2. OUTLINE
Security Issues
Firewalls
Distributed Firewalls
Architectural similarities of NES, ADF & EFW
Stateful Clustered Security Gateway (CSG) Distributed Firewalls
Components of the Stateful CSG
IPsec
Benefits and Drawbacks of Stateful CSG
Conclusion
References
3. Security Issues
Some security issues affecting LANs are:
Eavesdropping
Denial of service (DoS)
Repudiation
Spoofing
Network device vulnerabilities:
  No support for update patches
  Delay in release of update patches
  User reluctance to install update patches
(Stallings, 1999)
4. Firewalls
A firewall is a network security system that monitors inbound and outbound packets and accepts or rejects them according to a security policy.
Because all traffic between the protected network and the outside passes through it, it is a natural place to monitor security-related events such as audit logs and alarms.
It can serve as a platform for building a VPN using IPsec.
(Davis, 1995)
Some of the techniques a firewall uses to control access and enforce the security policy are:
Service control: which services may be accessed, inbound or outbound (typically decided on IP address, protocol and port number).
Direction control: the direction in which a request for a given service may be initiated and allowed to flow through the firewall.
Behavior control: how a particular service is used (for example, filtering e-mail to eliminate spam).
5. Drawbacks of Firewalls
It relies on a restricted network topology in which all traffic passes through a single choke point.
It assumes inside users are trusted, so it does not protect the network from internal attacks, and it is bypassed entirely by hosts with their own dial-out (or other unfiltered) connectivity.
Certain protocols are difficult to handle (FTP, RealAudio and other protocols that negotiate extra connections dynamically).
It does not protect against the transfer of virus-infected programs or files.
The single point of access is a bottleneck and a single point of failure, which makes the firewall hard to scale and manage.
(Davis, 1995)
6. Distributed Firewalls
A distributed firewall enforces a centrally managed security policy at the endpoints themselves: the policy is defined centrally, distributed to every host, and enforced on each host, so the network no longer depends on a single choke point.
The design of a distributed firewall rests on three elements:
A policy language, such as KeyNote (or Firmato), for defining the security policy in a form that hosts can evaluate.
A distribution mechanism (e.g. a web server or a system-management tool) that pushes the policy to the endpoints.
IPsec, which provides network-level authentication of hosts and encryption of traffic, so that policy decisions can be tied to cryptographically verified identities rather than to IP addresses alone.
Examples of distributed firewalls:
Network Edge Security (NES)
Distributed Embedded Firewall (EFW)
Autonomic Distributed Firewall (ADF)
Stateful Clustered Security Gateway (Stateful CSG)
(Ramsurrun and Soyjaudah, 2009)
7. Architectural similarities of NES, ADF & EFW
All three are intended to be tamper resistant: the firewall is implemented on the host's network interface card (NIC) and is independent of the host operating system.
The NIC stores the packet-filtering rules and cryptographic variables, performs the filtering, and runs the subsystem management.
They use the 3Com 3CR990 family of NICs.
They are managed by a central, protected policy server.
They protect against IP spoofing by the host, since the host OS cannot access or alter the NIC's filtering.
Audit reports are sent to the audit manager on the policy server whenever a firewall policy violation occurs.
(Meredith, 2003)
8. Drawbacks of NES, ADF & EFW
A large amount of network traffic is generated by the high rate of audit messages.
Because of the limited processing power and memory on the NIC, its packet-filtering capability is limited, and the NIC can be overloaded by network traffic even with small firewall rulesets.
Convergence time is high, since every end-user host must be updated whenever the policy changes.
(Ramsurrun and Soyjaudah, 2009)
9. Stateful Clustered Security Gateway (CSG) Distributed Firewalls
This architecture consists of multiple firewall nodes working actively in parallel to filter both internal and external network traffic.
(Ramsurrun and Soyjaudah, 2009)
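The stateful filtering that the CSG nodes perform, together with the service control and direction control listed under Firewalls above, as an added example that is not code from the cited papers. The LAN prefix, the policy table and the packet trace are constructed for the demonstration; a third direction, "lan", is included because a distributed firewall also polices traffic between two inside hosts, which a single perimeter firewall never sees.

```python
# Added example (not code from the cited papers): a minimal stateful packet
# filter showing service control, direction control and connection tracking.
# Addresses, ports and the policy table are constructed for the demonstration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN (no ACK): a new connection attempt


LAN_PREFIX = "10.0.0."  # constructed: the protected LAN is 10.0.0.0/24

# Service control: which (protocol, port) services are permitted.
# Direction control: "out" = initiated from the LAN to outside, "in" = initiated
# from outside into the LAN, "lan" = between two LAN hosts.
POLICY = {
    ("tcp", 80, "out"): "ACCEPT",
    ("tcp", 443, "out"): "ACCEPT",
    ("udp", 53, "out"): "ACCEPT",
    ("tcp", 22, "in"): "ACCEPT",    # constructed: admin SSH into the LAN
    ("tcp", 80, "lan"): "ACCEPT",
    ("tcp", 445, "lan"): "DROP",    # constructed: no SMB lateral movement
}


class StatefulFilter:
    def __init__(self, policy=POLICY, lan_prefix=LAN_PREFIX):
        self.policy = policy
        self.lan_prefix = lan_prefix
        self.conns = set()          # established flows as 5-tuples

    def _in_lan(self, ip):
        return ip.startswith(self.lan_prefix)

    def _direction(self, pkt):
        s, d = self._in_lan(pkt.src), self._in_lan(pkt.dst)
        if s and d:
            return "lan"
        if s:
            return "out"
        if d:
            return "in"
        return None                 # transit traffic: not ours to forward

    def filter(self, pkt):
        """Return "ACCEPT" or "DROP" for one packet, updating the state table."""
        # Stateful check first: a packet that reverses a tracked flow is a reply
        # and is accepted without consulting the static policy.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return "ACCEPT"
        # A TCP segment that is not a SYN and matches no flow is stray or spoofed.
        if pkt.proto == "tcp" and not pkt.syn:
            return "DROP"
        direction = self._direction(pkt)
        if direction is None:
            return "DROP"
        verdict = self.policy.get((pkt.proto, pkt.dport, direction), "DROP")
        if verdict == "ACCEPT":
            self.conns.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


def run_trace():
    """Run a constructed packet trace through the filter; returns the verdicts."""
    fw = StatefulFilter()
    trace = [
        Packet("10.0.0.5", "203.0.113.7", "tcp", 40000, 443, syn=True),  # LAN -> web
        Packet("203.0.113.7", "10.0.0.5", "tcp", 443, 40000),            # reply
        Packet("203.0.113.7", "10.0.0.5", "tcp", 443, 40001, syn=True),  # unsolicited
        Packet("203.0.113.7", "10.0.0.5", "tcp", 443, 40002),            # stray, no state
        Packet("198.51.100.9", "10.0.0.10", "tcp", 5000, 22, syn=True),  # admin SSH in
        Packet("10.0.0.5", "203.0.113.7", "tcp", 40003, 23, syn=True),   # telnet out
        Packet("10.0.0.5", "10.0.0.20", "tcp", 40004, 445, syn=True),    # SMB inside LAN
        Packet("10.0.0.5", "192.0.2.53", "udp", 50000, 53),              # DNS query out
        Packet("192.0.2.53", "10.0.0.5", "udp", 53, 50000),              # DNS answer
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_trace():
        print(verdict)
```

The state table is what lets the filter accept the web and DNS replies without a rule for inbound port 443 or 53, while the unsolicited SYN and the stray non-SYN segment to the same host are dropped; the "lan" entries show the insider case that a perimeter-only firewall cannot express.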
10. Components of the Stateful CSG
Policy Distributor: receives and reads the update files created by the administrator and distributes them, over TCP, to the IP addresses of the specified CSMs.
CSM: receives and reads the update files through its csm_updatehandler() function and reconstructs them to check that they are error free, then sends the firewall update to each CSG firewall node over a unicast TCP connection.
While the update files are in transit, both the data and the network path are protected by IPsec.
(Ramsurrun and Soyjaudah, 2009)
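The update path described above, as an added example that is not the CSG authors' code: a Policy Distributor builds a policy update file, and a CSM-side update handler verifies it, parses it, rebuilds the ruleset and returns an error report instead of a ruleset when the file is corrupted or malformed. The file format (JSON body plus an HMAC-SHA256 tag), the shared key, the rule fields and all names here are assumptions; the in-process push_to_nodes stands in for the unicast TCP push to the firewall nodes, and the tag stands in for the integrity protection IPsec would give the bytes on the wire.

```python
# Added example (not the CSG authors' code): a Policy Distributor builds a
# policy update file and a CSM-side update handler verifies and reconstructs
# it, rejecting corrupted or malformed files with an error report. The file
# format, the HMAC key and every name here are assumptions.
import hashlib
import hmac
import ipaddress
import json

SHARED_KEY = b"constructed-demo-key"   # constructed; never hard-code a real key

VALID_ACTIONS = {"accept", "drop"}
VALID_PROTOS = {"tcp", "udp"}


def build_update(version, rules, key=SHARED_KEY):
    """Policy Distributor side: serialise the ruleset and append an HMAC tag."""
    body = json.dumps({"version": version, "rules": rules}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def _check_rule(rule):
    """Return None if the rule is well formed, else a description of the fault."""
    for field in ("action", "proto", "src", "dst", "dport"):
        if field not in rule:
            return f"missing field {field!r}"
    if rule["action"] not in VALID_ACTIONS:
        return f"bad action {rule['action']!r}"
    if rule["proto"] not in VALID_PROTOS:
        return f"bad proto {rule['proto']!r}"
    for field in ("src", "dst"):
        try:
            ipaddress.ip_network(rule[field], strict=False)
        except ValueError:
            return f"bad network in {field!r}: {rule[field]!r}"
    if not isinstance(rule["dport"], int) or not 0 <= rule["dport"] <= 65535:
        return f"bad dport {rule['dport']!r}"
    return None


def csm_update_handler(blob, key=SHARED_KEY):
    """CSM side: verify the tag, parse the file and rebuild the ruleset.
    Returns ("ok", ruleset) or ("error", report); the report is what the CSM
    would send back to the administrator."""
    body, sep, tag = blob.rpartition(b"\n")
    if not sep:
        return ("error", "malformed update: no integrity tag")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return ("error", "integrity check failed: update file modified or corrupted")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return ("error", f"cannot parse update: {exc}")
    if not isinstance(doc.get("version"), int) or not isinstance(doc.get("rules"), list):
        return ("error", "malformed update: version or rules missing")
    ruleset = []
    for i, rule in enumerate(doc["rules"]):
        fault = _check_rule(rule)
        if fault:
            return ("error", f"rule {i}: {fault}")
        ruleset.append((rule["action"], rule["proto"], rule["src"], rule["dst"], rule["dport"]))
    return ("ok", {"version": doc["version"], "rules": ruleset})


def push_to_nodes(update, nodes):
    """Stand-in for the CSM's unicast TCP push: a file that fails the CSM's
    checks never reaches a node; otherwise each node receives the new version."""
    status, result = csm_update_handler(update)
    if status != "ok":
        return {}
    return {node: result["version"] for node in nodes}


def demo():
    """Constructed scenario: a good update, a corrupted copy, and a bad rule."""
    rules = [
        {"action": "accept", "proto": "tcp", "src": "10.0.0.0/24", "dst": "0.0.0.0/0", "dport": 443},
        {"action": "drop", "proto": "tcp", "src": "10.0.0.0/24", "dst": "10.0.0.0/24", "dport": 445},
    ]
    good = build_update(7, rules)
    corrupted = bytearray(good)
    corrupted[10] ^= 0x01                       # one bit flipped in transit
    bad_rule = build_update(8, [dict(rules[0], dport=70000)])
    return {
        "good": csm_update_handler(good),
        "corrupted": csm_update_handler(bytes(corrupted)),
        "bad_rule": csm_update_handler(bad_rule),
        "nodes": push_to_nodes(good, ["fw-node-1", "fw-node-2"]),
    }
```

The integrity check runs before the parser so that a corrupted or tampered file is rejected without ever being interpreted; a file that is intact but contains an invalid rule is still refused as a whole, so the firewall nodes never receive a partially valid policy.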
11. IPsec
IPsec is a protocol suite that operates at the IP layer, so it can cryptographically protect packets of any upper-layer protocol without modification to the applications that send and receive them (Alshamsi and Saito, 2005).
In Stateful CSG, IPsec protects the distribution of firewall policies from the Policy Distributor to the CSMs, and secures the error reports and logs that the CSMs send to the network administrator when a policy update file contains errors.
(Ramsurrun and Soyjaudah, 2009)
12. Benefits of Stateful CSG
When the CSG distributed firewall system is successfully implemented, the following attacks are addressed:
Insider attacks
IP and MAC address spoofing
Packet sniffing
Denial of service
In addition to the threats addressed by Stateful CSG, the advantages of implementing it over the other distributed firewall schemes are summarized in Table 1.
(Ramsurrun and Soyjaudah, 2009)
14. Drawback of Stateful CSG
It is a capital-intensive approach to implement, because of its hardware-based architecture.
15. Conclusion
In this presentation, the security issues affecting LANs were reviewed, along with how these threats are addressed by implementing a distributed firewall scheme.
Different distributed firewall schemes were analysed and compared; we then highlighted a particular scheme (Stateful CSG), how it is implemented to secure LANs, and its benefits.
The implementation of a load-balancing NIC to protect against tampering with the load-balancing rules by malicious end-user hosts.
16. References
Alshamsi, A. and Saito, T. (2005). A technical comparison of IPSec and SSL. In: Proceedings of the 19th International Conference on Advanced Information Networking and Applications (AINA 2005), Vol. 2, pp. 395-398. IEEE.
Davis, C. (1995). Firewall Consortium. Network Security, 1995(9), p. 9.
Kahate, A. (2003). Cryptography and Network Security. New Delhi: Tata McGraw-Hill.
Markham, T. and Payne, C. (2001). Security at the network edge: a distributed firewall architecture. In: DARPA Information Survivability Conference and Exposition II (DISCEX'01), Vol. 1, pp. 279-286. IEEE.
Meredith, L.M. (2003). A summary of the autonomic distributed firewalls (ADF) project. In: DARPA Information Survivability Conference and Exposition, 2003. Proceedings, Vol. 2, pp. 260-265. IEEE.
Payne, C. and Markham, T. (2001). Architecture and applications for a distributed embedded firewall. In: 17th Annual Computer Security Applications Conference (ACSAC 2001), pp. 329-336. IEEE.
Ramsurrun, V. and Soyjaudah, K.M.S. (2009). A stateful CSG-based distributed firewall architecture for robust distributed security. In: First International Communication Systems and Networks and Workshops (COMSNETS 2009), pp. 1-10. IEEE.
Slideshare.net (2016). Rationalization and Defense in Depth - Two Steps Closer to the Clouds. [online] Available at: http://www.slideshare.net/OTNArchbeat/rationalization-and-defense-in-depth-two-steps-closer-to-the-clouds [Accessed 13 Jan. 2016].
Stallings, W. (1999). Cryptography and Network Security. Upper Saddle River, NJ: Prentice Hall.