Application Flow Controller based on access authorization

Zhou Li (lead student researcher)
Huang Liqun (faculty advisor)
Zhao Jinhua, Zhou Bin, Zhang Yu (student researchers)

Huazhong University of Science and Technology, Wuhan, China

Final Report [PDF]

User Guide [PDF]

Sun Tech Days presentation [PDF]

Statement and Background of Purpose

 The purpose of this project is to design a network management system named Application Flow Controller (AFC). An application flow is the network traffic an application uses to communicate with the Internet. AFC implements network access authorization control based on protocol analysis: it analyzes the traffic, identifies the flows belonging to particular applications, and then limits or cuts those flows at the appropriate time to keep the network in good condition.

 Today, as applications such as BitTorrent (BT) and online games become more popular, the load on campus and company networks has grown so heavy that it affects the networks' primary functions. Moreover, companies may not allow their employees to play online games during working hours, so some companies and educational organizations have rules that forbid their people from using certain applications such as online games.

 Tools like MRTG, RRDtool, Net-SNMP and ntop are widely used in many universities and companies; for example, our university uses Net-SNMP to monitor several web servers and networks. However, such tools only report server and link status; they cannot analyze or control application flow, which means they cannot identify a particular application [1,2]. To stop employees or students from using software such as P2P download tools or instant messaging tools, universities and companies need a tool that controls application flow.

 Our project can stop particular applications from accessing the Internet. Some existing tools can achieve a similar goal, such as iptables on Linux [3] and IP Filter on Solaris [4]. However, these tools only block by server IP address or local port. Download tools like BT clients can easily change their local port, and instant messaging tools like MSN can use a proxy instead of the official server IP, so address and port filtering is not an effective way to limit Internet access authorization.

 AFC can be used on campus networks, company networks and so on. With AFC, an administrator can restrict the authorization of specific software to access the Internet. For example, to forbid employees from using eDonkey during working hours, the administrator just needs to add eDonkey to the block list, and eDonkey will then be banned across the whole network.

 Our university (Huazhong University of Science and Technology) is the central node of the Huazhong region of the China Education and Research Network (CERNET). Most of our university's servers run Solaris, and the university has a need for this kind of application, so we also plan to recommend our project to the university for practical use.

Approach to be Used and Related Research

 The running process of AFC is shown in figure 1 [figure omitted]. The probe module captures data packets from the network; then, in the application flow detection stage, AFC detects and recognizes application flows for further processing. Next, in the protocol analysis and abnormal traffic analysis stages, AFC analyzes the specific protocol carried by each detected application flow, such as the P2P and MSN protocols. AFC then acts in one of two ways. First, if the system detects an application flow that the administrator has banned, it cuts that flow off. Second, if no banned application flow is present but the network is overloaded, AFC dynamically controls the traffic and decides which application flows to cut off.

 The following are the key technologies AFC uses.

  1. Data Packet and Network Flow Capture
    There are many ways to capture network flows, for instance capturing the traffic directly on the gateway server. That is not an efficient way, however, because it may push the gateway server into an overloaded state. Instead we use port mirroring, which lets an independent server capture the traffic [5]: the switch mirrors the monitored port to a port connected to the analysis server, which then monitors and analyzes the traffic. Most switches and routers, such as the Cisco Catalyst 2900XL/3500XL/2950 and the Huawei S2008/S2016/S2026/S2403H/S3026, support this feature.
     For data packet capture there are two candidate approaches: one uses the Solaris packet capture API, the other uses the Solaris tool snoop. Using snoop is much easier but less flexible. In AFC, the probe will be developed on the Solaris API.
  2. Network Traffic Statistics and Dynamic Management
    Traffic statistics are used in AFC to monitor network status. If the network is overloaded, AFC dynamically revokes network access authorization according to a control algorithm. For example, if the traffic statistics show that eDonkey or BitTorrent flows are causing the overload, AFC cuts off the eDonkey or BitTorrent flows. AFC also keeps an order list and bans the software with the lowest priority first. The control algorithm will be developed in this project. Meanwhile, the project will define rules for judging whether the network carries abnormal traffic by analyzing the flow information on a specific port.
  3. Protocol Analysis
    Protocol analysis is the most important and most difficult part of this project. AFC bans application flows according to a protocol list, which makes it easy and flexible to add a newly banned protocol. Several methods for analyzing service flow protocols, such as connection port features, flow features and data transport features, are discussed in [6] and [7]. P2P protocols and the MSN protocol will be analyzed in AFC first.
     Here we list the candidate approaches to be used:
    1. Analysis of P2P protocols (BT)
      To cut off the use of BT, eDonkey or other P2P-based software, we need to detect P2P flows. P2P tools like BT have their own protocol, so we can check whether a flow matches the BT protocol and then choose to cut the connection.
       To further increase the accuracy of BT flow identification, we will use the relationships between flows. For example, within a given time window, flows between the same pair of hosts are associated with each other; flows from different hosts to the same destination address and port are associated with each other; flows originating from the same host within the window are associated with each other; and so on.
    2. Analysis of the MSN/QQ protocols
      MSN automatically switches ports, and the ports it uses are common ones, so the traditional port-blocking approach cannot restrict the use of MSN. Instead AFC matches the traffic against MSN application flow patterns, such as the login flow and the message-sending flow; any matched flow is cut off.
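As an added, self-contained example (not part of the original project, whose code is a C probe and a Java analyzer), the following Python script shows the probe-to-analyzer path described in items 1 and 3 above and in the Application Flow Detecting subsystem: it builds a few constructed Ethernet/IPv4/TCP frames, parses them into 5-tuple flows, classifies each flow on its first payload against two signatures (the BitTorrent peer-wire handshake, which begins with the byte 0x13 followed by the string "BitTorrent protocol", and the line-based MSN Notification Protocol commands such as VER and MSG, whose second token is a numeric transaction ID), and then applies the destination-endpoint relationship heuristic from item 3.1 to flows that no signature matched. The sample addresses, the 60-second window, the signature tables, the "suspected-" labelling policy and the helper names are all assumptions of the example, and the frames carry zero checksums because the parser does not verify them.

```python
import struct
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip sport dst_ip dport")
Record = namedtuple("Record", "ts flow app")

# Signature tables (assumptions of this example, not the project's own lists).
BT_HANDSHAKE = b"\x13BitTorrent protocol"   # pstrlen = 19, then the protocol string
MSN_COMMANDS = {b"VER", b"CVR", b"USR", b"XFR", b"CHG", b"MSG", b"CAL", b"JOI", b"ANS"}

def _ip(dotted):
    return bytes(int(octet) for octet in dotted.split("."))

def build_frame(src_ip, sport, dst_ip, dport, payload):
    """Constructed Ethernet II + IPv4 + TCP frame (PSH|ACK, no options).
    Checksums are left at zero because parse_frame does not verify them."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                     _ip(src_ip), _ip(dst_ip))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, 0x5018, 8192, 0, 0)
    return eth + ip + tcp + payload

def parse_frame(buf):
    """Return (Flow, payload) for an IPv4/TCP frame, or None for anything else."""
    if len(buf) < 34 or buf[12:14] != b"\x08\x00" or buf[23] != 6:
        return None
    ihl = (buf[14] & 0x0F) * 4
    total = struct.unpack("!H", buf[16:18])[0]
    src = ".".join(str(b) for b in buf[26:30])
    dst = ".".join(str(b) for b in buf[30:34])
    t = 14 + ihl                                           # start of the TCP header
    sport, dport = struct.unpack("!HH", buf[t:t + 4])
    doff = (buf[t + 12] >> 4) * 4
    return Flow(src, sport, dst, dport), buf[t + doff:14 + total]

def classify_payload(payload):
    """Match a flow's first payload against the protocol signatures."""
    if payload.startswith(BT_HANDSHAKE):
        return "BitTorrent"
    tokens = payload.split(b"\r\n", 1)[0].split(b" ")     # MSNP is line-based text
    if len(tokens) >= 2 and tokens[0] in MSN_COMMANDS and tokens[1].isdigit():
        return "MSN"
    return None

def classify_frames(frames):
    """frames: [(timestamp, bytes)]. Each flow is classified on its first payload."""
    seen, records = set(), []
    for ts, buf in frames:
        parsed = parse_frame(buf)
        if parsed is None:
            continue
        flow, payload = parsed
        if flow in seen or not payload:
            continue
        seen.add(flow)
        records.append(Record(ts, flow, classify_payload(payload)))
    return records

def correlate(records, window=60.0):
    """Flow-relationship heuristic: an unclassified flow to the same destination
    address and port as an identified flow, within the window, is tagged as a
    suspected instance of that application."""
    known = [r for r in records if r.app]
    out = []
    for r in records:
        app = r.app
        if app is None:
            for k in known:
                same_endpoint = (k.flow.dst_ip, k.flow.dport) == (r.flow.dst_ip, r.flow.dport)
                if same_endpoint and abs(k.ts - r.ts) <= window:
                    app = "suspected-" + k.app
                    break
        out.append(Record(r.ts, r.flow, app))
    return out

def decide(records, banned):
    """Map each flow to 'cut' or 'allow' against the administrator's ban list;
    suspected flows are treated as the application they are suspected of."""
    return {r.flow: "cut" if r.app and r.app.replace("suspected-", "") in banned else "allow"
            for r in records}

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    (0.0, build_frame("10.0.0.5", 51234, "203.0.113.7", 6881,
                      BT_HANDSHAKE + b"\x00" * 8 + b"H" * 20 + b"-EX0001-" + b"p" * 12)),
    (0.5, build_frame("10.0.0.5", 51235, "192.0.2.10", 1863, b"VER 1 MSNP12 MSNP11 CVR0\r\n")),
    (1.0, build_frame("10.0.0.8", 40000, "203.0.113.7", 6881,     # mid-stream BT, no handshake
                      b"\x00\x00\x00\x0d\x06" + b"\x00" * 12)),
    (2.0, build_frame("10.0.0.9", 40001, "198.51.100.2", 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n")),
]

def run_sample(banned=frozenset({"BitTorrent"})):
    return decide(correlate(classify_frames(SAMPLE)), banned)

if __name__ == "__main__":
    for flow, action in run_sample().items():
        print(action, flow)
```

The third flow carries no recognisable handshake and would pass a pure signature match; it is cut only because it shares destination 203.0.113.7:6881 with a flow that did present a BitTorrent handshake within the window, which is exactly the port-independent behaviour the text asks for. In a real deployment the mirrored traffic replaces SAMPLE, and the correlation should be backed by time-indexed tables rather than the linear scan used here.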

Features of Our Project

  1. AFC analyzes the protocol of each application flow to ban Internet access, rather than relying on the service IP or service port.
  2. AFC will be programmed in C and Java and run on Solaris, so it is easy to install on Solaris-based systems such as OpenSolaris (Indiana) and Solaris Express Developer Edition. The probe is written in C for performance; the protocol analyzer is written in Java for portability.
  3. AFC provides a user-oriented interface, meaning it is easy to use and configure.

System Utility Description

 Figure 2 [figure omitted] shows the system architecture of AFC; the utilities of its subsystems are listed as follows.

  1. Administration System
    AFC provides a web-based administration system. It is used to show logs, set the order list, set the ban list and so on.
  2. Probe Subsystem
    This subsystem provides the utilities to capture data packets and network flows.
  3. Application Flow Detecting Subsystem
    This subsystem detects and analyzes received and sent data packets. Using the data provided by the probe subsystem, it constructs an application flow structure that describes the business object to be processed.
  4. Protocol Analyzing Subsystem
    This subsystem analyzes protocols and detects whether any banned application is trying to access the Internet. It takes the application flows captured by the probe subsystem, analyzes each flow and its protocol, and determines whether it was sent by a banned application. If so, that application's network access authorization is revoked.
  5. Abnormal Traffic Analyzing Subsystem
    If any application flow exceeds what the client expects, this subsystem dynamically cuts off the source of that flow.
  6. Dynamic Traffic Control Subsystem
    AFC monitors network status through traffic statistics. The user sets a warning level; if the network load rises above it, this subsystem revokes network access authorization. An order list holds the software priorities, and the lowest-priority software is banned first. The subsystem does this dynamically: it detects which software is causing the overload and bans it.
  7. Log System
    AFC provides a log system that records what has been banned and so on.
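The control algorithm in item 2 of the approach section and in the Dynamic Traffic Control and Abnormal Traffic Analyzing subsystems above is only described in words. The following Python example, added here and not taken from the AFC project, implements one reading of it: per-application load is summed from per-flow statistics for one sampling interval, applications on the static ban list are always cut, and if the remaining load still exceeds the warning level, applications are cut in ascending order-list priority until it does not. It also shows a simple per-port abnormal-traffic rule (traffic above a multiple of a historical baseline). The sample statistics, the order list, the rule's factor and minimum volume, the function names, and the decision to leave applications missing from the order list untouched are assumptions of the example.

```python
from collections import defaultdict

# Constructed per-flow statistics for one sampling interval: (application, bytes).
# Labels come from the protocol analyzer; None means the flow was not identified.
SAMPLE_INTERVAL = [
    ("eDonkey", 4_200_000), ("BitTorrent", 3_600_000), ("HTTP", 1_500_000),
    ("MSN", 40_000), ("eDonkey", 900_000), (None, 300_000),
]

# Administrator's order list: a smaller number is a lower priority, banned first.
ORDER_LIST = {"eDonkey": 1, "BitTorrent": 2, "MSN": 3, "HTTP": 9}

def per_application_load(flow_stats):
    """Sum bytes per application; unidentified flows are grouped as 'unknown'."""
    load = defaultdict(int)
    for app, nbytes in flow_stats:
        load[app or "unknown"] += nbytes
    return dict(load)

def overload_cause(load):
    """The application contributing the most traffic in the interval."""
    return max(load, key=load.get)

def dynamic_control(flow_stats, warning_level, order_list, static_ban=frozenset()):
    """Return (banned, remaining_load).

    Static bans are applied unconditionally. If the remaining load is still
    above warning_level, applications on the order list are banned in
    ascending priority until the load is at or below the level. Applications
    absent from the order list (e.g. 'unknown') are never banned dynamically,
    which is an assumption of this example.
    """
    load = per_application_load(flow_stats)
    banned = {app for app in load if app in static_ban}
    remaining = sum(b for app, b in load.items() if app not in banned)
    candidates = sorted((app for app in load if app in order_list and app not in banned),
                        key=lambda app: order_list[app])
    for app in candidates:
        if remaining <= warning_level:
            break
        banned.add(app)
        remaining -= load[app]
    return banned, remaining

def abnormal_ports(port_bytes, baseline, factor=5.0, min_bytes=1_000_000):
    """Assumed rule: a port is abnormal when its bytes in the interval exceed
    `factor` times its historical baseline and also a minimum volume, so that
    a quiet port growing from 1 KB to 10 KB does not raise an alarm."""
    return sorted(port for port, nbytes in port_bytes.items()
                  if nbytes >= min_bytes and nbytes > factor * baseline.get(port, 0))

if __name__ == "__main__":
    load = per_application_load(SAMPLE_INTERVAL)
    print("load:", load, "cause:", overload_cause(load))
    print("warning 6 MB:", dynamic_control(SAMPLE_INTERVAL, 6_000_000, ORDER_LIST))
    print("warning 3 MB:", dynamic_control(SAMPLE_INTERVAL, 3_000_000, ORDER_LIST))
    print("abnormal:", abnormal_ports({4662: 5_100_000, 80: 1_500_000, 1863: 40_000},
                                      {4662: 200_000, 80: 1_200_000, 1863: 50_000}))
```

With the sample interval the total load is 10.54 MB: at a 6 MB warning level only eDonkey (priority 1) is cut, at 3 MB BitTorrent follows, and HTTP is never reached. The ban decisions are taken per interval, so a real controller also needs a release rule (for example, lifting the most recent dynamic ban once the load has stayed below the level for several intervals) to avoid oscillating.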

References

  1. J. Case, K. McCloghrie, et al. RFC 1442 - Structure of Management Information for version 2 of the Simple Network Management Protocol (SNMPv2). 1993.
  2. J. Case, M. Fedor, et al. RFC 1157 - A Simple Network Management Protocol (SNMP). 1990.
  3. Bai Tao. Internet-based information network management and monitoring system: research and implementation. CNKI:CDMD:2.2006.147625
  4. Using IP Filter to Protect a Solaris 7, 8, or 9 Workstation. www.cites.uiuc.edu/wsg/talks/ipfilter/
  5. Huo Yaosheng. Network monitoring based on network monitor and analysis of protocol. Chinese graduate thesis full-text database.
  6. Li Zhirong. P2P application traffic management study and implementation of voice and packet-detection research module. Chinese graduate thesis full-text database.
  7. Thomas Karagiannis, Andre Broido, Michalis Faloutsos, kc claffy. Transport Layer Identification of P2P Traffic. In Proc. ACM SIGCOMM Internet Measurement Conference (IMC), 2004.
last modified by admin on 2009/10/26 12:12
© Sun Microsystems Inc. 2009