Firewall in the Internet Security
By
Dou Wang, Ying Chen, Jiaying Shi
School of Computer Science
University of Windsor
November 2007
Outline
Introduction of Firewall
Packet filtering
Firewall policy management
Firewall implementation
Comments
Conclusions
Introduction
What is a firewall?
A firewall is a collection of components interposed
between two networks that filters the traffic
between them according to some security
policy. [5] Firewalls are strategically placed
between the internal network and the outside
network (e.g., the Internet service provider). They
always sit on the edge, separating trusted
networks from untrusted networks.
Introduction
What is firewall management?
Basically, the management program is configured
in one of two ways: with a default-deny or a
default-allow policy. The former approach is by far
the more secure, but many networks deploy the
latter because of the difficulty of configuration
and a lack of the necessary knowledge.
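As an added example (not from the slides), the following Python filter runs one rule list with first-match semantics under both default policies. It tests the five fields usually used for filtering (protocol, source address and port, destination address and port); the rule syntax, the addresses and the packets are constructed for the illustration.

```python
# Added example (not from the slides): a minimal first-match 5-tuple packet
# filter that shows what a default-deny and a default-allow policy do with
# traffic the rule list does not mention. Rules, addresses and packets are
# constructed for this illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR prefix of permitted sources
    dst: str = "0.0.0.0/0"       # CIDR prefix of permitted destinations
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and ip_address(pkt.src_ip) in ip_network(self.src)
                and ip_address(pkt.dst_ip) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dst_port))


def filter_packet(rules, pkt, default):
    """First-match semantics: the first rule that matches decides; if no
    rule matches, the default policy ("deny" or "allow") decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed policy: the only traffic the administrator explicitly listed.
RULES = [
    Rule("allow", proto="tcp", dst="10.1.1.1/32", dport=80),     # web server
    Rule("allow", proto="tcp", dst="10.1.1.2/32", dport=25),     # mail server
    Rule("deny",  proto="tcp", src="192.168.0.0/16", dport=23),  # no telnet from the LAN
]

# Constructed traffic sample.
TRAFFIC = [
    Packet("tcp", "203.0.113.5", 40000, "10.1.1.1", 80),  # listed: web
    Packet("tcp", "203.0.113.5", 40001, "10.1.1.1", 22),  # unlisted: ssh to the web host
    Packet("udp", "203.0.113.9", 5000, "10.1.1.1", 53),   # unlisted: udp
    Packet("tcp", "192.168.5.7", 1352, "10.1.1.1", 23),   # explicitly denied
]


def compare_defaults(rules, traffic):
    """Map each packet to (verdict under default-deny, verdict under default-allow)."""
    return {p: (filter_packet(rules, p, "deny"), filter_packet(rules, p, "allow"))
            for p in traffic}


if __name__ == "__main__":
    for pkt, (dd, da) in compare_defaults(RULES, TRAFFIC).items():
        print(f"{pkt.proto} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}"
              f"  default-deny={dd}  default-allow={da}")
```

The two unlisted packets are the point: under default-deny they are dropped, under default-allow they pass, and nothing in the rule list records the decision either way.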
Introduction
Firewalls can be divided into the following categories by
working principle:
Packet filtering firewall: it has a list of firewall security rules that
can block traffic based on IP protocol, IP address and port
number.
Stateful firewall: it is more intelligent in keeping track of active
connections, because it employs state machines to maintain the
state associated with established protocol connections.
Deep packet inspection firewall: it actually examines the data in
the packet.
Application-aware firewall: similar to a deep packet inspection
firewall, but it understands certain protocols and can parse
them, so that signatures or rules can be expressed in terms of
the protocol.
Introduction
Firewalls can also be divided into the following
categories by usage:
Personal firewall: this generally refers to software that runs on your
workstation and acts as a packet filtering firewall.
Distributed firewall: its security policy is defined centrally but
enforced at each individual network endpoint. Policy distribution
can take various forms.
Layer 2 firewall (transparent bridge mode): it can be inserted
without disrupting the operation of the network, which makes it
easy to deploy and useful for mitigating an ongoing attack.
Introduction
Additional services provided by firewalls:
Network Address Translation
Split-horizon DNS
Mitigating Host Fingerprinting
Virtual Private Network
Damage Mitigation
Intrusion Prevention Systems (IPS)
Host-subnet Quarantining
Packet filtering
The paper “Adaptive Statistical Optimization Techniques for
Firewall Packet Filtering” [3] discusses packet filtering
optimization in two aspects.
In the first aspect they propose an approximation algorithm that
analyzes the firewall policy rules off-line, generates different
near-optimal solutions and constructs a set of rules that can
reject the maximum number of unwanted packets as early as
possible.
In the other aspect they propose using a statistical search tree based on
the matching frequency of the different field values in the policy, as
calculated from the traffic. They present two tree structures: a
near-optimal cascade tree structure for single-threaded
processing, and a parallel tree structure for network processor platforms.
Packet filtering
The first part discusses early traffic rejection.
Three algorithms comprise the main operations of the early
rejection module:
Algorithm 1 builds the candidate rejection rule list out of
different solutions to the set cover problem. [3]
Algorithm 2 periodically adds or removes rules according to the
performance gain/loss of each rule.
Algorithm 3 shows the per-packet operation of filtering and the
location of early rejection relative to normal packet filtering,
as well as the update of the statistics required for early rejection.
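An added example in the spirit of the three algorithms above; it is not the code from [3] and simplifies it. Rejection rules are single-field tests, a test is accepted as a candidate only when no allow rule could ever match a packet carrying that value (so early rejection can never drop a packet the policy would accept), candidates are chosen greedily as a set cover of the denied packets in a traffic sample, and only the removal half of the periodic maintenance is shown. The policy, field names and traffic sample are constructed.

```python
# Added example, not the code of [3]: a simplified early-rejection module.
# Rules match a field exactly or with "*"; the policy, the traffic sample and
# the greedy set-cover heuristic are constructed for illustration.
from collections import Counter

FIELDS = ("proto", "src_ip", "src_port", "dst_ip", "dst_port")


def pkt(proto, src_ip, src_port, dst_ip, dst_port):
    return dict(zip(FIELDS, (proto, src_ip, src_port, dst_ip, dst_port)))


def rule_matches(rule, packet):
    """rule = (action, pattern) where pattern maps each field to a value or "*"."""
    return all(rule[1][f] in ("*", packet[f]) for f in FIELDS)


def policy_verdict(policy, packet, default="deny"):
    """Normal first-match filtering with a default-deny policy."""
    for rule in policy:
        if rule_matches(rule, packet):
            return rule[0]
    return default


def build_rejection_rules(policy, sample, max_rules):
    """Algorithm 1 analogue. A single-field test (field, value) is a safe
    early-rejection rule only if no 'allow' rule could ever match a packet
    carrying that value; among the safe candidates, greedily pick the one
    covering the most still-uncovered denied packets of the sample."""
    allow_rules = [r for r in policy if r[0] == "allow"]
    denied = [p for p in sample if policy_verdict(policy, p) == "deny"]

    def safe(field, value):
        return all(r[1][field] not in ("*", value) for r in allow_rules)

    candidates = sorted({(f, p[f]) for p in denied for f in FIELDS if safe(f, p[f])},
                        key=lambda c: (FIELDS.index(c[0]), str(c[1])))
    uncovered = set(range(len(denied)))
    chosen = []
    while uncovered and candidates and len(chosen) < max_rules:
        cover = {c: {i for i in uncovered if denied[i][c[0]] == c[1]} for c in candidates}
        best = max(candidates, key=lambda c: len(cover[c]))
        if not cover[best]:
            break          # remaining denied packets have no safe single-field test
        chosen.append(best)
        uncovered -= cover[best]
        candidates.remove(best)
    return chosen


class EarlyRejector:
    """Algorithm 3 analogue: per packet, consult the rejection list before the
    normal policy and keep hit statistics. prune() stands in for the periodic
    maintenance of Algorithm 2 (only removal of unproductive rules is shown)."""

    def __init__(self, policy, rejection_rules):
        self.policy = policy
        self.rejection_rules = list(rejection_rules)
        self.hits = Counter()
        self.fallthrough = 0     # packets that reached the normal policy

    def verdict(self, packet):
        for field, value in self.rejection_rules:
            if packet[field] == value:
                self.hits[(field, value)] += 1
                return "deny", "early"
        self.fallthrough += 1
        return policy_verdict(self.policy, packet), "policy"

    def prune(self, min_hits):
        self.rejection_rules = [r for r in self.rejection_rules if self.hits[r] >= min_hits]
        return self.rejection_rules


# Constructed policy (default-deny) and traffic sample.
POLICY = [
    ("allow", pkt("tcp", "*", "*", "10.1.1.1", 80)),
    ("allow", pkt("tcp", "*", "*", "10.1.1.2", 25)),
    ("allow", pkt("udp", "*", "*", "10.1.1.3", 53)),
]
SAMPLE = (
    [pkt("icmp", f"203.0.113.{i}", 0, "10.1.1.1", 0) for i in range(4)]             # denied
    + [pkt("tcp", "198.51.100.2", 4000 + i, f"10.1.1.{i}", 23) for i in range(3)]   # denied
    + [pkt("udp", "198.51.100.7", 5353, "10.1.1.1", 53)] * 2                         # denied
    + [pkt("tcp", "198.51.100.9", 40000, "10.1.1.1", 80)] * 3                        # allowed
)

if __name__ == "__main__":
    rules = build_rejection_rules(POLICY, SAMPLE, max_rules=3)
    er = EarlyRejector(POLICY, rules)
    verdicts = [er.verdict(p) for p in SAMPLE]
    print("early-rejection rules:", rules)
    print("rejected early:", sum(1 for v in verdicts if v[1] == "early"), "of", len(SAMPLE))
    print("hits:", dict(er.hits), "fell through to policy:", er.fallthrough)
```

The UDP packets to 10.1.1.1 port 53 are denied by the policy, yet no single-field test on them is safe (every one of their field values also appears in, or is wildcarded by, some allow rule), so they must still travel through the normal rule list: the early rejection set is a shortcut, not a replacement for the policy.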
Packet filtering
The second part discusses statistical optimization.
The statistical optimization part involves the following
steps:
A. Locality of matching properties in firewall filtering
B. Statistical matching tree
C. Matching tree construction using alphabetic trees
D. Policy matching algorithms using alphabetic trees
E. Tree reconstruction and updates
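An added example for steps B through E, not the construction used in [3]: a statistical matching tree for one packet field, built as an alphabetic binary search tree (the values keep their natural order) whose nodes are weighted by the values' matching frequencies. The textbook O(n^3) dynamic program for an optimal weighted binary search tree is used here in place of the paper's method; the destination-port frequencies are constructed. The block also compares the result with a frequency-blind balanced tree and shows a rebuild check for step E.

```python
# Added example (not the construction of [3]): a statistical matching tree
# for one packet field as an optimal alphabetic binary search tree weighted
# by matching frequency. Field values and frequencies are constructed.


def optimal_alphabetic_tree(freq):
    """freq: {value: matching frequency}. Returns (tree, weighted_path_length)
    where a node is (value, left, right) and the root has depth 1, so the
    weighted path length is the total number of comparisons spent on the
    sample traffic. Values keep their sorted order (alphabetic tree)."""
    keys = sorted(freq)
    w = [freq[k] for k in keys]
    n = len(keys)
    prefix = [0]
    for x in w:
        prefix.append(prefix[-1] + x)
    weight = lambda i, j: prefix[j + 1] - prefix[i]    # sum of w[i..j]
    cost = [[0] * n for _ in range(n)]
    root = [[None] * n for _ in range(n)]
    sub = lambda i, j: cost[i][j] if i <= j else 0      # empty subtree costs 0
    for length in range(1, n + 1):
        for i in range(n - length + 1):
            j = i + length - 1
            best, best_r = float("inf"), None
            for r in range(i, j + 1):
                c = sub(i, r - 1) + sub(r + 1, j) + weight(i, j)
                if c < best:
                    best, best_r = c, r
            cost[i][j], root[i][j] = best, best_r

    def build(i, j):
        if i > j:
            return None
        r = root[i][j]
        return (keys[r], build(i, r - 1), build(r + 1, j))

    return (build(0, n - 1), cost[0][n - 1]) if n else (None, 0)


def balanced_tree(values):
    """Frequency-blind baseline: always split the sorted values in the middle."""
    values = sorted(values)
    if not values:
        return None
    m = len(values) // 2
    return (values[m], balanced_tree(values[:m]), balanced_tree(values[m + 1:]))


def lookup(tree, value):
    """Walk the tree as a filter testing one field would; return (found, comparisons)."""
    node, comparisons = tree, 0
    while node is not None:
        key, left, right = node
        comparisons += 1
        if value == key:
            return True, comparisons
        node = left if value < key else right
    return False, comparisons


def expected_comparisons(tree, freq):
    total = sum(freq.values())
    return sum(f * lookup(tree, k)[1] for k, f in freq.items()) / total


def should_rebuild(tree, freq, min_gain):
    """Step E analogue: after the statistics change, rebuild only if the
    fresh optimum saves at least min_gain comparisons per packet."""
    fresh, _ = optimal_alphabetic_tree(freq)
    return expected_comparisons(tree, freq) - expected_comparisons(fresh, freq) >= min_gain


# Constructed matching frequencies for the destination-port field.
PORT_FREQ = {22: 5, 25: 10, 53: 30, 80: 120, 443: 90, 3389: 2, 8080: 3}

if __name__ == "__main__":
    opt, cost = optimal_alphabetic_tree(PORT_FREQ)
    print("weighted path length:", cost)
    print("expected comparisons, statistical tree:", round(expected_comparisons(opt, PORT_FREQ), 3))
    print("expected comparisons, balanced tree:",
          round(expected_comparisons(balanced_tree(PORT_FREQ), PORT_FREQ), 3))
```

With these frequencies the statistical tree needs about 1.64 comparisons per packet against 2.03 for the balanced tree, because the two ports that carry most of the traffic sit at the top. The ordering property is what makes the tree usable for range matches as well as exact values.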
Firewall policy deployment
The paper “On the Safety and Efficiency of Firewall
Policy Deployment” [2] provides the first formal definition
and theoretical analysis of safety in firewall policy
deployment.
While ample research has focused on tools for policy
specification, correctness analysis and optimization,
little has addressed firewall policy deployment.
Firewall policy deployment
A firewall controls traffic by examining the contents of network
packets, which is why a firewall is also called a packet filtering
device. Five packet fields are most commonly used for traffic
filtering: protocol type, source IP address, source port,
destination IP address, and destination port.
In every packet, each of the five fields assumes a specific
value, such as <TCP, 192.168.5.7, 1352, 10.1.1.1, 23>. Fields
other than those in the 5-tuple: e.g., the IP TOS (Type
of Service) and TTL (Time to Live) values.
Firewall policy deployment
Table 1: Results of experiments on firewall policy deployment [2]
[table contents not recoverable from this copy of the slides]
Firewall implementation
The paper “Nedgty: Web Services Firewall” [1] introduces an open source
web services firewall that applies business-specific rules in a
centralized manner.
It also secures web services against denial of service, buffer
overflow and XML denial of service attacks.
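As an added example (not part of the Nedgty project), a Python validation unit of the kind the slide describes: it enforces a centralized allow-list of SOAP operations (the business rule) together with resource limits that bound the oversized-field and XML denial-of-service inputs named above. The envelope namespace is the real SOAP 1.1 one; the limits, the permitted operations and the sample messages are constructed.

```python
# Added example (not the Nedgty code): a validation unit for SOAP requests.
# Limits, allowed operations and sample messages are constructed.
import io
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
ENVELOPE, BODY = f"{{{SOAP_ENV}}}Envelope", f"{{{SOAP_ENV}}}Body"

# Constructed business rule and resource limits.
ALLOWED_OPERATIONS = {"GetQuote", "PlaceOrder"}
LIMITS = {"max_bytes": 8192, "max_depth": 16, "max_elements": 200, "max_text": 1024}


def local_name(tag):
    return tag.rsplit("}", 1)[-1]


def validate_soap(payload, allowed=ALLOWED_OPERATIONS, limits=LIMITS):
    """Return ("valid", operation) or ("reject", reason) for one SOAP request."""
    if len(payload) > limits["max_bytes"]:
        return "reject", "payload exceeds size limit"
    if b"<!DOCTYPE" in payload or b"<!ENTITY" in payload:
        return "reject", "DTD/entity declarations not allowed (entity-expansion guard)"
    depth = elements = 0
    stack, operation = [], None
    try:
        # Streaming parse: every limit is checked before the next element is
        # accepted, so an oversized or deeply nested message is cut off early.
        for event, elem in ET.iterparse(io.BytesIO(payload), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                if depth > limits["max_depth"]:
                    return "reject", "element nesting too deep"
                if elements > limits["max_elements"]:
                    return "reject", "too many elements"
                stack.append(elem.tag)
                if len(stack) == 1 and elem.tag != ENVELOPE:
                    return "reject", "not a SOAP 1.1 envelope"
                # the first child of soap:Body names the requested operation
                if len(stack) == 3 and stack[1] == BODY and operation is None:
                    operation = local_name(elem.tag)
            else:
                if elem.text and len(elem.text) > limits["max_text"]:
                    return "reject", f"text in <{local_name(elem.tag)}> exceeds length limit"
                depth -= 1
                stack.pop()
    except ET.ParseError as exc:
        return "reject", f"malformed XML: {exc}"
    if operation is None:
        return "reject", "no operation element in soap:Body"
    if operation not in allowed:
        return "reject", f"operation {operation} not permitted by the rules"
    return "valid", operation


def envelope(body_xml):
    """Build a constructed SOAP 1.1 message around the given body content."""
    return (b'<?xml version="1.0"?>'
            b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            b'<soap:Body>' + body_xml + b'</soap:Body></soap:Envelope>')


# Constructed sample messages, one per check.
SAMPLES = {
    "good request": envelope(b'<GetQuote xmlns="urn:example:stock"><symbol>ACME</symbol></GetQuote>'),
    "unknown operation": envelope(b'<DeleteAllOrders xmlns="urn:example:stock"/>'),
    "entity declaration": (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaa">]>'
                           b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
                           b'<soap:Body><GetQuote><symbol>&a;</symbol></GetQuote></soap:Body>'
                           b'</soap:Envelope>'),
    "deep nesting": envelope(b'<GetQuote>' + b'<a>' * 50 + b'x' + b'</a>' * 50 + b'</GetQuote>'),
    "oversized field": envelope(b'<GetQuote><symbol>' + b'A' * 5000 + b'</symbol></GetQuote>'),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:20} -> {validate_soap(msg)}")
```

Only the request that names a permitted operation and stays inside every limit is handed on; the others are rejected with a reason that a logging component can record, which matches the write-rules / log interface in the architecture.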
[Figure: Nedgty architecture diagram. Components shown: Interface (write rules, existing rules, log), Parser (parsed XML), Rules Repository, Validation Unit, Packet Queue, SOAP Filter, Packet Forger, IPTables (packet from client, port 80 traffic, request verdict, set verdict), Server. Labelled flows: SOAP packets and non-SOAP packets, packet payload, parsed XML, valid SOAP.]
Comments
We noticed that there are still some limitations or drawbacks in these
firewall systems:
The first is that firewalls do very little, if anything, against attacks
from the inside network (e.g., attackers already on the inside
network, such as a disgruntled employee).
The second is that firewalls find it relatively difficult to handle some
protocols, because they involve multiple and seemingly independent
packet flows. Take FTP for example: the control connection is
initiated by the client to the server, while data connections are
initiated by the server to the client.
The third is that end-to-end encryption can be a threat to firewalls,
because it prevents them from looking at the packet fields on
which filtering should be done.
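An added example (not from the slides) that serves both the stateful firewall category from the introduction and the FTP limitation above: a minimal stateful TCP filter that creates state only for connections initiated from the inside and admits inbound packets only when they belong to such a connection. The trace shows the FTP control channel being tracked correctly and the server-initiated active-mode data connection being dropped, because no state exists for it. The trusted prefix, addresses, flag strings and packets are constructed.

```python
# Added example (not from the slides): a minimal stateful TCP filter and a
# trace showing why server-initiated FTP data connections defeat it.
# The trusted prefix, the addresses and the packets are constructed.
from dataclasses import dataclass

INSIDE_PREFIX = "192.168."   # constructed: the trusted network


@dataclass(frozen=True)
class TcpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str               # "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "F"/"R" = close


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


class StatefulFilter:
    """Connection table keyed by (client ip, client port, server ip, server port),
    i.e. the 4-tuple in the direction of the initiating SYN."""

    def __init__(self):
        self.table = {}

    def verdict(self, p):
        if is_inside(p.src_ip) and not is_inside(p.dst_ip):      # outbound
            key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
            if p.flags == "S":                                     # new connection from inside
                self.table[key] = "SYN_SENT"
                return "allow"
            if key not in self.table:
                return "deny"
            if p.flags in ("F", "R"):
                self.table.pop(key)
            return "allow"
        # inbound: only packets belonging to state created by an outbound SYN
        key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        state = self.table.get(key)
        if state == "SYN_SENT" and p.flags == "SA":
            self.table[key] = "ESTABLISHED"
            return "allow"
        if state == "ESTABLISHED":
            if p.flags in ("F", "R"):
                self.table.pop(key)
            return "allow"
        return "deny"     # unsolicited inbound packet: no matching state


# Constructed trace: an FTP session in active mode, then an unrelated probe.
CLIENT, SERVER = "192.168.5.7", "203.0.113.10"
TRACE = [
    ("ftp control: client SYN",         TcpPacket(CLIENT, 1352, SERVER, 21, "S")),
    ("ftp control: server SYN/ACK",     TcpPacket(SERVER, 21, CLIENT, 1352, "SA")),
    ("ftp control: client ACK",         TcpPacket(CLIENT, 1352, SERVER, 21, "A")),
    ("active ftp data: server SYN",     TcpPacket(SERVER, 20, CLIENT, 1353, "S")),
    ("unsolicited telnet from outside", TcpPacket("203.0.113.66", 5555, CLIENT, 23, "S")),
]


def run(trace):
    """Feed the trace through a fresh filter; return (label, verdict) pairs."""
    f = StatefulFilter()
    return [(label, f.verdict(p)) for label, p in trace]


if __name__ == "__main__":
    for label, v in run(TRACE):
        print(f"{label:34} -> {v}")
```

The data connection is indistinguishable from the unsolicited probe to this filter: both are inbound SYNs with no state. Handling FTP needs an application-aware helper that reads the control channel and pre-creates the expected data-connection state, which is exactly the step from a stateful to an application-aware firewall.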
Comments
Solution for end-to-end encryption:
When encryption is used for confidentiality (often called a Virtual
Private Network), there are two general cases:
Encryption is performed by the firewall, i.e. it is the endpoint of the
VPN. The firewall can then understand and filter the actual protocol
used within the VPN and provide intelligent logging.
Encryption is performed by a host inside the firewall (end-to-end
encryption). The VPN becomes a point of entry for an attacker
that the firewall administrator cannot detect. Therefore, the VPN
endpoint inside the firewall must be VERY well configured and
monitored, and must use firewall mechanisms such as strong
authentication.
Conclusions
From the centralized, single-threaded conventional firewall
to the distributed, multi-threaded and much more
intelligent modern firewall, both safety and efficiency
have been enhanced by deploying different kinds
of techniques.
From the first generation of firewalls, focused on packet
filtering, and the second generation, focused on state,
the third generation has turned to application awareness,
including intrusion prevention systems that greatly
enhance security functionality.
References
[1] R. Bebawy, H. Sabry, S. El-Kassas, Y. Hanna and Y. Youssef, “Nedgty: Web
Services Firewall”, Proceedings of the IEEE International Conference on Web
Services (ICWS 2005), 11-15 July 2005.
[2] C. C. Zhang, M. Winslett and C. A. Gunter, “On the Safety and Efficiency of
Firewall Policy Deployment”, IEEE Symposium on Security and Privacy (SP '07),
20-23 May 2007, pp. 33-50.
[3] H. Hamed, A. El-Atawy and E. Al-Shaer, “Adaptive Statistical Optimization
Techniques for Firewall Packet Filtering”, 25th IEEE International Conference
on Computer Communications, April 2006, pp. 1-12.
[4] Introduction of Firewall Security,
http://www.secureworks.com/research/articles/firewall-security, 2007.
[5] C. Douligeris and D. N. Serpanos, “Network Security: Current Status and
Future Directions”, Institute of Electrical and Electronics Engineers, Inc., 2007.
[6] Firewall, http://en.wikipedia.org/wiki/Firewall, 2007.