Presentation is loading. Please wait.

Presentation is loading. Please wait.

Implementing a Distributed Firewall

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Implementing a Distributed Firewall"— Presentation transcript:

1 Implementing a Distributed Firewall
Sotiris Ioannidis Angelos D. Keromytis Steve M. Bellovin Jonathan M. Smith Presented By Jim Michaud Paper based off of paper by Nov Steve Bellovin

2 Outline Intro to Security and Firewalls
Problems with Current Firewalls Distributed Firewall Concept Distributed Firewall Implementation Conclusions

3 *Dieter Gollman, Computer Security, p 9
Intro to Security Computer/Network Security - The prevention and detection of unauthorized actions by users of computer systems* But what does “unauthorized” mean? It depends on the system’s “security policy” Define “system” Define Security *Dieter Gollman, Computer Security, p 9

4 Security Policy A “security policy” defines the security rules of a system. Without a defined security policy, there is no way to know what access is allowed or disallowed An example policy: (simple) Allow all connections to the web server Deny all other access

5 Firewalls In most systems today, the firewall is the machine that implements the “security policy” for a system A firewall is typically placed at the edge of a system and acts as a filter for unauthorized traffic Filters tend to be simple: source and destination addresses, source and destination ports, or protocol (tcp, udp, icmp)

6 Firewall Example Here we have 4 competing companies.
They have installed firewalls to protect their secrets from their competitors. Only Web server access is allowed from external hosts

7 Firewall Drawbacks Firewalls can become a bottleneck
Certain protocols (FTP, Real-Audio) are difficult for firewalls to process Assumes inside users are “trusted” Multiple entry points make firewalls hard to manage Users can circumvent access methods, by adding a modem (etc) without administrator’s consent. End-to-end encryption Idea is to not have firewall read entire application header to figure out

8 Distributed Firewall Concept
Security policy is defined centrally Enforcement of policy is done by network endpoint(s)

9 Standard Firewall Example
Not worried about DMZ’s for now, since it creates bottleneck

10 Standard Firewall Example Connection to web server

11 Standard Firewall Example Connection to intranet
Would need a separate firewall to protect against this.

12 Distributed Firewall Example

13 Distributed Firewall Example to web server

14 Distributed Firewall Example to intranet

15 Distributed Firewall Implementation
Language to express policies and resolving requests (KeyNote system) Mechanisms to distribute security policies (web server) Mechanism that applies security policy to incoming packet (Policy daemon and kernel updates)

16 KeyNote A language to describe security policies (RFC 2704)
Fields in an “assertion”: KeyNote Version – Must be first field, if present Authorizer – Mandatory field, identifies the issuer of the assertion Comment Conditions – The conditions under which the Authorizer trusts the Licensee Licensees – Identifies the authorized, should be public key, but can be IP address Local-Constants – Similar to environment variable Signature – Must be last, if present All field names are case-insensitive Blank lines not permitted within an assertion

17 KeyNote Policies and Credentials
Policies and Credentials have same basic syntax Policies are “local” Credentials are “delegated” and MUST be signed

18 KeyNote Example 1 Licensee is public key of a machine, but doesn’t have to be Blank line ends Signature is a hash of everything up to the newline before the signature field Could have entire file of these

19 KeyNote Example 2 KeyNote-Version: 2 Authorizer: “rsa-hex:1023abcd” Licensee: “IP: ” Conditions: < 1024 && @local_port == 22 ) -> “true”; Signature: “rsa-sha1-hex:bee11984” IP can be used as identifier, This trusts validity of IP address Note that this credential delegates to an IP address,

20 Distributed Firewall Implementation
Not a complete solution, only a prototype Done on OpenBSD Filters done in kernel space Focused on TCP connections only connect and accept calls When a connect is issued, a “policy context” is created Policy contect is a container for

21 User Space This design was not chosen because of the difficulty in “forcing” an application to use the modified library For example, “telnetd”, “ftpd”

22 Policy Context Policy context contains all the information that the Policy Daemon will need to decide whether to allow or disallow a packet No limit to the kind of data that can be associated with the context For a connect, context will include ID of user that initiated the connection, the destination address and destination port. For an accept, context will include similar data to connect, except that the source address and source port are also included

23 Implementation Design

24 Policy Daemon User level process that makes all the decisions based on policies Initial policies are read from a file Current implementation allows changes to policies but changes only affect “new” connections A host that does not run this daemon is not part of the “distributed firewall” Uses /dev/policy device Daemon receives request by reading the kernel device The daemon processes the request using the keyNote library and a decision the accept or deny is reached The daemon then writes the reply back to the kernel

25 Policy Device /dev/policy – pseudo device driver
Communication path between the Policy Daemon and the “modified” kernel Supports standard operations: open, close, read, write, ioctl Independent of type of application If /dev/policy has not been opened, then no connection filtering is done

26 Example of Connection to a Distributed Firewall
local host security policy: KeyNote-Version: 2 Authorizer: “POLICY” Licensees: ADMINISTRATIVE_KEY Assumes an IPSEC SA between hosts

27 Example of Connection to a Distributed Firewall
Credential provided to local host during IKE exchange KeyNote-Version: 2 Authorizer: ADMINISTRATIVE_KEY Licensees: USER_KEY Conditions: (app_domain == "IPsec policy" && encryption_algorithm == "3DES" && local_address == " ") -> "true"; (app_domain == "Distributed Firewall" && @local_port == 23 && encrypted == "yes" && authenticated == "yes") -> "true"; Signature: ...

28 Example of Connection to a Distributed Firewall

29 Conclusions Distributed firewalls allows the network security policy to remain the control of the system administrators Insiders may no longer be unconditionally treated as “trusted” Does not completely eliminate the need for traditional firewalls More research is needed in this area to determine robustness, efficiency, and scalability DoS attacks are mitigated easier at the network ingress point Intrusion detection are more effective when complete traffic information is available Protect endhosts that do not support distributed firewalls. Failsafe

30 Future Work High quality administration tools NEED to exist for distributed firewalls to be accepted Allow per-packet scanning as opposed to per-connection scanning Policy updating and revocation Credential discovery Need to add a way to walk through the list of connection and re-apply the policy Use ioctl call Users need a way to discover what they might need to supply the system in order to connect (see a problem with this)

31 Questions

Download ppt "Implementing a Distributed Firewall"

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
Network Security. Reasons to attack Steal information Modify information Deny service (DoS)

Network Security. Reasons to attack Steal information Modify information Deny service (DoS)
H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.

H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Data Security in Local Networks using Distributed Firewalls

Data Security in Local Networks using Distributed Firewalls
Www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Beyond Security Noam Rathaus CTO Sunday, July 11, 2004 Presentation on.

Beyond Security Ltd. Port Knocking Beyond Security Noam Rathaus CTO Sunday, July 11, 2004 Presentation on.
An Analysis of Firewalls

An Analysis of Firewalls
Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.

Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
A Brief Taxonomy of Firewalls

A Brief Taxonomy of Firewalls
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

Similar presentations

Ads by Google