DOCUMENT INFORMATION
Basic information: number of pages 50; size 0.94 MB
Contents
276 MIDDLEWARE NETWORKS: CONCEPT, DESIGN AND DEPLOYMENT

providing service, and additional service-specific parameters.

Usage tracking: Submission and retrieval of usage records. Such records support fine-grain tracking of peer activities and thereby ensure non-repudiation of action. Usage tracking provides important management support through profiling of usage patterns.

Event Generation and Reception: Definition, generation and receipt of events through the publish/subscribe paradigm. These events provide a distributed, systems-level communication mechanism with exactly-once semantics that delivers structured messages to subscribed components. It utilizes stable storage to ensure event reception even by components that are unavailable at the time of event generation.

External APIs: Interface to additional APIs that may be added for a specific application.

The SD API supports C/C++ through the peer interface. This supports a substantial subset of the SD Java classes, as shown:

TABLE 9: C/C++ Interfaces with SD

Interface             Capabilities
Domain Interface      User, service and subaccount creation. Information retrieval.
                      Subscription management.
Connection Interface  User authentication, service announcement, platform encryptor
                      manipulation, connection status determination.
Peer Interface        Remote user identification (callerID), peer status determination,
                      peerlet management, log control.

8.4.2 Service Development (SD) Application Models

There are three programming models for peer activities: peerlets, monolithic peers, and the external model. These share the common software base of a software peer that interacts with the cloud network. The peerlet and the monolithic peer use the Java language and Java APIs; the external model supports other languages or applications through peer-resident capabilities. Peerlets run under the control of a precompiled peer running in a Java virtual machine. The peer provides the execution environment and support.
Peerlets are precompiled and then loaded into the peer, which invokes them as distinct threads. Monolithic peers use the peer software as a library, but provide a main program that invokes the peer's initialization functions. Indeed, the peer itself is a monolithic program that can load and invoke peerlets. The peerlet and the monolithic peer models both run a single process containing the SD control and the application logic. External applications run in their own process and communicate with an existing peer through a peer interface. Existing applications, or programs written in C/C++, interact with middleware APIs through the interface channel to the running peer.

8.4.3 Peerlets

SD programs use one of three models – the peerlet described here, the monolithic peer, or the external model – which provide varying amounts of structure to the developer. The greatest structure is provided by the so-called peerlet model. Collections of functions pertaining to a single purpose are compiled into an archive that can be installed as a complete peerlet. This runs as a thread within the peer, technically by extending the geo.peer.Peerlet class. The peerlet therefore is controlled by the peer, and must be installed into the peer. This provides a modular method for distribution of prepackaged functionality. A peerlet is relatively unconstrained by the peer environment, and may access the execution context and command-line arguments as needed. The peer runs many peerlets, with resource allocation under the control of the Java virtual machine.

 1  package samples.sdk.peerlets;
 2  import java.awt.*;
 3  import java.awt.event.*;
 4  import javax.swing.*;
 5  import geo.peer.*;
 6
 7  public class HelloWorldPeerlet extends Peerlet {
 8      private JFrame _frame;
 9
10      public void run() {
11          _frame = new JFrame("HelloWorldPeerlet");
12          _frame.addWindowListener(new WindowAdapter() {
13              public void windowClosing(WindowEvent we) {
14                  getPeerletContext().firePeerletStopped();
15              }
16          });
17          _frame.getContentPane().add(new JLabel("Hello World",
18                                                 JLabel.CENTER),
19                                      BorderLayout.CENTER);
20          Dimension prefSize = new Dimension(250, 60);
21          _frame.getRootPane().setPreferredSize(prefSize);
22          _frame.pack();
23          _frame.setVisible(true);
24      }
25
26      public void cleanup() {
27          _frame.dispose();
28      }
29  }

Figure 8-20: The "Simplest" Peerlet

Peerlets may not provide a main() method, and must provide a run() method. They should not invoke the System.exit() method, since this terminates the entire process. Instead, they invoke the firePeerletStopped() method of their runtime context, getPeerletContext(). This allows the peer to reclaim resources. Peerlets are, in essence, prepackaged routines stored as Java archives. The peer methods support loading, starting and stopping of peerlets.

Figure 8-20 shows a simple peerlet. The reader may notice this code is nearly indistinguishable from a well-written Java module. This peerlet, when invoked, displays a popup window with the time-honored welcome text of any first program, "Hello World". Lines 1 through 4 define the package and import the standard java.awt and javax.swing providers of graphics and popup windows. Line 5 imports the geo.peer classes that define the interfaces for the peer. Lines 7 through 29 implement the HelloWorldPeerlet class.
Line 7 defines this class, and in particular the class extends the Peerlet class, using the library imported at line 5. The class defines a private graphics frame at line 8. Line 9 departs from an ordinary Java class, and provides the mandatory method public void run(). All peerlets must have a run method; it serves as the entry point when the peer invokes the peerlet. The body of this method defines what the peerlet does: this example creates a suitable graphics frame and displays a window, and it calls getPeerletContext().firePeerletStopped() when that window is closed. A resource deallocation routine follows (lines 27-28). The peerlet is compiled, packaged for distribution, and installed through tools included with the SD.

8.4.4 Monolithic Peer Application Model

Monolithic peers define a main() method and call the geo.peer.Peer.init() method to initialize the SD. This provides full access to all SD APIs, including the ability to load and invoke peerlets. Rather than define a standard runtime environment, it grants greater freedom to the developer of the service or application. The sample program of Figure 8-21 also creates a popup window that displays the time-honored welcome text of any first program, "Hello World". The simplest monolithic program includes the same application logic as the peerlet model. However, several significant differences change it from a peerlet into a monolithic program. The class definition at line 7 no longer extends the Peerlet class, and the monolithic example provides a main() method in place of the peerlet's run(). Line 9 (which was intentionally left blank in the peerlet) now initializes with Peer.initialize(). Upon completion at line 13 it terminates with System.exit(), whereas the peerlet signalled completion with getPeerletContext().firePeerletStopped().
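The contrast just drawn between a peerlet (no main(), signals firePeerletStopped() to its context and lets the peer reclaim resources) and a monolithic peer (owns main() and calls System.exit()) is easiest to see in a runnable model of the peer itself. The following Python sketch is an added example written for this edition of the page; it is not code from the book or from the SD library, and every name in it (Peer, PeerletContext, fire_peerlet_stopped, HelloPeerlet, CrashingPeerlet) is a hypothetical stand-in for the geo.peer classes. It shows a peer loading peerlets on separate threads, handing each a context whose stop signal replaces process exit, and reaping and cleaning up the ones that finished, including one whose run() fails, without the peer process going down.

```python
import threading


class PeerletContext:
    """Runtime context the peer hands to a peerlet (hypothetical stand-in for getPeerletContext())."""

    def __init__(self, name, stopped):
        self.name = name
        self._stopped = stopped

    def fire_peerlet_stopped(self):
        # Signals completion to the peer; the peer, not the peerlet, reclaims resources.
        # This is the counterpart of System.exit(), which a peerlet must never call.
        self._stopped.set()


class Peerlet:
    """Base class: a peerlet implements run() and optionally cleanup(); it has no main()."""

    def __init__(self):
        self.context = None  # set by the peer when the peerlet is installed

    def run(self):
        raise NotImplementedError

    def cleanup(self):
        pass


class Peer:
    """Container that runs each installed peerlet on its own thread (the peerlet model)."""

    def __init__(self):
        self._installed = {}  # name -> (peerlet, thread, stopped event)
        self.log = []

    def install(self, name, peerlet):
        stopped = threading.Event()
        peerlet.context = PeerletContext(name, stopped)

        def runner():
            try:
                peerlet.run()
            except Exception as exc:  # a failing peerlet must not take the whole peer down
                self.log.append(f"{name}: {exc!r}")
                stopped.set()

        thread = threading.Thread(target=runner, name=name, daemon=True)
        self._installed[name] = (peerlet, thread, stopped)

    def start(self, name):
        self._installed[name][1].start()

    def reap(self, timeout=5.0):
        """Join peerlets that signalled completion, run their cleanup(), and unload them."""
        reclaimed = []
        for name, (peerlet, thread, stopped) in list(self._installed.items()):
            if stopped.wait(timeout):
                thread.join(timeout)
                peerlet.cleanup()
                del self._installed[name]
                reclaimed.append(name)
        return reclaimed

    def installed(self):
        return sorted(self._installed)


class HelloPeerlet(Peerlet):
    """Constructed counterpart of Figure 8-20: does its work, then signals the peer."""

    def __init__(self):
        super().__init__()
        self.greeting = None
        self.cleaned = False

    def run(self):
        self.greeting = "Hello World"
        self.context.fire_peerlet_stopped()

    def cleanup(self):
        self.cleaned = True  # stands in for _frame.dispose()


class CrashingPeerlet(Peerlet):
    """Constructed peerlet that fails; the peer logs it and keeps running."""

    def run(self):
        raise RuntimeError("constructed failure")


def demo():
    peer = Peer()
    hello = HelloPeerlet()
    peer.install("hello", hello)
    peer.install("crash", CrashingPeerlet())
    peer.start("hello")
    peer.start("crash")
    reclaimed = peer.reap()
    return {
        "reclaimed": sorted(reclaimed),
        "greeting": hello.greeting,
        "cleaned": hello.cleaned,
        "errors": len(peer.log),
        "remaining": peer.installed(),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is the direction of control: the peerlet only ever raises a flag, and the container decides when to join the thread and call cleanup(), so one misbehaving peerlet neither exits the process nor leaks the resources of the others.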
 1  package samples.sdk.mono;
 2  import java.awt.*;
 3  import java.awt.event.*;
 4  import javax.swing.*;
 5  import geo.peer.*;
 6
 7  public class HelloWorldMPeer {
 8      static public void main(String argv[]) {
 9          Peer.initialize();
10          JFrame frame = new JFrame("Hello World Monolithic Peer");
11          frame.addWindowListener(new WindowAdapter() {
12              public void windowClosing(WindowEvent we) {
13                  System.exit(0);
14              }
15          });
16          // Remaining frame setup is the same application logic as lines 17-23 of Figure 8-20
17          frame.getContentPane().add(new JLabel("Hello World",
18                                                JLabel.CENTER),
19                                     BorderLayout.CENTER);
20          Dimension prefSize = new Dimension(250, 60);
21          frame.getRootPane().setPreferredSize(prefSize);
22          frame.pack();
23          frame.setVisible(true);
24      }
25  }

Figure 8-21: Simplest Monolithic Peer without Authentication

There is one more, somewhat hidden difference. The peerlet ran in the context of its peer, and the peer interfaced directly with the cloud. The peer supported authentication and other cloud interactions through a GUI. The simplest monolithic program, on the other hand, merely initialized the peer but never authenticated it. We need to enhance the program through several internal changes and an additional 20 lines of Java, shown in Figure 8-22.

8.4.5 Connection Objects Independent of Domains and Locations

The very significant security implications of mobility, peering, and other issues require careful consideration of the client's identity, as well as of the network connection and authentication. The program networking APIs therefore provide a general framework, available through abstract APIs, that leverages the specifics of the client, local devices, networking or remote capabilities. These capabilities utilize the connection, security and utility classes imported at lines 2 through 4 of Figure 8-22. Note in particular that the connection object (line 28) does not specify what it is connecting to. Rather than constrain the connection to a single cloud or domain, the API supports a variety of domains, peering and roaming arrangements. This example provides specific values as program parameters (lines 24, 25 and 26 access argv[]), though in practice the authentication passphrase cannot be a simple stored String.

 1  package samples.sdk.mono;
 2  import geo.peer.*;
 3  import geo.connection.Connection;
 4  import geo.security.Credentials;
 5  import geo.util.*;
 6
 7  public class AuthenticateMPeer {
 8
 9      static private void usage() {
10          System.err.println(
11              "\nusage: samples.sdk.mono.AuthenticateMPeer" +
12              " userHandle cloudName passPhrase\n");
13      }
14
15      static public void main(String argv[]) {
16          Peer.initialize();
17          Log log = Peer.getDefaultLog();
18          if (argv.length != 3) {
19              log.log(Log.ERROR, "Incorrect number of command" +
20                      " line arguments provided: " + argv.length);
21              usage();
22              System.exit(1);
23          }
24          String userHandle = argv[0];
25          String cloudName = argv[1];
26          String passphrase = argv[2];
27
28          try { Connection conn = Peer.getConnection();
29              Credentials cred =
30                  conn.createCredentialsObject("PropertiesFile");
31              cred.setUserHandle(userHandle);
32              cred.setCloudName(cloudName);
33              conn.authenticate(cred, passphrase);
34              System.out.println("Authentication succeeded!");
35          } catch (GeoException ge) {
36              log.log(Log.ERROR, ge);
37              log.log(Log.ERROR, ge.getKeyword());
38              System.err.println(ge.getLocalizedMessage());
39              System.exit(1);
40          }
41          System.exit(0);
42      }
43  }

Figure 8-22: Monolithic Peer with Authentication Code

The credential object (line 29) provides a structured container for the various credentials or algorithms that may be required to establish and protect the connection. These include X.509 certificates as well as other security information described in Section 6.3. This information is too voluminous for most people to remember, and hence it must be stored on a hardware device. The conn.createCredentialsObject() call specifies a source, which in this example (line 30) is a PropertiesFile stored in partially encrypted form on the local disk. The specific user and cloud are placed into the object (lines 31, 32), but the "unlock key" is not placed into the object. The program specifies values including the subscriber's home cloud, user name, and authentication information appropriate for the activities the subscriber requires of this object (lines 31, 32), and then authenticates over the connection. The credentials can be constrained by the local connectivity; for example, an office provides a private physical network, whereas a "road warrior" or telecommuter may access a specialized local access through information defined in the credentials. The program provides a main() method (line 15), initializes the peer and sets up a standard log (line 16), and verifies the parameters (lines 18-23). It then creates a connection object (line 28), thereby enabling the IP connectivity, and specifies a source for the credentials that will be needed to authenticate (line 30). The user's name (line 31) defines identity for this connection. The identity is unique within a domain as defined through the setCloudName method (line 32). Authentication of the connection is then requested (line 33), at which time the volatile "unlock key" or passphrase must be provided. The remainder of the program handles errors and terminates with an appropriate return code.

8.4.6 External Peer Application Model

External applications are more loosely integrated with the peer. They control an independently executing Peer using a Peer Interface (PI), and can be written in any supported language such as C, C++ or Java. However, access is limited to the networking services and SD APIs. It is best used for legacy applications, but may also be useful for applications whose specialization to Java virtual machines is difficult to achieve under the peerlet or monolithic models. This is shown in Figure 8-23.

    package samples.sdk.external;
    import java.net.UnknownHostException;
    import java.io.FileNotFoundException;
    import java.io.IOException;
    import geo.peer.pi.*;
    import geo.util.GeoException;

    public class AuthenticateExternal {

        static private void usage() {
            System.err.println("usage: AuthenticateExternal " +
                               "userHandle cloudName passphrase");
        }

        static public void authenticate(String userHandle,
                                        String cloudName,
                                        String passphrase) {
            try {
                String deploy = System.getProperty("GEOPLEX_DEPLOY");
                PIConnection piConn = new PIConnection(deploy);
                ConnectionHandler conn = new ConnectionHandler(piConn);
                conn.login(userHandle, passphrase, cloudName, "PropertiesFile");
            } catch (Exception ge) {
                System.err.println(ge.getLocalizedMessage());
            }
        }

        static public void main(String argv[]) {
            if (argv.length != 3) {
                System.err.println("Incorrect number of command " +
                                   "line arguments provided: " + argv.length);
                usage();
                System.exit(1);
            }
            authenticate(argv[0], argv[1], argv[2]);
        }
    }

Figure 8-23: External Application Model

8.5 Summary

We have presented a reference implementation for network middleware. This defines and explains essential components including active registries, dynamic directories, and access control models. These components provide APIs that describe, at an abstract layer, the activities necessary for service development and deployment. Middleware components provide these services in keeping with the platform design principles, and thus the polymorphic APIs may specify "why" rather than "how". The middleware can deploy the APIs through various mechanisms that leverage the most appropriate technologies available.

CHAPTER 9 Mechanisms of Middleware Components

This chapter explores the form and function of the middleware components, with emphasis upon what they can do and how they work. Starting with the selective admission of IP packets through the firewall, Section 9.1 describes a full range of functionality that subsumes the enforcement of security policy. The firewall directly supports a framework for managed security (Section 9.2) through dynamic binding of secure modules, thereby integrating standards-based security components into a manageable structure.
Extensibility leverages a generalized proxy framework, as described in Section 9.3. We then present several examples, including customizing the standard domain name service (DNS) protocol, network-based extensions of the hypertext transport protocol (HTTP), and the Common Internet File System (CIFS) protocol ubiquitous to Microsoft networking. The latter example enables "software leasing", a model recently identified by the Application Service Provider (ASP) industry as it evolves from the Internet Service Provider (ISP) model.

9.1 Rules-Based Packet Filter Firewall

Firewalls typically serve exclusively as a security component, while ignoring the higher-layer application semantics and lower-layer network behaviors. This narrow expertise sustains highly efficient performance with minimal delay and maximum safety. Consequently, we partition the firewall into separate control and action components. The control portion maintains a structured rule base that quickly locates the appropriate rules. Several structuring techniques organize the rules according to the static hierarchy of users, services and sessions. Dynamic data structures maintain per-session rule caches for fast runtime lookup. Machine-specific parameters configure the sizes of these dynamic structures, although this tuning question is beyond the confines of the current work.

Rapid execution by a powerful firewall engine enforces the rules at low cost, and eliminates dependence upon either extensive runtime state or expensive algorithms. This follows directly from the logical decomposition into a specialized rule component plus a refined engine that executes the rules. Reliability also improves because each component is smaller and hence easier to test, validate and refine. The composite rules base and programmable firewall protects the SNodes from invalid traffic, while also adapting to new traffic patterns.

Positioned as the physical mediator of all network traffic, the firewall aptly enforces a broad range of system behaviors that extends beyond security. Rather than confining the firewall to security enforcement alone, the architectural partitioning between rules and engine extends naturally into a more capable view of the firewall. This synergistic result arises from the design requirement of highest attainable throughput, and the consequent engineering of a highly efficient and streamlined engine. Reuse of the component does not in any way diminish its efficiency, but rather reinforces its centrality to the SNode design.

Figure 9-1: Firewall Integrates Transport Features with Service Requirements

SNodes deploy two or more network interface cards (NICs) that constitute the physical connection between multiple networks. All information passed into the SNode enters through these NICs and encounters the firewall. When filtering at a coarse granularity and acting upon packet-header information through cached rules, the filter does not impose a significant computational burden. The filter selectively activates fine-granularity processes only when necessary. It is interesting to note that this coarse-to-fine approach arises as the preferred solution in other complex processes as well. The SNode also provides a routing function, as it receives packets that are destined for various IP addresses – not only the local IP address. The dynamic firewall interposes as a mediator between IP networking and higher-layer services, and thus preserves the rich capabilities of the higher and lower layers, as shown in Figure 9-1.

The dynamic firewall is constructed from five primary components:
• Packet filters that define the behavior of IP connections ("Managed Firewalls" on page 180)
• Encryption modules that recover inbound data and protect outbound data ("Authentication and Session Layers" on page 165)
• ACT APIs that modify the firewall rule cache as client authentications change ("Active Registries: Connections, Users and Services" on page 246)
• Authentication proxy that validates client credentials and indicates when a client is authenticated ("Security Framework Authentication Proxy and Agents" on page 290)
• Access daemon that maintains the firewall rules in the firewall rule cache ("Firewall and Access Control – Access Daemon" on page 297)

The firewall can perform any of four actions upon a packet, and makes this determination through the packet's source/destination IP address and port. These actions are PASS, DROP, LOCAL and MAP (see Table 3 on page 182). These methods support both coarse-granularity and fine-granularity access control. At the coarse-granularity level, the PASS action allows direct IP routing to the destination IP and port, whereas the DROP action discards the traffic. This may squelch certain cyber attacks such as denial of service, at least when there is a rhyme or reason to the targeted addresses and ports. Traffic flow and function are modified through the MAP action, as this redirects traffic to another address. The LOCAL action activates a local process, and it is through such local actions that fine-grain access control is enforced. The LOCAL action also supports protocol mediation. The architecture runs multiple simultaneous copies of the firewall (each copy running within its own gate). Additional servers can run duplicate copies of the gate and firewall software that are brought online as the volume of network traffic increases.
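The four actions, the global rule base plus per-session rule cache, and the ACT hook that changes the cache as a client authenticates can be modelled together in a small rule engine. The following Python packet filter is an added example written for this page, not code from the book or from the platform, and it generalizes the description above into a complete decision procedure over constructed rules, addresses and packets. Three design points are my assumptions rather than statements of the book: per-session rules are consulted before the global base, a packet that no rule mentions is dropped, and when several rules of one base match, the most restrictive action wins (the "maximal security" principle of the rule manager). The auth_proxy handler is a constructed stand-in for the authentication proxy.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

PASS, DROP, LOCAL, MAP = "PASS", "DROP", "LOCAL", "MAP"
# Ranking used when several rules of one rule base match the same packet:
# the most restrictive action wins (assumed reading of "maximal security").
RESTRICTIVENESS = {DROP: 3, LOCAL: 2, MAP: 1, PASS: 0}


@dataclass(frozen=True)
class Rule:
    src: str                          # source network, CIDR
    dst: str                          # destination network, CIDR
    dport: Optional[int]              # destination port, None = any port
    action: str                       # PASS, DROP, LOCAL or MAP
    target: Optional[object] = None   # MAP: (ip, port) to redirect to; LOCAL: handler name

    def matches(self, pkt: dict) -> bool:
        # Coarse granularity: only header fields are examined, never payload.
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt["dport"]))


class PacketFilter:
    def __init__(self, global_rules):
        self.global_rules = list(global_rules)   # rules affecting every host
        self.session_cache = {}                  # client IP -> rules granted on authentication
        self.local_handlers: dict = {}           # LOCAL action name -> local process (callable)
        self.counters = {action: 0 for action in RESTRICTIVENESS}

    def register_local(self, name: str, handler: Callable) -> None:
        self.local_handlers[name] = handler

    # ACT-style hooks: authentication installs a per-session rule set, logout removes it.
    def client_authenticated(self, client_ip: str, rules) -> None:
        self.session_cache[client_ip] = list(rules)

    def client_logged_out(self, client_ip: str) -> None:
        self.session_cache.pop(client_ip, None)

    def decide(self, pkt: dict) -> Rule:
        # Session cache first, then the global base; unmatched packets are dropped (default deny).
        for base in (self.session_cache.get(pkt["src"], []), self.global_rules):
            matched = [r for r in base if r.matches(pkt)]
            if matched:
                return max(matched, key=lambda r: RESTRICTIVENESS[r.action])
        return Rule("0.0.0.0/0", "0.0.0.0/0", None, DROP)

    def process(self, pkt: dict):
        rule = self.decide(pkt)
        self.counters[rule.action] += 1
        if rule.action == PASS:                  # direct IP routing to the requested destination
            return ("route", pkt["dst"], pkt["dport"])
        if rule.action == MAP:                   # redirect to another address and port
            return ("route", rule.target[0], rule.target[1])
        if rule.action == LOCAL:                 # hand the packet to a local process (fine grain)
            return ("local", self.local_handlers[rule.target](pkt))
        return ("drop",)


def demo():
    """Constructed scenario: a client may only reach a service after the authentication proxy admits it."""
    pf = PacketFilter([
        Rule("0.0.0.0/0", "10.0.0.1/32", 443, LOCAL, "auth_proxy"),     # everyone may reach the auth proxy
        Rule("0.0.0.0/0", "10.0.0.0/8", 53, MAP, ("10.0.0.53", 53)),     # DNS is always redirected to the platform resolver
        Rule("192.168.1.0/24", "10.0.7.0/24", None, PASS),               # public service net is open ...
        Rule("192.168.1.0/24", "10.0.7.0/24", 23, DROP),                 # ... except telnet; DROP wins the conflict
    ])

    def auth_proxy(pkt):
        # Constructed stand-in for the authentication proxy: success opens a session rule set.
        pf.client_authenticated(pkt["src"], [Rule(pkt["src"] + "/32", "10.0.5.0/24", 80, PASS)])
        return "authenticated " + pkt["src"]

    pf.register_local("auth_proxy", auth_proxy)
    client = "192.168.1.7"
    results = [
        pf.process({"src": client, "dst": "10.0.5.9", "dport": 80}),    # before authentication: dropped
        pf.process({"src": client, "dst": "10.0.0.1", "dport": 443}),   # LOCAL: authentication proxy
        pf.process({"src": client, "dst": "10.0.5.9", "dport": 80}),    # after authentication: routed
        pf.process({"src": client, "dst": "10.0.9.9", "dport": 53}),    # MAP: redirected to resolver
        pf.process({"src": client, "dst": "10.0.7.2", "dport": 23}),    # PASS vs DROP conflict: dropped
    ]
    pf.client_logged_out(client)
    results.append(pf.process({"src": client, "dst": "10.0.5.9", "dport": 80}))  # session gone: dropped
    return results, dict(pf.counters)


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

The session cache is what makes the filter dynamic: nothing in the global base names the service network 10.0.5.0/24, so the only way a client reaches it is through the LOCAL authentication path, and the grant disappears as soon as the session is torn down.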
These components support a flexible security system while also preserving the rich capabilities unique to both upper-layer services and the lower-layer networking:

[...] combine multiple interacting clouds, as shown in Figure 9-8.

Figure 9-8: Multiple Cloud Firewall

9.2.5 Middleware-Based PKI and PKI Management

The mechanisms and deployment of middleware Credential Proxy (CP) controls all the credentials-related mechanisms in the platform. This handles the generation/issuance, [...]

[...] internally accredited CA. The user and middleware then provide the information to be written onto the certificate in accordance with policies regulating the CA. The middleware mediates the certificate content by control of data passing into the certificate request; this includes permitted, forbidden and required certificate extensions, as well as validity dates and algorithms. The middleware translates the user [...]

[...] Middleware accepts the connection, and provides the application-layer protocol at the protocol port.
3 Middleware either serves the request, or completes the connection to the service IP [...]
4 This protocol may run on either the announced service port, or on its own unique port (called the proxy port). The middleware [...]

[...] authentication occurs only through a common and controlled framework. The second situation allows access to direct subscribers of network middleware. The dial platform essentially becomes a tunneling pass-through. For these users the requests are passed directly to the middleware for validation, with appropriate encapsulation in PPP, L2TP or other protocol [Shea].

9.2.4 Firewall and Access Control – Access [...]

[...]tials could be specific to the modem pool, or they could be part of the middleware network. The first situation may arise when an enterprise chooses to administrate its users with a private domain. Such enterprises can broker the requests over a private tunnel connection to the middleware. In such uses the enterprise retains responsibility for user actions, except when the user [...]

[...] passwords, authentication certificates, or a trust relationship with a hosting domain. Password authentication will validate the password supplied by the user. Certificate authentication uses an X.509 certificate for mutual authentication. Clients can either register an existing certificate for the purpose [...]

[...] connection, finding Alice among active users gives the DP the assurance that the authentication token is not being replayed. Unprotected HTTP connections, however, strictly require fortification to protect their content.

Figure 9-7: Time-Varying Encrypted Cookies Securing Identity

The tokens sent [...]

[...] page 204). After the DP has finished the verification procedure, it contacts the content server through a secure proxy connection on Alice's behalf. The content is returned to Alice's browser. Thus, the middleware supports the most common Internet protocol – HTTP – through combination of multiple standards and improvements built on them. The example of browser login uses the globally accepted standards [...]

Security System

The packet filter allows the rules to be changed dynamically by the authentication system. This is capable of creating independent sets [...]

[...] the access? The rule manager maintains these rules along the principle of maximal security, thereby imposing the maximally restrictive actions.

The packet filter maintains two rule bases, as previously described in Section 6.6. First are the global rules that affect all the hosts on a network [...]