Network and Middleware Security for Enterprise Network Monitoring

Gopalakrishnan, Aravind

2012, Master of Science, Ohio State University, Computer Science and Engineering.

Over the last decade or so, multi-domain network monitoring frameworks such as perfSONAR have been widely deployed in high-performance computing and other communities that support large-scale data movements. These frameworks allow end-to-end monitoring across domains, so that interested parties can query performance measurements through web interfaces and analyze network paths to detect anomaly events and diagnose faults. perfSONAR, a web-services-based infrastructure for collecting and publishing network performance monitoring data sets, has made it easy for networking communities to solve end-to-end performance problems on paths crossing several networks, and it has emerged as a popular network performance monitoring tool within organizations in the US as well as for communities within the European research networks. It consists of a set of services delivering performance measurements in a federated environment.

The current implementation of the perfSONAR services, when hosted in an enterprise network environment in the form of an E-perfSONAR measurement point appliance controlled by a central intelligence system, has security limitations. It also does not support policy-based access to measurement data sets. The critical issues to be addressed are: (i) ensuring that the web services instrumented into the central intelligence system and the measurement point appliance are robust against cyber-attacks, and (ii) allowing a 'selectively-open' view of the measurement data collected by the measurement points, along with a policy-driven approach to scheduling of the services.

Therefore, there is a need to investigate network security issues and to support a policy-driven approach to middleware security in E-perfSONAR deployments. The primary aim of the thesis is to identify and take steps towards resolving the network security problems of perfSONAR, and to come up with an authentication and authorization policy that can be built into the E-perfSONAR framework. We refer to our solution as the 'Resource protection service' within the E-perfSONAR framework.

Looking at existing frameworks such as the Globus toolkit and at the integration of authentication and authorization features in perfSONAR-MDM, a flavor of perfSONAR from GEANT, we propose a 'Federated' and a 'Peer-to-Peer' model of security. These models leverage existing industry-standard technologies such as LDAP, Kerberos and Shibboleth to provide an authentication mechanism that fits the E-perfSONAR architecture, and they also leverage the open, modular and distributed features of perfSONAR.

The suggestions made in this thesis towards the design of middleware security features can be utilized for the E-perfSONAR system to bring about a policy-driven approach to authentication, authorization and scheduling of the network monitoring services in a multi-domain environment. The results obtained in the thesis from vulnerability testing of the web services can be extended to ensure that the E-perfSONAR appliance will be a secure point of communication when deployed over an enterprise network.

Rajiv Ramnath, PhD (Advisor)
Prasad Calyam, PhD (Committee Member)
Jay Ramanathan, PhD (Committee Member)
54 p.

Recommended Citations

  • Gopalakrishnan, A. (2012). Network and Middleware Security for Enterprise Network Monitoring [Master's thesis, Ohio State University]. OhioLINK Electronic Theses and Dissertations Center. http://rave.ohiolink.edu/etdc/view?acc_num=osu1339742304

    APA Style (7th edition)

  • Gopalakrishnan, Aravind. Network and Middleware Security for Enterprise Network Monitoring. 2012. Ohio State University, Master's thesis. OhioLINK Electronic Theses and Dissertations Center, http://rave.ohiolink.edu/etdc/view?acc_num=osu1339742304.

    MLA Style (8th edition)

  • Gopalakrishnan, Aravind. "Network and Middleware Security for Enterprise Network Monitoring." Master's thesis, Ohio State University, 2012. http://rave.ohiolink.edu/etdc/view?acc_num=osu1339742304

    Chicago Manual of Style (17th edition)