[IEEE 2010 International Conference on Information and Emerging Technologies (ICIET) - Karachi,...


Page 1: [IEEE 2010 International Conference on Information and Emerging Technologies (ICIET) - Karachi, Pakistan (2010.06.14-2010.06.16)] 2010 International Conference on Information and Emerging

978-1-4244-8003-6/10/$26.00 ©2010 IEEE

Disarming Firewall

Zubair A. Shaikh Department of Computer Science

FAST NUCES Karachi, Pakistan

[email protected]

Furqan Ahmed Department of Computer Science

Isra University Hyderabad, Pakistan

[email protected]

Abstract—We have focused on a particular mechanism of providing network security: firewall technology. Firewalls provide a false sense of security because they have inherent flaws that are continuously exploited by hackers. Current firewalls lack in providing adequate security against insiders. Literature suggests that these limitations arise from the deficiencies in firewall design. This paper presents a model of a firewall called disarming firewall. The model is composed of different components, each serving different purpose. The firewall protects against malicious insiders by limiting the attacking capabilities of each internal host. Knowing that obtaining knowledge of end systems is a precursor of an attack, the firewall hides the identity of OS and server software placed in DMZ from internal as well as external users. Another problem solved by the firewall is the general laziness in applying patches to the software. The auditing system of firewall actively monitors all systems in the perimeter and applies patches as soon as they are released.

Keywords-Network Security, Firewall, Disarmed Host

I. INTRODUCTION

Security has gained a lot of attention over the last few years. A lot of mechanisms are used to secure computer networks including Firewalls, Intrusion Detection System (IDS), Intrusion Prevention System (IPS), Antivirus Software etc. Our study focuses on one particular mechanism of network security, i.e. firewall technology.

Firewalls are considered the first line of defense in network security. In spite of their usefulness, they have some inherent limitations that are continuously exploited by hackers. The basic flaws in the design of the firewall restrain it from providing adequate security. As a result, new mechanisms like IDS and IPS have been developed, but they have their own limitations [4].

Despite developments in firewall technology, security incidents continue to grow. A number of security incident statistics [9] show that firewalls provide a false sense of security.

Any piece of software, either operating system or server software, will contain security related vulnerabilities [8]. In 2008 alone, 6058 vulnerabilities were reported [9]. These vulnerabilities often get exploited, and a patch to the software is made available which network administrators apply. The network is secure until the next bug appears. This find-and-fix solution seems never ending.

Approximately 99% of all reported intrusions occur because of KNOWN and FIXED vulnerabilities [12]-[13]. In [10], it is shown that the general belief that the number of intrusions decays after a patch for a vulnerability is released is not correct. The reason is that the attackers react faster to new vulnerabilities than the defenders. As a result, known vulnerabilities are readily available for easy exploitation by the attackers. A perfect example of this is the Code Red worm, which exploits a vulnerability in Microsoft IIS Server. This worm infected approximately 250,000 hosts [14]. The incidents should have been prevented because Microsoft released a patch for the vulnerability almost a month before the spread of the worm [10].

Firewalls are developed by modifying devices not meant for providing network security [5]. The primary reason is that firewalls have traditionally been designed with the notion of filtering certain packets meant for a specific network, rather than being generic enough to handle all security. Hence we believe that the receipt of firewall design was not meant for security but rather for packet assessment in a specific network of an organization.

Literature suggests that the underlying flaw is in the firewall design. Causes of firewall failure include: faulty design premise, faulty design, platform dependence, emergence of new applications, and environmental problems [4]. Currently, firewall technology is an engineering solution rather than a scientifically based solution. It was never developed according to a reference model and only addresses acute problems at hand [1]. The dependence of software firewall on base operating system opens the door for exploiting the vulnerabilities of operating system [3]. Postings on news groups, such as bugtraq, frequently announce newly discovered vulnerabilities in firewall products. They may be indicative of underlying deficiencies in firewall design [17].

The rest of the paper is organized as follows. Section 2 introduces different works that are used in our model. Section 3 presents the Disarming Firewall model. Section 4 presents the evaluation of the model. Section 5 discusses concluding remarks of the paper.

II. RELATED WORK

Our work makes use of different works and combines them in a firewall model. It makes use of the advantages of different approaches while eliminating or mitigating the disadvantages. This motivates the presentation of disarming firewall.


A. Firewall Reference Model

In [1], Schuba and Spafford have proposed a reference model that can be used as a framework to design firewall systems. The model can be applied to a single layer of the communication model as well as to multiple layers. The components of the reference model include authentication function, integrity assurance, access control and audit. There is a centralized security policy. The components can be deployed in a distributed fashion to achieve scaling.

B. Disarming Offense

In [6], Bruschi and Rosti have given a new technique to limit the attacking capabilities of the host, thus increasing security by connecting disarmed hosts to a network. They call this technique ‘Extrusion Detection’. They argue that some attacks can be detected and prevented more easily at the source than at the destination. In [7], they developed a disarming tool called AngeL, which intercepts all network packets and drops those that it finds typical of a set of attacks. The tool is able to identify more than 70 attacks, both at the network level and at host level. This technique is a pro-active approach, as opposed to intrusion detection systems, which are a reactive approach.

C. SHIELD

In [11], an approach based on the fact that generally people are reluctant to patch their systems immediately is presented. Shield is a vulnerability-specific, exploit-generic network filter installed in the end systems once a vulnerability is discovered, but before a patch is applied. These filters examine the incoming or outgoing traffic of vulnerable applications, and correct traffic that exploits vulnerabilities.

D. Active Systems Management

In [10], William A. Arbaugh presents an approach to secure distributed systems management. Each managed host is in one of three states: hardened, vulnerable, or compromised. Whenever a host enters the vulnerable or compromised state, steps are taken to bring the host back to the hardened state. The auditing capability discussed does not depend on the base OS and keeps working even if the host is compromised. The approach is still under research and not implemented, hence the effectiveness of the system can’t be guaranteed.

III. DISARMING FIREWALL

This section presents our model of a firewall called disarming firewall. This model is based on the reference model presented in [1]. The model is designed keeping security in focus, and security is not compromised for performance reasons. The firewall model is based on three notions. The first is that most of the attacks come from insiders. Limiting the attacking capabilities of individual hosts will result in a secure internal network. This will also increase global security, since a disarmed internal host can’t cause harm to the rest of the internet.

The second is that attacks are launched against known vulnerabilities. These vulnerabilities are in a particular version of the software. In any attack the attacker first tries to learn the version of the software in order to exploit its published vulnerability. The knowledge of the software version (like OS) obtained through fingerprinting or social engineering is critical for the success of attacks. Hiding the identity of the OS or server software will restrain the attacker from initiating attacks.

Figure 1. Disarming Firewall Model

The third is that security administrators may fail to apply software patches due to reasons like disruption, unreliability, irreversibility, and unawareness [11]. An example of this is the Code Red worm, as mentioned in Section 1. An automatic mechanism to apply software patches as soon as they appear will not leave vulnerable hosts inside the perimeter. This is possible with the advent of networks that deliver software updates [15].

A. The Model

The model consists of several security components that support each other to provide active defense of the network. This section describes a high-level view of the model. The detailed working of each component is discussed in the next section.

Fig. 1 shows the model of disarming firewall. The purpose of authentication function (AF), integrity function (IF) and access control function (ACF) is well-known. The disarming component (DC) at each host limits its attacking capabilities. This component detects two things: host compromise attempts and an attempt to initiate attack by the host. When DC detects any of the two things, it alarms the AAS component which takes action according to the security policy. The dashed boxes of AF, IF, and DC at the outsider host mention that the presence of these components at the remote host is not under the control of the firewall. In other words, the firewall can’t enforce the use of these components.

The fingerprinting scrubber (FS) placed in front of DMZ, prevents network scans made by insiders or outsiders, through transparently modifying traffic before reaching the public servers. From insider’s point of view, it acts as an additional layer of protection along with DC, since most attacks come from insiders. For outsiders it discourages attackers who do not use or remove AF, IF, and DC security components. The main purpose of FS is to block attempts to gain knowledge of public servers.

The active audit system (AAS) adds the auditing capability to the firewall. AAS monitors each internal host and DMZ server actively and upon receiving alarm from DC it takes remedial action. It is also connected to a security update delivery network and checks whether updates are available. If a patch is available it fetches and applies it at the insider host or DMZ servers.

B. Disarming Firewall Components

This section describes each component of the firewall in Fig. 1 in detail. The expected functionality of each component is stated with some hints for the implementation. Fig. 2 depicts the detailed functionality of the firewall components.

1) Authentication Function (AF)

Authentication provides the assurance of the claimed identity. The goal of the AF is to ascertain the claimed identity of the source. There are two instances of AF in the model: one on the intranet interface of the firewall and the other at the internet interface. The internal (external) AF communicates with the insider (outsider) AF through some authentication mechanism and provides strong authentication. There are many authentication mechanisms that can be used [1], like Kerberos and certificate based authentication. Liebl provides a comprehensive bibliography on authentication in distributed systems in [18].

2) Integrity Function (IF)

The integrity function protects communication traffic from unnoticed and unauthorized modifications, such as insertion, replacement, or deletion [21]. Like AF, IF also has an instance at the internal and external interfaces. The internal (external) IF communicates with the insider (outsider) IF through some integrity mechanism to prevent modification of communicated data. Any integrity assurance mechanism mentioned in [1] can be used. Schneier and Stinson describe a number of such mechanisms in [19] and [20].

3) Disarming Component (DC)

The DC component is expected to protect each host from compromise and also to limit the host from initiating any attack at other hosts. The presence of DC on the external host can’t be guaranteed. On the other hand, its presence can be ascertained on the insider hosts, since each insider must have the component in place in order to be part of the internal network and to access network services. The technique can be implemented by modifying the client side component of Microsoft ISA server [22]. This strategy mitigates the continuous insider threat because the component cannot be removed by local users. The DC component at an inside host makes it a disarmed host, and such hosts combine to make a disarmed network. Such disarmed networks on the internet will increase global security.

In order to detect host compromises, the DC keeps some threshold values as mentioned in [7]. Examples are the amount of memory a process can acquire and the rate at which that memory increases, the rate of increase in the threads a process creates, and the maximum number of processes per user. The value of these thresholds is critical for the success of this technique. Attacks aimed at gaining higher privileges at the host are also detected.

Attacks initiated by the insider host can be divided into three types: attacks that exploit network or transport layer protocol vulnerability, attacks that exploit application layer protocol vulnerability, and attempt to circumvent the firewall by connecting to internet through a modem. The method presented in [6] and [7] can be adopted to handle first type of attack. Any method used must limit the number of connections that a host can make with a server. The second type of attacks can be handled using different approaches like checking for attack signatures, protocol scrubbing, [16] etc.

Another function that the DC can perform is not to allow the insiders to circumvent the firewall by connecting to the internet directly. This functionality will remove the vulnerability which can’t be blocked by any firewall to date.

When the DC detects that the host is being compromised, it blocks the incoming traffic and sends an alarm to the AAS component. When the DC notices that the host is trying to initiate an attack, it blocks outgoing traffic and sends an alarm to the AAS component. The AAS component then takes appropriate action. If such detection is a false positive, the effect is negligible since only one host is blocked from sending or receiving traffic. Other hosts on the network remain unaffected, as opposed to the approach in [16].
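The threshold checks and the two alarm directions described above can be sketched as follows. This is an added example, not code from the paper or from AngeL [7]; the limit values, the `ProcSample` and `Alarm` records and the function names are assumptions chosen for illustration, and the sample data is constructed.

```python
# Added example: DC-style threshold checks. Limits, field names and the Alarm
# record are assumptions; the paper and AngeL [7] do not specify them.
from collections import Counter
from dataclasses import dataclass

MAX_MEM_MB = 512             # memory one process may hold (assumed)
MAX_MEM_GROWTH_MB_S = 50.0   # memory growth rate per process (assumed)
MAX_THREAD_GROWTH_S = 20.0   # thread creation rate per process (assumed)
MAX_PROCS_PER_USER = 64      # processes per user (assumed)
MAX_CONNS_PER_SERVER = 10    # connections a host may hold to one server (assumed)


@dataclass(frozen=True)
class ProcSample:
    pid: int
    user: str
    mem_mb: float
    threads: int


@dataclass(frozen=True)
class Alarm:
    kind: str     # "compromise": host is being attacked; "attack": host is attacking
    block: str    # traffic direction the DC blocks before alerting the AAS
    reason: str


def check_compromise(prev, curr, dt_s):
    """Compare two process-table snapshots taken dt_s seconds apart."""
    if dt_s <= 0:
        raise ValueError("dt_s must be positive")
    before = {p.pid: p for p in prev}
    reasons = []
    for p in curr:
        if p.mem_mb > MAX_MEM_MB:
            reasons.append(f"pid {p.pid}: holds {p.mem_mb:.0f} MB")
        old = before.get(p.pid)
        if old is None:
            continue  # process is new in this snapshot: no rate to compute yet
        if (p.mem_mb - old.mem_mb) / dt_s > MAX_MEM_GROWTH_MB_S:
            reasons.append(f"pid {p.pid}: memory growing too fast")
        if (p.threads - old.threads) / dt_s > MAX_THREAD_GROWTH_S:
            reasons.append(f"pid {p.pid}: threads growing too fast")
    for user, count in Counter(p.user for p in curr).items():
        if count > MAX_PROCS_PER_USER:
            reasons.append(f"user {user}: {count} processes")
    # Host under attack: the DC blocks incoming traffic.
    return [Alarm("compromise", "incoming", r) for r in reasons]


def check_outgoing(open_conns):
    """open_conns: (dst_ip, dst_port) pairs for connections the host holds open."""
    alarms = []
    for (ip, port), count in Counter(open_conns).items():
        if count > MAX_CONNS_PER_SERVER:
            # Host initiating an attack: the DC blocks outgoing traffic.
            alarms.append(Alarm("attack", "outgoing",
                                f"{count} connections to {ip}:{port}"))
    return alarms


# Constructed sample data (documentation addresses, invented processes).
PREV = [ProcSample(100, "alice", 80, 4), ProcSample(200, "www", 120, 8)]
CURR = [ProcSample(100, "alice", 82, 4), ProcSample(200, "www", 420, 260)]
CONNS = [("192.0.2.10", 80)] * 25 + [("192.0.2.20", 443)] * 3

if __name__ == "__main__":
    for alarm in check_compromise(PREV, CURR, dt_s=2.0) + check_outgoing(CONNS):
        print(alarm)
```

Because a false positive only blocks the one host that raised it, the limits can be set conservatively and tuned per host class.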

4) Access Control Function (ACF)

The access control function decides which traffic can enter from the internet to the DMZ or internal network and from the intranet to the DMZ or internet. This decision is based on a security policy. There are different policies for traffic entering from the internet, called the external policy, and for traffic entering from the intranet, called the internal policy. There are two instances of the ACF in the model: one at the external interface, which implements the external policy, and the other at the internal interface, which implements the internal policy. There are a number of approaches to express and enforce the security policies. Going into the details of such approaches is out of the scope of this thesis.

ACF can be implemented as a stateful inspection firewall, a proxy firewall, or both. It depends on the level of security an organization wishes to establish. At the internal interface a forward proxy can be used, while at the external interface a reverse proxy can be used.

5) Fingerprinting Scrubber (FS)

The need for this component arises from the fact that any attack starts with gathering information about the target through port scanning, social engineering, and OS and application fingerprinting. Most vulnerabilities correspond to a specific version of a piece of software and are removed in the subsequent release. Hence, knowing the version of the OS is essential for the attacker to proceed further. The FS component tries to block fingerprinting scans made to learn the identity of the OS on which the server software is running.

In [2], Watson et al. provide an implementation of the fingerprinting scrubber. The FS successfully hides the identity of the OS. In our firewall model, FS is placed in front of the DMZ so that traffic coming from the internet or intranet can’t guess the OS of servers placed in the DMZ. The administrators have to make sure that no one can gain knowledge of the OS through social engineering.

6) Active Audit System (AAS)

This component is equivalent to the Audit Function in [1]. The difference is that rather than just recording system events, it keeps monitoring the internal hosts actively using the mechanism in [10]. The mechanism uses three states for each monitored system, namely: hardened, vulnerable, and compromised. The system tries to keep all hosts in the hardened state. Upon receiving signals from DC, the AAS takes appropriate action based on the security policy.

Another functionality of AAS is that it is connected to a Security Updates Delivery Network (SUDN) like [15]. As soon as there is a security patch available for any software in the intranet or DMZ, it fetches the patch and applies it. The assumption is that it knows the versions of the OS and server applications running in the DMZ or intranet. By doing this, AAS prevents the general laziness of network defenders to apply patches, hence not giving attackers the chance to exploit any vulnerability.

Figure 2. Detailed Functional Model of Disarming Firewall

There is a time interval between the discovery of a vulnerability and the application of a patch. During this interval the host is vulnerable. When a vulnerability is reported, AAS applies a vulnerability specific SHIELD [11] on end systems containing the software. This shield is removed when a patch is applied. The shield monitors traffic entering the host and drops traffic that exploits that vulnerability.

This component is like an independent auditor capable of detecting problems in real time. Each managed host is supposed to have an embedded processor (EP) and a wireless network interface card (WNIC) to access audit network (AN). The EP waits for the signal from DC or AAS to take appropriate action. EP can access the system input-output bus and on receiving signal from DC blocks incoming (if host is being attacked) or outgoing (if host is initiating an attack) traffic of the host and also informs the AAS through WNIC. AAS then takes appropriate action (like reinstalling the OS) based on the security policy. AAS contacts EP through AN for applying a SHIELD or a patch.
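The AAS behaviour described in this subsection (three host states, a SHIELD applied when a vulnerability is reported and removed once the patch is applied, and reaction to DC alarms per the security policy) can be modelled as below. This is an added example and not part of the paper; the class and method names, the policy table, the `hold_block` action and the `VULN-A` identifier are assumptions, and it is assumed that a reinstall restores the same software versions and that an attack alarm alone does not change the host's state.

```python
# Added example: AAS host tracking. Method names, the policy table and the
# vulnerability id are assumptions; only the three states, the shield-then-patch
# sequence and the two DC alarm kinds come from the text.
from enum import Enum


class State(Enum):
    HARDENED = "hardened"
    VULNERABLE = "vulnerable"
    COMPROMISED = "compromised"


class ManagedHost:
    def __init__(self, name, software):
        self.name = name
        self.software = dict(software)  # product -> installed version
        self.open_vulns = {}            # vulnerability id -> product, unpatched
        self.shields = set()            # vulnerability ids with a SHIELD in place
        self.blocked = set()            # traffic directions blocked by the EP
        self.state = State.HARDENED


class ActiveAuditSystem:
    def __init__(self, policy=None):
        self.hosts = {}
        # "reinstall" is the paper's example action; "hold_block" is assumed.
        self.policy = policy or {"compromise": "reinstall", "attack": "hold_block"}

    def register(self, host):
        self.hosts[host.name] = host

    def vulnerability_reported(self, vuln_id, product, affected_versions):
        """Shield every registered host that runs an affected version."""
        shielded = []
        for host in self.hosts.values():
            if host.software.get(product) in affected_versions:
                host.open_vulns[vuln_id] = product
                host.shields.add(vuln_id)
                if host.state is State.HARDENED:
                    host.state = State.VULNERABLE
                shielded.append(host.name)
        return shielded

    def patch_available(self, vuln_id, fixed_version):
        """Apply the patch, then remove the shield that covered the gap."""
        patched = []
        for host in self.hosts.values():
            product = host.open_vulns.pop(vuln_id, None)
            if product is None:
                continue  # host was never affected by this vulnerability
            host.software[product] = fixed_version
            host.shields.discard(vuln_id)
            # A compromised host stays compromised until it is remediated.
            if not host.open_vulns and host.state is State.VULNERABLE:
                host.state = State.HARDENED
            patched.append(host.name)
        return patched

    def dc_alarm(self, host_name, kind):
        """kind is "compromise" (host attacked) or "attack" (host attacking)."""
        if kind not in ("compromise", "attack"):
            raise ValueError(f"unknown alarm kind: {kind!r}")
        host = self.hosts[host_name]
        host.blocked.add("incoming" if kind == "compromise" else "outgoing")
        if kind == "compromise":
            host.state = State.COMPROMISED
        return self.policy[kind]

    def remediated(self, host_name):
        """Policy action finished: lift the blocks and recompute the state."""
        host = self.hosts[host_name]
        host.blocked.clear()
        host.state = State.VULNERABLE if host.open_vulns else State.HARDENED
        return host.state


def run_scenario():
    """Constructed walk-through with one DMZ server and one LAN host."""
    aas = ActiveAuditSystem()
    web = ManagedHost("web1", {"httpd": "2.0"})
    pc = ManagedHost("pc7", {"httpd": "2.1"})
    aas.register(web)
    aas.register(pc)
    trace = []
    aas.vulnerability_reported("VULN-A", "httpd", {"2.0"})
    trace.append((web.state, sorted(web.shields), pc.state))
    action = aas.dc_alarm("web1", "compromise")
    trace.append((web.state, sorted(web.blocked), action))
    trace.append((aas.remediated("web1"),))
    aas.patch_available("VULN-A", "2.2")
    trace.append((web.state, sorted(web.shields), web.software["httpd"]))
    return trace


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```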

IV. EVALUATION OF THE MODEL

A. Reuse of Existing Work

The model combines different works in a firewall model. These components coordinate with each other to provide active defense of the network perimeter. At the basis of the disarming firewall model is the firewall reference model [1]. The DC component is taken from [6] and [7]. The FS component is taken from [2] and SHIELD is taken from [11]. The AAS component is taken from [10]. Either the component is used as it is (like the FS and SHIELD components), or some more functionality is added (like the DC and AAS components).

B. Scalable Design

The firewall model scales well with the addition of new nodes in the LAN or DMZ. Whenever a new client is added to the network, the AF, IF and DC components are installed. The installation can be manual for small networks and automatic for large networks. A new internal host in the LAN or server in the DMZ also communicates with the AAS through some interface and registers itself for active monitoring. This communication with the AAS can be made compulsory for the insider in order to use network services.

C. Cost Feasibility

The cost of the firewall model is the sum of the costs of all the components. The cost of deploying the model is surely higher than that of traditional firewalls. The AAS component is likely to be the most expensive, since each internal host and server requires an out-of-band interface to communicate with the AAS.

D. Performance Analysis

A single packet traveling from the LAN to the internet is first examined by the DC component, then by the IF and AF components at the host. After reaching the internal firewall it is examined by AF, IF, and ACF. The performance mainly depends on the processing of the DC component. In [7] it is shown that for outgoing traffic a 7% to 15% throughput reduction is observed, but it does not affect the performance. For the incoming traffic there is a 12.6% reduction, which is still not serious. The main concern is the attack signatures used to analyze outgoing packets. As they increase, the time to analyze each outgoing packet increases.

If the request is for any DMZ server, then the packet is also processed by the FS component. In [2] the performance of FS is evaluated and the results show that it matches the performance of a plain IP forwarding gateway. Hence the presence of the FS component does not become a performance bottleneck. In fact, the performance will be affected, but it can be neglected for security reasons.

E. Technical Issues

Some technical issues are yet to be answered. The first is that the AAS uses out-of-band auditing, which does not depend on the underlying operating system. How does the AAS communicate with the internal hosts and DMZ servers in an OS-independent manner? We suggest the use of a stand-alone embedded processor as mentioned in [10].

Another is how the DC component communicates with the out-of-band interface. Some protocol needs to be designed which describes issues like whether the host is being attacked or is trying to initiate an attack.

The presence of SUDN is critical for AAS component to provide active defense. In the absence of SUDN it takes action according to the security policy on receiving alarm from DC component.

Another issue is how the DC component prevents the installation of a modem. The physical installation of a modem can’t be blocked, while installation of the modem driver should be blocked. The actual mechanism needs to be explored further.

F. Strengths

The disarming firewall model combines the strengths of different approaches to provide security. The main strengths of the disarming firewall are: limiting the attacking capabilities of internal hosts, hiding the identity of the OS and server software in the DMZ to prevent attacks, and actively monitoring and patching the software in the DMZ and intranet.

The firewall model overcomes a problem in traditional firewalls regarding VPN traffic. Mobile users need access to enterprise data while out of office, so they use a VPN in order to gain access in a secure manner. VPNs cannot protect the mobile user’s laptop or home computer, and these computers become a potential vector for malice into the enterprise because they are essentially dual homed to the enterprise’s intranet and the Internet. They present the path of least resistance into the enterprise’s intranet for an attacker [10]. Traditional firewalls can do less to traffic that is end-to-end encrypted. As the disarming firewall has AF, IF and DC at each end host, end-to-end encryption can be done securely. Any malicious activity at the end host can be detected by DC and preventive measures can be taken. Note that this detection can be ensured only at insiders.

G. Weaknesses

Limitations of the different approaches result in the limitations of our firewall model. The main limitation is that the AF, IF and DC components at the outsider are not under the control of the firewall. They can be removed or bypassed by remote users. As a result, the remote user is not disarmed from the firewall’s perspective and can launch attacks against the network the firewall is defending.

At present, the DC component does not detect all types of attacks initiated by the hosts. It uses signature based approach at the application layer. Distribution of attack signatures at each host is difficult. Also, as the number of signatures increases the time spent on each packet increases.

There is no implemented solution of active out-of-band auditing of systems. The idea presented in [10] is still under research. The firewall relies on the SUDN for applying patches to the software in internal hosts and DMZ servers. The availability of such a network is necessary for the working of auditing capability of the firewall. SUDN is responsible for the reliable and safe delivery of software patches. If the SUDN is compromised then the security of network protected by disarming firewall is also under threat.

The disarming firewall is only able to prevent known attacks that exploit vulnerability in a software installed on a host in the DMZ or internal LAN. Attacks that exploit protocol vulnerabilities are not blocked by the firewall.

V. CONCLUSION

The model combines different components presented in the literature in a single model. The model extends traditional firewalls by adding these components in places where traditional firewalls are helpless in providing security. The actual implementation of the model is out of the scope of this work. The overall security provided by the firewall depends on the effectiveness of individual components. Improvement in the working of these components results in the improvement of the firewall. Each component is open for future research.

Our grand objective is to design and develop a scalable framework for a firewall that can handle all known vulnerabilities as well as those that will continue to appear. At the same time, that framework should be optimized enough to handle high packet loads.

REFERENCES

[1] C.L. Schuba and E.H. Spafford. “A Reference Model for Firewall Technology.” In Proceedings of the 13th Annual Computer Security Applications Conference (ACSAC), IEEE Computer Society, pp. 133-145, December 1997.

[2] David Watson, Matthew Smart, G. Robert Malan, and Farnam Jahanian. “Protocol Scrubbing: Network Security Through Transparent Flow Modification.” IEEE/ACM Transactions on Networking, Vol. 12, No. 2, pp. 261-273, April 2004.

[3] M. Strebe and C. Perkins. Firewalls 2nd Edition. Sybex, 2003.

[4] C. Sample, M. Nickle, and I. Poynter. Firewall and IDS Shortcomings. SANS Network Security, October 2000. Available: http://downloads.securityfocus.com/library/072400firewall.pdf.

[5] Lucent Technologies. Overcoming Common Firewall Limitations. October, 2003. http://storage.itpapers.com/whitepapers/Brick_wpLtr_102803.pdf.

[6] D. Bruschi, E. Rosti. “Disarming offense to facilitate defense.” In Proceedings of the New Security Paradigm Workshop 2000, pp 69-75, September 2000.

[7] D. Bruschi, E. Rosti. “AngeL: A Tool to Disarm Computer Systems.” Proceedings of the New Security Paradigms Workshop, pp.63-69, September 2001.

[8] C. Cowan, C. Pu, and H. Hinton. “Death, Taxes, and Imperfect Software: Surviving the Inevitable.” In ACM Proceedings of the New Security Paradigms Workshop, pp. 54-70, September 1998.

[9] CERT Statistics, http://www.cert.org/stats/, 2009.

[10] W. A. Arbaugh. “Active Systems Management: The Evolution of Firewalls.” In Invited paper to the Third International Workshop on Information Security Applications, pp. 19–30, August 2002. Available: http://www.cs.umd.edu/~waa/pubs/asm-firewall.pdf

[11] Helen J. Wang, Chuanxiong Guo, Daniel R. Simon, and Alf Zugenmaier. “SHIELD: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits.” In ACM SIGCOMM Computer Communications Review, Vol. 34, No. 4, October 2004.

[12] W. A. Arbaugh, W. L. Fithen, and J. McHugh. “Windows of Vulnerability: A Case Study Analysis.” IEEE Computer, vol. 33, pp. 52–59, December 2000.

[13] H. Browne, W. A. Arbaugh, J. McHugh, and W. L. Fithen. “A Trend Analysis of Exploitations.” In Proceedings of the 2001 IEEE Symposium on Security and Privacy, pp. 214 – 229, May 2001.

[14] CERT. “Code Red Worm Exploiting Buffer Overflow In IIS Indexing Service DLL.” July 2001. Available: http://www.cert.org/advisories/CA-2001-19.html

[15] J. Li, P. L. Reiher, and G. J. Popek. “Resilient Self-Organizing Overlay Networks for Security Update Delivery.” IEEE Journal on Selected Areas in Communications (JSAC), Vol. 22, No. 1, pp. 189-202, January 2004.

[16] Jelena Mirkovic, Gregory Prier, Peter Reiher. “Source-End DDoS Defense.” In Proceedings of the Second IEEE International Symposium on Network Computing and Applications, pp. 171, 2003.

[17] M. Frantzen, F. Kerschbaum, E. Schultz, and S. Fahmy. “A Framework for Understanding Vulnerabilities in Firewalls Using a Dataflow Model of Firewall Internals.” Computers and Security, vol. 20, no. 3, pp. 263–270, May 2001.

[18] A. Liebl. “Authentication in Distributed Systems. A Bibliography.” ACM Operating System Review, pages 31-41, Oct. 1993.

[19] B. Schneier. Applied Cryptography. John Wiley & Sons, Inc., second edition, 1995.

[20] D. R. Stinson. Cryptography – Theory & Practice. CRC Press Inc., 1995.

[21] D. E. Denning. Cryptography and Data Security. Addison-Wesley, 1982.

[22] T. Shinder, D. L. Shinder, M. Grasdal. Configuring ISA Server 2000. Syngress, 2001.