2010 International Conference on Communications and Mobile Computing
UTM-CM: A Practical Control Mechanism Solution for UTM System
Ying Zhang1, Fachao Deng2, Zhen Chen3,5, Yibo Xue3,5 and Chuang Lin4,5
1 School of Information Engineering, University of Science & Technology Beijing
2 Department of Automation, Tsinghua University, Beijing, China
3 Research Institute of Information Technology, Tsinghua University, Beijing, China
4 Dept. Computer Science and Technology, Tsinghua University, Beijing, China
5 Tsinghua National Lab for Information Science and Technology, Beijing, China
{zhangying84happy, fachao}@gmail.com, {zhenchen, yiboxue, chlin}@tsinghua.edu.cn

Our solution includes two main parts: 1) Configuration: initializing the UTM when it is first put into use and reconfiguring it when changes occur. 2) System management of the UTM: monitoring its operational condition and governing the interaction between different security modules, among other tasks. In summary, we make the following contributions:
• A novel control mechanism for UTM is proposed.
• An improved method for UTM configuration and management is presented.
• A system implementation and demonstration show that the solution can be implemented with the qualities of ease of use, scalability, interoperability, high efficiency and reliability.
The remainder of the paper is structured as follows. Section 2 presents an overview of related work. Section 3 discusses the design of the control mechanism. We present the implementation in Section 4, followed by the experiment and evaluation in Section 5. We briefly discuss our ongoing work in Section 6.
Abstract. Since it emerged in 2004, Unified Threat Management (UTM) has been used widely to enhance network security protection. A typical UTM device integrates multiple security technologies, so its control and management involves various interfaces, message formats, communication protocols, security policies and so on. It is therefore a big challenge to design and implement the configuration and management of the security technologies in a UTM. To address this issue, this paper proposes a practical UTM control mechanism that features ease of use, scalability, interoperability, high efficiency and reliability. The solution, called UTM Configuration and Management (UTM-CM), has been implemented and its performance has been evaluated.
1. Introduction
With the rapid development of the Internet, network security has become an intractable issue, and security threats are becoming more diverse and change more quickly. As a primary network gateway defense solution, Unified Threat Management (UTM) emerged in 2004 and has been used widely. A UTM is a special appliance that combines hardware, software and network protection technologies in one single device, such as firewall, intrusion prevention system (IPS), gateway antivirus (AV), VPN, content filter and so on [1-2]. UTM can be divided into two types: tightly-coupled UTM and loosely-coupled UTM. In a tightly-coupled UTM, all the security functions are developed by one vendor, which makes it easy to use and technologically advanced. A loosely-coupled UTM, however, integrates existing security products from various vendors, so the interoperability and interaction between the different security technologies is especially important for configuration and management. In either case, a real UTM must build a standard management platform to provide strong defense capabilities. To achieve this goal, we propose a control mechanism for UTM with ease of use, scalability, interoperability, high efficiency and reliability.
978-0-7695-3989-8/10 $26.00 © 2010 IEEE DOI 10.1109/CMC.2010.267
2. Related work
With network functionality growing increasingly complex, as discussed in [3-7], network configuration management has become a challenge and many management methods and platforms have emerged. Some related management solutions are introduced in this section. 1) SNMP. The Simple Network Management Protocol (SNMP) was created to solve the problem of managing distributed networks based on the TCP/IP protocols. SNMP is a UDP-based protocol. Although SNMP has been used successfully in different domains, as shown in [8-9], it is not a suitable choice for UTM, which is an integrated management solution. In other words, SNMP cannot reach the goal of interaction and interoperability. 2) TOPSEC and OPSEC. TOPSEC's Talent Open Platform for Security (TOPSEC) is a unified and scalable security platform which integrates various network security technologies and network security products, realizing interoperability and interaction between security products [10]. Check Point's Open Platform for Security (OPSEC) integrates and manages
IA architecture, is used for deep inspection of network traffic with the functions of IPS, AV, etc. A single blade has a processing capacity of 500 Mbps to 1 Gbps, and multiple blades can work in coordination. 4) Control Processing blade (CP) controls communication and interaction between the various blades. It also stores both configuration information and applications, and provides hot standby for critical components.
various network security products through an open, extensible framework [11]. Both technologies can configure and manage various security products, but nearly no security application can interact with either TOPSEC or OPSEC unless it strictly follows the protocols created by the two technologies and has even been certified by them. Because each vendor designs and develops its application programming interfaces (APIs) for a certain environment, the two technologies cause compatibility problems. An open, standard and scalable mechanism is required to configure and manage various security applications. 3) NETCONF. The NETCONF protocol defines a simple mechanism through which a network device can be managed, configuration information can be retrieved, and new configuration data can be uploaded and manipulated [12-13]. The NETCONF protocol plays a great role in automated configuration systems. However, the control mechanism of a UTM is not only about configuration. For example, interoperability and interaction between different security devices are out of reach of NETCONF [14].
3.2. Goals of the control mechanism
We analyzed the requirements that a control mechanism for UTM must satisfy. We list them below. 1) Easy to use. The development trend of network security is active safety and automatic defense, which reduce errors and bad responses caused by human factors. Since a UTM integrates various security technologies (such as firewall, VPN gateway, antivirus, IPS, etc.), users do not need to buy these security technologies separately, and network managers are never required to learn the configuration and management of all the equipment from different vendors. Therefore, one of the vital requirements for the configuration and management of a UTM is that it be easy to use and comprehensive. 2) Scalability. To strengthen protective capability, more and more security technologies are being integrated into UTM. A UTM should still be configured and managed well after a new security technology has been integrated. The configuration and management of a UTM must therefore be scalable. 3) Interoperability. As network applications become more and more complex, security threats have been increasing unexpectedly, and the modes and targets of attack vary quickly. An enterprise may have a series of security products (antivirus, firewall, IPS, etc.). However, these security products generate a great deal of security information in different forms, so it is almost impossible to make them cooperate and interact well. A UTM, which can provide three-dimensional protection, must have the management ability of interoperability and interaction. 4) High efficiency and reliability. UTM continues to evolve to offer multiple security services, integrates equipment from multiple vendors, and undergoes continuous performance and feature tuning. Configuration errors account for a significant portion of operator errors, and are the largest contributor to failures and repair time.
About 60% of network downtime is due to human configuration errors, and more than 80% of IT budgets are allocated to maintaining the status quo [3]. This is why the configuration and management of a UTM must be highly efficient and reliable.
3. Design of Control Mechanism for UTM
[Figure 1 blade layout, 14 slots: AP (dual dual-core IA) x10, NP (dual octeon 5860) x2, SW+CP x2]
3.1. ATCA-based UTM overview
Figure 1. Infrastructure of ATCA-based UTM
As shown in Figure 1, the UTM adopts the Advanced Telecommunications Computing Architecture (ATCA) and has 14 slots into which various blades can be inserted according to the applications and the user's requirements. The configurable blades include: 1) Switch blade (SW), which provides fast switching and high capacity. There are two switching modes: 1GE Base switching for the control plane and 10GE Fabric switching for the data plane. 2) Network Processing blade (NP), which handles the network layer and implements load balancing. It plays the role of a firewall at the same time. The NP adopts a multi-MIPS-core architecture. 3) Application Processing blade (AP), based on multi-
(called CP Agent, NP Agent and AP Agent respectively), and they communicate with each other to configure and manage the UTM properly. 3) UTM Message Protocol: it defines the communication mode between CP, NP and AP. 4) Notify process: when a network operator makes a new configuration via the Web (or Console), the CP notifier process is activated to send a special message to the managed device. Meanwhile, the NP notifier and AP notifier processes report their information to the CP.
3.3. Architecture of the control mechanism
To achieve the design goals, we use a layered architecture to categorize the different functionality of the UTM and abstract the main function of each layer. The architecture serves as a guideline for our system design and implementation.
4.2. Control Command Representation
Table 1. Message format of UTM-C
Code | Identifier | Length | Type | Subtype | Data
As shown in Table 1, the message consists of six fields. Code: this field identifies the type of message. Code=1 stands for a configuration request message; Code=2 represents a configuration response message; with Code=11, Type identifies the type of event request message; with Code=12, Type identifies the type of event response message. Identifier: this field matches a response message to its corresponding request message. Length: this two-byte field specifies the length of a configuration message. Type: its meaning depends on the Code field: if Code=1, Type identifies the type of configuration request message; if Code=2, Type identifies the type of configuration response message. Data: zero or more bytes, depending on the values of the Type and Subtype fields.
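As an added example (not the paper's code), the following Python encodes and validates UTM-C messages with the Table 1 layout and matches a response to its request by Identifier. The Code values and the two-byte Length come from the paper; the one-byte Code, Type and Subtype, the two-byte Identifier, network byte order, and Length counting the whole message including the header are assumptions.

```python
# Encoder/decoder for the UTM-C message of Table 1. Added example, not
# the paper's code. The paper fixes only the Length field (two bytes) and
# the Code values; the other widths are assumptions: Code, Type and
# Subtype one byte each, Identifier two bytes, network byte order, and
# Length counting the whole message including the header.
import struct
from dataclasses import dataclass

CODE_CONFIG_REQUEST = 1    # request message for configuration
CODE_CONFIG_RESPONSE = 2   # response message for configuration
CODE_EVENT_REQUEST = 11    # event request message
CODE_EVENT_RESPONSE = 12   # event response message
REQUEST_CODES = (CODE_CONFIG_REQUEST, CODE_EVENT_REQUEST)
KNOWN_CODES = (CODE_CONFIG_REQUEST, CODE_CONFIG_RESPONSE,
               CODE_EVENT_REQUEST, CODE_EVENT_RESPONSE)

# Assumed layout: Code(1) Identifier(2) Length(2) Type(1) Subtype(1) Data(*)
HEADER = struct.Struct("!BHHBB")


@dataclass
class UtmcMessage:
    code: int
    identifier: int
    type_: int
    subtype: int
    data: bytes = b""

    def encode(self) -> bytes:
        length = HEADER.size + len(self.data)
        if length > 0xFFFF:
            raise ValueError("Data too long for the two-byte Length field")
        return HEADER.pack(self.code, self.identifier, length,
                           self.type_, self.subtype) + self.data


def decode(buf: bytes) -> UtmcMessage:
    """Parse one message; a receiver such as the CP agent should reject
    malformed input instead of trusting the Length field blindly."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated header")
    code, ident, length, typ, sub = HEADER.unpack_from(buf)
    if code not in KNOWN_CODES:
        raise ValueError(f"unknown Code {code}")
    if length != len(buf):
        raise ValueError("Length field does not match the received size")
    return UtmcMessage(code, ident, typ, sub, buf[HEADER.size:])


def is_well_formed(buf: bytes) -> bool:
    """True when decode() accepts the buffer."""
    try:
        decode(buf)
        return True
    except ValueError:
        return False


def is_response_to(request: UtmcMessage, response: UtmcMessage) -> bool:
    """Identifier ties a response to its request; the response Code must be
    the counterpart of the request Code (1 -> 2, 11 -> 12)."""
    return (request.code in REQUEST_CODES
            and response.identifier == request.identifier
            and response.code == request.code + 1)
```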
Figure 2. Control mechanism architecture
We now present a high-level overview of our control mechanism architecture (see Figure 2). We discuss the details and implementation of several components in the following sections. We divide the architecture into three layers: 1) Configuration and management layer. It is the human-to-machine layer and deals with control command representation. 2) Enforcement layer. This layer processes the control messages, including their representation and execution. 3) Communication layer. The communication layer, the machine-to-machine layer, controls the communication and interaction between the different components (CP, NP and AP). We name the control mechanism UTM Configuration and Management (UTM-CM). It includes two components: 1) UTM Configuration (UTM-C) configures the components of the UTM; 2) UTM Management (UTM-M) manages the UTM.
4.3. Control Message
4.3.1. Proposed methods
1) TLV. Type-Length-Value (TLV) is a very convenient and space-efficient method for encoding complex data with multiple fields in an organized format. However, TLV cannot meet the requirement of interoperability and interaction between various security devices. 2) XML-RPC. XML Remote Procedure Call (XML-RPC) is an extension of XML and a method of performing remote procedure calls using XML to transmit the procedure call data [15]. However, it lacks rich standards and strong specifications for representing data types, and cannot send more complex data. In a UTM system covering various security technologies, the data transferred tends to be more complex, so XML-RPC is not preferred in this situation. 3) SOAP. The Simple Object Access Protocol (SOAP) was designed as a step beyond XML-RPC and
4. Implementation details
4.1. UTM-CM
As shown in Figure 2, multiple utilities are provided to exploit and control the configuration and management capabilities of the UTM: 1) Web/Console: the Configuration User Interface (CUI). Using this interface, a network operator can configure and manage the UTM easily. 2) Configuration and Management daemon (CM agent): there is a CM agent in each of CP, NP and AP
addresses many of the shortcomings of XML-RPC. SOAP is designed to send more complex data and provides a more robust data typing mechanism than XML-RPC. Therefore, SOAP can represent the data transferred in the UTM. Since SOAP has considerably more overhead because more metadata is sent, we propose an improved method based on SOAP. To meet the configuration and management requirements of the UTM, our solution (UTM-CM) adopts this improved method. It is introduced in detail in the following section.
transfer; processing delay time is the time spent on control command representation, control message representation and execution; δ is 0.00005 s in our system. The related data are presented in Section 5.
5. Experiment and evaluation
5.1. Experiment
As mentioned in Section 3.1, the experiment platform is the multi-core UTM system based on ATCA: a Radisys ATCA-6000 as the carrier, Radisys ATCA-7200 blades for the NP and Intel MPCBL0050 blades for the AP.
4.3.2. Control message representation
The control message is based on the Extensible Markup Language (XML). For example, in the UTM-M experiment, the request message and response message are as follows:
Table 2. Performance of different management schemes
Schemes | Configuration | Interoperability | Interaction
UTM-CM | homogeneous and heterogeneous devices | yes | yes
TOPSEC | homogeneous and heterogeneous devices | partial | partial
OPSEC | homogeneous and heterogeneous devices | partial | partial
NETCONF | homogeneous and heterogeneous devices | no | no
SNMP | homogeneous devices only | no | no
Request message based on XML:
Compared with the other schemes, UTM-CM can not only configure homogeneous and heterogeneous devices, but can also help various devices interact and interoperate with each other (as shown in Table 2). 1) Configuration. The CP can configure both NPs and APs easily through the user interface (CLI/Web). Both the intrusion prevention system of the AP and the firewall policy of the NP, for example, can be configured well by UTM-CM. 2) Interaction. Take load balancing as an example: the APs report their load information to the CP at set intervals; once an overload occurs, the CP notifies the NP to balance the load, and finally the NP completes the load-balancing process based on the APs' load information. 3) Interoperability. When an AP detects abnormal traffic, it requests the CP to drop the traffic and add the corresponding rule to the firewall rules (NP policy). After receiving the request message, the CP tells the NPs to execute the actions, and the NPs drop the traffic and update their policy.
Response message based on XML: - 0
4.4. Delay-time analysis
Based on the previous sections, we estimate the delay time from a blade X to another blade Y with the following formula: total_delay(X,Y) = cd(X,Y) + pd(X|Y) + δ, where cd(X,Y) is the communication delay time from X to Y, pd(X|Y) denotes the processing delay time at blade X or Y, and δ represents a variable parameter (e.g. device stability, network condition). Communication delay time refers to the time taken during control message
5.2. Evaluation
1) Easy to use. The user interface (CLI/Web) is user-friendly and comprehensive. All the security technologies can be configured and managed. Therefore, any network operator is able to configure and manage the UTM easily through the UI, and does not need to learn the
solution and Availability).
configuration and management of the various security technologies. 2) Scalability. Our solution (UTM-CM) is also scalable: new security products can be easily added to our system. After achieving the configuration of the NP's interface and the AP's IPS, we successfully configured and managed other products, such as route rules, firewall policy and so on. 3) Interoperability. As shown in Section 4.3.2, UTM-CM is based on XML, and various security technologies from various vendors can cooperate and interact well. 4) High efficiency. Figures 3 and 4 show that UTM-CM provides high efficiency together with interoperability, with a delay time below 0.01003 s. The reliability requirement is met as well.
8. References
[1] http://www.idc.com/.
[2] http://www.venustech.com.cn/.
[3] Richard Alimi, Ye Wang, Y. Richard Yang, "Shadow Configuration as a Network Management Primitive", ACM SIGCOMM '08, August 17-22, 2008, Seattle, Washington, USA, pp. 111-122.
[4] Donald Caldwell, Seungjoon Lee, Yitzhak Mandelbaum, "Adaptive Parsing of Router Configuration Languages", IEEE Internet Network Management Workshop, 2008.
[5] Wei Zheng, Ricardo Bianchini, Thu D. Nguyen, "Automatic Configuration of Internet Services", EuroSys '07, March 21-23, 2007, Lisboa, Portugal, pp. 219-229.
[6] M. Aqeel Iqbal, Uzma Saeed Awan, "An Efficient Configuration Unit Design For VLIW Based Reconfigurable Processors", INMIC 2008.
[7] Bin Lin, Aaron B. Brown, Joseph L. Hellerstein, "Towards an Understanding of Decision Complexity in IT Configuration", ACM CHIMIT '07.
[8] Peter Drake, "Using SNMP to Manage Networks".
[9] Weldson Queiroz de Lima, Rodrigo Sanger Alves, Ricardo Lemos Vianna, Maria Janilce, et al., "Evaluating the Performance of SNMP and Web Services Notifications", NOMS 2006, 3-7 April 2006, pp. 546-556.
[10] http://www.topsec.com.cn/.
[11] http://www.opsec.com/.
[12] Yanan Chang, Debao Xiao, Hui Xu, Limiao Chen, "Design and Implementation of NETCONF-Based Network Management System", FGCN '08, 13-15 Dec. 2008, pp. 256-259.
[13] Zhu Wei, Liu Ningning, Shan Weifeng, Fu Guobin, "Design of the Next Generation Military Network Management System Based on NETCONF", ITNG 2008, 7-9 April 2008, pp. 1216-1219.
[14] Ji Huang, Zhang Bin, Li Guohui, Gao Xuesong, Li Yan, "Challenges to the New Network Management Protocol: NETCONF", ETCS '09, 7-8 March 2009, pp. 832-836.
[15] de Rivera, Ribalda, R., Colas, J., Garrido, J., "A generic software platform for controlling collaborative robotic system using XML-RPC", IEEE/ASME 2005, 24-28 July 2005, pp. 1336-1341.
[Figure 3. Run time (y axis: runtime/second, ticks 0 to 50; x axis ticks 3 to 9)]
[Figure 4. Delay-time estimation (y axis: delay time/second, ticks 0.01002 to 0.01004; x axis ticks 0 to 8; series: send message time, response time)]

7. Acknowledgements
The authors would like to thank Dr. Anan Luo for his kind help, and all the members of the Network Security Lab of Tsinghua University for their valuable suggestions. This work is supported by High-tech Program No. 2007AA01Z468 with the title of "A Holistic UTM System Design and Implementation". It is also supported by the Natural Science Foundation of China No. 90718040 with the title of "Trusted Computing Environment and Trusted Software Design".
6. Conclusions and future work
In this paper, we presented a control and management mechanism for UTM with ease of use, scalability, interoperability, high efficiency and reliability. In future work, we would like to implement UTMSEC (UTM Security) to further improve our solution. We would also like to study the high availability of the