2 min read
Addressing DoS Attacks: Innovations in Network Layer Policy Enforcement
Gianpiero Napoli : January 30, 2024
**Please note that with the April 2024 release of Connext Professional 7.3 LTS, the functionalities formerly comprising Connext Secure are now available as an optional component to Connext Professional, named Security Extensions.
For distributed applications in the digital era, robust security policies are essential. Because in today's demanding, data-intensive environments, external denial of service (DoS) attacks can easily undermine system performance and affect reliability, unless network layer policy enforcement is as powerful as the systems it’s safeguarding.
Based on the Data Distribution Service (DDS™) standard, RTI Connext Secure effectively addresses this challenge, providing comprehensive security mechanisms for DDS-based systems. This solution offers a blend of authentication, encryption, access control, and integration with external security infrastructures. With these tools, Connext Secure is designed to protect data integrity and confidentiality, leveraging the benefits of data centricity to set and enforce next-level security.
A Dual Approach to Security
Mutual authentication systems can be vulnerable to DoS attacks. These attacks exhaust system resources by exploiting the authentication process. To counter this, RTI has been exploring advanced techniques to 'harden' network security beyond pre-shared secrets. This includes leveraging network-level policy-enforcement capabilities available in modern operating systems and routers to provide an additional layer of security at the network layer.
RTI’s Research Team has been investigating how to enhance Connext Secure deployments without relying on pre-shared secrets. This approach involves enforcing policies at Layer 2 of the network, adding another dimension to secure data distribution. The primary advantage is augmenting existing security mechanisms, offering additional protection even in systems that opt not to use DDS-Security™. This is particularly beneficial for retrofitting legacy systems or extending security to resource-constrained environments.
Policy Enforcement Implementation and Benefits
RTI Research recently completed a Proof of Concept (PoC) of its recent work on network policy enforcement. Three different Policy Enforcement Point (PEP) architectures were explored:
- Distributed Per-Node PEP: Applied to each network node, allowing individualized rule enforcement.
- Packet Routing PEP: Centralized rule enforcement on routers, managing LAN-WAN network traffic.
- Packet Bridging PEP: Implemented on a managed switch, it enforces rules within a LAN without needing node-specific installations.
The prototypes used enabled complex rule expressions and deep packet inspection, crucial for precise policy enforcement. The use of VLAN tagging and managed switches in Packet Bridging PEP demonstrated the feasibility of enforcing policies at the packet switching layer.
This blog post is meant to highlight a more dynamic and innovative approach to enforcing DDS policies at the network level. Crucially, these prototypes can lay the groundwork for more secure distributed systems. As the research progresses, it opens up new possibilities for DDS traffic control, extending beyond topic filtering to Quality of Service (QoS) and content-based filtering. We plan to share more results from this work as the research evolves.
In the meantime, we invite you to read about the detailed prototype implementations here.
About the author:
Gianpiero Napoli, with over 15 years at RTI, began in the Core team, where he has contributed to the RTI Connext core libraries and products.
Currently part of the Research Team, Gianpiero led the implementation of a Lua-based scripting engine, integrating it with RTI Prototyper for rapid prototyping. He also designed, implemented and productized a new API, supporting Python and Javascript through the RTI Connector.
He contributed to the design, development and productization of RTI System Designer, a user-friendly UI for designing distributed systems with RTI Connext.
Gianpiero holds a Master's degree in Computer Engineering from the University of Bologna (Italy).
Posts by Tag
- Developers/Engineer (174)
- Connext DDS Suite (77)
- Technology (74)
- News & Events (71)
- 2020 (54)
- Standards & Consortia (51)
- Aerospace & Defense (47)
- 2023 (35)
- Automotive (34)
- 2022 (29)
- IIoT (27)
- Leadership (24)
- 2024 (20)
- 2021 (19)
- Cybersecurity (19)
- Healthcare (18)
- Military Avionics (15)
- Culture & Careers (14)
- FACE (13)
- Connectivity Technology (10)
- Connext DDS Pro (10)
- JADC2 (10)
- ROS 2 (10)
- Connext DDS Tools (7)
- Connext DDS Micro (6)
- Databus (6)
- Transportation (5)
- Case + Code (4)
- Connext DDS (4)
- Connext DDS Cert (4)
- Energy Systems (4)
- FACE Technical Standard (4)
- Oil & Gas (3)
- RTI Labs (3)
- Research (3)
- Robotics (3)
- #A&D (2)
- Connext Conference (2)
- Edge Computing (2)
- MDO (2)
- MS&T (2)
- TSN (2)
- ABMS (1)
- C4ISR (1)
- ISO 26262 (1)
- L3Harris (1)
- LabView (1)
- MathWorks (1)
- National Instruments (1)
- Simulation (1)
- Tech Talks (1)
- UAM (1)
- Videos (1)
- eVTOL (1)