Firewall in the Internet Security By Dou Wang, Ying Chen, Jiaying Shi School of Computer Science University of Windsor November 2007 Outline Introduction of Firewall Packet filtering Firewall policy management Firewall implementation Comments Conclusions Introduction What is firewall? Firewall is a collection of components interposed between two networks that filter traffic between them according to some security policy. [5] They are strategically placed between internal network and outside Internet network (e.g., the Internet service provider). It always appeared on the edge, which apart trusted networks from un-trusted networks. Introduction Introduction What is firewall management ? Basically, the management program configured in two ways: default-deny and default-allow policy. The former approach is by far more secure in security but usually many networks will deploy the latter approach due to the difficulty in configuration and limitation of certain knowledge. Introduction Introduction Firewalls can be divided into the following categories by working principle: Packet filtering firewall, it has a list of firewall security rules which are able to block traffic based on IP protocol, IP address and IP port number. Stateful firewall, it is more intelligent on keeping track of active connections. Because it employs state machines to maintain state associated with established protocol connections. Deep packet inspection firewall, it will actually examine the data in the packet. Application-aware firewall, which is similar to deep packet inspection firewall, and it understands certain protocols and could parse them, so that signatures or rules can be specially addressed in protocol. Introduction Introduction Firewalls also can be divided into the following categories by usage: Personal firewall, this generally refers to software runs on your workstation and acts as a packet filtering firewall. Distributed firewall, its security policy is defined centrally but enforced at each individual network endpoint. Policy distribution can take various forms. Layer 2 firewall (transparent bridge mode ) allows to be inserted without disrupting operation of network. This feature let it easy deployment and mitigate an ongoing attack. Introduction Introduction Additional services from firewall: Network Address Translation Split-horizon DNS Mitigating Host Fingerprinting Virtual Private Network Damage Mitigation Intrusion Prevention Systems (IPS) Host-subnet Quarantining Introduction Packet filtering In the paper: “Adaptive Statistical Optimization Techniques for Firewall Packet Filtering”, it discusses the packet filtering optimization in two aspects. The first aspect they propose an approximation algorithm that analyzes firewall policy rules off-line and generates different near-optimal solutions and constructs a set of rules that can reject the maximum number of unwanted packets as early as possible. The other aspect they propose using statistical search tree based on the matching-frequency of different field values in the policy, as calculated from the traffic. They present two tree structures: near-optimal cascade tree structure for single-threaded processing; parallel tree structure for network processor platforms. Packet filtering First part discusses the early traffic rejection. There are three algorithms comprise the main operations of the early rejection module. In Algorithm 1, builds up of the candidate rejection rule list out of different solutions to the set cover problem takes place. [3] Algorithm 2, periodically adds or moves rules according to the performance gain/loss of each rule. Algorithm 3 shows the per-packet operation of filtering and shows the location of early rejection relative to normal packet filtering, as well as the update of statistics required for early rejection. Packet filtering Second part discusses the statistic optimization. In statistical optimization part, the following steps involved: A. Locality of matching properties in firewall filtering B. Statistical matching tree C. Matching tree construction using alphabetic trees D. Policy matching algorithms using alphabetic trees E. Tree reconstruction and updates Firewall policy deployment The paper: “On the Safety and Efficiency of Firewall Policy Deployment” provides the first formal definition and theoretical analysis of safety in firewall policy deployment. As ample research is focus on tools for policy specification, correctness analysis and optimization, few has on firewall policy deployment. Firewall policy deployment A firewall controls traffic by examining the contents of network packets, which is why a firewall is also called a packet filtering device. Five packet fields are most commonly used for traffic filtering: protocol type, source IP address, source port, destination IP address, and destination port. In every packet, each of the five fields assumes a specific value, such as <TCP, 192.168.5.7, 1352, 10.1.1.1, 23>. Fields other than those in the 5-tuple, e.g., IP TOS (Type of Service) and TTL (Time to Live) values. Firewall policy deployment Table1: Results of Experiments of Firewall Policy Deployment [2] Firewall implementation The paper: “Nedgty: Web Services Firewall” introduce a open source web service firewall applying business specific rules in a centralized manner. It also secure web services against denial of services, buffer overflow and XML denial of services attacks. Write rules Interface Log Existing rules Parsed XML Parser Repository Rules Validation Unit Parsed XML Packet Queue Packet Payload SOAP packets Request verdict Valid SOAP Packet Forger Soap Filter Port 80 traffic Packet from Client IPTables Set Verdict Non-SOAP Packets SOAP Packet Server Comments We noticed that there are still some limitations or drawbacks in their firewall systems: The very first is those firewalls do very little, if anything, against the attack from the inside network. (e.g. there are attackers on the inside network, for example, a disgruntled employee) The second is firewall found relatively difficult to handle some protocols as they involved multiple and seemingly independent packet flows. Take FTP for example, a control connection is initiated by client to server, while data connections are initiated by server to client. The third is end-to-end encryption can be a threat to firewalls, because it prevents firewalls from looking at the packet fields, where filtering should be done. Comments Solution of end-to-end encryption: When encryption is used for confidentiality (often called Virtual Private Networks), there are two general cases: Encryption is performed by the firewall, i.e. it is the endpoint of a VPN. The firewall could understand and filter the actual protocol used within the VPN and provide intelligent logging. Encryption is performed by a host inside the firewall (End-to-End encryption). The VPN becomes a point of entry for an attacker that the Firewall administrator cannot detect. Therefore, the VPN end-point inside the firewall must be VERY well configured / monitored and use firewall mechanisms such as strong authentication. Conclusions From the centralized, single threaded convention firewall to become distributed and multi-threaded much intelligent modern firewall, the safety and efficiency have been both enhanced by deployed different kinds of techniques. From the first generation firewall focused on packet filtering and the second generation firewall on state, the third generation turned on application-aware, including intrusion prevention system that greatly enhance security functionality. Reference [1] Bebawy, R.; Sabry, H.; El-Kassas, S.; Hanna, Y.; Youssef, Y.; “Nedgty: Web Services Firewall”, Web Services, 2005. ICWS 2005. Proceedings. 2005 IEEE International Conference on 11-15 July 2005 [2] Zhang, Charles C.; Winslett, Marianne; Gunter, Carl A.; “On the Safety and Efficiency of Firewall Policy Deployment” Security and Privacy, 2007. SP '07. IEEE Symposium on 20-23 May 2007 Page(s):33 - 50 [3] Hamed, H.; El-Atawy, A.; Al-Shaer, E.; “Adaptive Statistical Optimization Techniques for Firewall Packet Filtering”, 25th IEEE International Conference on Computer Communications. April 2006 Page(s):1 – 12 [4] Introduction of Firewall security, http://www.secureworks.com/research/articles/firewall-security, 2007 [5] C.Douligeris and D.N. Serpanos, “Network Security: Current Status and Future Directions”, 2007 the Institute of Electrical and Electronics Engineers, Inc. [6] Firewall, http://en.wikipedia.org/wiki/Firewall, 2007 Reference ?