<!--
   EMULAB-COPYRIGHT
   Copyright (c) 2005 University of Utah and the Flux Group.
   All rights reserved.
  -->
<center>
<h1>Running an Experiment in a ''Secure'' Environment</h1>
</center>

<h2>Contents</h2>
<ul>
<li> <a href="#Overview">Overview</a>
<li> <a href="#Use">Use</a>
<li> <a href="#Limitations">Current Limitations</a>
<li> <a href="#KnownBugs">Known Bugs</a>
<li> <a href="#Examples">A Couple of Examples</a>
</ul>

<hr>
<a NAME="Overview"></a><h2>Overview</h2>
<p>
Originally, the goal of an Emulab experiment was to provide an isolated
environment in which to run tests.  Isolation here primarily meant resource
isolation--preventing artifacts in an experiment due to other experiments or
outside influences.  While basic authentication and protection mechanisms
were used, the threat model being addressed was accidental "attacks" on
isolation; e.g., a misconfigured interface causing flooding of another
experiment's network.
We are now building up the Emulab infrastructure to allow experimentation
with more potent threats, in particular ''malware,'' which attempts to
actively exploit weaknesses on nodes and in the network.
</p><p>
Since Emulab is intended for use by researchers, we did not want to
unnecessarily restrict access from the Internet to experimental nodes and vice-versa.
Thus the central Emulab firewall is fairly permissive.  For high-risk
experiments, this is not acceptable.  To address this, we have added
<a href="docwrapper.php3?docname=firewall.html">per-experiment control net
firewalls</a>.
</p><p>
Another decision made early on, for the convenience of users, was for extensive
use of shared infrastructure such as a shared filesystem and a central login
machine within Emulab allowing for efficient control of experiments.  Such
shared infrastructure provides an easy target for malware, so through the
use of <a href="elabinelab.php3">''Emulab in Emulab''</a>
we provide per-experiment Emulab infrastructure.
</p><p>
By combining the two facilities, we enable containment of high-risk experiments
without sacrificing the features that make Emulab so easy to use.
</p>
<a NAME="Use"></a><h2>Use</h2>
<p>
In your NS file you can specify a <em>security level</em> at which an
experiment should be run.  Security levels are specified as colors
(oh, now that is real original!)
with the <code>tb-set-security-level</code> command.  Colors are a way to
conveniently configure a firewall with a known, fixed ruleset.  If you use
<code>tb-set-security-level</code> then you cannot modify the implied
firewall (e.g., by using "add-rule"), nor can you allocate your own firewall.
The exact configuration of the firewalls implied by the security level is
still a work in progress, but the current meanings are:
<ul>
<li>Green.
The default for all experiments.  No firewall is allocated.
Hence all nodes are still on the shared control network.
<li>Blue.
A <a href="docwrapper.php3?docname=firewall.html#Styles">basic style</a>
firewall is allocated.  This configuration is intended for preventing
bad stuff from getting in, not to prevent it from getting out.  The only
practical implication right now is that, at swapout time, nodes in a Blue
experiment do not undergo
<a href="docwrapper.php3?docname=firewall.html#Swapout">
the rigorous decontamination process</a>
that all higher security levels (and explicit firewalls) require.
This security
level is appropriate for running a Windows node while you customize it,
without needing to worry about it becoming infected.
<li>Yellow.
Currently allocates a
<a href="docwrapper.php3?docname=firewall.html#Styles">basic style</a>
firewall.
All nodes go through the swapout decontamination process.
<li>Orange.
A <a href="docwrapper.php3?docname=firewall.html#Styles">closed style</a>
firewall is allocated.
All nodes go through the swapout decontamination process.
<li>Red.
Not currently implemented.  This will eventually be an experiment for which
the control network has been completely disabled.  The only outside access
allowed will be via the serial console line.
</ul>
You can explicitly combine a per-experiment Emulab with an "Orange" experiment
to get the highest level of protection we currently offer.  It further
restricts access from the experiment to the "real" Emulab infrastructure
(e.g., no NFS allowed to the real "fs" node).
<em>Please note that this configuration currently takes over 20 minutes
to set up, regardless of the size of the experiment!</em>
</p>
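<p>
A pre-submission check for the rules in this section, given as an added example that is not part of Emulab's own tooling: it reads an NS file, reports what the chosen level alone implies (firewall style, swapout decontamination), and flags the conflicts described above. The function name <code>check_ns</code> and the <code>new Firewall</code> pattern used to spot an explicitly allocated firewall are assumptions; only <code>add-rule</code> is named on this page.
</p>

```python
import re

# Level -> (implied firewall style, swapout decontamination), per the list above.
LEVELS = {"Green": (None, False), "Blue": ("basic", False),
          "Yellow": ("basic", True), "Orange": ("closed", True)}

def check_ns(text):
    """Summarize the containment an NS file asks for and list conflicts."""
    lines = [s for l in text.splitlines()
             if (s := l.strip()) and not s.startswith("#")]  # skip comments
    levels = [m.group(1) for l in lines
              if (m := re.match(r"tb-set-security-level\s+(\S+)", l))]
    inner = any(re.match(r"tb-elab-in-elab\s+1\b", l) for l in lines)
    level = levels[0] if levels else "Green"  # Green is the default
    problems = []
    if level == "Red":
        problems.append("Red is not currently implemented")
    elif level not in LEVELS:
        problems.append(f"{level!r} is not a level listed in this document")
    if levels:  # an explicit level implies a fixed firewall ruleset
        for l in lines:
            if re.search(r"\badd-rule\b", l):
                problems.append("add-rule cannot modify the implied firewall")
            if re.search(r"\[\s*new\s+Firewall\b", l):  # assumed syntax
                problems.append("own firewall allocated alongside a level")
    style, decon = LEVELS.get(level, (None, None))
    return ({"level": level, "firewall_style": style, "decontaminate": decon,
             "inner_elab": inner,
             "highest_protection": inner and level == "Orange"}, problems)

# The Windows XP "prison" NS file from the examples in this document.
PRISON = """
source tb_compat.tcl
set ns [new Simulator]
tb-elab-in-elab 1
tb-set-security-level Orange
tb-set-inner-elab-eid winxpnodes
$ns run
"""

# Constructed fragment that breaks the rules described above.
CONFLICT = """
set ns [new Simulator]
tb-set-security-level Red
set fw [new Firewall $ns]
$fw add-rule "allow udp from any to any"
"""

print(check_ns(PRISON), check_ns(CONFLICT), sep="\n")
```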
<a NAME="Limitations"></a><h2>Limitations</h2>
<p>
See <a href="docwrapper.php3?docname=firewall.html#Limitations">
the firewall Limitations section</a>.
</p>
<a NAME="KnownBugs"></a><h2>Known Bugs</h2>
<p>
See <a href="docwrapper.php3?docname=firewall.html#KnownBugs">
the firewall Known Bugs section</a>.
</p>
<a NAME="Examples"></a><h2>A Couple of Examples</h2>
<p>
This:
	<code><pre>
	source tb_compat.tcl
	set ns [new Simulator]

	tb-set-security-level Yellow

	set n1 [$ns node]
	tb-set-node-os $n1 FBSD-STD
	set n2 [$ns node]
	tb-set-node-os $n2 RHL-STD
	set link [$ns duplex-link $n1 $n2 100Mb 0ms DropTail]

	$ns run
	</pre></code>
is nearly equivalent to
<a href="docwrapper.php3?docname=firewall.html#Example">
the firewall example</a> except that there are no additional firewall
rules to allow <code>traceroute</code>.
</p><p>
To set up a high-security prison for running a
<a href="../doc/docwrapper.php3?docname=windows_in_emulab_user.html">Windows XP experiment</a>
you could do:
	<code><pre>
	source tb_compat.tcl
	set ns [new Simulator]

	tb-elab-in-elab 1
	tb-set-security-level Orange

	tb-set-inner-elab-eid winxpnodes

	$ns run
	</pre></code>
This will set up a firewalled, experiment-private Emulab in which the
pre-existing <code>winxpnodes</code> experiment will be instantiated.
Here <code>winxpnodes</code> might look like:
	<code><pre>
	#
	# Windows XP experiment.
	#
	source tb_compat.tcl
	set ns [new Simulator]

	set win1 [$ns node]
	tb-set-node-os $win1 WINXP-02-11
	tb-set-hardware $win1 pc850

	set win2 [$ns node]
	tb-set-node-os $win2 WINXP-02-11
	tb-set-hardware $win2 pc850

	set lan [$ns make-lan "$win1 $win2" 100Mb 0ms]

	$ns run
	</pre></code>
</p>
See the <a href="elabinelab.php3">''Emulab in Emulab''</a> section for
more details.