Applying MLS To
Total Page:16
File Type:pdf, Size:1020Kb
Applying a Multi-level Security Mechanism to a Network Address Translation Scheduler Arthur McDonald1 and Haklin Kimm1 Haesun Lee2 and Ilhyun Lee2 1Computer Science Department 2Department of Science and Mathematics East Stroudsburg University of Pennsylvania University of Texas of the Permian Basin East Stroudsburg PA 18301 4901 E. University Blvd. Odessa, TX 79762 E-mail: [email protected] E-mail: [email protected] Abstract - In this paper, we consider a scheduling on their security levels. Using the algorithm that we algorithm being applied with multi-level security that present in this paper, information can be kept at allows two or more hierarchical classification levels of several levels of security on separate server machines, information to be processed simultaneously. There are which will only grant access to the data if the security various load scheduling algorithms pre-built into the Linux level of the client machine is identifiable and has Virtual Server system that have been tested and proven effective for distributing the load among the real servers. been given the proper security clearance. The While these algorithms may work effectively, there is no security levels are statically assigned by the security current scheduling algorithm that considers a multi-level administrator of the LVS and as of this writing there security protocol to determine which clients have access is no way to bypass the scheduler. rights among the servers. 1. Introduction 2. Linux Virtual Servers One of the main concepts in a Linux Virtual In the late 1990s, several open source developers Server is the ability for the director to forward data created a software package for Linux to take packets sent by the client to the appropriate real advantage of scalability and cluster computing. The server and vice-versa. There are three ways for the Linux Virtual Server (LVS) project allows many director to perform this task: Network Address machines to be networked together into a highly Translation (NAT), IP-Tunneling and Direct Routing. available, high performance virtual server. While it seemingly appears to be a single server to machines 2.1 Network Address Translation (NAT) outside of the cluster (referred to as clients), the Network Address Translation (NAT) is a way of machine may consist of hundreds of separate servers, manipulating the source and/or the destination handling requests for HTTP, FTP, DNS, TELNET or address of a data packet. As described in [2, 12], others. When a client connects to the cluster of data packets contain both address information, such servers, the connection is processed by the director, as the IP address of the source and destination, as or master node of the virtual server. The director well as data. NAT works on the theory that the sends these connections, referred to as the load, to addressing information is independent from the data. one of the many servers in the cluster based on some Therefore, a machine stationed somewhere along the scheduling algorithm. route between the source machine and the intended As of now, there are several load scheduling destination could change the addressing information algorithms already developed and implemented in (or any other information in the packet header) LVS, including round-robin, least-connection, without affecting the connection [4, 12]. destination hashing and source hashing. While these Traditionally, a machine acting as a Network scheduling algorithms work well in various situations, Address Translator is used to connect an isolated there is no way for the administrator to specify, based range of private IP addresses, such as a Virtual on some protocol, what security level clients can Private Network (VPN), to an external realm of have to access certain servers in the cluster. globally unique IP addresses, such as the Internet. We present the implementation of a multi-level When a private network’s internal IP addresses security load scheduling algorithm for Linux Virtual cannot be used outside of the network because they Servers. A multilevel secure (MLS) system is defined are invalid or for security reasons the addresses must as a system with a mode of operation that allows two be kept within the private network, Network Address or more hierarchical classification levels of Translation is used [7]. information to be processed simultaneously [1,3,10,11,15] . 2.2 IP Tunneling Security administrators can specify which users IP Tunneling, sometimes referred to as IP are authorized to access data and programs depending encapsulation, is a technique to encapsulate an IP packet within IP packets. When a client requests a This algorithm is considered a dynamic scheduling service from the LVS, a packet destined for the algorithm because it needs to count the live virtual IP address is examined by the director, which connections for each server dynamically. chooses the real server using the scheduling algorithm. The director then encapsulates the packet 3.4 Weighted Least Connection within the data section of another IP packet and The weighted least connection scheduling forwards it to the destined real server [17]. When the algorithm is a superset of the least connection encapsulated packet reaches the real server, it algorithm, in which weights can also be assigned to decapsulates the packet and processes the request. real servers. Real servers with a higher weight will However, data sent back to the client from the real receive a larger percentage of the connections. server is not routed back through the director; the real server has the IP address of the client, which was in 3.5 Destination/source Hash Scheduling the header of the encapsulated packet. The real server The destination hash scheduling algorithm uses a sends all results directly to the client address. static hash table to look up the destination IP address of data packets and assign a real server accordingly. 2.3 Direct Routing Source hash scheduling is similar to the destination In a Linux Virtual Server that uses Direct hash algorithm, except that the real server is chosen Routing as the forwarding method, all machines are based on the source IP address of the data packet. configured to accept data to the Virtual IP address of Unfortunately, there is not much documentation on the LVS [8, 16]. When a client requests a service, the destination or the source hash scheduling the director examines the packet and determines if it algorithms as these are still considered experimental. matches a service offered by the LVS. If there is a match, then a real server is chosen using the 4. Scheduling with Multilevel Security scheduling algorithm and the data packet is directly While various load scheduling algorithms may forwarded, without any modification, to the physical work effectively, there is no current scheduling MAC address of the real server [9]. When the real algorithm that considers a multi-level security server receives the forwarded packet, the request is protocol to determine which clients have access processed by the real server and returned directly to rights among the servers. the client, bypassing the director [9]. 4.1 The Kernel 3. Load Scheduling The kernel actually does very little itself, but provides the tools for which services can be built. In One of the most important concepts in a Linux fact, any program running on the computer is forced Virtual Server is the concept of load scheduling. As to interact with the kernel in order to access hardware of this writing, the following six scheduling devices, protecting them from damage [5]. algorithms are implemented in the core LVS Interaction between applications and the kernel distribution [18]. is provided through system calls. User applications 3.1 Round Robin and system programs are said to exist and execute in The round robin algorithm sends incoming user space. All kernel operations are executed in requests to the next server in the server list. This kernel space. algorithm treats all the real servers equally, 4.2 Functions regardless of the number of incoming connections or Our algorithm uses a variety of functions to response time of the server. schedule incoming requests across the Linux Virtual 3.2 Weighted Round Robin Server. Some of these functions are required for This algorithm is similar to the normal round- compatibility with the already existing LVS code and robin method, except each real server is also assigned have only been slightly modified for this project. This a weight. More jobs are given to real servers with a section details those functions that have been used for greater weight. The weight factor is adjusted as the the project. load for the server changes. This scheduling 4.2.1 ip_vs_mls_init_svc algorithm is beneficial when there is a significant This function is used by the LVS code when difference in the load capacity of the real servers. setting up the virtual server to use the multi-level 3.3 Least Connection security scheduling. When an administrator sets up This algorithm distributes requests to the real server the Virtual Server, they must specify what type of with the fewest number of established connections. service (telnet, http, etc…) to set up, along with what scheduling algorithm to use. This function takes a parameter as a pointer to an ip_vs_service data type, the list of destination real servers and assigns the and initializes its scheduling data to the list of destination according to the security level. Finally, it destination real servers. returns a pointer to the destination real server’s IP address to the LVS code, which handles all 4.2.2 ip_vs_mls_done_svc communication from there. This function is called by the LVS code when the service is no longer offered by the Virtual Server. 4.2.7 ip_vs_mls_get_security_level This function simply returns 0 to let the system know This is the function that determines the security that the service is no longer being used.