
exafs's Introduction

ExaFS

ExaFS adds a new layer to the configuration of the routing protocols used to protect backbone network hardware.

The tool extends the network administrator's toolset with an extra layer for creating, validating, and authorizing configuration rules. With this layer, a larger group of network administrators can safely create new BGP rules to mitigate DDoS and other malicious attacks.

ExaFS is open source under the MIT license. The system is in regular use at CESNET, the operator of the Czech national e-infrastructure for science, research and education.

ExaFS provides both a web user interface and a REST API.

The key contributions of the system are its user authorization mechanism and its validation system for BGP commands.

Without ExaFS, root privileges are required for direct interaction with ExaBGP and the networking hardware. ExaFS provides several user roles and access rights, similar to the roles found in other software systems such as SQL databases. User rights can be scoped to particular subnets, following the network topology.

The validation system for BGP commands ensures that only error-free messages reach the BGP API. Both the syntax of a rule and the user's access rights are validated before the new rule is stored in the database.

Thanks to this storage, all rules can be restored quickly after a system reboot or failure. Every rule is validated again when it is loaded from storage and sent to ExaBGP, so that manipulation of the database cannot inject invalid rules.

ExaFS is an integral part of the cybersecurity toolset at CESNET. However, it can be used in any network where ExaBGP is available.

The picture below shows how ExaFS is integrated into the network.

ExaFS integration schema

Project presentations

System overview

ExaFS schema

The central part of ExaFS is a web application written in Python 3.6 with the Flask framework. It provides a user interface for CRUD operations on ExaBGP rules. The application also exposes a REST API with CRUD operations for the configuration rules. The web app uses Shibboleth authorization; the REST API uses token-based authorization.

The app builds the ExaBGP commands and forwards them to ExaAPI. All rules are carefully validated, and only valid rules are stored in the database and sent to the ExaBGP connector.

ExaAPI, the second part of the system, is another web application that replicates each received command to its stdout. The connection between the ExaBGP daemon and the stdout of ExaAPI is specified in the ExaBGP config.

Every time this API receives a command from ExaFS, it replicates the command to the ExaBGP daemon through stdout. The registered daemon then updates the ExaBGP table: it creates, modifies or removes the rule described by the command.

The last part of the system is the Guarda service. This systemctl service runs in the host system and is notified of each restart of the ExaBGP service via the systemctl WantedBy config option. On every restart of ExaBGP, the Guarda service puts all valid and active rules back into the ExaBGP rules table.
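As an added illustration (not code from ExaFS), the replay that the Guarda service performs together with the re-validation described in the introduction: every stored row is checked again before it is rendered into an ExaBGP command, so a row that was altered or expired in the database is rejected instead of replayed. The row layout, the action allowlist and the ExaBGP flowspec command text are assumptions of this example.

```python
# Added illustration, not ExaFS's own code: replay stored rules into ExaBGP after a
# restart, re-validating each row first (row layout, allowlist and command text assumed).
import ipaddress
from datetime import datetime, timezone

ALLOWED_ACTIONS = {"discard"}

def validate_rule(row, now):
    """Return None if the stored row is safe to replay, otherwise a rejection reason."""
    if not row.get("active"):
        return "inactive"
    if row["expires"] <= now:
        return "expired"
    for key in ("source", "destination"):
        try:  # strict=True also rejects prefixes with host bits set, e.g. 10.0.0.1/24
            ipaddress.ip_network(row[key], strict=True)
        except ValueError:
            return f"bad {key} prefix"
    if row["action"] not in ALLOWED_ACTIONS:
        return "bad action"
    return None

def to_exabgp(row):
    """Render a validated row as an ExaBGP flowspec announce command (assumed syntax)."""
    return ("announce flow route { match { "
            f"source {row['source']}; destination {row['destination']}; }} "
            f"then {{ {row['action']}; }} }}")

def replay_rules(rows, now):
    """Return (commands to send to ExaBGP, [(rule id, reason)] for rejected rows)."""
    commands, rejected = [], []
    for row in rows:
        reason = validate_rule(row, now)
        if reason is None:
            commands.append(to_exabgp(row))
        else:
            rejected.append((row["id"], reason))
    return commands, rejected

# Constructed sample rows: one valid, one expired, one whose action is outside the allowlist.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
FUTURE, PAST = datetime(2024, 2, 1, tzinfo=timezone.utc), datetime(2023, 12, 1, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"id": 1, "active": True, "expires": FUTURE, "source": "198.51.100.7/32",
     "destination": "192.0.2.10/32", "action": "discard"},
    {"id": 2, "active": True, "expires": PAST, "source": "198.51.100.8/32",
     "destination": "192.0.2.10/32", "action": "discard"},
    {"id": 3, "active": True, "expires": FUTURE, "source": "198.51.100.9/32",
     "destination": "192.0.2.10/32", "action": "accept"},
]
```

Only the first row produces a command; the expired and the tampered rows are reported with their reason instead of being written to ExaBGP's stdin.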

DOCS

Change Log

  • 0.7.3 - Added support for an external auth proxy.
  • 0.7.2 - Dashboard and main menu are now customizable in config. The app is ready to be packaged using setup.py.
  • 0.7.0 - ExaAPI now has two options: HTTP or RabbitMQ. The ExaAPI process has been renamed; the ExaBGP process value must be updated for this version.
  • 0.6.2 - External config for ExaAPI.
  • 0.6.0 - Bootstrap 5 in UI.
  • 0.5.5 - API v3: the auth API key is sent in a cookie, not in the URL.
  • 0.5.4 - Right-click menu on address: Whois or Copy to clipboard.
  • 0.5.3 - Dashboard update, forms with default action.
  • 0.5.2 - API v2 with new keys.
  • 0.5.1 - Bug fixes.
  • 0.5.0 - New format of the LOG table in the database. Run the migration scripts to update your DB. The foreign key user_id was removed; the author's email is stored directly in the logs for faster grep text search.
  • 0.4.8 - Enhanced string filtering.
  • 0.4.7 - Multi-neighbor support enabled. See the config example and update your config.py.
  • 0.4.6 - Route Distinguisher for VRF is now supported. See the config example and update your config.py.


exafs's Issues

example shibboleth configuration

Good morning,

we are trying to deploy ExaFS with SSO through Shibboleth, however, we have encountered a few problems.

Problem no. 1 is the absence of a functional Shibboleth configuration example. We are using KeyCloak as IDP, and there are not many resources online on how to configure both SP and IDP to make it work with Apache as a reverse proxy.

Would it be possible to add an example of Shibboleth configuration file into the docs, which we can use to crosscheck our configuration?

Problem no. 2 is ExaFS itself, or rather flask-sso. We are getting flask_sso.SSOAttributeError, the same as described in this issue. Not sure if it's because of Shibboleth misconfiguration or just because the library hasn't been updated since 2015, but it may be a subject for another issue.

Note: The attribute mapping may differ for each IDP, e.g. keycloak doesn't provide 'eppn' out-of-the-box, but we can adjust the attribute map afterwards.

No secret key was set

Hi,

after installing ExaFS, my Apache server gives me error 500, and in the flowspec log file there is the message:

[pid: 55079|app: 0|req: 6/6] 10.0.131.28 (p*******1) {122 vars in 2110 bytes} [Wed Mar 27 14:15:46 2019] GET / => generated 0 bytes in 7 msecs (HTTP/1.1 500) 0 headers in 0 bytes (0 switches on core 0)
Traceback (most recent call last):
  File "/home/deploy/www/venv/lib/python2.7/site-packages/flask/app.py", line 2309, in __call__
    return self.wsgi_app(environ, start_response)
  File "/home/deploy/www/venv/lib/python2.7/site-packages/flask/app.py", line 2295, in wsgi_app
    response = self.handle_exception(e)
  File "/home/deploy/www/venv/lib/python2.7/site-packages/flask/app.py", line 1741, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/home/deploy/www/venv/lib/python2.7/site-packages/flask/app.py", line 2292, in wsgi_app
    response = self.full_dispatch_request()
  File "/home/deploy/www/venv/lib/python2.7/site-packages/flask/app.py", line 1815, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/home/deploy/www/venv/lib/python2.7/site-packages/flask/app.py", line 1718, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/home/deploy/www/venv/lib/python2.7/site-packages/flask/app.py", line 1813, in full_dispatch_request
    rv = self.dispatch_request()
  File "/home/deploy/www/venv/lib/python2.7/site-packages/flask/app.py", line 1799, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "./flowapp/auth.py", line 16, in decorated
    if not check_auth(get_user()):
  File "./flowapp/auth.py", line 85, in check_auth
    session['app_version'] = __version__
  File "/home/deploy/www/venv/lib/python2.7/site-packages/werkzeug/local.py", line 351, in __setitem__
    self._get_current_object()[key] = value
  File "/home/deploy/www/venv/lib/python2.7/site-packages/flask/sessions.py", line 101, in _fail
    raise RuntimeError('The session is unavailable because no secret '
RuntimeError: The session is unavailable because no secret key was set.  Set the secret_key on the application to something unique and secret.

I am running LDAP authentication instead of ShibbolethSP though. Is the secret key generated somewhere or is it just missing from some config file?

Thanks

Bad value in created field in response when creating RTBH and IP Rules

When a rule is created using ExaFS API v3 and the datetime format is a timestamp, expires is used instead of created in the response, causing the "expires" and "created" timestamps to be the same.

The following lines cause the bug:

created = int(datetime.timestamp(self.expires))

created = int(datetime.timestamp(self.expires))

created = int(datetime.timestamp(self.expires))
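As an added illustration (not ExaFS's own code), the defect described in this report beside its fix, with a small consistency check a client can apply to an API response to catch it. The RuleRecord class and its field names are assumptions of this example.

```python
# Added illustration, not ExaFS's own code: the reported created/expires mix-up
# beside its fix. RuleRecord and its field names are assumptions of this example.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class RuleRecord:
    rule_id: int
    created: datetime
    expires: datetime

    def to_dict_buggy(self):
        # The reported defect: "created" is computed from self.expires as well.
        return {"id": self.rule_id,
                "created": int(datetime.timestamp(self.expires)),
                "expires": int(datetime.timestamp(self.expires))}

    def to_dict_fixed(self):
        # Each timestamp is derived from its own attribute.
        return {"id": self.rule_id,
                "created": int(datetime.timestamp(self.created)),
                "expires": int(datetime.timestamp(self.expires))}

def response_is_consistent(payload):
    """A rule must be created strictly before it expires; equal values are a symptom of the bug."""
    return payload["created"] < payload["expires"]

# Constructed sample: a rule created at 12:00 UTC that expires an hour later.
SAMPLE = RuleRecord(rule_id=42,
                    created=datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc),
                    expires=datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc) + timedelta(hours=1))
```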
