A Pattern Language for Firewalls

Eduardo B. Fernandez, Maria M. Petrie,

Naeem Seliya, Nelly Delessy, and Angela Herzberg

Agenda

IntroductionThe Pattern LanguageThe Basic Firewall PatternThe Proxy-Based Firewall Pattern

IntroductionFirewall:

A choke point of entry (and exit) into a local networkAllows access to approved traffic to and from the local networkDenies access to unauthorized traffic to and from the local networkCan enforce security policies

Local Netw ork 2Local Netw ork 1

Firew all

The Pattern Language

Stateful FirewallAddress Filter Firewall(static packet filter)

Proxy-Based Firewall(application level)

Content-Based Firewall

Address Filtering

Address Filtering

Address Filtering

The Basic Firewall PatternIntent

To filter incoming and outgoing network traffic in a computer system, based on network addresses.

ContextComputer systems on a local network connected to the Internet and to external networks.

ProblemA local network is usually attacked from the outsideThe local network may be partitioned and attacks may come from other local networksThe private information should be maintained within the local network.

The Basic Firewall PatternForces

Need for filtering in a user-transparent formNeed to have a clear model of what is being filtered and howThe configuration of the firewalls must reflect the institution policiesThe configuration of the firewalls must be easy to changeLogging is necessary for auditing or defense purposes

*

Communicates

Through

The Basic Firewall PatternSolution

Firewall

RuleBase

1

Network Level

ImplementationLevel

*

*

requestService

*

LocalNetwork

address

Rule

in/out

ExplicitRule DefaultRule

* 1{ordered}

The Basic Firewall PatternDynamics

Filtering a Local Network’s Request Use Case. LN1 : Local

NetworkLN2 : Local

Network : Firewall : RuleBase

requestService

requestService

filterRequest

verify

checkRule

requestAccepted

requestAccepted

: Rule

The Basic Firewall PatternDynamics

Defining a Rule Use Case.

: Firewall : RuleBase : Administrator

addRule(rule, location)

addRule(rule)

ruleAdded

ruleAdded

<<actor>>

The Basic Firewall PatternConsequences

Advantages:A firewall filters all the traffic that passes through it based on network addresses and transparently to applicationsIt is possible to express the filtering policies of the institutions through its rules.A firewall facilitates the detection of possible attacks and to hold regular users responsible of their actions. A firewall lends to a systematic logging of incoming and outgoing messages.Low cost, it is included as part of many operating systems.Good performance. It only needs to look at packets headers.

The Basic Firewall PatternConsequences

Liabilities:A firewall’s effectiveness may be limited due to its rule set (order of precedence).A firewall’s effectiveness is limited to the point of entry into the local network, and once a potential attacker has passed through the firewall the security of the system may be breached. A firewall can only enforce security policies on traffic that goes through the firewall.A (basic) firewall cannot stop higher level attacks (email, FTP).

The Basic Firewall PatternConsequences

Liabilities:A firewall generally tends to adversely affect the usability, performance, and cost of the protected system.The security policies that a firewall enforces are different for different sites, networks, and systems. Addition of new rules may interfere with existing rules in the rule set; hence, a careful approach should be taken in adding and updating access rules.Not state awareA packet filter cannot recognize forged addresses from traffic coming from outside.

The Basic Firewall Pattern

Known UsesThis model is a basic firewall architecture that is seen in commercial firewall products. The basic firewall model is used as an underlying architecture for other types of firewalls that include more advanced features.

The Basic Firewall PatternRelated Patterns:

The authorization Pattern can be considered as a higher level pattern of the proposed Basic Firewall Pattern.The role-based access control pattern, a specialization of the authorization pattern, is applicable if the networks and their access rules are respectively defined in terms of roles and rights.The Firewall Pattern is also a special case of the Single-Point-of-Access

The Proxy-Based Firewall Pattern

IntentTo filter incoming and outgoing network traffic in a computer system based on application data inspection.To virtually separate the local network from the external network and its clients.

ContextComputer systems on a local network connected to the Internet and to external networks.A higher level of network traffic security is needed compared to the Basic Firewall context.

The Proxy-Based Firewall Pattern

ProblemThe Basic Filtering Firewall does not provide security at the application levelIt does not provide security against IP spoofing.

The Proxy-Based Firewall Pattern

ForcesForces of the Basic Firewall PatternThe user of the internal network may be required to configure the network

1

1

represents

Proxy* *

request Service

1

The Proxy-Based Firewall Pattern

Solution

RuleBase

1

Application Level

Network Level

*

Rule

in/out

ExplicitRule DefaultRule

* 1{ordered}

LocalNetwork

addressservice

Service

*port

ApplicationLevelFirewall

*

*

accessService

The Proxy-Based Firewall Pattern

LocalNetwork1 : LocalNetwork2 :: Application Level Firewall

: Proxy : Rule Base

requestService

requestService

filterRequest

verifyRequest

requestAccepted

requestService

provideService

provideService

provideService

<<actor>>

DynamicsProviding Service to Client’s Request Use Case.

ConsequencesAdvantages:

The firewall inspects, modifies (if needed), and filters all access requests based on predefined application proxies that are transparent to the client It is possible to express the institution’s filtering policies through its application proxies and their rules It is possible to modify certain portions of the information in cases where suspicious commands are included in/or the data segment of packets A firewall facilitates the detection of possible attacks and to hold regular users responsible of their actions.

The Proxy-Based Firewall Pattern

ConsequencesAdvantages:

It protects against possible implementation faults in the protocol stacks of the internal systems [Sch03]. The IP (Internet protocol) address of the internal network is always hidden to the external networks.A firewall lends to a systematic logging and tracking of all service requests going through it.High security performance since it inspects the complete packet including the headers and data segments.

The Proxy-Based Firewall Pattern

ConsequencesLiabilities:

High implementation cost due to the rebuilding of different protocols for each application.

Delay due to the application proxy overhead and the inspection of the data segment of packets.

Increased complexity of the firewall. Application Proxy Firewalls may require change in applications and/or the user’s interaction with the system.

A firewall generally tends to adversely affect the usability, performance, and cost of the protected system.

The Proxy-Based Firewall Pattern

ConsequencesLiabilities:

A firewall’s effectiveness is limited to the point of entry into the local network, and once a potential attacker has passed through the firewall the security of the system may be breached.A firewall can only enforce security policies on traffic that goes through the firewall .The security policies that a firewall enforces are different for different sites, networks, and systems. Addition of new rules for a given application proxy may interfere with existing rules in the rule set; hence, a careful approach should be taken in adding and updating access rules.Not state aware .

The Proxy-Based Firewall Pattern

Known UsesARGuE Guard. Some specific firewall products that use application proxies are Pipex Security Firewalls and InterGate Firewall.

The Proxy-Based Firewall Pattern

Related Pattern:The basic Address Filtering Firewall Pattern defines the packet filtering firewall model. The Authorization pattern defines the security model for the Basic Firewall Pattern. The Role-Based Access Control pattern, a specialization of the authorization pattern, is applicable if the networks and their access rules are respectively defined in terms of roles and rights. The Firewall pattern is also a special case of the Single-Point-of-Access.The Proxy Pattern

The Proxy-Based Firewall Pattern