This repository is deprecated.

Royal Nova Sword

Royal Nova Sword - Automate allow listing for industrial network.

This repo contains prototype implementation of automated allow listing for
entire industrial network.

Background

Today, many vendor-proprietary and custom protocols are used in industrial
production networks. In such an environment, signature-based deep packet
inspection does not work very well, and allow listing is sometimes the only
viable option for securing the network. However, creating and applying access
control lists by hand is time consuming and error prone.

That challenge gave rise to an idea: let the switch create the allow list automatically.

Royal Nova Sword expands the idea from a single switch to the entire network. In
concept, Royal Nova Sword learns all traffic flowing through the whole network
and generates an allow list for the entire system automatically. It can be
applied not only to switches but also to routers, wireless LAN controllers and
even clouds, as long as you can obtain flow information and apply access
control to the networking gear and software components.

Prototyping

This repo contains a prototype implementation of the Royal Nova Sword concept.
For simplicity, this prototype only manipulates a single switch.

This prototype provides commands and a web GUI to make a switch learn, lock, and
unlock traffic flows.

Build

You need Haskell Stack to build the backend and Elm to build the frontend.

Pre-compiled frontend code is already included in this repo as
/static/index.html. If you want to modify the frontend source code, edit
/frontend/src/Main.elm, compile it with the Elm compiler, then copy the
generated index.html under /static.

Building backend

Run stack build at the top-level directory of this repo.

$ stack build

You will get the executables rns-learn, rns-lock, rns-reset, and rns-web under .stack-work. The real path will look something like .stack-work/dist/x86_64-osx/Cabal-3.0.1.0/build/rns-web/rns-web.

Building frontend

The source repo comes with a pre-compiled frontend, so you don't have to build
it yourself, but in case you want to build it, follow these instructions.

  1. Navigate to the frontend directory.
  2. Run the elm make src/Main.elm command.
  3. Follow the errors printed by the Elm compiler. You may need to install some
    dependencies with elm install, then run elm make src/Main.elm again.
  4. Finally you will get index.html.
  5. Copy index.html to ../static/.

Below is a typical log.

$ elm make src/Main.elm
Starting downloads...

  ● elm/json 1.1.3
  ● elm/url 1.0.0
  ● elm/time 1.0.0
  ● elm/bytes 1.0.8
  ● elm/file 1.0.5
  ● elm/http 2.0.0
  ● elm/html 1.0.0
  ● elm/browser 1.0.2
  ● mdgriffith/elm-ui 1.1.8
  ● elm/virtual-dom 1.0.2
  ● elm/core 1.0.5

Dependencies ready!
Success! Compiled 1 module.

    Main ───> index.html

$

Usage

Prepare your switch to accept RESTCONF. This prototype has only been tested with
a Cisco IE-3400 with an expansion module running Cisco IOS XE 17.3.1.

Start the web GUI.

$ .stack-work/dist/x86_64-osx/Cabal-3.0.1.0/build/rns-web/rns-web SWITCH-ADDRESS USERNAME PASSWORD

Open the web GUI at http://localhost:8081 in your browser.

Press the "Learn" button to start learning flows. Press "Lock" to lock down the
switch. Press "Unlock" to remove all access control lists from the switch.
Performance is not optimized; you may need to wait several seconds for a
request to complete.

Learning

When you press the "Learn" button (or run the rns-learn command), the app deletes
all access control lists and NetFlow configurations, creates a Flexible NetFlow
monitor configuration and applies it to some interfaces. Once that completes,
the switch starts populating a custom NetFlow record cache.

Locking

When you press the "Lock" button (or run the rns-lock command), the app queries
the NetFlow cache, converts the obtained flow information into access control
list requests in RESTCONF, then adds those access control lists and applies
them to the appropriate interfaces.
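As an added example (not the project's Haskell code), the flow-to-ACL step of locking in Python: it assumes the NetFlow cache has already been flattened into records carrying ingress interface, addresses, protocol and destination port, and it assumes the payload shape of the Cisco-IOS-XE-native extended ACL model for the RESTCONF request; the sample flows and ACL names such as RNS_GI2_1_IN are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One flattened NetFlow cache entry (field set is this example's assumption)."""
    in_iface: str   # ingress interface, e.g. GigabitEthernet2/1
    src: str        # IPv4 source address
    dst: str        # IPv4 destination address
    proto: str      # "tcp" or "udp"
    dst_port: int   # transport destination port

# Constructed sample cache contents; not data captured from the project.
SAMPLE_FLOWS = [
    Flow("GigabitEthernet2/1", "10.1.1.10", "10.1.1.20", "tcp", 502),
    Flow("GigabitEthernet2/1", "10.1.1.10", "10.1.1.20", "tcp", 502),  # repeat of the same flow
    Flow("GigabitEthernet2/1", "10.1.1.10", "10.1.1.30", "udp", 2222),
    Flow("GigabitEthernet2/2", "10.1.1.20", "10.1.1.10", "tcp", 44818),
]

def acl_name(iface: str) -> str:
    """Derive one ACL name per ingress interface, e.g. GigabitEthernet2/1 -> RNS_GI2_1_IN."""
    return "RNS_" + iface.replace("GigabitEthernet", "GI").replace("/", "_") + "_IN"

def ace_cli(f: Flow) -> str:
    """Render a flow as an IOS extended-ACL permit line, handy for reviewing before pushing."""
    return f"permit {f.proto} host {f.src} host {f.dst} eq {f.dst_port}"

def flows_to_acls(flows):
    """Group learned flows by ingress interface and build one allow list per interface.
    Duplicate flows collapse into a single ACE; anything not learned falls to the implicit deny."""
    per_iface = {}
    for f in flows:
        per_iface.setdefault(f.in_iface, set()).add(f)
    acls = {}
    for iface, fs in sorted(per_iface.items()):
        rules = []
        ordered = sorted(fs, key=lambda x: (x.src, x.dst, x.proto, x.dst_port))
        for n, f in enumerate(ordered, start=1):
            rules.append({"sequence": str(10 * n),
                          "ace-rule": {"action": "permit", "protocol": f.proto,
                                       "host": f.src, "dst-host": f.dst, "dst-eq": f.dst_port}})
        # Payload shape assumed from the Cisco-IOS-XE-native extended ACL model, not taken from the project.
        acls[iface] = {"Cisco-IOS-XE-native:extended": {"name": acl_name(iface),
                                                         "access-list-seq-rule": rules}}
    return acls
```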

Unlocking

When you press the "Unlock" button (or run the rns-reset command), the app
removes the access control lists and NetFlow configurations from the switch.

Important Note

This prototype only learns and locks traffic flows on the interface range
GigabitEthernet2/1 through GigabitEthernet2/4. Traffic flows on other ports
are not affected.

Detailed internal API document

Modules implemented under /src have Haddock annotations. You can generate detailed API documentation for the modules by running Haddock with the following command.

$ stack haddock