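def example_setup(num_clients=3, num_servers=3):
    """Build the policy for the basic three-switch gateway example.

    Virtual switch groups: an Ethernet island (switches 2, 3, 4 plus edge
    switch 1000), an IP core (5, 6, 7 plus edge 1002) and one gateway switch
    (1001) joining the 10.0.0.0/24 and 10.0.1.0/24 subnets.

    Args:
        num_clients: hosts on the Ethernet side, addressed 10.0.0.2 upward.
        num_servers: hosts on the IP side, addressed 10.0.1.2 upward.

    Returns:
        The parallel composition of one policy per switch group, each
        restricted to its own switches with switch_in().  There is no
        filtering anywhere in this example: the gateway forwards anything
        between the two subnets.
    """
    ### EXAMPLE PARAMETERS
    # NETWORK BREAKDOWN
    ethernet = [2, 3, 4, 1000]
    ip_core = [5, 6, 7, 1002]
    gateway = [1001]

    # SUBNET ADDRESSING
    eth_prefix = '10.0.0.'
    ip_prefix = '10.0.1.'
    prefix_len = 24
    eth_cidr = eth_prefix + '0/' + str(prefix_len)
    ip_cidr = ip_prefix + '0/' + str(prefix_len)

    # END HOST ADDRESSES
    public_ip = IP('10.0.1.100')
    fake_mac = MAC('BB:BB:BB:BB:BB:BB')

    def _host_mac(n):
        # Host index n fills the low two bytes, so the string stays a valid
        # MAC for any host count ('...:0' + str(n) produced an invalid
        # address once n reached 10).  Identical to the old scheme for n <= 9.
        return MAC('00:00:00:00:%02x:%02x' % (n >> 8, n & 0xff))

    # Hosts are numbered 1.. across both subnets; host i lives at <prefix>.(i+1).
    eth_macs = {
        IP(eth_prefix + str(i + 1)): _host_mac(i)
        for i in range(1, 1 + num_clients)
    }
    ip_macs = {
        IP(ip_prefix + str(i + 1)): _host_mac(i + num_clients)
        for i in range(1, 1 + num_servers)
    }
    # Merge via update(); concatenating items() only works on Python 2.
    host_macs = dict(eth_macs)
    host_macs.update(ip_macs)
    # No real host sits behind public_ip; the gateway answers for it with a
    # made-up MAC.
    host_macs.update({IP(public_ip): fake_mac})

    ### POLICIES FOR THIS EXAMPLE
    eth_pol = mac_learner()
    ip_pol = mac_learner()
    gw_pol = gateway_forwarder(eth_cidr, ip_cidr, host_macs)
    return ((switch_in(ethernet) & eth_pol) +
            (switch_in(gateway) & gw_pol) +
            (switch_in(ip_core) & ip_pol))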
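def example_setup(num_clients=3, num_servers=3):
    """Build the policy for the gateway example with a virtualized IP core.

    Virtual switch groups: an Ethernet island (switches 2, 3, 4 plus edge
    switch 1000), an IP core (5, 6, 7 plus edge 1002) that is merged into a
    single virtual switch, and one gateway switch (1001) joining the
    10.0.0.0/24 and 10.0.1.0/24 subnets.

    Args:
        num_clients: hosts on the Ethernet side, addressed 10.0.0.2 upward.
        num_servers: hosts on the IP side, addressed 10.0.1.2 upward.

    Returns:
        The parallel composition of one policy per switch group.  Nothing
        here filters traffic; the gateway forwards anything between subnets.
    """
    ### EXAMPLE PARAMETERS
    # NETWORK BREAKDOWN
    ethernet = [2, 3, 4, 1000]
    ip_core = [5, 6, 7, 1002]
    gateway = [1001]

    # SUBNET ADDRESSING
    eth_prefix = '10.0.0.'
    ip_prefix = '10.0.1.'
    prefix_len = 24
    eth_cidr = eth_prefix + '0/' + str(prefix_len)
    ip_cidr = ip_prefix + '0/' + str(prefix_len)

    # END HOST ADDRESSES
    public_ip = IP('10.0.1.100')
    fake_mac = MAC('BB:BB:BB:BB:BB:BB')

    def _host_mac(n):
        # Host index n fills the low two bytes so the address stays a valid
        # MAC for any host count ('...:0' + str(n) broke once n reached 10).
        # Identical to the old scheme for n <= 9.
        return MAC('00:00:00:00:%02x:%02x' % (n >> 8, n & 0xff))

    # Hosts are numbered 1.. across both subnets; host i lives at <prefix>.(i+1).
    eth_macs = {
        IP(eth_prefix + str(i + 1)): _host_mac(i)
        for i in range(1, 1 + num_clients)
    }
    ip_macs = {
        IP(ip_prefix + str(i + 1)): _host_mac(i + num_clients)
        for i in range(1, 1 + num_servers)
    }
    # Merge via update(); concatenating items() only works on Python 2.
    host_macs = dict(eth_macs)
    host_macs.update(ip_macs)
    # No real host sits behind public_ip; the gateway answers for it with a
    # made-up MAC.
    host_macs.update({IP(public_ip): fake_mac})

    ### POLICIES FOR THIS EXAMPLE
    eth_pol = mac_learner()
    # The IP core switches are presented as one virtual switch (id 5) and
    # a single learning switch runs on top of it.
    ip_pol = virtualize(mac_learner(), merge(name=5, from_switches=ip_core))
    gw_pol = gateway_forwarder(eth_cidr, ip_cidr, host_macs)
    return ((switch_in(ethernet) >> eth_pol) +
            (switch_in(gateway) >> gw_pol) +
            (switch_in(ip_core) >> ip_pol))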
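def example_setup(num_clients=3, num_servers=3):
    """Build the gateway example with a firewall and load balancer in the core.

    Virtual switch groups: an Ethernet island (switches 2, 3, 4 plus edge
    switch 1000), an IP core (5, 6, 7 plus edge 1002) virtualized into one
    switch, and one gateway switch (1001) joining 10.0.0.0/24 and 10.0.1.0/24.
    Clients talk to the virtual address 10.0.1.100, which the load balancer
    spreads over the real servers.

    Args:
        num_clients: hosts on the Ethernet side, addressed 10.0.0.2 upward.
        num_servers: real servers on the IP side, addressed 10.0.1.2 upward.

    Returns:
        The parallel composition of one policy per switch group.
    """
    ### EXAMPLE PARAMETERS
    # NETWORK BREAKDOWN
    ethernet = [2, 3, 4, 1000]
    ip_core = [5, 6, 7, 1002]
    gateway = [1001]

    # SUBNET ADDRESSING
    eth_prefix = '10.0.0.'
    ip_prefix = '10.0.1.'
    prefix_len = 24
    eth_cidr = eth_prefix + '0/' + str(prefix_len)
    ip_cidr = ip_prefix + '0/' + str(prefix_len)

    # END HOST ADDRESSES
    public_ip = IP('10.0.1.100')
    fake_mac = MAC('BB:BB:BB:BB:BB:BB')

    def _host_mac(n):
        # Host index n fills the low two bytes so the address stays a valid
        # MAC for any host count ('...:0' + str(n) broke once n reached 10).
        # Identical to the old scheme for n <= 9.
        return MAC('00:00:00:00:%02x:%02x' % (n >> 8, n & 0xff))

    # Hosts are numbered 1.. across both subnets; host i lives at <prefix>.(i+1).
    eth_macs = {
        IP(eth_prefix + str(i + 1)): _host_mac(i)
        for i in range(1, 1 + num_clients)
    }
    ip_macs = {
        IP(ip_prefix + str(i + 1)): _host_mac(i + num_clients)
        for i in range(1, 1 + num_servers)
    }
    # Merge via update(); concatenating items() only works on Python 2.
    host_macs = dict(eth_macs)
    host_macs.update(ip_macs)
    # No real host sits behind public_ip; the gateway answers for it with a
    # made-up MAC.
    host_macs.update({IP(public_ip): fake_mac})

    # PARAMETERS FOR FIREWALL/LOAD BALANCER
    # R: the real servers behind public_ip (the same addresses as ip_macs).
    # H: every client mapped to 0 -- presumably an initial per-client
    #    counter for lb; confirm against lb's definition.
    # W: (client, public_ip) pairs handed to fw.  Clients are only ever
    #    whitelisted toward the virtual address, never a real server.
    R = [IP(ip_prefix + str(i)) for i in range(2, 2 + num_servers)]
    H = {IP(eth_prefix + str(i)): 0 for i in range(2, 2 + num_clients)}
    W = {(c, public_ip) for c in H}

    ### POLICIES FOR THIS EXAMPLE
    eth_pol = mac_learner()
    # Spread public_ip over R, then rewrite the destination MAC to the chosen
    # server's so the rewritten packet is actually deliverable.
    alb = dynamic(lb)(public_ip, R, H) >> fix_dstmac(ip_macs)
    # ARP bypasses the firewall so hosts can resolve the gateway.
    # NOTE(review): this also leaves ARP from either side entirely unfiltered.
    afw = if_(ARP, passthrough, dynamic(fw)(W))
    # Client -> server traffic is firewalled first and then balanced; the
    # reverse direction is un-balanced first so the firewall is presented
    # with the (client, public_ip) pair rather than a real server address
    # (presumably what lb's reverse rewrite yields -- confirm).
    ip_pol = if_(match(srcip=eth_cidr), afw >> alb, alb >> afw) >> mac_learner()
    # The whole IP core is presented as one virtual switch (id 5).
    ip_pol = virtualize(ip_pol, BFS_vdef(name=5, from_switches=ip_core))
    gw_pol = gateway_forwarder(eth_cidr, ip_cidr, host_macs)
    return (switch_in(ethernet)[eth_pol] +
            switch_in(gateway)[gw_pol] +
            switch_in(ip_core)[ip_pol])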
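def example_setup(num_clients=3, num_servers=3):
    """Build the gateway example with a firewall and load balancer in the core.

    Virtual switch groups: an Ethernet island (switches 2, 3, 4 plus edge
    switch 1000), an IP core (5, 6, 7 plus edge 1002) virtualized into one
    switch, and one gateway switch (1001) joining 10.0.0.0/24 and 10.0.1.0/24.
    Clients talk to the virtual address 10.0.1.100, which the load balancer
    spreads over the real servers.

    Args:
        num_clients: hosts on the Ethernet side, addressed 10.0.0.2 upward.
        num_servers: real servers on the IP side, addressed 10.0.1.2 upward.

    Returns:
        The parallel composition of one policy per switch group.
    """
    ### EXAMPLE PARAMETERS
    # NETWORK BREAKDOWN
    ethernet = [2, 3, 4, 1000]
    ip_core = [5, 6, 7, 1002]
    gateway = [1001]

    # SUBNET ADDRESSING
    eth_prefix = '10.0.0.'
    ip_prefix = '10.0.1.'
    prefix_len = 24
    eth_cidr = eth_prefix + '0/' + str(prefix_len)
    ip_cidr = ip_prefix + '0/' + str(prefix_len)

    # END HOST ADDRESSES
    public_ip = IP('10.0.1.100')
    fake_mac = MAC('BB:BB:BB:BB:BB:BB')

    def _host_mac(n):
        # Host index n fills the low two bytes so the address stays a valid
        # MAC for any host count ('...:0' + str(n) broke once n reached 10).
        # Identical to the old scheme for n <= 9.
        return MAC('00:00:00:00:%02x:%02x' % (n >> 8, n & 0xff))

    # Hosts are numbered 1.. across both subnets; host i lives at <prefix>.(i+1).
    eth_macs = {
        IP(eth_prefix + str(i + 1)): _host_mac(i)
        for i in range(1, 1 + num_clients)
    }
    ip_macs = {
        IP(ip_prefix + str(i + 1)): _host_mac(i + num_clients)
        for i in range(1, 1 + num_servers)
    }
    # Merge via update(); concatenating items() only works on Python 2.
    host_macs = dict(eth_macs)
    host_macs.update(ip_macs)
    # No real host sits behind public_ip; the gateway answers for it with a
    # made-up MAC.
    host_macs.update({IP(public_ip): fake_mac})

    # PARAMETERS FOR FIREWALL/LOAD BALANCER
    # R: the real servers behind public_ip (the same addresses as ip_macs).
    # H: every client mapped to 0 -- presumably an initial per-client
    #    counter for lb; confirm against lb's definition.
    # W: (client, public_ip) pairs handed to fw.  Clients are only ever
    #    whitelisted toward the virtual address, never a real server.
    R = [IP(ip_prefix + str(i)) for i in range(2, 2 + num_servers)]
    H = {IP(eth_prefix + str(i)): 0 for i in range(2, 2 + num_clients)}
    W = {(c, public_ip) for c in H}

    ### POLICIES FOR THIS EXAMPLE
    eth_pol = mac_learner()
    # Spread public_ip over R, then rewrite the destination MAC to the chosen
    # server's so the rewritten packet is actually deliverable.
    alb = dynamic(lb)(public_ip, R, H) >> fix_dstmac(ip_macs)
    # ARP bypasses the firewall so hosts can resolve the gateway.
    # NOTE(review): this also leaves ARP from either side entirely unfiltered.
    afw = if_(ARP, passthrough, dynamic(fw)(W))
    # Client -> server traffic is firewalled first and then balanced; the
    # reverse direction is un-balanced first so the firewall is presented
    # with the (client, public_ip) pair rather than a real server address
    # (presumably what lb's reverse rewrite yields -- confirm).
    ip_pol = if_(match(srcip=eth_cidr), afw >> alb, alb >> afw) >> mac_learner()
    # The whole IP core is presented as one virtual switch (id 5).
    ip_pol = virtualize(ip_pol, BFS_vdef(name=5, from_switches=ip_core))
    gw_pol = gateway_forwarder(eth_cidr, ip_cidr, host_macs)
    return ((switch_in(ethernet) & eth_pol) +
            (switch_in(gateway) & gw_pol) +
            (switch_in(ip_core) & ip_pol))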
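def setup(num_internet_hosts=253, num_dmz_servers=1, num_internal_hosts=2):
    """Build the policy for the firewall / blackhole-redirector exercise.

    Virtual components (switch ids): internal network edge (1000), gateway
    (1001), blackhole checker/redirector (1002), firewall (1003) and internet
    edge (1004).  Internal hosts and the DMZ server live in 10.1.1.0/24,
    "internet" hosts in 10.1.2.0/24; see figure 2 of the exercise.

    Args:
        num_internet_hosts: hosts on the internet side.  They all share one
            MAC -- presumably the router standing in for the internet;
            confirm against the topology.
        num_dmz_servers: internal hosts that also accept connections
            initiated from the internet.
        num_internal_hosts: internal hosts that may only initiate outbound.

    Returns:
        Parallel composition of one policy per virtual switch.
    """
    #-----------------
    #Network breakdown (virtual components)
    internal_net_edge = [1000]
    gateway = [1001]
    blackhole_checker_redirector = [1002]
    firewall = [1003]
    internet_edge = [1004]

    #-----------------
    #IP subnets
    internal_prefix = '10.1.1.'
    internet_prefix = '10.1.2.'
    prefix_len = 24
    internal_cidr = internal_prefix + '0/' + str(prefix_len)
    internet_cidr = internet_prefix + '0/' + str(prefix_len)

    #-----------------
    #End hosts and servers
    def _host_mac(n):
        # Host index n fills the low two bytes so the address stays a valid
        # MAC for any host count ('...:0' + str(n) broke once n reached 10).
        # Identical to the old scheme for n <= 9.
        return MAC('00:00:00:00:%02x:%02x' % (n >> 8, n & 0xff))

    # Internal host i (1-based) sits at 10.1.1.(i+1) with MAC index i; the
    # DMZ servers are simply the last num_dmz_servers of them.
    num_internal = num_internal_hosts + num_dmz_servers
    internal_ip_to_macs = {
        IP(internal_prefix + str(i + 1)): _host_mac(i)
        for i in range(1, 1 + num_internal)
    }
    # Every internet-side address resolves to the single MAC right after the
    # internal ones (00:...:04 with the defaults).  Deriving it from the host
    # count keeps it from colliding with an internal MAC when the counts grow.
    internet_mac_index = num_internal + 1
    internet_ip_to_macs = {
        IP(internet_prefix + str(i + 1)): _host_mac(internet_mac_index)
        for i in range(1, 1 + num_internet_hosts)
    }
    # Merge via update(); concatenating items() only works on Python 2.
    host_ip_to_macs = dict(internal_ip_to_macs)
    host_ip_to_macs.update(internet_ip_to_macs)

    #-----------------
    #params for blackhole checker/redirector
    # Threshold rate of packets belonging to the same (srcip, dstip, dstport)
    # flow.  Above it the flow is treated as a possible DoS and redirected to
    # the blackhole host for further examination.  Careful with TCP: ACKs and
    # retransmissions of a legitimate connection count toward the rate too.
    threshold_rate = 5  # packets per sec (tune if needed)
    blackhole_port_dict = {'untrusted': 2, 'trusted': 1, 'blackhole': 3}  # see exercise setup (figure 2)
    ips_and_tcp_ports_to_protect = [("10.1.1.4", 80)]  # protect the Apache server
    # The protected servers are also the hosts the firewall lets the internet
    # reach, so the whitelist is derived from this one list rather than
    # repeating the address literal.
    dmz_server_ips = set(ip for ip, _port in ips_and_tcp_ports_to_protect)

    #-----------------
    #params for firewall
    firewall_port_dict = {'untrusted': 2, 'trusted': 1}  # see exercise setup (ports of firewall, figure 2)
    # fw expects (srcip, dstip) string pairs.  Every internal host may
    # initiate toward any internet host; only the DMZ servers additionally
    # accept connections initiated from the internet.  Replies to
    # internal-initiated connections are presumably admitted by fw's own
    # connection state, not by the whitelist -- confirm in fw.
    # NOTE(review): the whitelist is keyed on addresses only, so as far as
    # this file shows nothing restricts which port or protocol an internet
    # host may use toward the DMZ server; the TCP ports above only drive
    # the rate monitor.
    whitelist = set()
    for internal_addr in internal_ip_to_macs:
        internal_ip = str(internal_addr)
        inbound_allowed = internal_ip in dmz_server_ips
        for internet_addr in internet_ip_to_macs:
            internet_ip = str(internet_addr)
            whitelist.add((internal_ip, internet_ip))
            if inbound_allowed:
                whitelist.add((internet_ip, internal_ip))
    print("Firewall whitelist")
    print(whitelist)

    #-----------------
    #policies
    # Rate-monitor the protected flows and divert offenders to the blackhole port.
    blackhole_pol = BlackholeCheckerRedirector(threshold_rate, blackhole_port_dict,
                                               ips_and_tcp_ports_to_protect)
    # ARP must bypass the whitelist or hosts can never resolve the gateway;
    # everything else passes fw(whitelist) and survivors are forwarded between
    # the trusted and untrusted ports.
    # NOTE(review): the ARP bypass also means ARP from the untrusted side is
    # not filtered at all.
    firewall_pol = (if_(ARP, passthrough, fw(whitelist)) >>
                    dumb_forwarder(firewall_port_dict['trusted'],
                                   firewall_port_dict['untrusted']))
    # Both edges are plain learning switches.
    eth_pol = mac_learner()
    ip_pol = mac_learner()
    gw_pol = gateway_forwarder(internal_cidr, internet_cidr, host_ip_to_macs)
    return ((switch_in(blackhole_checker_redirector) >> blackhole_pol) +
            (switch_in(firewall) >> firewall_pol) +
            (switch_in(internal_net_edge) >> eth_pol) +
            (switch_in(gateway) >> gw_pol) +
            (switch_in(internet_edge) >> ip_pol))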
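def setup(num_internet_hosts=253, num_dmz_servers=1, num_internal_hosts=2):
    """Build the policy for the flow-monitor / blackhole-redirector project.

    Virtual components (switch ids): internal network edge (1000), gateway
    (1001), flow monitor + blackhole redirector (1002), stateful firewall
    (1003) and internet edge (1004).  Internal hosts and the DMZ server live
    in 10.1.1.0/24, "internet" hosts in 10.1.2.0/24; see figure 2 of the
    project description.

    Args:
        num_internet_hosts: hosts on the internet side.  They all share one
            MAC -- presumably the router standing in for the internet;
            confirm against the topology.
        num_dmz_servers: internal hosts that also accept connections
            initiated from the internet.
        num_internal_hosts: internal hosts that may only initiate outbound.

    Returns:
        Parallel composition of one policy per virtual switch.
    """
    #-----------------
    #Network breakdown (the virtual components in Pyretic)
    internal_net_edge = [1000]
    gateway = [1001]
    flow_monitor_blackhole_redirector = [1002]
    firewall = [1003]
    internet_edge = [1004]

    #-----------------
    #IP subnets
    internal_prefix = '10.1.1.'
    internet_prefix = '10.1.2.'
    prefix_len = 24
    internal_cidr = internal_prefix + '0/' + str(prefix_len)
    internet_cidr = internet_prefix + '0/' + str(prefix_len)

    #-----------------
    #End hosts and servers
    def _host_mac(n):
        # Host index n fills the low two bytes so the address stays a valid
        # MAC for any host count ('...:0' + str(n) broke once n reached 10).
        # Identical to the old scheme for n <= 9.
        return MAC('00:00:00:00:%02x:%02x' % (n >> 8, n & 0xff))

    # Internal host i (1-based) sits at 10.1.1.i with MAC index i; the DMZ
    # servers are simply the last num_dmz_servers of them.
    num_internal = num_internal_hosts + num_dmz_servers
    internal_ip_to_macs = {
        IP(internal_prefix + str(i)): _host_mac(i)
        for i in range(1, 1 + num_internal)
    }
    # Every internet-side address resolves to the single MAC right after the
    # internal ones (00:...:04 with the defaults).  Deriving it from the host
    # count keeps it from colliding with an internal MAC when the counts grow.
    internet_mac_index = num_internal + 1
    internet_ip_to_macs = {
        IP(internet_prefix + str(i)): _host_mac(internet_mac_index)
        for i in range(1, 1 + num_internet_hosts)
    }
    # Merge via update(); concatenating items() only works on Python 2.
    host_ip_to_macs = dict(internal_ip_to_macs)
    host_ip_to_macs.update(internet_ip_to_macs)
    print("Third Arguement:" + str(host_ip_to_macs))

    #-----------------
    #Parameters for flow monitor and blackhole redirector.
    # Threshold rate of packets belonging to the same (srcip, dstip, dstport)
    # flow.  Above it the flow is suspected to be a DoS attack and is
    # redirected to the blackhole host.  Careful with TCP: ACKs and
    # retransmissions of a legitimate connection count toward the rate too.
    threshold_rate = 5  # packets per sec (change to experiment)
    blackhole_port_dict = {'untrusted': 2, 'trusted': 1, 'blackhole': 3}  # see Figure 2 in the project description
    ips_and_tcp_ports_to_protect = [("10.1.1.3", 80)]  # protect the Apache server
    # The protected servers are also the hosts the firewall lets the internet
    # reach, so the whitelist is derived from this one list rather than
    # repeating the address literal.
    dmz_server_ips = set(ip for ip, _port in ips_and_tcp_ports_to_protect)

    #-----------------
    #Parameters for the stateful firewall
    firewall_port_dict = {'untrusted': 2, 'trusted': 1}  # see Figure 2 in project description
    # Whitelist of (srcip, dstip) string pairs, as fw expects it.  Every
    # internal host may initiate toward any internet host; only the DMZ
    # servers additionally accept connections initiated from the internet.
    # Replies to internal-initiated connections are presumably admitted by
    # the firewall's connection state, not by the whitelist -- confirm in fw.
    # NOTE(review): the whitelist is keyed on addresses only, so as far as
    # this file shows nothing restricts which port or protocol an internet
    # host may use toward the DMZ server; the TCP ports above only drive
    # the flow monitor.
    whitelist = set()
    for internal_addr in internal_ip_to_macs:
        internal_ip = str(internal_addr)
        inbound_allowed = internal_ip in dmz_server_ips
        for internet_addr in internet_ip_to_macs:
            internet_ip = str(internet_addr)
            whitelist.add((internal_ip, internet_ip))
            if inbound_allowed:
                whitelist.add((internet_ip, internal_ip))
    print("Firewall whitelist:")
    print(whitelist)

    #-----------------
    #Define policies
    # Both edges are plain learning switches.
    internal_network_edge_policy = mac_learner()
    gateway_policy = gateway_forwarder(internal_cidr, internet_cidr, host_ip_to_macs)
    # Rate-monitor the protected flows and divert offenders to the blackhole port.
    blackhole_policy = FlowMonitorBlackholeRedirector(threshold_rate,
                                                      blackhole_port_dict,
                                                      ips_and_tcp_ports_to_protect)
    internet_edge_policy = mac_learner()
    # ARP must bypass the whitelist or hosts can never resolve the gateway;
    # everything else passes fw(whitelist) and survivors are forwarded between
    # the trusted and untrusted ports.
    # NOTE(review): the ARP bypass also means ARP from the untrusted side is
    # not filtered at all.
    firewall_policy = (if_(ARP, passthrough, fw(whitelist)) >>
                       dumb_forwarder(firewall_port_dict['trusted'],
                                      firewall_port_dict['untrusted']))

    #-----------------
    # Combine the per-switch policies (cf. gateway_3switch_example_basic.py
    # in ~/pyretic/pyretic/examples).
    return ((switch_in(internal_net_edge) >> internal_network_edge_policy) +
            (switch_in(gateway) >> gateway_policy) +
            (switch_in(flow_monitor_blackhole_redirector) >> blackhole_policy) +
            (switch_in(firewall) >> firewall_policy) +
            (switch_in(internet_edge) >> internet_edge_policy))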
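def setup(num_internet_hosts=253, num_dmz_servers=1, num_internal_hosts=2):
    """Build the policy for the flow-monitor / blackhole-redirector project.

    Virtual components (switch ids): internal network edge (1000), gateway
    (1001), flow monitor + blackhole redirector (1002), stateful firewall
    (1003) and internet edge (1004).  Internal hosts and the DMZ server live
    in 10.1.1.0/24, "internet" hosts in 10.1.2.0/24; see figure 2 of the
    project description.

    Args:
        num_internet_hosts: hosts on the internet side.  They all share one
            MAC -- presumably the router standing in for the internet;
            confirm against the topology.
        num_dmz_servers: internal hosts that also accept connections
            initiated from the internet.
        num_internal_hosts: internal hosts that may only initiate outbound.

    Returns:
        Parallel composition of one policy per virtual switch.
    """
    #-----------------
    #Network breakdown (the virtual components in Pyretic)
    internal_net_edge = [1000]
    gateway = [1001]
    flow_monitor_blackhole_redirector = [1002]
    firewall = [1003]
    internet_edge = [1004]

    #-----------------
    #IP subnets
    internal_prefix = '10.1.1.'
    internet_prefix = '10.1.2.'
    prefix_len = 24
    internal_cidr = internal_prefix + '0/' + str(prefix_len)
    internet_cidr = internet_prefix + '0/' + str(prefix_len)

    #-----------------
    #End hosts and servers
    def _host_mac(n):
        # Host index n fills the low two bytes so the address stays a valid
        # MAC for any host count ('...:0' + str(n) broke once n reached 10).
        # Identical to the old scheme for n <= 9.
        return MAC('00:00:00:00:%02x:%02x' % (n >> 8, n & 0xff))

    # Internal host i (1-based) sits at 10.1.1.i with MAC index i; the DMZ
    # servers are simply the last num_dmz_servers of them.
    num_internal = num_internal_hosts + num_dmz_servers
    internal_ip_to_macs = {
        IP(internal_prefix + str(i)): _host_mac(i)
        for i in range(1, 1 + num_internal)
    }
    # Every internet-side address resolves to the single MAC right after the
    # internal ones (00:...:04 with the defaults).  Deriving it from the host
    # count keeps it from colliding with an internal MAC when the counts grow.
    internet_mac_index = num_internal + 1
    internet_ip_to_macs = {
        IP(internet_prefix + str(i)): _host_mac(internet_mac_index)
        for i in range(1, 1 + num_internet_hosts)
    }
    # Merge via update(); concatenating items() only works on Python 2.
    host_ip_to_macs = dict(internal_ip_to_macs)
    host_ip_to_macs.update(internet_ip_to_macs)
    print("Third Arguement:" + str(host_ip_to_macs))

    #-----------------
    #Parameters for flow monitor and blackhole redirector.
    # Threshold rate of packets belonging to the same (srcip, dstip, dstport)
    # flow.  Above it the flow is suspected to be a DoS attack and is
    # redirected to the blackhole host.  Careful with TCP: ACKs and
    # retransmissions of a legitimate connection count toward the rate too.
    threshold_rate = 5  # packets per sec (change to experiment)
    blackhole_port_dict = {
        'untrusted': 2,
        'trusted': 1,
        'blackhole': 3
    }  # see Figure 2 in the project description
    ips_and_tcp_ports_to_protect = [("10.1.1.3", 80)]  # protect the Apache server
    # The protected servers are also the hosts the firewall lets the internet
    # reach, so the whitelist is derived from this one list rather than
    # repeating the address literal.
    dmz_server_ips = set(ip for ip, _port in ips_and_tcp_ports_to_protect)

    #-----------------
    #Parameters for the stateful firewall
    firewall_port_dict = {
        'untrusted': 2,
        'trusted': 1
    }  # see Figure 2 in project description
    # Whitelist of (srcip, dstip) string pairs, as fw expects it.  Every
    # internal host may initiate toward any internet host; only the DMZ
    # servers additionally accept connections initiated from the internet.
    # Replies to internal-initiated connections are presumably admitted by
    # the firewall's connection state, not by the whitelist -- confirm in fw.
    # NOTE(review): the whitelist is keyed on addresses only, so as far as
    # this file shows nothing restricts which port or protocol an internet
    # host may use toward the DMZ server; the TCP ports above only drive
    # the flow monitor.
    whitelist = set()
    for internal_addr in internal_ip_to_macs:
        internal_ip = str(internal_addr)
        inbound_allowed = internal_ip in dmz_server_ips
        for internet_addr in internet_ip_to_macs:
            internet_ip = str(internet_addr)
            whitelist.add((internal_ip, internet_ip))
            if inbound_allowed:
                whitelist.add((internet_ip, internal_ip))
    print("Firewall whitelist:")
    print(whitelist)

    #-----------------
    #Define policies
    # Both edges are plain learning switches.
    internal_network_edge_policy = mac_learner()
    gateway_policy = gateway_forwarder(internal_cidr, internet_cidr,
                                       host_ip_to_macs)
    # Rate-monitor the protected flows and divert offenders to the blackhole port.
    blackhole_policy = FlowMonitorBlackholeRedirector(
        threshold_rate, blackhole_port_dict, ips_and_tcp_ports_to_protect)
    internet_edge_policy = mac_learner()
    # ARP must bypass the whitelist or hosts can never resolve the gateway;
    # everything else passes fw(whitelist) and survivors are forwarded between
    # the trusted and untrusted ports.
    # NOTE(review): the ARP bypass also means ARP from the untrusted side is
    # not filtered at all.
    firewall_policy = (if_(ARP, passthrough, fw(whitelist)) >>
                       dumb_forwarder(firewall_port_dict['trusted'],
                                      firewall_port_dict['untrusted']))

    #-----------------
    # Combine the per-switch policies (cf. gateway_3switch_example_basic.py
    # in ~/pyretic/pyretic/examples).
    return (
        (switch_in(internal_net_edge) >> internal_network_edge_policy) +
        (switch_in(gateway) >> gateway_policy) +
        (switch_in(flow_monitor_blackhole_redirector) >> blackhole_policy) +
        (switch_in(firewall) >> firewall_policy) +
        (switch_in(internet_edge) >> internet_edge_policy))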
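def setup(num_internet_hosts=253, num_dmz_servers=2, num_internal_hosts=4):
    """Build the policy for the firewall / blackhole-redirector exercise.

    Virtual components (switch ids): internal network edge (1000), gateway
    (1001), blackhole checker/redirector (1002), firewall (1003) and internet
    edge (1004).  Internal hosts and the DMZ servers (ssh and Apache) live
    in 10.1.1.0/24, "internet" hosts in 10.1.2.0/24; see figure 2 of the
    exercise.

    Args:
        num_internet_hosts: hosts on the internet side.  They all share one
            MAC -- presumably the router standing in for the internet;
            confirm against the topology.
        num_dmz_servers: internal hosts that also accept connections
            initiated from the internet.
        num_internal_hosts: internal hosts that may only initiate outbound.

    Returns:
        Parallel composition of one policy per virtual switch.
    """
    #-----------------
    #Network breakdown (virtual components)
    internal_net_edge = [1000]
    gateway = [1001]
    blackhole_checker_redirector = [1002]
    firewall = [1003]
    internet_edge = [1004]

    #-----------------
    #IP subnets
    internal_prefix = '10.1.1.'
    internet_prefix = '10.1.2.'
    prefix_len = 24
    internal_cidr = internal_prefix + '0/' + str(prefix_len)
    internet_cidr = internet_prefix + '0/' + str(prefix_len)

    #-----------------
    #End hosts and servers
    def _host_mac(n):
        # Host index n fills the low two bytes so the address stays a valid
        # MAC for any host count ('...:0' + str(n) broke once n reached 10).
        # Identical to the old scheme for n <= 9.
        return MAC('00:00:00:00:%02x:%02x' % (n >> 8, n & 0xff))

    # Internal host i (1-based) sits at 10.1.1.(i+1) with MAC index i; the
    # DMZ servers are simply the last num_dmz_servers of them.
    num_internal = num_internal_hosts + num_dmz_servers
    internal_ip_to_macs = {
        IP(internal_prefix + str(i + 1)): _host_mac(i)
        for i in range(1, 1 + num_internal)
    }
    # Every internet-side address resolves to the single MAC right after the
    # internal ones (00:...:07 with the defaults).  Deriving it from the host
    # count keeps it from colliding with an internal MAC when the counts grow.
    internet_mac_index = num_internal + 1
    internet_ip_to_macs = {
        IP(internet_prefix + str(i + 1)): _host_mac(internet_mac_index)
        for i in range(1, 1 + num_internet_hosts)
    }
    # Merge via update(); concatenating items() only works on Python 2.
    host_ip_to_macs = dict(internal_ip_to_macs)
    host_ip_to_macs.update(internet_ip_to_macs)

    #-----------------
    #params for blackhole checker/redirector
    # Threshold rate of packets belonging to the same (srcip, dstip, dstport)
    # flow.  Above it the flow is treated as a possible DoS and redirected to
    # the blackhole.  Careful with TCP: ACKs and retransmissions of a
    # legitimate connection count toward the rate too.
    threshold_rate = 6  # packets per sec (tune if needed)
    blackhole_port_dict = {'untrusted': 2, 'trusted': 1, 'blackhole': 3}  # see exercise setup (figure 2)
    ips_and_tcp_ports_to_protect = [("10.1.1.6", 22), ("10.1.1.7", 80)]  # protect ssh and apache servers
    # The protected servers are also the hosts the firewall lets the internet
    # reach, so the whitelist is derived from this one list rather than
    # repeating the address literals.
    dmz_server_ips = set(ip for ip, _port in ips_and_tcp_ports_to_protect)

    #-----------------
    #params for firewall
    firewall_port_dict = {'untrusted': 2, 'trusted': 1}  # see exercise setup (ports of firewall, figure 2)
    # Whitelist of (srcip, dstip) string pairs, as fw expects it.  Every
    # internal host may initiate toward any internet host; only the DMZ
    # servers additionally accept connections initiated from the internet.
    # Replies to internal-initiated connections are presumably admitted by
    # fw's own connection state, not by the whitelist -- confirm in fw.
    # NOTE(review): the whitelist is keyed on addresses only, so as far as
    # this file shows nothing restricts which port or protocol an internet
    # host may use toward the DMZ servers; the TCP ports above only drive
    # the rate monitor.
    whitelist = set()
    for internal_addr in internal_ip_to_macs:
        internal_ip = str(internal_addr)
        inbound_allowed = internal_ip in dmz_server_ips
        for internet_addr in internet_ip_to_macs:
            internet_ip = str(internet_addr)
            whitelist.add((internal_ip, internet_ip))
            if inbound_allowed:
                whitelist.add((internet_ip, internal_ip))

    #-----------------
    #policies
    # Both edges are plain learning switches.
    internal_pol = mac_learner()
    gateway_pol = gateway_forwarder(internal_cidr, internet_cidr, host_ip_to_macs)
    # Rate-monitor the protected flows and divert offenders to the blackhole port.
    blackhole_pol = BlackholeCheckerRedirector(threshold_rate, blackhole_port_dict,
                                               ips_and_tcp_ports_to_protect)
    # ARP must bypass the whitelist or hosts can never resolve the gateway;
    # everything else passes fw(whitelist) and survivors are forwarded between
    # the trusted and untrusted ports.
    # NOTE(review): the ARP bypass also means ARP from the untrusted side is
    # not filtered at all.
    firewall_pol = (if_(ARP, passthrough, fw(whitelist)) >>
                    dumb_forwarder(firewall_port_dict['trusted'],
                                   firewall_port_dict['untrusted']))
    internet_pol = mac_learner()

    #-----------------
    # Combine the per-switch policies (cf. gateway_3switch_example_basic.py).
    return ((switch_in(internal_net_edge) >> internal_pol) +
            (switch_in(gateway) >> gateway_pol) +
            (switch_in(blackhole_checker_redirector) >> blackhole_pol) +
            (switch_in(firewall) >> firewall_pol) +
            (switch_in(internet_edge) >> internet_pol))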