Review of

‘Implementing a Distributed Firewall’

by Ioannidis, Keromytis, Bellovin, and Smith

written by Anupam Garg

The paper presents the design and implementation of a distributed firewall that uses the KeyNote trust-management system to specify, distribute and resolve policy. A prototype implementation was built on OpenBSD.

To implement a distributed firewall, three components are needed.

First: a language for expressing the security policies and resolving requests. KeyNote has been chosen for this purpose, and the choice is justified with well-thought-out and precise reasons. However, KeyNote enforces monotonicity: adding a credential can only increase the compliance value of a request, never decrease it, so policies that need to revoke or deny cannot be expressed directly, which restricts the expressiveness of the policy language. Also, KeyNote trusts the validity of an IP address as an identifier. However, IP addresses are easily spoofed, thereby undermining the utility of the firewall. The authors have failed to address this issue.

Second: a mechanism to safely distribute security policies. The authors use IPsec and explain why they chose it.

Third: a mechanism that applies the security policies, i.e. the enforcement part. The implementation consists of kernel extensions, a user-level policy daemon, and a device driver used for two-way communication between the kernel and the policy daemon. The prototype covers TCP connections and works by modifying the connect and accept system calls. For every connection, the kernel asks the policy daemon for a decision and allows the connection only if the policy daemon authorizes it. The authors acknowledge the overheads involved and propose some schemes as part of future work. Still, I think the overheads will severely limit the granularity at which the distributed firewall can be applied. Also, for each connection the policy daemon tries to obtain the credentials that are needed to authorize the connection. This opens up the possibility of mounting a DoS attack both on the machines running the distributed firewall and on the servers that provide the credentials.
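To make the two points above concrete (the monotonicity of KeyNote-style policies, and the per-connection round trip from the kernel's connect/accept path to the policy daemon), here is an added example written for this review. It is not code from the paper and not the real KeyNote library: it is a deliberately simplified evaluator in which an assertion has an Authorizer, a list of Licensees and a Conditions predicate, compliance values are ordered ("false" < "true"), the result is the maximum over assertions rooted at POLICY with the minimum taken along each delegation chain, and a small PolicyDaemon class stands in for the user-level daemon. The credential cache, the fetch_demo lookup, and all principal names and connection attributes are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Ordered compliance values, lowest first (the real KeyNote lets the application define these).
COMPLIANCE = ["false", "true"]

def rank(v: str) -> int:
    return COMPLIANCE.index(v)

@dataclass
class Assertion:
    authorizer: str                                  # "POLICY" or a principal name standing in for a key
    licensees: List[str]                             # principals delegated to (any one suffices here)
    conditions: Callable[[Dict[str, str]], str]      # action attributes -> compliance value

def evaluate(assertions: List[Assertion], requester: str, attrs: Dict[str, str]) -> str:
    """Compliance value POLICY grants `requester` for the action described by `attrs`.
    max over assertions, min along delegation chains; an assertion whose conditions
    yield "false" simply contributes nothing, which is what makes the system monotonic."""
    def value_from(principal: str, seen: frozenset) -> str:
        best = "false"
        for a in assertions:
            if a.authorizer != principal:
                continue
            cond = a.conditions(attrs)
            if cond == "false":
                continue
            for lic in a.licensees:
                if lic == requester:
                    got = cond
                elif lic in seen:
                    continue                         # delegation cycle: ignore
                else:
                    got = min(cond, value_from(lic, seen | {lic}), key=rank)
                best = max(best, got, key=rank)
        return best
    return value_from("POLICY", frozenset({"POLICY"}))

def monotone_under_extension(base, extra, requester, cases) -> bool:
    """True when adding the assertions in `extra` never lowers the value for any case."""
    return all(rank(evaluate(base + extra, requester, c)) >= rank(evaluate(base, requester, c))
               for c in cases)

class PolicyDaemon:
    """Stand-in for the user-level daemon the kernel consults on every connect()/accept().
    `fetch` models the remote credential lookup; the cache is an assumed mitigation,
    added here to show how the per-connection lookup cost can be bounded."""
    def __init__(self, local_policy: List[Assertion], fetch: Callable[[str], List[Assertion]]):
        self.local_policy = local_policy
        self.fetch = fetch
        self.cache: Dict[str, List[Assertion]] = {}
        self.fetches = 0

    def decide(self, request: Dict) -> bool:
        principal = request["principal"]
        if principal not in self.cache:                # one lookup per principal, not per connection
            self.cache[principal] = self.fetch(principal)
            self.fetches += 1
        creds = self.local_policy + self.cache[principal]
        return evaluate(creds, principal, request["attrs"]) == "true"

# Constructed policy: the site policy trusts an administrator key for TCP connections;
# the administrator has issued host-A a credential for outbound port 22 only.
LOCAL_POLICY = [
    Assertion("POLICY", ["admin-key"],
              lambda a: "true" if a.get("app_domain") == "tcp-connect" else "false"),
]

def fetch_demo(principal: str) -> List[Assertion]:
    """Constructed credential source (what a repository or the peer itself would return)."""
    if principal == "host-A-key":
        return [Assertion("admin-key", ["host-A-key"],
                          lambda a: "true" if a.get("dst_port") == "22" else "false")]
    return []

def demo():
    """Returns (ssh allowed?, smtp allowed?, number of credential fetches performed)."""
    daemon = PolicyDaemon(LOCAL_POLICY, fetch_demo)
    ssh = {"principal": "host-A-key", "attrs": {"app_domain": "tcp-connect", "dst_port": "22"}}
    smtp = {"principal": "host-A-key", "attrs": {"app_domain": "tcp-connect", "dst_port": "25"}}
    return daemon.decide(ssh), daemon.decide(smtp), daemon.fetches

def deny_attempt_has_no_effect() -> bool:
    """A credential written to 'deny' port 22 changes nothing: monotonicity forbids negative credentials."""
    creds = LOCAL_POLICY + fetch_demo("host-A-key")
    deny = [Assertion("admin-key", ["host-A-key"], lambda a: "false")]
    cases = [{"app_domain": "tcp-connect", "dst_port": p} for p in ("22", "25")]
    unchanged = all(evaluate(creds + deny, "host-A-key", c) == evaluate(creds, "host-A-key", c)
                    for c in cases)
    return unchanged and monotone_under_extension(creds, deny, "host-A-key", cases)

if __name__ == "__main__":
    print(demo())                                      # (True, False, 1)
    print(deny_attempt_has_no_effect())                # True
```

The only way to stop host-A from reaching port 22 in this model is to remove or let expire the credential that grants it, which is exactly the revocation problem monotonicity pushes onto credential lifetimes. The fetch counter shows why caching matters for the overhead and DoS concerns: without the cache, every connect() would trigger a credential lookup.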

The paper compares traditional firewalls with the distributed firewall. The authors recognize some shortcomings of the distributed firewall. However, in my opinion the authors fail to recognize many shortcomings. A traditional firewall creates two domains, one trusted and the other not trusted; a distributed firewall cannot replicate this behavior. The authors also point out that it is easy to establish backdoor access that bypasses a traditional firewall. However, in a distributed firewall the security of a machine lies with the local administrator, who normally is not as capable as the network administrator. Since the credentials are stored on, and mostly associated with, a machine, they can be stolen by compromising that machine. As such, a distributed firewall makes it easier to create backdoor entries, especially by compromising systems.