NOX at Home Logo

Requirements and Functional Specifications

The motivations for and principles driving our project translate to a number of specific requirements and an associated functional specification.

Allow administrators to configure policies on their network using high level names

Administrators must be able to configure policies for users and/or machines on their network as well as groups thereof. This includes loosely defined classes of users such as anonymous users or invited guests (e.g. an administrator may have policies set up for any friend who is using the network temporarily), and policys for unknown users. To enable this functionality, we need our system allow our users to:

  • Add/remove users or machines
  • Create groups of users and/or machines
  • Add/remove users or machines to/from groups
  • Configure evidence sources for individual users or machines
  • Configure policy applications for individual or groups of users or machines
  • Configure policy applications for unknown users and machines

Identify users and machines on a network using active and passive mechanisms

Active and passive methods of user and machine identification must be able to provide the system some degree of confidence that a specific user or machine is active on the network at a given time. New evidence applications must have a way to interact with the system. Specifically, the software must:

  • Intercept any network traffic with a specific criteria
  • Look at intercepted network traffic for evidence that it belongs to a specific user or machine
  • Accept direct user authentication through a captive portal type interface
  • Identify where (IP, MAC, previously identified machine) a user is active
  • Alert the rest of the system that a user or machine is known to be or suspected to be active. In cases where a user or machine is only suspected to be active, information about the likelihood must be provided
  • Identify new evidence applications and incorporate them into the system

Maintain a view of the current network state

The system should be able to aggregate the messages from various evidence sources and make a decision about their meaning. These decisions should be recorded as a coherent and comprehensive view of what users and machines are active on the network at any given time. To support this, the software must provide the following functionality:

  • Aggregate and store messages from evidence applications
  • Analyze such evidence messages and make a decision on where and if a user is active on the network
  • Store decisions about active users and machines on the network as the network state
  • Provide network state information to policy applications
  • Provide network state information to administrators using a web interface

Integrate arbitrary network policies

The system needs to provide a means for independently developed network policy applications to run. They should have the ability to access network state decisions from the network view and the ability to be configured from the main web interface. Our system must provide the following functionality to support such policy applications:

  • Identify new policy applications and incorporate them into the system
  • Have a means for such applications to retrieving information from the network view
  • Have a means for such applications to know what users/machines/groups are set up on the system