-6370. Cisco is one of the best specialized companies that provide software and hardware network technologies. The Cisco WS-C2950T-24 switch includes 24x 10/100 Mbps Ethernet ports and 2x Gigabit ports. Figure 7 shows the Cisco WS-C2950T-24 switch. The Cisco IOS operating system allows the switch to perform IP routing and VLAN configuration. IOS is closed source, which means the system cannot be reformed, added to or removed from; this blocks development attempts, which are allowed only by Cisco [9].


Figure 6. The BIS-6660: (a) back view, (b) front view [7].

Figure 7. Cisco WS-C2950T-24 switch [9].

Mikrotik, like Cisco, provides network appliances with high efficiency. RouterBoard 1100 AHx2 is one of the most popular routers (Figure 8). It has thirteen Gigabit Ethernet ports. A strong dual-core 1.06 GHz CPU and support for up to 2 GB of RAM are the most important of its properties [10].

Figure 8. Mikrotik 1100 AHx2 RouterBoard [10].

BIS-6370 is a NORCO network-security bare-bone appliance. It is powered by one of the best embedded CPU architectures: a Marvell ARMv5TE 1.6 GHz processor is used in BIS-6370. It has 6x Gigabit ports, 1x RS-232, 1x USB 2.0, 1x SATA II, 1x SD card slot, on-board 512 MB DDR II RAM and 1 GB NAND flash [11]. Figure 9 shows the BIS-6370.

Figure 9. BIS-6370.

NORCO provides an OS image for BIS-6370. It is a customized embedded Linux. The provided OS allows configuring a switch for any network layer and it supports VLAN [12]. Working with embedded systems, especially the ARM architecture, and the method of communicating with them to inject the OS needs some experience. The preparation of BIS-6370 to be a tapping system is shown below.

4.3. The BIS-6370 Configuration

To inject the OS image into the NAND flash of the embedded appliance, it is first necessary to communicate with it. Usually, communication with embedded systems is done by the Host-Target method. The BIS-6370 has one console port set for host communications. One of the client Linux distributions must be set up on the Host (Ubuntu is preferred). BIS-6660 is used as Host, with Ubuntu 12.04 installed on it. Through one of the BIS-6660 serial ports, the Target (BIS-6370) is connected (by the console-serial adapter). Some protocols, libraries, terminal emulation and modem control software must be installed on the Ubuntu host to be able to deal with the ARM architecture. VIM, TFTP, NFS, Libpcap, the Cross Compiler Tool Chain and MINICOM are the most required software to be installed on Ubuntu. A quick view of the installation process is given here; more details are found in [8].

TFTP is installed with a short command:

$sudo apt-get install tftp

Then it must be configured and edited with the VIM text editor; some lines must be added, see [8]. With the same method of installing and configuring, NFS is installed and configured, but the NFS kernel server must be installed first. MINICOM, the terminal emulation and modem control (serial port debugging) program, is installed and run from the Ubuntu terminal through:

$sudo minicom -s

A menu window will be displayed (Figure 10). From the menu, select Serial port setup; a new window will appear (Figure 11). In that menu set the following:
• Set the Serial device field to /dev/ttyS0 (assuming the Target is connected to COM1 of the Host).
• Set the Bps/Par/Bits field to 115200 8N1.
• Set Hardware Flow Control to No.
• Set Software Flow Control to No.
• Select Exit.

Figure 10. MINICOM configuration.

Figure 11. MINICOM serial port setup.

To download the OS image (Host file) to the ARM board (Target), the OS image must be stored on the Host in the /tftpboot directory. The Host IP address must be set to 10.4.52.7, which is the default network of the Target. Then, the following command downloads the file to the ARM board and saves it in the /tmp directory:

#tftp -l /tmp/OS-Name -r Linux-2.6.31.8.img -g 10.4.52.7

If the OS image needs to be booted directly from a removable drive, the Boot Mode must be set to direct the booting operation to the removable drive, where the default boot mode is booting from NAND flash. In Minicom, write "Boot u-boot", then restart the Target. The Target will load the OS image as shown in Figures 12 (a-b). The boot starts by displaying the Target specifications, then it turns to reading the NAND flash content, which includes the kernel image (OS image). The kernel image is uncompressed and loaded. The terminal shows the kernel version and the kernel image type, which is an ARM Linux kernel image, as shown in Figure 12-b. The creation date of the kernel image shows that it was created at the end of 2012. Creating the OS image from a file system can be done, but it needs the Cross Compiler and the "Mtd-Utils" tool to be installed [8].

Figure 12-a. The booting operation of the injected image.

Figure 12-b. The booting operation of the injected image.

5. The Testing of the Built Tapping System

To test the designed tapping system thoroughly, the Mikrotik RouterBoard 1100 is used as the test instrument. A local loop is made by having the Mikrotik generate packets, send them to the tap system and then receive them back from the tap system. The Mikrotik generates the packets but could not keep up: it generated about 250 Mbps and the CPU load reached 100%. Figure 13 shows the Mikrotik record of the test, where the throughput reached 244 Mbps at 100% CPU load. Figure 14 shows the throughput when the receiving task is done by a laptop instead of the Mikrotik. The bit rate (Tx/Rx) reached about 300 Mbps because the Mikrotik is used for packet generation only and the laptop receives the traffic from the tap system. After that, the testing is done using three laptops, where a large file is transmitted between two of them while the third receives the tapped traffic from the tapping port. It is found that video files are the best file type for testing, especially when the file size is greater than 1 GB, because the transmitted packets are then of MTU size and there is none of the transmission dropping that occurs at each end-start of sending files (between the end of sending one file and the start of the next). The throughput increased to reach 670 Mbps with this method (three laptops); then the Mikrotik is placed in-line with the tap port to record more details about the throughput. It records 700 Mbps throughput without packet loss, as shown in Figures 15 and 16. Using the Mikrotik as a throughput-recording device is very useful and powerful, but as a packet generator it achieved 250 Mbps only, for important reasons.

Figure 13. The designed tapping system traffic by using Mikrotik 1100 AHx2 RouterBoard as test instrument, Mikrotik 1100 AHx2 RouterBoard record.

Figure 14. The designed system traffic by using Mikrotik 1100 AHx2 RouterBoard as packet generator and a Laptop for the receiving task, receiving Laptop record.

Figure 15. The designed system traffic by using three Laptops method, receiving Laptop record.

Figure 16. The designed system traffic by using three Laptops method, Mikrotik 1100 AHx2 RouterBoard record.

The Mikrotik allows generating and sending random packets with variable sizes, which is the more efficient test for the system. One of the most important factors in network systems is the system's efficiency when it deals with variable-size packets, especially small ones, and there the measurement is the packet rate, not the bit rate. Unfortunately, the packet specifications (packet size) cannot be controlled in the three-laptops method, where the test depends on sending files between the laptops; for that reason the bit rate is relied on, not the packet rate. Figure 17 represents the bit rate at the receiving laptop. It shows 49.9 MB, which represents the information only, without the headers of all the layers. Figure 18 shows a bit rate of 660 Mbps when the Mikrotik is used as the tapping system. It approaches the result of the designed system, which is based on BIS-6660.

Figure 17. The designed system data rate by using three Laptops method, receiving Laptop record.

Figure 18. The Mikrotik 1100 AHx2 RouterBoard traffic, receiving Laptop record.

Figure 19. The Cisco WS-C2950T-24 traffic, receiving Laptop record.

Figure 20. The BIS-6370 traffic, receiving Laptop record.

The bit rate reached 650 Mbps when the Cisco is used as a tapping system, as shown in Figure 19. BIS-6370 achieved 450 Mbps, which is the lowest among the tested devices, as shown in Figure 20.

6. The Results Discussion and the Conclusions

The results achieved approached 700 Mbps; for that, the thought was that the devices could not achieve more than this, or that the reason came from the data line limitations. Finally, the limitation was found: it came from the test instrument used. The PCs used, with magnetic SATA hard disks, cannot achieve data read/write of more than 50 MB/s. HDs from several companies and models, like Toshiba MK3276GSX, Samsung HD 501LG and Mobile Samsung HM160HI/CN3 5400RPM, with PC properties from Core2 Duo with 2 GB RAM to Core i7 with 16 GB RAM, were used in the testing for more assurance of the results. Many tests were done for the tested devices and the averages are listed in Table 3. The last record is the throughput when a direct connection is used between two laptops without any in-line device. The results show that the designed tapping system is more efficient: it reached the result of the direct connection.

Table 3. The throughput of the tested devices.

Tested device                              Throughput (Mbps)
Mikrotik 1100 AHx2 RouterBoard             671
BIS-6660 Vyatta (designed system)          693
Cisco WS-C2950T-24                         657
BIS-6370 custom Linux                      449
Direct connection (no in-line device)      693
If a solid-state HD and a more efficient test instrument, like the Spirent TestCenter v. 3.70 that supports throughput up to 40 Gbps, are used in the testing, the throughput may become higher than the results recorded in Table 3. The results of the Mikrotik 1100 AHx2 RouterBoard, the Cisco WS-C2950T-24 and the designed tapping system are close, where the difference is within the range of the percentage error values. The built system is applied in a real network and drove a network security system with high efficiency. It is attached to a packet features extractor system, and then the features are passed to a real-time network intrusion detection system to detect intruders [13, 14, 15].

REFERENCES

[1] Alistair Croll and Sean Power. Complete Web Monitoring. 1st ed. O'Reilly Media, June 2009. pp. 353-376.

[2] Richard Zurawski. Embedded Systems Handbook. 2nd ed. CRC Press, 2009. pp. 72-85.

[3] Vyatta Inc. Why Vyatta is Better than Cisco. Vyatta Inc., 2007.

[4] Super Micro Computer Inc. Supermicro L2/L3 Switches VLAN Configuration Guide. 1st ed. Super Micro Computer Inc., January 2013.

[5] Chris Welsh. GNS3 Network Simulation Guide. 1st ed. Packt Publishing, October 2013. pp. 22-28.

[6] Vyatta Inc. Vyatta System Quick Start Guide. 2nd ed. Vyatta Inc., August 2008.

[7] NORCO Intelligent Technology Co. BIS-6660 Datasheet. NORCO Intelligent Technology Co., November 2012.

[8] NORCO Intelligent Technology Co. BIS-6660 User's Manual. NORCO Intelligent Technology Co., 2011.

[9] Cisco Systems Inc. Cisco Catalyst 2950 Series Intelligent Ethernet Switches. Cisco Systems Inc., 2013.

[10] MikroTikls SIA Inc. RouterBOARD 1100/AH Series User's Manual. MikroTikls SIA Inc., June 2013.

[11] NORCO Intelligent Technology Co. BIS-6370 Datasheet. NORCO Intelligent Technology Co., January 2013.

[12] NORCO Intelligent Technology Co. EMB-4520/Ver 1.0 Test Report. NORCO Intelligent Technology Co., January 2013.

[13] Abdullah A. Mohamed, Dia M. Ali. Packet features extractor for network security systems: design and implementation. International Journal of Engineering and Innovative Technology (IJEIT) 2014; 3: 225-231.

[14] Abdullah A. Mohamed, Dia M. Ali. Creating real-time operation system based on xPC Target kernel. International Journal of Recent Technology and Engineering (IJRTE) 2013; 2: 143-146.

[15] Abdullah A. Mohamed. Design intrusion detection system based on image block matching. International Journal of Computer and Communication Engineering 2013; 2: 605-607.
