
Addressing DoS Attacks: Innovations in Network Layer Policy Enforcement


**Please note that with the April 2024 release of Connext Professional 7.3 LTS, the functionality formerly comprising Connext Secure is now available as an optional component of Connext Professional, named Security Extensions.**

For distributed applications in the digital era, robust security policies are essential. In today's demanding, data-intensive environments, an external denial of service (DoS) attack can easily degrade system performance and reliability unless network layer policy enforcement is as capable as the systems it safeguards.

Based on the Data Distribution Service (DDS) standard, RTI Connext Secure addresses this challenge by providing the DDS-Security mechanisms for DDS-based systems: authentication, encryption, access control, and integration with external security infrastructures. With these tools, Connext Secure protects data integrity and confidentiality and uses the data-centric model to express and enforce security policy at the level of topics and participants.

A Dual Approach to Security

Mutual authentication systems can be vulnerable to DoS attacks that exhaust system resources by exploiting the authentication process itself: each newly discovered participant triggers a handshake that verifies certificates and performs key agreement before the peer is trusted, so an attacker who can reach the discovery ports can force a node to spend CPU and memory on peers that will never authenticate. To counter this, RTI has been exploring techniques to harden network security beyond pre-shared secrets, including the network-level policy-enforcement capabilities available in modern operating systems and routers, to add a layer of protection at the network layer.

RTI’s Research Team has been investigating how to enhance Connext Secure deployments without relying on pre-shared secrets. This approach enforces policies at Layer 2 of the network (and, for router-based enforcement, Layer 3), below DDS itself, adding another dimension to secure data distribution. The primary advantage is that it augments existing security mechanisms and still offers protection in systems that opt not to use DDS-Security. This is particularly useful for retrofitting legacy systems or extending security to resource-constrained environments.

Policy Enforcement Implementation and Benefits

RTI Research recently completed a Proof of Concept (PoC) of this network policy enforcement work. Three different Policy Enforcement Point (PEP) architectures were explored:

  1. Distributed Per-Node PEP: Applied to each network node, allowing individualized rule enforcement.
  2. Packet Routing PEP: Centralized rule enforcement on routers, managing LAN-WAN network traffic.
  3. Packet Bridging PEP: Implemented on a managed switch, it enforces rules within a LAN without needing node-specific installations.

The prototypes supported complex rule expressions and deep packet inspection of DDS traffic, both of which are necessary for precise policy enforcement. The use of VLAN tagging and managed switches in the Packet Bridging PEP demonstrated the feasibility of enforcing policies at the packet switching layer.
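As an added illustration of what a per-node PEP (option 1 above) with RTPS-aware deep packet inspection can enforce, and of the discovery-driven handshake exhaustion described in the previous section, here is a toy enforcement point in Python. It is example code written for this post, not RTI's prototype or any part of the Connext code base. The submessage IDs, the DATA layout and the SPDP built-in writer entity ID are standard RTPS 2.x constants; the rate-limit parameters, the source addresses, the vendor ID and the GUID prefixes are assumptions, and every packet is constructed inline.

```python
"""Toy RTPS-aware policy enforcement point (PEP). Added example, not RTI code.

Parses the RTPS header and submessage chain of one UDP payload (wire layout
per the OMG RTPS 2.x specification) and applies a per-node policy: refuse
malformed messages, allow only known GUID prefixes, and rate-limit
participant-discovery (SPDP) DATA per source so a discovery flood cannot
trigger unbounded authentication handshakes. All packets are constructed here.
"""
import struct
from collections import defaultdict, deque

RTPS_MAGIC = b"RTPS"
SM_PAD, SM_INFO_TS, SM_DATA = 0x01, 0x09, 0x15   # submessage IDs, RTPS 2.x
LE_FLAG = 0x01                                   # E flag: little-endian fields
ENTITYID_SPDP_WRITER = 0x000100C2                # built-in participant writer


class RtpsError(ValueError):
    """Anything a strict parser should refuse."""


def parse_rtps(payload: bytes):
    """Return (vendor_id, guid_prefix, [(sm_id, flags, body), ...])."""
    if len(payload) < 20 or payload[:4] != RTPS_MAGIC:
        raise RtpsError("not an RTPS message")
    vendor_id, guid_prefix = payload[6:8], payload[8:20]
    subs, off = [], 20
    while off < len(payload):
        if off + 4 > len(payload):
            raise RtpsError("truncated submessage header")
        sm_id, flags = payload[off], payload[off + 1]
        fmt = "<H" if flags & LE_FLAG else ">H"
        (length,) = struct.unpack(fmt, payload[off + 2:off + 4])
        start = off + 4
        # Spec: octetsToNextHeader == 0 means "runs to end of message",
        # except for PAD and INFO_TS, where it means an empty body.
        end = len(payload) if length == 0 and sm_id not in (SM_PAD, SM_INFO_TS) else start + length
        if end > len(payload):
            raise RtpsError("submessage overruns message")
        subs.append((sm_id, flags, payload[start:end]))
        off = end
    return vendor_id, guid_prefix, subs


def data_writer_id(body: bytes) -> int:
    """writerId of a DATA body: extraFlags(2) octetsToInlineQos(2) readerId(4) writerId(4) SN(8)."""
    if len(body) < 20:
        raise RtpsError("short DATA submessage")
    return struct.unpack(">I", body[8:12])[0]    # EntityId is an octet array, never byte-swapped


class Pep:
    """ACCEPT/DROP for one payload; state is only the per-source SPDP timestamps."""

    def __init__(self, allowed_prefixes=None, spdp_burst=3, window=1.0):
        self.allowed_prefixes = allowed_prefixes    # None: any participant allowed
        self.spdp_burst, self.window = spdp_burst, window
        self._seen = defaultdict(deque)             # src -> recent SPDP DATA times

    def decide(self, src: str, payload: bytes, now: float):
        try:
            _vendor, prefix, subs = parse_rtps(payload)
            writers = [data_writer_id(b) for i, _f, b in subs if i == SM_DATA]
        except RtpsError as e:
            return "DROP", f"malformed: {e}"
        if self.allowed_prefixes is not None and prefix not in self.allowed_prefixes:
            return "DROP", "guid prefix not allowed"
        if ENTITYID_SPDP_WRITER in writers:              # discovery announcement
            q = self._seen[src]
            while q and now - q[0] > self.window:        # slide the window
                q.popleft()
            if len(q) >= self.spdp_burst:
                return "DROP", "spdp rate limit"
            q.append(now)
        return "ACCEPT", "ok"


def build_data_message(guid_prefix: bytes, writer_id: int, seq: int, data=b"") -> bytes:
    """Constructed packet: RTPS 2.3 header + INFO_TS + DATA, little-endian. vendorId 0x0101 assumed."""
    hdr = RTPS_MAGIC + bytes([2, 3]) + b"\x01\x01" + guid_prefix
    info_ts = bytes([SM_INFO_TS, LE_FLAG]) + struct.pack("<H", 8) + struct.pack("<iI", 1, 0)
    body = struct.pack("<HH", 0, 16) + struct.pack(">II", 0, writer_id)   # readerId = UNKNOWN
    body += struct.pack("<iI", 0, seq) + data                              # writerSN high, low
    return hdr + info_ts + bytes([SM_DATA, LE_FLAG]) + struct.pack("<H", len(body)) + body


def demo():
    """Two SPDP announcements per second allowed from one host; the third is dropped."""
    known = bytes(range(12))                      # assumed GUID prefix of a trusted participant
    pep = Pep(allowed_prefixes={known}, spdp_burst=2, window=1.0)
    out = []
    for seq, t in enumerate((0.0, 0.1, 0.2), start=1):
        out.append(pep.decide("10.0.0.5", build_data_message(known, ENTITYID_SPDP_WRITER, seq), t)[0])
    out.append(pep.decide("10.0.0.5", build_data_message(known, ENTITYID_SPDP_WRITER, 4), 1.5)[0])
    out.append(pep.decide("10.0.0.9", build_data_message(b"\xff" * 12, 0x00000102, 1), 0.0)[0])
    out.append(pep.decide("10.0.0.5", b"RTPS\x02\x03\x01\x01" + known + b"\x15\x01\xff\xff", 0.0)[0])
    return out   # ['ACCEPT', 'ACCEPT', 'DROP', 'ACCEPT', 'DROP', 'DROP']
```

In a deployment the same decision logic would sit in a host firewall or packet-filter hook on each node rather than in a Python loop, and rate-limiting by source address only helps where address spoofing is constrained, for example by port security on the managed switch of the bridging variant. The parser is deliberately strict: a submessage whose declared length overruns the datagram is refused rather than clamped, since lenient parsing is exactly what lets malformed traffic slip past an enforcement point.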

This blog post highlights a more dynamic approach to enforcing DDS policies at the network level. These prototypes can lay the groundwork for more secure distributed systems, and as the research progresses it opens up new possibilities for DDS traffic control, extending beyond topic filtering to Quality of Service (QoS) and content-based filtering. We plan to share more results from this work as the research evolves.

In the meantime, we invite you to read about the detailed prototype implementations here. 

About the author:

Gianpiero Napoli, with over 15 years at RTI, began in the Core team, where he contributed to the RTI Connext core libraries and products.

Currently part of the Research Team, Gianpiero led the implementation of a Lua-based scripting engine and integrated it with RTI Prototyper for rapid prototyping. He also designed, implemented and productized a new API, supporting Python and JavaScript through the RTI Connector.

He contributed to the design, development and productization of RTI System Designer, a user-friendly UI for designing distributed systems with RTI Connext.

Gianpiero holds a Master's degree in Computer Engineering from the University of Bologna (Italy).