
Design of a High-Performance ATM Firewall

Written by Jun Xu and Mukesh Singhal

Presented by Yiting Nan

March 27, 2000

CS 551/651 SOFTWARE SECURITY


Index

• Motivation

• Existing approaches

• QoF logical design

• QoF physical design


Firewall

• Definition: A network firewall is a device that controls communications across the boundary between a trusted and an untrusted network.

• Purpose: To control access by denying unauthorized communications. It also provides a single point where security and auditing can be imposed.

• Where to put it: Firewalls typically operate at the IP, TCP, and/or application layer of the OSI reference model.


ATM and Traditional Network

• ATM
  – Switched virtual connections
  – Fixed-length cells

• Traditional network
  – Connectionless
  – Shared medium
  – Variable-length packets
  – Broadcast network


Motivation

• Packet filtering needs to terminate an end-to-end ATM connection in the middle in order to extract IP packets for inspection: high SAR* overhead.

• Filtering bandwidth is below 100 Mbps, much less than the ATM rates of OC-3c and OC-12c**.

* SAR: Segmentation and Reassembly.

** OC-3c: 155 Mbps, OC-12c: 622 Mbps


Packet-level filtering is indispensable

• ATM Forum position: avoid packet filtering, exert discretion at connection establishment time.
  – No way to check the contents after the connection is established.

• Request an SVC* whenever a new service starts.
  – Considerable change to the whole TCP/IP stack and existing applications.
  – SVC explosion: a new SVC for each transport-layer flow.

• Apply cryptographic measures end-to-end.
  – Authentication and encryption do not automatically ensure proper access control.
  – Need to inspect content after the connection is established.
  – Need to connect between untrusted parties.

* SVC: Switched virtual connection


Existing approaches - ATLAS

A line filter that scans an ATM physical link to perform packet-level filtering at OC-3c.

• To avoid SAR, for each packet it checks only the first cell: pass or fail!

• Uses a policy cache architecture to speed up filtering. The core unit is the policy cache (a CAM). On a cache hit, the packet's cells are forwarded. Otherwise the first cell goes through a software-screening process while the other cells are buffered in a queue.


Limitations and drawbacks of ATLAS

• Does not accept IP packets with IP option fields

• CAM is not scalable.

• Not friendly for management and administration.


Quality of Firewall (QoF)

Applies security measures of different strength to traffic with different risk levels in order to achieve a good tradeoff between performance and security.

Four classes (a higher QoF is applied to the more dangerous connections):

A (safest)   B   C   D (most dangerous)


[Figure: logical design of the ATM firewall. Blocks: Call Screening, Proxy, Traffic Monitoring, Packet Filtering, Firewall Management. Labelled flows: VC-specific TCP/IP rules (to two services), VC-specific proxy option, unsafe packets / traffic profile (from three services), invalid calls / signaling profile, call screening rules / management commands; connection classes D, B, C.]

Logical design of ATM firewall


Call-Screening Service

Call-screening rules include:

1. Source identity

2. Destination identity

3. Authentication information

4. QoF of the new connection to be established

5. Information needed for packet-level inspection


Packet-Filtering Service

• Filters the first (or first two) cell(s) only.

• A layer-4 route cache architecture: a forwarding decision is made not only on the basis of the destination address, but also on the source address, port numbers, protocol, and possibly some other fields.

• Last Cell Hostage (LCH)

All cells of a packet except the last one are forwarded immediately; the last cell is held "hostage" until the software inspection is finished.
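The three mechanisms on this slide fit together as a small simulation, added here as an example and not taken from the paper or the slides. It segments constructed IPv4/TCP packets into AAL5 cells (LLC/SNAP encapsulation, so the IP and TCP headers fill the first cell exactly), derives a layer-4 key from the first cell only, consults a flow cache, and applies LCH on a miss: the non-last cells pass while a software rule walk decides, and the last cell is released only if the decision is "forward". The policy, addresses, rule format and the reading of LCH (last cell held, as the name says) are my assumptions; HEC and checksums are left zero.

```python
import struct

PAYLOAD = 48
# LLC/SNAP header for IPv4 over AAL5 (RFC 2684). With this 8-byte prefix, a
# 20-byte IPv4 header plus a 20-byte TCP header fill the first cell exactly,
# which is why the first cell alone suffices for a layer-4 decision.
LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")


def build_ipv4_tcp(src, dst, sport, dport, body=b""):
    """Constructed IPv4/TCP packet without options; checksums are left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(body), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip + tcp + body


def aal5_segment(pdu, vpi, vci):
    """Segment an LLC/SNAP-encapsulated PDU into 53-byte UNI cells. The last
    cell carries the AUU bit of the PT field, which marks the end of the PDU
    for the receiver. The HEC byte is left zero in this simulation."""
    data = LLC_SNAP_IPV4 + pdu
    pad = (-(len(data) + 8)) % PAYLOAD                               # AAL5 trailer is 8 bytes
    data += bytes(pad) + struct.pack("!BBHI", 0, 0, len(data), 0)    # UU, CPI, length, CRC-32 (zeroed)
    cells = []
    for off in range(0, len(data), PAYLOAD):
        last = off + PAYLOAD >= len(data)
        word = (vpi << 20) | (vci << 4) | ((1 if last else 0) << 1)  # GFC=0, PT=AUU, CLP=0
        cells.append(word.to_bytes(4, "big") + b"\x00" + data[off:off + PAYLOAD])
    return cells


def parse_header(cell):
    """Return (vpi, vci, last-cell flag) from a UNI cell header."""
    word = int.from_bytes(cell[:4], "big")
    return (word >> 20) & 0xFF, (word >> 4) & 0xFFFF, bool((word >> 1) & 1)


def flow_key_from_first_cell(cell):
    """Layer-4 key read from the first cell alone, so no reassembly is needed.
    Returns None when the IPv4 header carries options: the TCP ports would then
    spill into the second cell, the case ATLAS simply rejects."""
    p = cell[5:]
    if p[:8] != LLC_SNAP_IPV4:
        return None
    ip = p[8:]
    if (ip[0] & 0x0F) != 5:
        return None
    sport, dport = struct.unpack("!HH", ip[20:24])
    return (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])), ip[9], sport, dport)


class FirstCellFilter:
    """Cell-by-cell filter with a layer-4 route cache and Last Cell Hostage."""

    def __init__(self, rules):
        self.rules = rules          # constructed policy entries: (dst_ip, proto, dport, action)
        self.cache = {}             # layer-4 route cache: flow key -> "forward" / "drop"
        self.pending = {}           # (vpi, vci) -> state of the PDU currently in flight
        self.software_checks = 0

    def software_screen(self, key):
        """Slow path: walk the rule list, once per new flow."""
        self.software_checks += 1
        _src, dst, proto, _sport, dport = key
        for r_dst, r_proto, r_port, action in self.rules:
            if r_dst == dst and r_proto == proto and r_port == dport:
                return action
        return "drop"               # default deny

    def handle_cell(self, cell):
        """Return the cells released toward the trusted side for this input cell."""
        vpi, vci, last = parse_header(cell)
        st = self.pending.get((vpi, vci))
        if st is None:                                   # first cell of a new PDU on this VC
            key = flow_key_from_first_cell(cell)
            st = {"key": key, "action": self.cache.get(key) if key else "drop"}
            self.pending[(vpi, vci)] = st
        out = []
        if not last:
            # Cache hit: express path. Cache miss (action None): under LCH the
            # non-last cells are forwarded while the software decides.
            if st["action"] in ("forward", None):
                out.append(cell)
            return out
        if st["action"] is None:                         # software result becomes available
            st["action"] = self.software_screen(st["key"])
            self.cache[st["key"]] = st["action"]         # later packets of this flow hit the cache
        if st["action"] == "forward":
            out.append(cell)
        # A withheld last cell leaves the receiver unable to reassemble the PDU.
        del self.pending[(vpi, vci)]
        return out


def demo():
    """Run two constructed flows through the filter and return counters."""
    fw = FirstCellFilter([("10.0.0.5", 6, 80, "forward")])   # only HTTP to 10.0.0.5 is allowed
    web = aal5_segment(build_ipv4_tcp("192.0.2.1", "10.0.0.5", 40001, 80, b"G" * 100), 0, 100)
    telnet = aal5_segment(build_ipv4_tcp("192.0.2.1", "10.0.0.5", 40002, 23, b"x" * 100), 0, 100)
    first = sum(len(fw.handle_cell(c)) for c in web)       # miss: screened, then every cell passes
    second = sum(len(fw.handle_cell(c)) for c in web)      # hit: express path, no software check
    denied = sum(len(fw.handle_cell(c)) for c in telnet)   # miss, denied: the last cell is withheld
    return {"cells": len(web), "first": first, "second": second,
            "denied": denied, "software_checks": fw.software_checks}


if __name__ == "__main__":
    print(demo())
```

The denied flow still leaks three of its four cells to the trusted side, which is the price LCH pays for zero added latency on the allowed path: the receiver's AAL5 reassembly discards the incomplete PDU, but the cells have crossed the boundary.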


Traffic-Monitoring Service

• Nearly as secure as the packet-filtering service for TCP traffic, and introduces no latency even when a cache miss occurs (after-the-fact nature).

• Monitors the headers of IP packets carried in class B connections.

• May be used with SSH or VPN cryptography, and maintains state information for half-open connections.
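What "maintaining state information for half-open connections" looks like for an after-the-fact monitor, as an added example that is not from the paper: the monitor receives copies of TCP/IP headers off the forwarding path, keeps a per-connection handshake state, counts connections a source has opened but never completed, and emits events for the management server. The header-tuple input, the per-source limit and the event names are my assumptions; the trace is constructed.

```python
from collections import defaultdict

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04


class TrafficMonitor:
    """After-the-fact TCP state tracker fed with header copies; it never holds a cell."""

    def __init__(self, half_open_limit=3):
        self.state = {}                     # (client, server, cport, sport) -> handshake state
        self.half_open = defaultdict(int)   # client IP -> connections opened but not completed
        self.limit = half_open_limit
        self.events = []                    # what would be reported to firewall management

    def observe(self, src, dst, sport, dport, flags):
        """Update state for one header copy (src, dst, ports, TCP flags)."""
        if flags & SYN and not flags & ACK:             # client opens a connection
            key = (src, dst, sport, dport)
            if key not in self.state:
                self.state[key] = "SYN_SENT"
                self.half_open[src] += 1
                if self.half_open[src] > self.limit:
                    self.events.append(("half-open-flood", src, self.half_open[src]))
            return
        fwd = (src, dst, sport, dport)                   # client -> server direction
        rev = (dst, src, dport, sport)                   # server -> client direction
        key = fwd if fwd in self.state else rev if rev in self.state else None
        if key is None:
            self.events.append(("unsolicited", src, dst, dport))   # no handshake was seen
            return
        client = key[0]
        if flags & SYN and flags & ACK and self.state[key] == "SYN_SENT" and key == rev:
            self.state[key] = "SYN_RECEIVED"             # server answered
        elif flags & ACK and self.state[key] == "SYN_RECEIVED" and key == fwd:
            self.state[key] = "ESTABLISHED"              # handshake complete
            self.half_open[client] -= 1
        elif flags & (FIN | RST):
            if self.state[key] != "ESTABLISHED":
                self.half_open[client] -= 1
            del self.state[key]                          # connection torn down


def demo():
    """Replay a constructed header trace and return what the monitor learned."""
    mon = TrafficMonitor(half_open_limit=2)
    # One completed handshake from 192.0.2.1, then four SYNs from 198.51.100.9
    # that are never completed (constructed addresses from RFC 5737 ranges).
    trace = [("192.0.2.1", "10.0.0.5", 40001, 80, SYN),
             ("10.0.0.5", "192.0.2.1", 80, 40001, SYN | ACK),
             ("192.0.2.1", "10.0.0.5", 40001, 80, ACK)]
    trace += [("198.51.100.9", "10.0.0.5", 50000 + i, 80, SYN) for i in range(4)]
    for pkt in trace:
        mon.observe(*pkt)
    return {"established": sum(1 for s in mon.state.values() if s == "ESTABLISHED"),
            "half_open_attacker": mon.half_open["198.51.100.9"],
            "half_open_client": mon.half_open["192.0.2.1"],
            "events": mon.events}


if __name__ == "__main__":
    print(demo())
```

Because the monitor only observes, a flood is reported rather than stopped; acting on the report (for example, a management command that tightens the call-screening or packet-filtering rules for that VC) is the job of the other services.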


Proxy Service

• Acts as an application-level gateway (a proxy server) for a number of Internet protocols.

• Unlike the packet-filtering service, which looks only at the header of the packet, the proxy service monitors the execution of the protocol and filters at the application level.

• Since it needs to understand the protocol and requires SAR, it is commonly performed at the rate of a traditional firewall.

• Another use is to "oversee" the execution of ISAKMP.


Firewall Management Service

Controls and manages the other security services in the ATM firewall and provides user-friendly administration tools to network managers. Logs two types of events:

1. The violation of security policy.

2. The profile information on each connection.


Physical components of the ATM firewall

[Figure: an ATM Firewall Switch sits between a Trusted ATM LAN and an Untrusted ATM LAN; a Firewall Management Server, a Proxy Server and a Traffic Monitoring Server are attached to the switch.]


ATM Switch

[Figure: internal structure of an ATM switch. Blocks: two input modules (IM), two output modules (OM), two SONET interfaces, SM, CAC and CSF; OAM cells and signaling cells are shown as separate flows.]

Internal structure of an ATM switch


ATM Firewall Switch - IM

[Figure: input module of the ATM firewall switch. Blocks: Enhanced VP/VC table, signaling-cells filter, management-cells filter, enhanced header translation, TCP/IP express check, IP option check, TCP/IP software check. Labelled flows: user cells, signaling cells, management cells; connections to the CAC and to the OM.]


ATM Firewall Switch (continued)

• OM: involved in implementing the LCH scheme.

• CAC: implements the call-screening service and cryptography.

• SM: adds firewall management.

• CSF: handles processing of the T-Monitor bit.


Other components

• Traffic-Monitoring Server: an ATM-attached workstation equipped with policy cache hardware to perform header checking at high speed.

• Proxy Server: a traditional proxy firewall equipped with ATM interfaces.


Links related to ATM security

• ATM Firewall Performance Evaluation, http://tebbit.eng.umd.edu/people/carrozzi/project.html

• ATM Security page, http://www.itr.unisa.edu.au/~dstowww/atm_security

• Carsten Benecke and Uwe Ellermann, "Securing 'Classical IP over ATM Networks'", Firewall-Laboratory for High-Speed Networks, Fachbereich Informatik, Universität Hamburg, http://www.fwl.dfn.de/eng/team/cb

• Firewall Laboratory for High-Speed Networks, http://www.cert.dfn.de/eng/fwl/


Questions?


ATLAS: ATM-Line-Access-And-Security

• An ATM firewall filtering cells at OC-3c speed.

• Supports Classical IP, LAN Emulation and FORE-IP over ATM, and MPOA over ATM. Cisco's 7513 is not able to filter on layer 3 (needed for MPOA), but ATLAS will.

• Can set more than 1000 filters without any performance degradation.

• If two ATLAS systems talk to each other across an ATM network, the data can be encrypted as well.


Limitations of Firewalls

• Cannot protect against attacks that do not pass through the firewall. Proprietary data can also be transmitted via modem or other media.

• Cannot protect very well against viruses.


ATM basics

• ATM cells: ATM is based on a 53-byte cell structure. Application data is placed into ATM Protocol Data Units (PDUs) of up to 9180 bytes that are segmented into fixed-size cells. Cells are multiplexed onto network links and reassembled into PDUs at the endpoint of the ATM network.

Each fixed-size cell has a 5-byte header followed by a 48-byte payload. The header identifies the payload type, VPI (virtual path identifier), VCI (virtual channel identifier), and header error check. Together the VPI and VCI make up the VC (virtual circuit) identifier. The VC label is used to perform a lookup in a switch table, and a label-swapping function is done in hardware to quickly switch the fixed-size cells.
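The header layout and the table lookup described above, as an added example (not code from the paper or the slides): a parser for the 5-byte UNI cell header that verifies the header error check (HEC, the CRC-8 with polynomial x^8 + x^2 + x + 1 XORed with 0x55 from ITU-T I.432), and a switch table that rewrites the VPI/VCI label and recomputes the HEC. The table also carries a QoF class per VC, which is my assumption about what the firewall's "enhanced" VP/VC table holds beyond a plain switch table; the port numbers and labels are constructed.

```python
HEC_POLY = 0x07      # x^8 + x^2 + x + 1 (ITU-T I.432)
HEC_COSET = 0x55     # pattern XORed onto the CRC remainder
CELL_LEN = 53


def crc8(data, poly=HEC_POLY):
    """Bitwise CRC-8 over the given bytes, no initial value, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def hec(header4):
    """HEC byte for the first four header bytes (idle cell 00 00 00 01 gives 0x52)."""
    return crc8(header4) ^ HEC_COSET


def encode_header(vpi, vci, pt=0, clp=0, gfc=0):
    """Build a 5-byte UNI header: GFC(4) VPI(8) VCI(16) PT(3) CLP(1) HEC(8)."""
    word = (gfc << 28) | (vpi << 20) | (vci << 4) | (pt << 1) | clp
    h4 = word.to_bytes(4, "big")
    return h4 + bytes([hec(h4)])


def decode_header(cell):
    """Parse a UNI cell header; hec_ok False means the header is corrupt or forged."""
    if len(cell) != CELL_LEN:
        raise ValueError("ATM cell must be 53 bytes")
    word = int.from_bytes(cell[:4], "big")
    return {"gfc": word >> 28, "vpi": (word >> 20) & 0xFF, "vci": (word >> 4) & 0xFFFF,
            "pt": (word >> 1) & 0x7, "clp": word & 1, "hec_ok": cell[4] == hec(cell[:4])}


class VcTable:
    """Switch table keyed by (input port, VPI, VCI). Each entry holds the output
    port, the outgoing label and a QoF class for the VC (the QoF field is my
    assumption about the firewall's enhanced VP/VC table)."""

    def __init__(self):
        self.entries = {}

    def add(self, in_port, vpi, vci, out_port, out_vpi, out_vci, qof):
        self.entries[(in_port, vpi, vci)] = (out_port, out_vpi, out_vci, qof)

    def switch(self, in_port, cell):
        """Return (out_port, qof, rewritten cell), or None if the cell is discarded."""
        h = decode_header(cell)
        if not h["hec_ok"]:
            return None                     # damaged header: drop, never guess a VC
        entry = self.entries.get((in_port, h["vpi"], h["vci"]))
        if entry is None:
            return None                     # no VC set up for this label: drop, not flood
        out_port, out_vpi, out_vci, qof = entry
        new_cell = encode_header(out_vpi, out_vci, h["pt"], h["clp"], h["gfc"]) + cell[5:]
        return out_port, qof, new_cell


if __name__ == "__main__":
    table = VcTable()
    table.add(1, 1, 100, 2, 5, 200, "B")                 # constructed entry
    cell = encode_header(1, 100, pt=1) + bytes(48)      # constructed cell, empty payload
    print(decode_header(cell), table.switch(1, cell)[:2])
```

A cell whose label is not in the table is dropped rather than forwarded, which is the property that makes per-VC policy (the QoF class) enforceable: traffic cannot reach the trusted side on a VC that call screening never admitted.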


ATM basics (continued)

The ATM cell payload structure depends on the type of service being used. The ATM Adaptation Layer (AAL) was designed to support different services and types of traffic. The AAL maps the ATM layer services to the upper layers of the protocol stack through the Convergence Sublayer (CS) and SAR functions. The ATM layer is mainly concerned with management of the cell headers during receiving and sending of ATM cells.

ATM is efficient in its use of bandwidth because it multiplexes multiple streams of traffic onto network links using a technique known as cell interleaving. Cells from many different flows can be interleaved on a physical link, avoiding the problem encountered in data networks where small real-time packets can get stuck in a transmission queue behind large packets.