by Tanja Zseby and Thomas Hirsch
Several future Internet solutions introduce decision-cycles in the network for protection, management and application support. They require the establishment of situation awareness in network nodes as the basis for making decisions. Fraunhofer FOKUS has developed a Node Collaboration System (NCS) that provides situation awareness based on the collaboration of network nodes. Due to its cross-layer design it also allows the collaboration of services with network nodes to include service feedback to network decision functions.
As increasing numbers of businesses and communities come to rely on network connectivity, the Internet has mutated behind the scenes into a complex assembly of patchwork solutions. This makes it vulnerable, difficult to manage and hard to adjust to future demands. Future Internet solutions will address network protection, network management and application support that can substitute for this uncontrollable agglomerate of protocols.
Many solutions, like autonomic communication, require decision-cycles in network nodes so that solutions can be applied before problems affect end systems and users. Situation awareness is the prerequisite for making good decisions. Classical decision-cycles describe four phases in which situation awareness is established: the 'observe' and 'orient' phases, followed by the 'decision' phase and finally the 'act' phase, in which the decided actions are executed.
Within the project 4WARD, Fraunhofer FOKUS is investigating solutions by which situation awareness can be established as the basis for network decisions. Collaboration of network nodes and between different layers is the key to enhancing situation awareness by aggregating information from a variety of different sources.
To this purpose, Fraunhofer FOKUS has developed a Node Collaboration System (NCS) that allows network nodes to access information from neighbouring nodes and end systems. The system provides the means by which to locate information and then access it directly from the source. It is also possible to invoke the on-demand generation of additional information by triggering measurements or post-processing functions.
Based on the NCS, Fraunhofer FOKUS is working on solutions for network protection against overload situations that originate from either legitimate traffic like flash crowds or malicious traffic like denial-of-service attacks. While in such cases it is comparatively easy to detect the overload situation with classical measurement methods, it is not trivial to decide which traffic should be blocked. While it is necessary to reduce traffic in order to protect the network and its users, it would be unfortunate if valuable customers were blocked. We have therefore developed a Distributed Context-Aware Firewall (D-CAF), based on the NCS, that takes valuation reports from services into account when making the decision inside the network about the blocking of packets.
The objective of D-CAF is not to identify attacks, but rather to make an intelligent blocking decision if an overload situation occurs, regardless of whether the origin is legitimate traffic or an attack. During normal operation, D-CAF learns how important a particular traffic flow is by collecting and analysing valuation reports from its connected servers. A Web site may serve as an example: a user visiting the site with low frequency might get a slightly positive rating, a site scraper with high frequency a slightly negative one. A successful login with a user account receives a high positive rating.
These valuations are mapped to a uniform range per service, which we define as [-1.0, 1.0] ⊂ ℝ. This corresponds to the usefulness of the user for the service or business objective. Such reports are sent from all servers via the NCS to D-CAF, where they are aggregated, weighted and used as the basis for the blocking decision.
Based on the valuation reports, D-CAF automatically generates blocking rules that represent the joint opinion of all connected servers. If an overload situation occurs, the first flows to be blocked are those with a low aggregated valuation. Filter rules are applied step by step until the load situation normalizes, ensuring that it is always the least important flows (from the servers' viewpoint) that are blocked. In order to restore normal operation after an overload, the filters are slowly removed when the total traffic reaches a sufficiently low level.
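The valuation-to-blocking cycle described above, as an added Python sketch that is not the 4WARD or D-CAF code: service weights, report values, addresses, load figures and the capacity and low-watermark thresholds are constructed, and the weighted-mean aggregation and the one-filter-per-call release policy are assumptions about how such a system could be realized.

```python
from collections import defaultdict

# Constructed sample data (not from the article): per-service weights,
# valuation reports (service, source address, valuation in [-1.0, 1.0])
# and the current load each source contributes, in arbitrary units.
SERVICE_WEIGHTS = {"shop": 2.0, "wiki": 1.0}
REPORTS = [
    ("shop", "10.0.0.1", 0.9),   # successful login: high positive rating
    ("wiki", "10.0.0.1", 0.1),   # low-frequency visitor: slightly positive
    ("shop", "10.0.0.2", -0.3),  # high-frequency scraper: slightly negative
    ("wiki", "10.0.0.2", -0.5),
    ("wiki", "10.0.0.3", 0.1),
]
FLOW_LOAD = {"10.0.0.1": 30, "10.0.0.2": 70, "10.0.0.3": 20}

def aggregate(reports, service_weights):
    """Weighted mean valuation per source across all reporting services."""
    num, den = defaultdict(float), defaultdict(float)
    for service, src, val in reports:
        if not -1.0 <= val <= 1.0:
            raise ValueError("valuations must be normalized to [-1.0, 1.0]")
        w = service_weights.get(service, 1.0)
        num[src] += w * val
        den[src] += w
    return {src: num[src] / den[src] for src in num}

def blocking_plan(scores, flow_load, capacity):
    """Add filters step by step, lowest aggregated valuation first, until the
    remaining load fits the capacity. Returns (blocked sources, new load)."""
    blocked, load = [], sum(flow_load.values())
    for src in sorted(scores, key=scores.get):
        if load <= capacity:
            break
        blocked.append(src)
        load -= flow_load.get(src, 0)
    return blocked, load

def release_one_filter(blocked, flow_load, load, low_watermark):
    """Slow recovery: per call, remove at most one filter (the most valuable
    blocked source) and only if the load would stay below the low watermark."""
    if blocked:
        src = blocked[-1]
        if load + flow_load.get(src, 0) <= low_watermark:
            return blocked[:-1], load + flow_load.get(src, 0)
    return blocked, load

if __name__ == "__main__":
    scores = aggregate(REPORTS, SERVICE_WEIGHTS)
    print(scores, blocking_plan(scores, FLOW_LOAD, capacity=60))
```

Sources that never appear in a report get no score and are therefore never selected by `blocking_plan`; a deployment would need a default valuation for unknown flows.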
The D-CAF approach lends itself to a distribution of the three functional blocks (reporting; aggregation of reports; firewall configuration) across the network. In non-hierarchical network architectures (Mesh, MANET, SOA), these blocks may be replicated wherever components are able to evaluate users, process data and protect resources. To verify this approach, we plan to deploy and investigate the D-CAF scenario on a larger scale within PlanetLab Europe, a federated large-scale testbed that is extended in the project OneLab. This allows us to set up and accurately control various testing and verification cases. We plan to investigate the various effects of correlating valuation reports from large clusters of protected services, and in particular the timing and delay effects occurring in a realistic simulation.
A further application field for the NCS is the assessment of different future Internet solutions that are based on network decision-cycles. In such a scenario the NCS can be used to simulate different awareness levels with artificial information sources and help to assess key performance indicators such as the costs of collaboration, decision quality etc. Methods for the assessment of autonomic communication solutions are currently standardized within the Autonomic Communication Forum (ACF).
Fraunhofer FOKUS, Germany
Tel: +49 30 3463 7153