The manner in which network file systems (e.g., NFS, CIFS) are administered has not improved as network file systems have evolved. The tools and techniques used to manage these systems have remained primitive and, for the most part, administrators are forced to create custom, ad hoc solutions to satisfy their needs. Although there are a number of different generic network system tools for monitoring and control, they can be difficult to deploy and require complex configuration. Additionally, they typically only address a subset of the administrative requirements, so that custom solutions are still required.
It is clear that advanced tools are needed to aid in the administration of network file systems. Specifically, we look to provide a generic framework with which an administrator can perform both monitoring and controlling functions on network file systems. FileWall is a network file system middlebox (similar in nature to firewalls) upon which administrators can build context-aware policies to monitor and control user accesses to network file systems, using both network and file system context. The overriding goal of this project is to develop a framework of tools using FileWall to ease the administration of network file systems, and to evaluate the effectiveness of these tools in providing a platform for network file systems administration.
The FileWall Framework provides a set of tools for administrators to build and deploy access monitoring and control policies for network file systems. The figure below illustrates the primary components of the framework.
Figure 1: The FileWall Framework
Administrators specify access monitoring and control policies through a high-level programming language. This language provides network file system abstractions, and makes use of the access control and access monitoring mechanisms provided by FileWall. Administrators view the results of policy execution with the FileWall Console GUI. (Note: They can also use the GUI to perform various configuration tasks on the FileWall.) The foundation of the framework is the FileWall, a network file system middlebox (analogous to a network firewall) that interposes on the network file server client-server path and intercepts all messages transmitted between clients and servers. The next figure (below) illustrates our model.
Figure 2: The FileWall Model
In the figure, a client is issuing requests to a server, while the server issues responses. Interposing on this request-response path is FileWall. As FileWall intercepts each request/response, it executes policies based on its configuration. FileWall policies are implemented using message capture, attribute extraction, and message transformation. In brief, policies have access to and can modify any attribute contained within the network file system messages. Policies can also store state within a per-policy state store called access context. Together these mechanisms allow policies to make decisions and take action based on both current request/response context and historical context. Policy writers use these mechanisms to implement a broad range of network file system access control and monitoring policies. The final figure (below) illustrates the architecture of FileWall.
Figure 3: The FileWall Architecture
In the figure, a request (response) that is issued by a client (server) is captured by FileWall. The message is passed to the request (response) policy handler and processed by the policy, which may also use state stored in the access context during policy evaluation. Policies are organized into chains and are scheduled by the scheduler. Messages are passed between policies in a chain by the forwarder. For more details about the architecture and current experimental results, please see our publications section (below).
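The policy mechanisms and chain architecture described above can be sketched as follows. This is an added example, not FileWall's code or policy language: the Message fields, the two policy classes, run_chain, the path prefixes and the constructed request trace are all assumptions made for illustration.

```python
# Hypothetical model of a policy chain; not FileWall's policy language or API.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Message:                      # attributes extracted from a captured request
    client: str
    op: str                         # e.g. "READ", "WRITE", "REMOVE"
    path: str
    ts: float                       # arrival time in seconds

class RemapScratch:
    """Message transformation: rewrite the path attribute before forwarding."""
    def handle(self, msg):
        if msg.path.startswith("/scratch/"):
            return replace(msg, path="/export/scratch/" + msg.client + msg.path[8:])
        return msg

class RemoveBurstLimit:
    """Historical context: at most `limit` REMOVEs per client per `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.context = {}           # this policy's own state store (access context)
    def handle(self, msg):
        if msg.op != "REMOVE":
            return msg
        recent = [t for t in self.context.get(msg.client, []) if msg.ts - t < self.window]
        allowed = len(recent) < self.limit
        self.context[msg.client] = recent + [msg.ts] if allowed else recent
        return msg if allowed else None   # None means the request is dropped

def run_chain(chain, msg):
    """Forwarder: hand the message from policy to policy; stop at the first drop."""
    for policy in chain:
        msg = policy.handle(msg)
        if msg is None:
            return None
    return msg

def demo():
    chain = [RemapScratch(), RemoveBurstLimit(limit=2, window=10.0)]
    trace = [                       # constructed sample requests
        Message("10.0.0.5", "REMOVE", "/scratch/a", 0.0),
        Message("10.0.0.5", "REMOVE", "/scratch/b", 1.0),
        Message("10.0.0.5", "REMOVE", "/scratch/c", 2.0),
        Message("10.0.0.7", "REMOVE", "/home/x", 2.5),
        Message("10.0.0.5", "REMOVE", "/scratch/d", 11.5),
    ]
    forwarded = [run_chain(chain, m) for m in trace]
    return [m.path if m else "DROPPED" for m in forwarded]
```

The third REMOVE from 10.0.0.5 is dropped because of state kept from the first two, while the other client and the later request pass: the decision depends on historical context, not on the message alone.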
There are four primary research goals for this project:
To develop and evaluate network file system access control policies that can be implemented within a network processing device (i.e., FileWall). We are exploring the feasibility of creating and deploying complex access control policies while not modifying the network file system clients or servers. This includes quantifying the client-perceived performance overheads due to the policy execution within FileWall, as well as understanding the effects of these control actions on the semantics of the network file systems under control.
To develop and evaluate non-intrusive network file system access monitoring policies. We are exploring the feasibility of extracting and analyzing user behavior models by observing the flow of messages in the network file system. Once extracted, we will explore applications of these models to common network file system security and administration problems. Applications of these models include non-intrusive network file system intrusion detection, protocol bug isolation/determination, reliability/fault tolerance, auditing, and forensics.
To be most effective, FileWall must export an expressive and powerful interface. This includes providing the right set of abstractions to the policy designer. We are exploring the use of programming language techniques (e.g., verification and validation) to improve the programmability of the FileWall by providing a domain-specific set of language abstractions for developing network file system policies. Additionally, we intend to incorporate mechanisms to improve the overall security of FileWall, while improving reliability and protection by adapting verification/validation mechanisms.
Finally, we are exploring techniques for visualization of policy results. These results may be the output from monitoring tasks, or could be output from any of the various policy applications. The goal of this work is to provide a human-interpretable view of the operation of network file systems. It is clear that there is substantial information that can be gathered through observation of network file system client-server interactions, so much so that human administrators require a filtered or distilled view that is meaningful to the tasks they wish to perform. We are currently building the FileWall GUI as a basis for exploring and identifying the most relevant views into network file systems. These views encompass both on-line and historical policy results, such that administrators can monitor the current situation or generate reports based on historical information. Finally, since we plan to keep historical results, we are exploring techniques to do so efficiently, in terms of performance and storage overheads.
Filewall: A Firewall for Network File Systems
Stephen Smaldone, Aniruddha Bohra, and Liviu Iftode
In Proceedings of the 3rd IEEE International Symposium on Dependable, Autonomic, and Secure Computing (DASC'07), Baltimore, MD, September 2007
FRAC: Implementing Role-Based Access Control for Network File Systems
Aniruddha Bohra, Stephen Smaldone, and Liviu Iftode
In Proceedings of the 6th IEEE International Symposium on Network Computing and Applications (NCA'07), Boston, MA, July 2007
Novel Architecture for Controlling File System Access
Stephen Smaldone and Liviu Iftode
Filed with the US Patent Office
Stephen Smaldone, James Boyce (Undergrad)