A Physical Manifestation of Your Security Policy

CHAPTER 1

A firewall is system or group of system (router, proxy, gateway…) that implements a set of security rules to enforce access control between two networks to protect “inside” network from “outside network.It may be a hardware device or a software program running on a secure host computer. In either case, it must have at least two network interfaces, one for the network it is intended to protect, and one for the network it is exposed to. A firewall sits at the junction point or gateway between the two networks, usually a private network and a public network such as the Internet.

Hardware Firewall: Computer with Firewall Software:
Hardware firewall providing protection to Computer running firewall software toprovide a Local Network protection

A Firewall is…

A physical manifestation of your security policy.

One component of overall security architecture.

 A mechanism for limiting access by network elements and protocols.

A Firewall is not…

A cure-all for security shortcomings on platforms or in applications.

A complete security architecture.

Something that should be configured “on-the-fly”.

Effective protection against viruses (typically).

Conventional firewalls rely on the notions of restricted topology and control entry points to function. More precisely, they rely on the assumption that everyone on one side of the entry point--the firewall--is to be trusted, and that anyone on the other side is, at least potentially, an enemy.

Distributed firewalls are host-resident security software applications that protect the enterprise network's servers and end-user machines against unwanted intrusion. They offer the advantage of filtering traffic from both the Internet and the internal network. This enables them to prevent hacking attacks that originate from both the Internet and the internal network. This is important because the most costly and destructive attacks still originate from within the organization.

They are like personal firewalls except they offer several important advantages like central management, logging, and in some cases, access-control granularity. These features are necessary to implement corporate security policies in larger enterprises. Policies can be defined and pushed out on an enterprise-wide basis.

A feature of distributed firewalls is centralized management. The ability to populate servers and end-users machines, to configure and "push out" consistent security policies helps to maximize limited resources. The ability to gather reports and maintain updates centrally makes distributed security practical. Distributed firewalls help in two ways. Remote end-user machines can be secured. Secondly, they secure critical servers on the network preventing intrusion by malicious code and "jailing" other such code by not letting the protected server be used as a launch pad for expanded attacks.

Usually deployed behind the traditional firewall, they provide a second layer of defense. They work by enabling only essential traffic into the machine they protect, prohibiting other types of traffic to prevent unwanted intrusions. Whereas the perimeter firewall must take a generalist, common denominator approach to protecting servers on the network, distributed firewalls act as specialists.

CHAPTER 2

Some problems with the conventional firewalls that lead to Distributed firewalls are as follows.

Due to the increasing line speeds and the more computation intensive protocols that a firewall must support; firewalls tend to become congestion points. This gap between processing and networking speeds is likely to increase, at least for the foreseeable future; while computers (and hence firewalls) are getting faster, the combination of more complex protocols and the tremendous increase in the amount of data that must be passed through the firewall has been and likely will continue to outpace Moore’s Law .

There exist protocols, and new protocols are designed, that are difficult to process at the firewall, because the latter lacks certain knowledge that is readily available at the endpoints. FTP and RealAudio are two such protocols. Although there exist application-level proxies that handle such protocols, such solutions are viewed as architecturally “unclean” and in some cases too invasive.

Likewise, because of the dependence on the network topology, a PF can only enforce a policy on traffic that traverses it. Thus, traffic exchanged among nodes in the protected network cannot be controlled. This gives an attacker that is already an insider or can somehow bypass the firewall complete freedom to act.

Worse yet, it has become trivial for anyone to establish a new, unauthorized entry point to the network without the administrator’s knowledge and consent. Various forms of tunnels, wireless, and dial-up access methods allow individuals to establish backdoor access that bypasses all the security mechanisms provided by traditional firewalls. While firewalls are in general not intended to guard against misbehavior by insiders, there is a tension between internal needs for more connectivity and the difficulty of satisfying such needs with a centralized firewall.

IPsec is a protocol suite, recently standardized by the IETF, which provides network-layer security services such as packet confidentiality, authentication, data integrity, replay protection, and automated key management.

This is an artifact of firewall deployment: internal traffic that is not seen by the firewall cannot be filtered; as a result, internal users can mount attacks on other users and networks without the firewall being able to intervene.

Large networks today tend to have a large number of entry points (for performance, failover, and other reasons). Furthermore, many sites employ internal firewalls to provide some form of compartmentalization. This makes administration particularly difficult, both from a practical point of view and with regard to policy consistency, since no unified and comprehensive management mechanism exists.

End-to-end encryption can also be a threat to firewalls, as it prevents them from looking at the packet fields necessary to do filtering. Allowing end-to-end encryption through a firewall implies considerable trust to the users on behalf of the administrators.

Finally, there is an increasing need for finer-grained access control which standard firewalls cannot readily accommodate without greatly increasing their complexity and processing requirements.

CHAPTER 3

Distributed firewalls are host-resident security software applications that protect the enterprise network's critical endpoints against unwanted intrusion that is, its servers and end-user machines. In this concept, the security policy is defined centrally and the enforcement of the policy takes place at each endpoint (hosts, routers, etc). Usually deployed behind the traditional firewall, they provide a second layer of protection.

Since all the hosts on the inside are trusted equally, if any of these machines are subverted, they can be used to launch attacks to other hosts, especially to trusted hosts for protocols like rlogin. Thus there is a faithful effort from the industry security organizations to move towards a system which has all the aspects of a desktop firewall but with centralized management like Distributed Firewalls.

Distributed, host-resident firewalls prevent the hacking of both the PC and its use as an entry point into the enterprise network. A compromised PC can make the whole network vulnerable to attacks. The hacker can penetrate the enterprise network uncontested and steal or corrupt corporate assets.

Distributed firewalls are often kernel-mode applications that sit at the bottom of the OSI stack in the operating system. They filter all traffic regardless of its origin -- the Internet or the internal network. They treat both the Internet and the internal network as "unfriendly". They guard the individual machine in the same way that the perimeter firewall guards the overall network.

Distributed firewalls rest on three notions:

a)A policy language that states what sort of connections are permitted or prohibited,

b)Any of a number of systemmanagement tools, such as Microsoft's SMS or ASD, and

c)IPSEC, the network-level encryption mechanism for TCP/IP.

The basic idea is simple. A compiler translates the policy language into some internal format. The system management software distributes this policy file to all hosts that are protected by the firewall. And incoming packets are accepted or rejected by each "inside" host, according to both the policy and the cryptographically-verified identity of each sender.

CHAPTER 4

One of the most often used term in case of network security and in particular distributed firewall is policy. It is essential to know about policies. A “security policy” defines the security rules of a system. Without a defined security policy, there is no way to know what access is allowed or disallowed.

A simple example for a firewall is

Allow all connections to the web server.
Deny all other access.

The distribution of the policy can be different and varies with the implementation. It can be either directly pushed to end systems, or pulled when necessary.

The hosts while booting up pings to the central management server to check whether the central management server is up and active. It registers with the central management server and requests for its policies which it should implement. The central management server provides the host with its security policies.

For example, a license server or a security clearance server can be asked if a certain communication should be permitted. A conventional firewall could do the same, but it lacks important knowledge about the context of the request. End systems may know things like which files are involved, and what their security levels might be. Such information could be carried over a network protocol, but only by adding complexity.

The push technique is employed when the policies are updated at the central management side by the network administrator and the hosts have to be updated immediately. This push technology ensures that the hosts always have the updated policies at anytime.

The policy language defines which inbound and outbound connections on any component of the network policy domain are allowed, and can affect policy decisions on any layer of the network, being it at rejecting or passing certain packets or enforcing policies at the application layer.

Many possible policy languages can be used, including file-oriented schemes similar to Firmato, the GUIs that are found on most modern commercial firewalls, and general policy languages such as KeyNote. The exact nature is not crucial, though clearly the language must be powerful enough to express the desired policy. A sample is shown in Figure1.

inside_net=x509{name="*.example.com"};
mail_gw=x509{name="mailgw.example.com"};
time_server=IPv4{10.1.2.3};
allowsmtp(*,mail_gw);
allowsmtp(mail_gw,inside_net);
allowntp(time_server, inside_net);
allow*(inside_net,*);
Figure 1: A sample policy configuration file. SMTP from the outside can only reach the machine with a certificate identifying it as the mail gateway; it, in turn, can speak SMTP to all inside machines. NTP--a low-risk protocol that has its own application- level protection--can be distributed from a given IP address to all inside machines. Finally, all outgoing calls are permitted.

CHAPTER 5

What is important is how the inside hosts are identified. Today's firewalls rely on topology; thus, network interfaces are designated "inside", "outside", "DMZ", etc. We abandon this notion, since distributed firewalls are independent of topology.

A second common host designator is IP address. That is, a specified IP address may be fully trusted, able to receive incoming mail from the Internet, etc. Distributed firewalls can use IP addresses for host identification, though with a reduced level of security.

Our preferred identifier is the name in the cryptographic certificate used with IPSEC. Certificates can be a very reliable unique identifier. They are independent of topology; furthermore, ownership of a certificate is not easily spoofed. If a machine is granted certain privileges based on its certificate, those privileges can apply regardless of where the machine is located physically.

CHAPTER 6

* A central management system for designing the policies.

* A transmission system to transmit these polices.

* Implementation of the designed policies in the client end.

Central Management, a component of distributed firewalls, makes it practical to secure enterprise-wide servers, desktops, laptops, and workstations. Central management provides greater control and efficiency and it decreases the maintenance costs of managing global security installations. This feature addresses the need to maximize network security resources by enabling policies to be centrally configured, deployed, monitored, and updated. From a single workstation, distributed firewalls can be scanned to understand the current operating policy and to determine if updating is required.

Thepolicy distribution scheme should guarantee the integrity of the policy during transfer. The distribution of the policy can be different and varies with the implementation. It can be either directly pushed to end systems, or pulled when necessary.

The security policies transmitted from the central management server have to be implemented by the host. The host end part of the Distributed Firewall does provide any administrative control for the network administrator to control the implementation of policies. The host allows traffic based on the security rules it has implemented.

CHAPTER 7

The distributed firewall, of the type described in 7.2, uses a central policy, but pushes enforcement towards the edges. That is, the policy defines what connectivity, inbound and outbound, is permitted; this policy is distributed to all endpoints, which enforce it.

To implement a distributed firewall, we need a security policy language that can describe which connections are acceptable, an authentication mechanism, and a policy distribution scheme. As a policy specification language, we use the KeyNote trust-management system, further described in Section 7.1.As an authentication mechanism, we decided to use IPsec for traffic protection and user/host authentication. When it comes to policy distribution, we have a number of choices:

We can distribute the KeyNote (or other) credentials to the various end users. The users can then deliver their credentials to the end hosts through the IKE protocol. The users do not have to be online for the policy update; rather, they can periodically retrieve the credentials from a repository (web server). Since the credentials are signed and can be transmitted over an insecure connection, users could retrieve their new credentials even when the old ones have expired.

The credentials can be pushed directly to the end hosts, where they would be immediately available to the policy verifier. Since every host would need a large number, if not all, of the credentials for every user, the storage and transmission bandwidth requirements are higher than in the previous case.

The credentials can be placed in a repository where they can be fetched as needed by the hosts. This requires constant availability of the repository, and may impose some delays in the resolution of request (such as a TCP connection establishment).

While the first case is probably the most attractive from an engineeringpoint of view. Furthermore, some IPsec implementations do not support connection-grained security. Finally, since IPsec is not (yet) in wide use, it is desirable to allow for a policy-based filtering that does not depend on IPsec. Thus, it is necessary to provide a policy resolution mechanism that takes into consideration the connection parameters, the local policies, and any available credentials, and determines whether the connection should be allowed.

Trust Management is a relatively new approach to solving the authorization and security policy problem. Making use of public key cryptography for authentication, trust management dispenses with unique names as an indirect means for performing access control. Instead, it uses a direct binding between a public key and a set of authorizations, as represented by a safe programming language. This results in an inherently decentralized authorization system with sufficient expressibility to guarantee flexibility in the face of novel authorization scenarios.

Figure 1: Application Interactions with KeyNote. The Requester is typically a user that authenticates through some application-dependent protocol, and optionally provides credentials. The Verifier needs to determine whether the Requester is allowed to perform the requested action. It is responsible for providing to KeyNote all the necessary information, the local policy, and any credentials. It is also responsible for acting upon KeyNote’s response.

One instance of a trust-management system is KeyNote. KeyNote provides a simple notation for specifying both local security policies and credentials that can be sent over an untrusted network. Policies and credentials contain predicates that describe the trusted actions permitted by the holders of specific public keys (otherwise known as principals). Signed

Credentials, which serve the role of “certificates,” have the same syntax as policy assertions, but are also signed by the entity delegating the trust

Applications communicate with a “KeyNote evaluator” that interpretsKeyNote assertions and returns results to applications, as shown in Figure 1. However, different hosts and environments may provide a variety of interfaces to the KeyNote evaluator (library, UNIX daemon, kernel service, etc.).

A KeyNote evaluator accepts as input a set of local policy and credential assertions, and a set of attributes, called an “action environment,” that describes a proposed trusted action associated with a set of public keys (the requesting principals). The KeyNote evaluator determines whether proposed actions are consistent with local policy by applying the assertion predicates to the action environment. The KeyNote evaluator can return values other than simply true and false, depending on the application and the action environment definition.