Distributed Virtual Scenarios over Multi-host Linux
1
Distributed Virtual Scenarios over Multi-host Linux Environments: Virtual Networks over LinuX (VNX) Introduction Validation and Tests Dynamic honeynets deployment Contact information Site 8 RB2 Network Management Center RB3 RB4 RB1 Site 12 Site 11 Site 10 Site 9 Site 7 Site 6 Site 5 Site 3 Site 4 ISIS Area L1 F L1 C RRF1 RRF2 RRE2 RRD2 RRE1 L1 D RRD1 RRC1 RRC2 RRB2 RRB1 Core MPLS ISIS L2 SC1 SC2 SC4 SC3 .1 RRA1 Site 2 Site 1 RRA2 Route Reflector L1 B ISIS Area L1 A L1 E H2 H1 H3 H4 H5 H6 Management Network EDIV Controller EDIV Cluster VNX Standalone Server E1 E2 Networking laboratory for dynamic routing tests, resembling the topology of an ISP and involving 44 virtual devices as follows: • 16 Cisco routers • 6 Juniper routers • 6 Linux/Quagga routers • 12 end user computers • 4 Servers (WinXP, FreeBSD, Ubuntu, Debian) Deployed over two testing platforms: Deployment scenarios Example Validation Scenario Distributed Cluster Architecture VNUML made of two main components: 1. XML based scenario specification language 2. Language interpreter Three basic operations: • Scenario building: virtual machines and networks created following the scenario topology in the user specification. • Command execution: users can directly interact with virtual machines or automatize the execution of commands. • Scenario releasing: virtual machines and networks are released. Previous work : VNUML Virtual Networks User Mode Linux (VNUML) is a general purpose open-source scenario- based management tool designed to help building virtual network testbeds automatically. Virtualization based testbeds widely used for the creation of network environments needed to test protocols and applications. However, complexity of present networks and protocols arises the need of very complex network testbeds, made of tenths or hundreds of virtual machines. Need for tools to support the design, deployment and management of large virtual network scenarios over clusters of servers Apart from large scale initiatives, none of the available tools (Netkit, MLN, Marionnet, CORE) support distributed deployment or the diversity of virtual machine operating systems needed for complex testbeds. Development continues, mainly focused on improving VNX functionalities, its robustness and completing the distributed version capabilities. Future work includes: • Complete and improve distributed support • Dynamic scenarios (adding/deleting VMs and networks, machine migration, etc) • Graphical user interface • New virtual machine types (e.g. Android) • Plug-in to control physical equipment • Better network emulation capabilities Coordinator: David Fernández Dpto. Ingeniería de Sistemas Telemáticos Universidad Politécnica de Madrid Avda. Complutense, 30 28040 MADRID - SPAIN E-mail: [email protected] www: http://www.dit.upm.es http://www.dit.upm.es/vnx VNUML Operation Workflow VNX implementation Why VNX? Limitations of VNUML and EDIV tools: • Only Linux virtual machines (User Mode Linux limitation). Performance problems and need of additional plattforms and operating systems. • Inability to manage virtual machines individually • Limited autoconfiguration and command execution • Distributed version (EDIV) limitations: manual network configuration for disperse clusters, lack of monitoring tools, etc Current version of VNX available: • libvirt support. Tested with Linux (Ubuntu, Fedora, CentOS), FreeBSD and Windows (XP and 7) • Dynamips and Olive router emulation support • Virtual machine individual management (start, stop, restart, reboot, suspend, etc) • OVF-Environment-like autoconfiguration and command execution support • Plug-in architecture to add extensions to VNX • Distributed deployment support (EDIV) • Library of root filesystems available: Ubuntu, Fedora, CentOS, FreeBSD, etc VNX is mostly written in Perl (around 25000 lines of code); Windows autoconf daemon writen in C++. Around 40% of VNUML code reused with minor modifications. VNX project overall goal is the creation of a tool to allow the deployment of large virtual network scenarios over a federated cluster environment made of disperse nodes interconnected by means of layer 2/3 tunnels over Internet. Each node is composed of: • Virtualization servers running different types of hypervisors • Physical (non-virtual) equipment to allow the creation of hybrid virtual scenarios VNX (Virtual Networks over LinuX) is a major rewrite of VNUML. A modular architecture based on a virtual machine control API has been defined to accommodate new virtualization platforms: Plug-ins developed: • libvirt, the Linux standard API for virtualization (libvirt.org), provides access to most of virtualization platforms supported in Linux (KVM, Xen, UML, etc) • Dynamips: emulated CISCO routers • UML: includes old VNUML code The internal API is a simplified version of libvirt API, with the addition of a primitive to execute commands inside virtual machines. New autoconfiguration and command execution mechanism created. Based on the OVF Environment approach: a dynamic cdrom offered to virtual machines with an XML file with autoconfiguration parameters and commands to execute. VNUML redesign: VNX switches ….. VMware vm3 vm4 vm6 VNX UML Plugin Libvirt Plugin Dynamips Plugin Physical Equipment Plugin vmAPI vm1 vm2 Xen UML Dynamips libvirt KVM Physical equipment Virtual machines vm7 servers routers PE manager Other Plugins vm5 Experimentation Scenario VNX Architecture This research was partially supported by Ministry of Science and Innovation of the Spanish Government under the RECLAMO project (Virtual and Collaborative Honeynets based on Trust Management and Autonomous Systems applied to Intrusion Management) with code TIN2011-28287- C02-01, as well as S21Sec company and the Centre for the Development of Industrial Technology (CDTI) as part of the SEGUR@ project (https://www.cenitsegura.es/ ), within the CENIT program, with reference CENIT-2007 2004. Acknowledgment VNX H1 Cluster Controller Virtualization Cluster H3 H2 Physical Equipment Switch NODE 1 NODE 2 NODE 3 NODE 4 Internet h1 h2 h3 VNX h1 h2 h3 VNX h1 h2 h3 EDIV: VNUML Distributed Deployment host1 host2 Ethernet Switches Deployment Controler Net0 Net1 Net2 vm1 vm2 vm3 vm5 vm4 <vnuml> </vnuml> vm3 Net0 vm1 vm2 VNUML Net2 vm5 vm4 VNUML VLAN 802.1q (Net1) building, execution sequences, releasing VLAN 802.1q (host-controller interface) SSH command Interface Scenario specification VM Distribution brA brA Virtual bridges Segmentation Module Distributed Deployment Architecture EDIV is a wrapper application to VNUML developed to allow the distributed deployment of virtual scenarios over clusters of servers. EDIV segments virtual scenarios into sub- scenarios deployed to the different servers, interconnecting them by means of VLANs. EDIV includes basic segmentation algorithms (R, RR, WRR) as well as an API to allow the development of new ones. David Fernández, Jorge Somavilla, Verónica Mateos, Omar Walid, Jorge Rodríguez, Francisco J. Martín Departamento de Ingeniería de Sistemas Telemáticos Universidad Politécnica de Madrid. Madrid, Spain. [email protected] Francisco J. Monserrat, Miguel Ferrer RedIRIS Fermín Galán Telefónica I+D More info available at: http://www.dit.upm.es/vnx TERENA NETWORKING CONFERENCE 2012 Reykjavík, Iceland RedIRIS-NOVA is the high capacity photonic network for the Research and Education Comunity in Spain, that provides connectivity to international academic networks like the portuguese FCCN and the european reseach network GÉANT. VNX has been choosen to build a model of the RedIRIS-NOVA IP infrastructure (same topology, metrics and links) to be used to define, implement and test new network features. Test case: building a route server reflector to provide BGP DDOS mitigation without accessing the router server. Scenario deployed over a SunFire X4150 server (8Gb RAM, 2 CPU with 4 cores) in the infrastructure of PASITO project. • 39 network links • 17 virtual machines (15 JunOS Olive routers, core + route server + reflector, and 2 Linux servers for DNS and mitigation) • IS-IS & iBGP convergence • Time to boot the simulation: ~ 7 minutes VNX Application: RedIRIS-NOVA RedIRIS-NOVA IP infrastructure <vnuml> … </vnuml> Red2 Red1 Red3 building releasing command sequence execution Scenario specification Virtual scenario Physical host VNUML parser operations VNUML user VNUML parser invocation Direct interaction (e.g., console, SSH, etc.) VNX in Academic Education VNX is being extensively used in ETSIT- UPM computer network laboratories to create complex network scenarios to teach, for example, routing protocols like OSPF and BGP, IPv6 transition mechanisms, IPv6 mobility, security tools, etc. For example, recently used in: • A network security laboratory exercise to experiment with fwbuilder, nmap, nessus and Metasploitable Framework and Backtrack tools • Designed to allow 14 student groups to simultaneously work on a common scenario to interact among them • Based on a scenario composed by more than 65 linux virtual machines VNX Internal API Conclusions and Future Work In security research projects RECLAMO and Segur@, as part of the development of Automated Intrusion Response Systems (AIRS), VNX is being used as a tool to dynamically deploy virtual honeynets.
Transcript of Distributed Virtual Scenarios over Multi-host Linux
Distributed Virtual Scenarios over Multi-host Linux Environments:
Virtual Networks over LinuX (VNX)
Introduction
Validation and Tests
Dynamic honeynets deployment
Contact information
Site 8
RB2
Network Management
Center
RB3
RB4
RB1
Site 12
Site 11
Site 10Site 9
Site 7
Site 6
Site 5
Site 3
Site 4
ISIS Area
L1 F
L1 C
RRF1
RRF2RRE2
RRD2 RRE1
L1 D RRD1
RRC1
RRC2
RRB2
RRB1
Core MPLS
ISIS L2
SC1 SC2
SC4SC3
.1
RRA1
Site 2
Site 1
RRA2
Route Reflector L1 B
ISIS Area
L1 A
L1 E
H2H1 H3 H4 H5 H6
Management
Network
EDIV
Controller
EDIV Cluster
VNX
Standalone
Server
E1
E2
Networking laboratory for dynamic routing
tests, resembling the topology of an ISP and
involving 44 virtual devices as follows:
• 16 Cisco routers
• 6 Juniper routers
• 6 Linux/Quagga routers
• 12 end user computers
• 4 Servers (WinXP, FreeBSD, Ubuntu,
Debian)
Deployed over two testing platforms:
Deployment scenarios
Example Validation Scenario
Distributed Cluster Architecture
VNUML made of two main components:
1. XML based scenario specification
language
2. Language interpreter
Three basic operations:
• Scenario building: virtual machines and
networks created following the scenario
topology in the user specification.
• Command execution: users can directly
interact with virtual machines or
automatize the execution of commands.
• Scenario releasing: virtual machines
and networks are released.
Previous work : VNUML
Virtual Networks User Mode Linux (VNUML)
is a general purpose open-source scenario-
based management tool designed to help
building virtual network testbeds
automatically.
Virtualization based testbeds widely used for
the creation of network environments
needed to test protocols and applications.
However, complexity of present networks
and protocols arises the need of very
complex network testbeds, made of tenths
or hundreds of virtual machines.
Need for tools to support the design,
deployment and management of large
virtual network scenarios over
clusters of servers
Apart from large scale initiatives, none of the
available tools (Netkit, MLN, Marionnet,
CORE) support distributed deployment or
the diversity of virtual machine operating
systems needed for complex testbeds.
Development continues, mainly focused on
improving VNX functionalities, its robustness
and completing the distributed version
capabilities.
Future work includes:
• Complete and improve distributed support
• Dynamic scenarios (adding/deleting VMs
and networks, machine migration, etc)
• Graphical user interface
• New virtual machine types (e.g. Android)
• Plug-in to control physical equipment
• Better network emulation capabilities
Coordinator:
David Fernández
Dpto. Ingeniería de Sistemas Telemáticos
Universidad Politécnica de Madrid
Avda. Complutense, 30
28040 MADRID - SPAIN
E-mail: [email protected]
www: http://www.dit.upm.es
http://www.dit.upm.es/vnx
VNUML Operation Workflow
VNX implementation
Why VNX?
Limitations of VNUML and EDIV tools:
• Only Linux virtual machines (User Mode
Linux limitation). Performance problems
and need of additional plattforms and
operating systems.
• Inability to manage virtual machines
individually
• Limited autoconfiguration and command
execution
• Distributed version (EDIV) limitations:
manual network configuration for disperse
clusters, lack of monitoring tools, etc
Current version of VNX available:
• libvirt support. Tested with Linux
(Ubuntu, Fedora, CentOS), FreeBSD and
Windows (XP and 7)
• Dynamips and Olive router emulation
support
• Virtual machine individual management
(start, stop, restart, reboot, suspend, etc)
• OVF-Environment-like autoconfiguration
and command execution support
• Plug-in architecture to add extensions to
VNX
• Distributed deployment support (EDIV)
• Library of root filesystems available:
Ubuntu, Fedora, CentOS, FreeBSD, etc
VNX is mostly written in Perl (around 25000
lines of code); Windows autoconf daemon
writen in C++. Around 40% of VNUML code
reused with minor modifications.
VNX project overall goal is the creation of a
tool to allow the deployment of large virtual
network scenarios over a federated cluster
environment made of disperse nodes
interconnected by means of layer 2/3
tunnels over Internet.
Each node is composed of:
• Virtualization servers running different
types of hypervisors
• Physical (non-virtual) equipment to allow
the creation of hybrid virtual scenarios
VNX (Virtual Networks over LinuX) is a
major rewrite of VNUML. A modular
architecture based on a virtual machine
control API has been defined to
accommodate new virtualization platforms:
Plug-ins developed:
• libvirt, the Linux standard API for
virtualization (libvirt.org), provides access
to most of virtualization platforms
supported in Linux (KVM, Xen, UML, etc)
• Dynamips: emulated CISCO routers
• UML: includes old VNUML code
The internal API is a simplified version of
libvirt API, with the addition of a primitive to
execute commands inside virtual machines.
New autoconfiguration and command
execution mechanism created. Based on the
OVF Environment approach: a dynamic
cdrom offered to virtual machines with an
XML file with autoconfiguration parameters
and commands to execute.
VNUML redesign: VNX
switches
…..VMware
vm3 vm4 vm6
VNX
UMLPlugin
Libvirt PluginDynamips
Plugin
PhysicalEquipment
Plugin
vmAPI
vm1 vm2
XenUML Dynamips
libvirt
KVM
Physical equipment Virtual machines
vm7 serversrouters
PEmanager
OtherPlugins
vm5
Experimentation Scenario
VNX Architecture
This research was partially supported by Ministry of Science
and Innovation of the Spanish Government under the
RECLAMO project (Virtual and Collaborative Honeynets
based on Trust Management and Autonomous Systems
applied to Intrusion Management) with code TIN2011-28287-
C02-01, as well as S21Sec company and the Centre for the
Development of Industrial Technology (CDTI) as part of the
SEGUR@ project (https://www.cenitsegura.es/), within the
CENIT program, with reference CENIT-2007 2004.
Acknowledgment
VNX
H1
ClusterController
Virtualization Cluster
H3
H2
Physical Equipment
Switch
NODE 1
NODE 2
NODE 3
NODE 4
Internet
h1 h2 h3
VNX
h1 h2 h3
VNX
h1 h2 h3
EDIV: VNUML Distributed Deployment
host1 host2
Ethernet Switches
Deployment
Controler
Net0 Net1 Net2
vm1vm2
vm3
vm5
vm4
<vnuml>
</vnuml>
vm3
Net0
vm1
vm2
VNUML Net2
vm5
vm4 VNUML
VLAN 802.1q (Net1)
building,
execution
sequences,
releasing
VLAN 802.1q (host-controller interface)
SSH command Interface
Scenario specification
VM Distribution
brA brA
Virtual bridges
Segmentation Module
Distributed Deployment Architecture
EDIV is a wrapper application to VNUML
developed to allow the distributed
deployment of virtual scenarios over clusters
of servers.
EDIV segments virtual scenarios into sub-
scenarios deployed to the different servers,
interconnecting them by means of VLANs.
EDIV includes basic segmentation
algorithms (R, RR, WRR) as well as an API
to allow the development of new ones.
David Fernández, Jorge Somavilla,
Verónica Mateos, Omar Walid,
Jorge Rodríguez, Francisco J. MartínDepartamento de Ingeniería de Sistemas Telemáticos
Universidad Politécnica de Madrid. Madrid, Spain.
Francisco J. Monserrat,
Miguel FerrerRedIRIS
Fermín GalánTelefónica I+D
More info available at: http://www.dit.upm.es/vnx
TERENA NETWORKINGCONFERENCE 2012
Reykjavík, Iceland
RedIRIS-NOVA is the high capacity photonic
network for the Research and Education
Comunity in Spain, that provides
connectivity to international academic
networks like the portuguese FCCN and the
european reseach network GÉANT.
VNX has been choosen to build a model of
the RedIRIS-NOVA IP infrastructure (same
topology, metrics and links) to be used to
define, implement and test new network
features.
Test case: building a route server reflector to
provide BGP DDOS mitigation without
accessing the router server.
Scenario deployed over a SunFire X4150
server (8Gb RAM, 2 CPU with 4 cores) in
the infrastructure of PASITO project.
• 39 network links
• 17 virtual machines (15 JunOS Olive
routers, core + route server + reflector, and 2
Linux servers for DNS and mitigation)
• IS-IS & iBGP convergence
• Time to boot the simulation: ~ 7 minutes
VNX Application: RedIRIS-NOVA
RedIRIS-NOVA IP infrastructure
<vnuml>
…
</vnuml>Red2Red1 Red3
building
releasing
command
sequence
execution
Scenariospecification
Virtualscenario
Physicalhost
VNUML parseroperations
VNUML user
VNUML parser invocation
Directinteraction
(e.g., console,SSH, etc.)
VNX in Academic Education
VNX is being extensively used in ETSIT-
UPM computer network laboratories to
create complex network scenarios to teach,
for example, routing protocols like OSPF
and BGP, IPv6 transition mechanisms, IPv6
mobility, security tools, etc.
For example, recently used in:
• A network security laboratory exercise to
experiment with fwbuilder, nmap, nessus
and Metasploitable Framework and
Backtrack tools
• Designed to allow 14 student groups to
simultaneously work on a common
scenario to interact among them
• Based on a scenario composed by more
than 65 linux virtual machines
VNX Internal API
Conclusions and Future Work
In security research projects RECLAMO and
Segur@, as part of the development of
Automated Intrusion Response Systems
(AIRS), VNX is being used as a tool to
dynamically deploy virtual honeynets.
