Firewall in the Internet Security By Dou Wang, Ying Chen, Jiaying Shi School of Computer Science University of Windsor November 2007


Page 2

Outline

Introduction of Firewall
Packet filtering
Firewall policy management
Firewall implementation
Comments
Conclusions

Page 3

Introduction

What is a firewall? A firewall is a collection of components interposed between two networks that filter traffic between them according to some security policy. [5] Firewalls are strategically placed between the internal network and the outside network (e.g., the Internet service provider). They always sit on the edge, separating trusted networks from untrusted networks.

Page 4

Introduction

What is firewall management? Basically, the management program is configured in one of two ways: a default-deny or a default-allow policy. The former approach is by far the more secure, but many networks deploy the latter approach because of the difficulty of configuration and the limits of the administrators' knowledge.

Page 5

Introduction

Firewalls can be divided into the following categories by working principle:

Packet filtering firewall: it has a list of firewall security rules that block traffic based on IP protocol, IP address and port number.

Stateful firewall: it is more intelligent in keeping track of active connections, because it employs state machines to maintain the state associated with established protocol connections.

Deep packet inspection firewall: it actually examines the data in the packet.

Application-aware firewall: similar to a deep packet inspection firewall, it understands certain protocols and can parse them, so that signatures or rules can be expressed specifically in terms of the protocol.

Page 6

Introduction

Firewalls can also be divided into the following categories by usage:

Personal firewall: this generally refers to software that runs on your workstation and acts as a packet filtering firewall.

Distributed firewall: its security policy is defined centrally but enforced at each individual network endpoint. Policy distribution can take various forms.

Layer 2 firewall (transparent bridge mode): it can be inserted without disrupting the operation of the network. This feature makes it easy to deploy and useful for mitigating an ongoing attack.

Page 7

Introduction

Additional services from a firewall:

Network Address Translation
Split-horizon DNS
Mitigating Host Fingerprinting
Virtual Private Network
Damage Mitigation
Intrusion Prevention Systems (IPS)
Host-subnet Quarantining

Page 8

Packet filtering

The paper “Adaptive Statistical Optimization Techniques for Firewall Packet Filtering” discusses packet filtering optimization in two aspects.

In the first aspect, they propose an approximation algorithm that analyzes firewall policy rules off-line, generates different near-optimal solutions, and constructs a set of rules that can reject the maximum number of unwanted packets as early as possible.

In the other aspect, they propose a statistical search tree based on the matching frequency of different field values in the policy, as calculated from the traffic. They present two tree structures: a near-optimal cascade tree structure for single-threaded processing, and a parallel tree structure for network processor platforms.

Page 9

Packet filtering

The first part discusses early traffic rejection.

Three algorithms comprise the main operations of the early rejection module.

Algorithm 1 builds the candidate rejection rule list out of different solutions to the set cover problem. [3]

Algorithm 2 periodically adds or moves rules according to the performance gain or loss of each rule.

Algorithm 3 shows the per-packet filtering operation and the location of early rejection relative to normal packet filtering, as well as the update of the statistics required for early rejection.
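As an added illustration of the set-cover idea behind Algorithm 1 (this is example code written for this page, not the paper's own algorithm or the slides' code): a greedy set-cover approximation picks, from constructed traffic already classified by the full policy, the few single-field rules that reject the most unwanted packets. The candidate form (one field/value equality test) and the safety filter (a candidate must match no accepted packet, otherwise placing it in front of the policy would change an accept decision) are assumptions of this example.

```python
# Constructed traffic sample, classified by the full policy (not shown): packets the
# policy rejects, and packets it accepts. Each packet is the 5-tuple from slide 12.
FIELDS = ("proto", "src", "sport", "dst", "dport")
REJECTED = [
    ("tcp", "10.0.0.5", 40000, "192.168.1.10", 23),
    ("tcp", "10.0.0.5", 40001, "192.168.1.10", 23),
    ("tcp", "10.0.0.9", 40002, "192.168.1.11", 23),
    ("udp", "10.0.0.7", 5353, "192.168.1.10", 161),
    ("udp", "10.0.0.7", 5354, "192.168.1.12", 161),
    ("tcp", "10.0.0.7", 40003, "192.168.1.10", 445),
    ("tcp", "10.0.0.8", 40004, "192.168.1.10", 445),
]
ACCEPTED = [
    ("tcp", "10.0.0.5", 40100, "192.168.1.10", 80),
    ("tcp", "10.0.0.9", 40101, "192.168.1.10", 443),
    ("udp", "10.0.0.7", 5355, "192.168.1.12", 53),
]

def covers(rule, pkt):
    """A candidate rule is one (field, value) equality test (an assumption here)."""
    field, value = rule
    return pkt[FIELDS.index(field)] == value

def safe_candidates(rejected, accepted):
    """Field/value pairs seen in rejected traffic that match no accepted packet, so
    putting them in front of the policy cannot change an accept decision. Source
    port is skipped because it is ephemeral and would never generalise."""
    seen = {(f, p[i]) for p in rejected for i, f in enumerate(FIELDS) if f != "sport"}
    return sorted(r for r in seen if not any(covers(r, p) for p in accepted))

def greedy_early_reject(rejected, accepted, max_rules):
    """Greedy set-cover approximation: repeatedly take the candidate that rejects the
    most still-uncovered unwanted packets. Returns the chosen (rule, packets rejected)
    list and the packets that will still fall through to the full policy."""
    remaining = list(rejected)
    chosen = []
    cands = safe_candidates(rejected, accepted)
    while remaining and cands and len(chosen) < max_rules:
        best = max(cands, key=lambda r: sum(covers(r, p) for p in remaining))
        gain = sum(covers(best, p) for p in remaining)
        if gain == 0:
            break
        chosen.append((best, gain))
        remaining = [p for p in remaining if not covers(best, p)]
        cands.remove(best)
    return chosen, remaining
```

With two early-rejection slots the greedy pass picks destination port 23 (three packets) and then port 161 (two), leaving the two port-445 packets for the full policy; the coarse candidates such as protocol tcp are discarded because accepted traffic also matches them.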

Page 10

Packet filtering

The second part discusses the statistical optimization.

The statistical optimization part involves the following steps:

A. Locality of matching properties in firewall filtering
B. Statistical matching tree
C. Matching tree construction using alphabetic trees
D. Policy matching algorithms using alphabetic trees
E. Tree reconstruction and updates

Page 11

Firewall policy deployment

The paper “On the Safety and Efficiency of Firewall Policy Deployment” provides the first formal definition and theoretical analysis of safety in firewall policy deployment.

While ample research has focused on tools for policy specification, correctness analysis and optimization, little has addressed firewall policy deployment.

Page 12

Firewall policy deployment

A firewall controls traffic by examining the contents of network packets, which is why a firewall is also called a packet filtering device. Five packet fields are most commonly used for traffic filtering: protocol type, source IP address, source port, destination IP address, and destination port.

In every packet, each of the five fields assumes a specific value, such as <TCP, 192.168.5.7, 1352, 10.1.1.1, 23>. Fields other than those in the 5-tuple, e.g., IP TOS (Type of Service) and TTL (Time to Live) values.
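To make slides 4 and 12 concrete, here is an added example (written for this page, not code from the papers or the slides) of a first-match filter over the five fields above, evaluating the slide's <TCP, 192.168.5.7, 1352, 10.1.1.1, 23> packet and showing how a packet no rule mentions fares under default-deny versus default-allow management. The rule set and the second packet are constructed for the illustration.

```python
from ipaddress import ip_address, ip_network

# Rule = (action, protocol, source network, source port, destination network,
# destination port); "*" is a wildcard. Constructed rule set; first match wins.
RULES = [
    ("allow", "tcp", "192.168.5.0/24", "*", "10.1.1.1/32", 22),
    ("allow", "udp", "192.168.5.0/24", "*", "10.1.1.53/32", 53),
    ("deny", "tcp", "0.0.0.0/0", "*", "10.1.1.1/32", 23),
]

def matches(rule, pkt):
    """pkt is the slide's 5-tuple: (protocol, src ip, src port, dst ip, dst port)."""
    _, proto, src_net, sport, dst_net, dport = rule
    p_proto, p_src, p_sport, p_dst, p_dport = pkt
    return (proto in ("*", p_proto)
            and ip_address(p_src) in ip_network(src_net)
            and sport in ("*", p_sport)
            and ip_address(p_dst) in ip_network(dst_net)
            and dport in ("*", p_dport))

def filter_packet(pkt, rules=RULES, default="deny"):
    """Return (verdict, reason): the first matching rule decides, else the default policy."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule[0], f"rule {index}"
    return default, "default policy"

def compare_defaults(pkt, rules=RULES):
    """How the two management styles from slide 4 treat the same packet."""
    return {policy: filter_packet(pkt, rules, policy)[0] for policy in ("deny", "allow")}

# The packet from slide 12, and a constructed packet for a service no rule mentions.
TELNET = ("tcp", "192.168.5.7", 1352, "10.1.1.1", 23)
UNLISTED = ("tcp", "192.168.5.7", 1353, "10.1.1.1", 445)

if __name__ == "__main__":
    print(filter_packet(TELNET))       # ('deny', 'rule 2')
    print(compare_defaults(UNLISTED))  # {'deny': 'deny', 'allow': 'allow'}
```

The unlisted packet is the case slide 4 is about: under default-allow it passes because nobody wrote a rule for it, under default-deny it is dropped for exactly the same reason.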

Page 13

Firewall policy deployment

Table 1: Results of experiments on firewall policy deployment [2]

Page 14

Firewall implementation

The paper “Nedgty: Web Services Firewall” introduces an open source web services firewall that applies business-specific rules in a centralized manner.

It also secures web services against denial of service, buffer overflow and XML denial of service attacks.

[Figure: Nedgty architecture, as labelled on the slide. Components: IPTables; SOAP Filter (Packet Queue, Parser, Interface, Validation Unit, Packet Forger); Server; Repository. Labelled flows: packet from client; port 80 traffic; non-SOAP packets; SOAP packets; packet payload; parsed XML; rules; existing rules; write rules; log; valid SOAP; request verdict; set verdict.]
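The slide names a validation unit that turns parsed XML into a verdict, and an XML denial of service threat. As an added example (not Nedgty's code, whose internals the slide does not show), here is a validation-unit style pre-check in Python that bounds payload size, nesting depth and element count and refuses any DTD, the properties an XML denial-of-service input relies on. The limits and the sample requests are constructed for this illustration.

```python
import xml.parsers.expat

# Assumed limits (not from the paper); tune them to the protected service.
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
MAX_ELEMENTS = 2000
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

class Rejected(Exception): pass  # raised from a parser callback to stop parsing

def validate_soap(payload: bytes):
    """Return (verdict, reason); 'accept' only for a bounded, DTD-free SOAP envelope."""
    if len(payload) > MAX_BYTES:
        return "reject", "payload exceeds size limit"
    state = {"depth": 0, "count": 0, "root": None}

    def start(name, attrs):
        state["count"] += 1
        state["depth"] += 1
        if state["root"] is None:
            state["root"] = name  # "namespace-uri localname" with the separator below
        if state["depth"] > MAX_DEPTH:
            raise Rejected("nesting depth limit exceeded")
        if state["count"] > MAX_ELEMENTS:
            raise Rejected("element count limit exceeded")
    def end(name): state["depth"] -= 1
    def doctype(name, sysid, pubid, has_internal_subset):
        # Entity-expansion inputs need a DTD, so no DOCTYPE is accepted at all.
        raise Rejected("DTD/entity declarations are not allowed")

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(payload, True)
    except Rejected as exc:
        return "reject", str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return "reject", f"malformed XML: {exc}"
    if state["root"] != SOAP_NS + " Envelope":
        return "reject", "root element is not a SOAP Envelope"
    return "accept", "valid SOAP envelope"

# Constructed sample requests: a valid envelope, one with a DTD, one nested too deeply.
GOOD_REQUEST = (b'<?xml version="1.0"?><soap:Envelope xmlns:soap="' + SOAP_NS.encode()
                + b'"><soap:Body><m:GetPrice xmlns:m="urn:example"><m:Item>A1</m:Item>'
                + b'</m:GetPrice></soap:Body></soap:Envelope>')
DTD_REQUEST = b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaa">]><x>&a;</x>'
DEEP_REQUEST = (b'<soap:Envelope xmlns:soap="' + SOAP_NS.encode() + b'">'
                + b"<d>" * 40 + b"</d>" * 40 + b"</soap:Envelope>")
```

Because the limits are enforced from parser callbacks, parsing stops at the first violation instead of after the whole document has been expanded in memory.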

Page 15

Comments

We noticed that there are still some limitations or drawbacks in their firewall systems:

The first is that those firewalls do very little, if anything, against attacks from the inside network (e.g., attackers already on the inside network, such as a disgruntled employee).

The second is that firewalls find it relatively difficult to handle some protocols, as they involve multiple and seemingly independent packet flows. Take FTP for example: a control connection is initiated by the client to the server, while data connections are initiated by the server to the client.

The third is that end-to-end encryption can be a threat to firewalls, because it prevents them from looking at the packet fields on which filtering should be done.

Page 16

Comments

Solution for end-to-end encryption: when encryption is used for confidentiality (often called Virtual Private Networks), there are two general cases:

Encryption is performed by the firewall, i.e., it is the endpoint of a VPN. The firewall can then understand and filter the actual protocol used within the VPN and provide intelligent logging.

Encryption is performed by a host inside the firewall (end-to-end encryption). The VPN becomes a point of entry for an attacker that the firewall administrator cannot detect. Therefore, the VPN endpoint inside the firewall must be VERY well configured and monitored and must use firewall mechanisms such as strong authentication.

Page 17

Conclusions

From the centralized, single-threaded conventional firewall to the distributed, multi-threaded and much more intelligent modern firewall, both safety and efficiency have been enhanced by deploying different kinds of techniques.

From the first-generation firewall focused on packet filtering and the second generation on state, the third generation turned to application awareness, including intrusion prevention systems that greatly enhance security functionality.

Page 18

References

[1] Bebawy, R.; Sabry, H.; El-Kassas, S.; Hanna, Y.; Youssef, Y.; “Nedgty: Web Services Firewall”, Proceedings of the 2005 IEEE International Conference on Web Services (ICWS 2005), 11-15 July 2005.

[2] Zhang, Charles C.; Winslett, Marianne; Gunter, Carl A.; “On the Safety and Efficiency of Firewall Policy Deployment”, 2007 IEEE Symposium on Security and Privacy (SP '07), 20-23 May 2007, pp. 33-50.

[3] Hamed, H.; El-Atawy, A.; Al-Shaer, E.; “Adaptive Statistical Optimization Techniques for Firewall Packet Filtering”, 25th IEEE International Conference on Computer Communications (INFOCOM 2006), April 2006, pp. 1-12.

[4] Introduction of Firewall security, http://www.secureworks.com/research/articles/firewall-security, 2007.

[5] C. Douligeris and D. N. Serpanos, “Network Security: Current Status and Future Directions”, The Institute of Electrical and Electronics Engineers, Inc., 2007.

[6] Firewall, http://en.wikipedia.org/wiki/Firewall, 2007.

Page 19

?