For distributed applications in the digital era, robust security policies are essential. Because in today's demanding, data-intensive environments, external denial of service (DoS) attacks can easily undermine system performance and affect reliability, unless network layer policy enforcement is as powerful as the systems it’s safeguarding.
Based on the Data Distribution Service (DDS™) standard, RTI Connext Secure effectively addresses this challenge, providing comprehensive security mechanisms for DDS-based systems. This solution offers a blend of authentication, encryption, access control, and integration with external security infrastructures. With these tools, Connext Secure is designed to protect data integrity and confidentiality, leveraging the benefits of data centricity to set and enforce next-level security.
A Dual Approach to Security
Mutual authentication systems can be vulnerable to DoS attacks. These attacks exhaust system resources by exploiting the authentication process. To counter this, RTI has been exploring advanced techniques to 'harden' network security beyond pre-shared secrets. This includes leveraging network-level policy-enforcement capabilities available in modern operating systems and routers to provide an additional layer of security at the network layer.
RTI’s Research Team has been investigating how to enhance Connext Secure deployments without relying on pre-shared secrets. This approach involves enforcing policies at Layer 2 of the network, adding another dimension to secure data distribution. The primary advantage is augmenting existing security mechanisms, offering additional protection even in systems that opt not to use DDS-Security™. This is particularly beneficial for retrofitting legacy systems or extending security to resource-constrained environments.
Policy Enforcement Implementation and Benefits
RTI Research recently completed a Proof of Concept (PoC) of its recent work on network policy enforcement. Three different Policy Enforcement Point (PEP) architectures were explored:
- Distributed Per-Node PEP: Applied to each network node, allowing individualized rule enforcement.
- Packet Routing PEP: Centralized rule enforcement on routers, managing LAN-WAN network traffic.
- Packet Bridging PEP: Implemented on a managed switch, it enforces rules within a LAN without needing node-specific installations.
The prototypes used enabled complex rule expressions and deep packet inspection, crucial for precise policy enforcement. The use of VLAN tagging and managed switches in Packet Bridging PEP demonstrated the feasibility of enforcing policies at the packet switching layer.
This blog post is meant to highlight a more dynamic and innovative approach to enforcing DDS policies at the network level. Crucially, these prototypes can lay the groundwork for more secure distributed systems. As the research progresses, it opens up new possibilities for DDS traffic control, extending beyond topic filtering to Quality of Service (QoS) and content-based filtering. We plan to share more results from this work as the research evolves.
In the meantime, we invite you to read about the detailed prototype implementations here.
About the author:
Gianpiero Napoli, with over 15 years at RTI, began in the Core team, where he has contributed to the RTI Connext core libraries and products.
He contributed to the design, development and productization of RTI System Designer, a user-friendly UI for designing distributed systems with RTI Connext.
Gianpiero holds a Master's degree in Computer Engineering from the University of Bologna (Italy).
Posts by Tag
- Connext DDS Suite
- Standards & Consortia
- News & Events
- Aerospace & Defense
- Culture & Careers
- Connext DDS Secure
- Connext DDS Tools
- Connext DDS Pro
- Energy Systems
- Military Avionics
- Connext DDS Micro
- ROS 2
- Connext DDS Cert
- Connectivity Technology
- Oil & Gas
- Connext Conference
- Connext DDS
- RTI Labs
- Case + Code
- FACE Technical Standard
- Edge Computing
- Other Markets
- ISO 26262
- National Instruments
- Tech Talks