The Design and Implementation of a Secure Content Switch - PowerPoint PPT Presentation

About This Presentation
Title:

The Design and Implementation of a Secure Content Switch

Slides: 38
Provided by: Gan949
Learn more at: http://cs.uccs.edu
Transcript and Presenter's Notes

1
The Design and Implementation of a Secure
Content Switch
  • Master Thesis Presentation
  • Ganesh Kumar Godavari
  • Department of Computer Science
  • Univ. of Colorado at Colorado Springs

2
Outline of the Talk
  • Content Switch and Overview of SSL
  • Related Literature
  • Design of Secure Content Switch (SCS)
  • Performance of SCS implementation
  • Lessons Learned and Future Directions
  • Conclusion

3
Content Switch (CS)
[Diagram: client -> ContentSwitch -> server1 ... server9, the servers hosting objects such as home.htm, Index.htm, uccs.jpg and rocky.mid]
  • Route packets based on higher-layer (Layer 5/7) headers and content.
  • Examples:
  • Direct Web traffic based on the pattern of URLs, host tags, cookies.
  • Can route incoming email based on the email address; connect POP/IMAP based on the login.
  • Web switches and the Intel XML Director/accelerator are special cases of a content switch.

4
What Services It Can Provide
  • Enabling premium services for e-commerce, ISP,
    and Web hosting providers
  • Load Balancing and High Available Server
    Clusters Web, E-commerce, Email, Computing,
    File, SAN
  • Policy-based networking, differential/QoS
    services.
  • Firewall, Strengthening DoS protection,
    cache/firewall load-balancing
  • 'Flash-crowd' management
  • Email Spam Protection, Virus Detection/Removal

5
About SSL
  • Secure Sockets Layer (SSL) protocol
  • developed by Netscape Communications to ensure
    private and authenticated communications
  • put into the public domain for the Internet
    community

6
OpenSSL
  • OpenSSL is based on the excellent SSLeay library
    developed by Eric A. Young and Tim J. Hudson.
  • Open Source toolkit implementing the Secure
    Socket Layer (SSL v2/v3) and Transport Layer
    Security (TLS v1) protocols as well as a
    full-strength general purpose cryptography
    library
  • Important Libraries
  • SSL
  • The OpenSSL ssl library implements the Secure
    Sockets Layer (SSL v2/v3) and Transport Layer
    Security (TLS v1) protocols
  • Crypto
  • The OpenSSL crypto library implements a wide
    range of cryptographic algorithms used in various
    Internet standards. The services provided by this
    library are used by the OpenSSL implementations
    of SSL, TLS, and they have also been used to
    implement SSH, OpenPGP, and other cryptographic
    standards

7
Command Interface
  • The Openssl program is a command line tool for
    using the various cryptography functions of
    OpenSSL's crypto library from the shell. It can
    be used for
  • Creation of RSA, DH and DSA key parameters
  • Creation of X.509 certificates, and Certificate
    Revocation List (CRL)
  • Calculation of Message Digests
  • Encryption and Decryption with Ciphers
  • SSL/TLS Client and Server Tests
  • Handling of S/MIME signed or encrypted mail

8
Secure Content Switch (SCS)
  • Secure content switch is a transparent proxy that
    can translate between encrypted and unencrypted
    data transport on socket connections.
  • Need for secure network access and high
    performance
  • e-commerce transactions require security
  • Need high performance for better Quality of
    Service
  • Solution: just plug in the SCS between the client and
    the server and thereby add Secure Socket Layer
    (SSL) support.

9
Goal: Design of Secure Content Switch
  • In addition to the above, we need to be able to
    route requests based on content to a set of
    backend real servers.
  • Design Considerations
  • Our real Servers can be located at different
    places
  • Efficiency must not be ruined
  • Easy to understand/write content switching rules.
  • Dynamic rule update
  • Session Reusability

10
Related Literature
  • [1] George Apostolopoulos, David Aubespin, Vinod Peris, Prashant Pradhan, Debanjan Saha, "Design, Implementation and Performance of a Content-Based Switch", Proc. Infocom 2000, Tel Aviv, March 26-30, 2000, http://www.ieee-infocom.org/2000/papers/440.ps
  • [2] Gregory Yerxa and James Hutchinson, "Web Content Switching", http://www.networkcomputing.com.
  • [3] Release Notes for Cisco Content Engine Software, http://www.cisco.com.
  • [4] Foundry ServerIron Installation and Configuration Guide, May 2000, http://www.foundrynetworks.com/techdocs/SI/index.html
  • [5] Intel IXA API SDK 4.0 for Intel PA 100, http://www.intel.com/design/network/products/software/ixapi.htm and http://www.intel.com/design/ixa/whitepapers/ixa.htm#IXA_SDK

11
Design of Secure Content Switch
12
Advantages of Secure Content Switch
  • Preferential Treatment
  • The Secure Content Switch has been developed to
    handle secure content-based routing of requests.
  • e.g. high-value purchase requests can be routed to the
    fast real server
  • Security
  • The Secure Content Switch establishes the secure
    connection if the server doesn't support HTTPS

13
Architecture of Secure Content Switch
  • The web browser makes a request to the secure
    content switch.
  • The dispatcher module in the secure content
    switch forwards the request to the secure content
    switch child module. In the dynamic forking
    version of SCS the dispatcher module forks a
    child process. In Preforking version of SCS the
    dispatcher module forwards request to a free
    child.
  • The secure content switch child module performs
    the handshake with the client and reads in the
    request.
  • The secure content switch child module then
    sends the request to the Rule module, which
    performs rule matching and returns the name of
    the server by which the request can be served.
  • The secure content switch child forwards the
    request to the real server based on the routing
    decision

14
Dynamic Forking Secure Content Switch
Flowchart (reconstructed from the slide):
  • Request From Web Browser to the SCS arrives at the Dispatcher module, which calls fork() to create a Secure Content Switch Child module.
  • Child module: Existing SSL Session? No: Negotiate SSL Session. Yes: Decrypt Object (the SSL Request) Using SSL Session Information.
  • Send Object Information To Rule Matching Module; Retrieve Server Information from Rule Matching Module.
  • Retrieve Object From the Server Using Standard HTTP.
  • Encrypt the Object Per Session Information and Send it over HTTPS to the Web Browser.
15
Prefork Secure Content Switch
Flowchart (reconstructed from the slide):
  • Request From Web Browser to the SCS arrives at the Dispatcher module, which assigns it to one of the pre-spawned Secure Content Switch Child Processes 1, 2, ..., n.
  • Child process: Existing SSL Session? No: Negotiate SSL Session. Yes: Decrypt Object (the SSL Request) Using SSL Session Information.
  • Send Object Information To Rule Matching Module; Retrieve Server Information from Rule Matching Module.
  • Retrieve Object From the Server Using Standard HTTP.
  • Encrypt the Object Per Session Information and Send it over HTTPS to the Web Browser.
16
E-Commerce Example 1. Client
  • Client submits via HTTP/POST (or SOAP) the
    following purchase in XML:
    <purchase>
      <customerName>CCL</customerName>
      <customerID>111222333</customerID>
      <item><productID>309121544</productID>
        <productName>IBM Thinkpad T21</productName>
        <unitPrice>5000</unitPrice>
        <noOfUnits>10</noOfUnits>
        <subTotal>50000</subTotal>
      </item>
      <item><productID>309121538</productID>
        <productName>Intel wireless LAN PC Card</productName>
        <unitPrice>200</unitPrice>
        <noOfUnits>10</noOfUnits>
        <subTotal>2000</subTotal>
      </item>
      <totalAmount>52000</totalAmount>
    </purchase>

17
E-Commerce Example 2. Content Switch
  • Content switch receives the packet.
  • Recognize it is an HTTP POST request from the HTTP
    request line: POST /purchase.cgi HTTP/1.1
  • Recognize it is an XML document from the meta
    header: content-type: TEXT/XML
  • Parse the XML content.
  • Extract values of tag sequences:
    purchase/totalAmount = 52000
    purchase/customerName = CCL
  • Rule 1: if (xml.purchase/totalAmount > 5000) routeTo(highSpeedServers)
  • Rule 2: if (xml.purchase/customerName == CCL) routeTo(specialCustomerServers)
  • Rule 1 is matched and the packet is routed to one of
    the highSpeedServers.

18
Java-based Rule Editor
  • Detect conflicts in content switch rule set
  • Convert rules into LCS rule module.

19
Design of Rule Module Server
  • How can I update rules dynamically?
  • Make the rule matching part a separate process.
  • Design considerations
  • Will the rule module run locally on the same machine
    as the SCS?
  • Cannot say; it depends on the user.
  • What is going to be the impact on performance?
  • Need to study this once in detail!!
  • Current Design
  • Rule module can run as a separate process on the
    same or a different machine.
  • Rule module is an iterative server [1] because we
    found that encryption and decryption are the
    bottlenecks, not rule matching (from the previous
    results).
  • Updating Rule Module
  • Shut down the rule module, compile the rule module
    with the new rule set and start up the rule module.
  • [1] An iterative server is one that serves one
    request at a time.

20
Rule Server Module
Flowchart (reconstructed from the slide):
  • Secure Content Switch Child Process: Establish Connection with Rule Server Module (the chart shows a second path, Establish Connection with Default Rule Server Module).
  • Send Url, Src portno, Src IP, HTTP Headers, Data (if any) to the Rule Module.
  • Rule Module: IS (Method Post)? Yes: IS (content type x-www-form-urlencoded)? Yes: Decrypt the data and populate the rules with values (if any).
  • Perform rule matching and send back the Real Server Name, Address and Port on which the Real Server is listening.
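A worked version of the rule matching on slides 17 and 20, as an added example (not code from the thesis or the SCS project): it parses the raw POST request, extracts the tag-sequence values from a text/xml body (or, for the flowchart's other branch, from an x-www-form-urlencoded body) and applies Rule 1 and Rule 2 in order, falling back to an assumed defaultServers pool for non-POST requests, other content types, malformed XML or no matching rule. The pool name defaultServers, the helper functions and the sample request are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Rules from the e-commerce example, checked in order (first match wins):
# (tag sequence, predicate on the extracted string value, server pool).
RULES = [
    ("purchase/totalAmount", lambda v: v.isdigit() and int(v) > 5000, "highSpeedServers"),
    ("purchase/customerName", lambda v: v == "CCL", "specialCustomerServers"),
]
DEFAULT_POOL = "defaultServers"  # assumed name of the pool used when no rule matches

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = dict((n.strip().lower(), v.strip())
                   for n, _, v in (l.partition(":") for l in lines[1:]))
    return lines[0].split(" ", 2)[0], headers, body

def extract_values(headers: dict, body: bytes) -> dict:
    """Map each rule's tag sequence to its value from a text/xml or form-urlencoded body."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":  # the flowchart's other branch
        form = parse_qs(body.decode("iso-8859-1"))
        return {seq: form[seq][0] for seq, _, _ in RULES if seq in form}
    if ctype != "text/xml":
        return {}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {}  # malformed XML: no fields, so only the default pool can apply
    values = {}
    for seq, _, _ in RULES:
        top, tag = seq.split("/", 1)
        node = root.find(tag) if root.tag == top else None
        if node is not None and node.text:
            values[seq] = node.text.strip()
    return values

def route(raw: bytes) -> str:
    """Return the server pool for a raw request; only POST bodies carry rule data."""
    method, headers, body = parse_request(raw)
    values = extract_values(headers, body) if method == "POST" else {}
    for seq, pred, pool in RULES:
        if seq in values and pred(values[seq]):
            return pool
    return DEFAULT_POOL

# Constructed sample: the slide's purchase document (abridged) posted to /purchase.cgi.
PURCHASE_XML = b"<purchase><customerName>CCL</customerName><totalAmount>52000</totalAmount></purchase>"
SAMPLE_REQUEST = b"POST /purchase.cgi HTTP/1.1\r\nContent-Type: TEXT/XML\r\n\r\n" + PURCHASE_XML
```

Because Rule 1 is tested first, a CCL purchase over 5000 goes to highSpeedServers, exactly as slide 17 states; only a smaller CCL purchase reaches Rule 2.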
21
Test bed
22
Configuration of machines used in testbed
23
SSL Processing Overhead
  • Average SSL req./sec is 14.7
  • Average HTTP req./sec is 180

[Graph: testbed machines dilbert.uccs.edu, eca.uccs.edu]
24
Dynamic vs. Preforking SCS
  • The performance of the Pre-forking SCS is better
    than Dynamic Forking SCS

[Graph: testbed machines eca.uccs.edu, dilbert.uccs.edu, oblib.uccs.edu, frodo.uccs.edu]
25
Dynamic vs. Preforking SCS
  • The performance of the Dynamic forking SCS is
    better than the Pre-forked SCS
  • Reason?
  • What is the advantage of using a cluster?

[Graph: testbed machines eca.uccs.edu, dilbert.uccs.edu, calvin.uccs.edu, frodo.uccs.edu]
26
Performance of Prefork SCS on varying Startup
Children
  • Startup children: the number of child processes spawned
    ahead of time
  • It is suggested to always keep the Startup
    Children small if you don't expect heavy traffic
  • Having about 25 pre-spawned children is better
    if the traffic load is heavy

[Graph: testbed machines eca.uccs.edu, dilbert.uccs.edu, calvin.uccs.edu, frodo.uccs.edu]
27
Impact of Rules on the performance of Dynamic SCS
  • Clearly there is no impact of rules on the
    performance of the Dynamic Forking Secure Content
    Switch

[Graph: testbed machines eca.uccs.edu, dilbert.uccs.edu, calvin.uccs.edu, frodo.uccs.edu]
28
Impact of Rules on the performance of Dynamic
Non-SCS
  • Clearly there is some impact of rules on the
    performance of the Dynamic Forking Non-Secure Content
    Switch
  • The smaller the rule set, the better the performance
  • No heavy impact on the performance of the Secure
    Content Switch with an increase in the number of
    rules

29
Impact of Real Servers on the Performance of
Dynamic SCS
  • Clearly there is no impact of Real Servers on
    the performance of the Dynamic Forking Secure Content
    Switch
  • Is the Secure Content Switch the bottleneck??

[Graph: testbed machines calvin.uccs.edu, eca.uccs.edu, dilbert.uccs.edu, frodo.uccs.edu]
30
Impact of Real Servers on the Performance of
Dynamic Non-SCS
  • Performance is not directly proportional to the number of
    Real Servers!!
  • Clearly there is an impact of Real Servers on the
    performance of the Dynamic Forking Non-SSL Secure
    Content Switch
  • Performance was found to degrade when there is
    only one real server

31
Performance of SCS in Local Node situation
Local Node: the Web Server runs on the Content
Switch machine, therefore the Content Switch can
serve the requests by routing requests internally.
  • No major gains whether the real server runs locally
    or remotely

[Graph: testbed machines calvin.uccs.edu, dilbert.uccs.edu; Apache Web Server]
32
Lessons Learned Conflicts among Different
Servers on Same Machine
  • While measuring results using web bench for local
    node situation for Pre-fork Non-secure content
    switch
  • The apache is running on port 8000, SCS on 80.
    After serving a few requests SCS stopped serving
    Requests. I stopped Apache web server, SCS
    started Serving Requests again. I started the
    Apache Web server, after serving a few requests
    SCS stopped serving Requests. This process is
    continuing
  • A probable conflict over who serves the request is
    ruled out, as a request sent to the Secure Content
    Switch / Apache is being handled perfectly well

33
Local vs. Remote Rule Module
  • Pre-fork SCS overtakes Dynamic forking SCS
  • Dynamic forking SCS performance was degraded by
    100

[Graphs: rule module on walrus.uccs.edu and rule module on calvin.uccs.edu; testbed machines eca.uccs.edu, dilbert.uccs.edu, frodo.uccs.edu]
34
Future Directions
  • Reducing the bottleneck of SSL encryption /
    decryption by parallel processing; we need
    to maintain state across machines
  • using cookies
  • have a server id parameter as a part of the handshake
    (OpenSSL 0.7 may have this feature)
  • caching of web pages
  • Tough to achieve in the case of dynamic pages.
  • Modify the Apache web server to include
    preferred treatment and do a fair comparison
  • have packet rewrite techniques.

35
Conclusion
  • Preforking Secure Content Switch
  • encryption and decryption are the major
    bottleneck
  • no major gains if processor speed is increased.
  • no major benefit if the number of real servers is
    increased
  • no major benefit if the number of rules is
    increased
  • Dynamic forking Secure Content Switch
  • encryption and decryption are the major
    bottleneck
  • major gains if processor speed is increased.
  • no major benefit if the number of real servers is
    increased
  • some impact if the number of rules is
    increased
  • Preforking version of SCS is better than the Dynamic
    forking version of SCS

36
References
  • [1] OpenSSL: The Open Source toolkit for SSL/TLS (http://www.openssl.org)
  • [2] SSL and TLS, by Eric Rescorla
  • [3] SSL and TLS Essentials, by Stephen Thomas
  • [4] mod_ssl: The Apache Interface to OpenSSL (http://www.modssl.org)
  • [5] HTTP Over TLS, ftp://ftp.ietf.org/internet-drafts/draft-ietf-tls-https-02.txt. The specification on how to run HTTP over SSL/TLS.
  • [6] Tunneling TCP based protocols through Web proxy servers, http://www.www.alternic.org/drafts/drafts-l-m/draft-luotonen-web-proxy-tunneling-01.txt. The specification for the HTTP CONNECT method.
  • [7] Analysis of SSL 3.0 Protocol, http://www.counterpane.com/ssl.html. D. Wagner and B. Schneier's USENIX analysis of SSLv3.
  • [8] HyperText Transfer Protocol (HTTP), Version 1.1 (Internet Draft), http://www.w3.org/Protocols/HTTP/1.1/draft-ietf-http-v11-spec-rev-06.txt. The application layer protocol Apache mod_ssl uses over SSL/TLS.
  • [9] HyperText Transfer Protocol (HTTP), Version 1.0 (RFC 1945), http://www.ietf.org/rfc/rfc1945.txt. The application layer protocol Apache mod_ssl uses over SSL/TLS.

37
References
  • [10] Intel IXA (Internet Exchange Architecture), http://developer.intel.com/design/ixa/index.htm
  • [11] WindRiver Tornado Development Tools, http://www.windriver.com/products/html/tornado2.html
  • [12] Tornado Users Guide (Windows Version) 2.0
  • [13] WindRiver VxWorks, http://www.windriver.com/products/html/vxwks54.html
  • Intel, IXP-1200, IXP-12EB are registered trademarks of Intel Corporation.
  • Tornado, VxWorks are registered trademarks of Wind River Systems, Inc.
  • Linux, Apache, OpenSSL are protected under the GNU General Public License.