Implementing a Distributed Firewall
Transcript of Implementing a Distributed Firewall
![Page 1: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/1.jpg)
1
Implementing a Distributed Firewall
Sotiris IoannidisAngelos D. Keromytis
Steve M. BellovinJonathan M. Smith
Presented ByJim Michaud
![Page 2: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/2.jpg)
2
Outline
• Intro to Security and Firewalls• Problems with Current Firewalls• Distributed Firewall Concept• Distributed Firewall Implementation• Conclusions
![Page 3: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/3.jpg)
*Dieter Gollman, Computer Security, p 9 3
Intro to Security
• Computer/Network Security - The prevention and detection of unauthorized actions by users of computer systems*
• But what does “unauthorized” mean?• It depends on the system’s “security
policy”
![Page 4: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/4.jpg)
4
Security Policy
• A “security policy” defines the security rules of a system.
• Without a defined security policy, there is no way to know what access is allowed or disallowed
• An example policy: (simple)– Allow all connections to the web server– Deny all other access
![Page 5: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/5.jpg)
5
Firewalls
• In most systems today, the firewall is the machine that implements the “security policy” for a system
• A firewall is typically placed at the edge of a system and acts as a filter for unauthorized traffic
• Filters tend to be simple: source and destination addresses, source and destination ports, or protocol (tcp, udp, icmp)
![Page 6: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/6.jpg)
6
Firewall Example
Internet
Company 2
Company 4
Company 1
Company 3
Firewall
FirewallFirewall
Firewall
![Page 7: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/7.jpg)
7
Firewall Drawbacks
• Firewalls can become a bottleneck• Certain protocols (FTP, Real-Audio) are
difficult for firewalls to process• Assumes inside users are “trusted”• Multiple entry points make firewalls hard
to manage
![Page 8: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/8.jpg)
8
Distributed Firewall Concept
• Security policy is defined centrally• Enforcement of policy is done by
network endpoint(s)
![Page 9: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/9.jpg)
9
Standard Firewall Example
Corporate NetworkCorporateFirewallInternet
InternalExternal
ExternalHost
InternalHost
1
InternalHost
2(untrusted)
Webserver
IntranetWebserver(companyprivate)
![Page 10: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/10.jpg)
10
Standard Firewall Example Connection to web server
Corporate NetworkCorporateFirewallInternet
InternalExternal
ExternalHost
InternalHost
1
InternalHost
2(untrusted)
Webserver
IntranetWebserver(companyprivate)
![Page 11: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/11.jpg)
11
Standard Firewall Example Connection to intranet
Corporate NetworkCorporateFirewallInternet
InternalExternal
ExternalHost
InternalHost
1
InternalHost
2(untrusted)
Webserver
IntranetWebserver(companyprivate)
blocked byfirewall connection
allowed,but should
not be
![Page 12: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/12.jpg)
12
Distributed Firewall Example
Corporate NetworkInternet
InternalExternal
ExternalHost
InternalHost
1
InternalHost
2(untrusted)
Webserver
IntranetWebserver(companyprivate)
InternalHost
(telecommuting)
![Page 13: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/13.jpg)
13
Distributed Firewall Example to web server
Corporate NetworkInternet
InternalExternal
ExternalHost
InternalHost
1
InternalHost
2(untrusted)
Webserver
IntranetWebserver(companyprivate)
InternalHost
(telecommuting)
![Page 14: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/14.jpg)
14
Distributed Firewall Example to intranet
Corporate NetworkInternet
InternalExternal
ExternalHost
InternalHost
1
InternalHost
2(untrusted)
Webserver
IntranetWebserver(companyprivate)
InternalHost
(telecommuting)
![Page 15: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/15.jpg)
15
Distributed Firewall Implementation
• Language to express policies and resolving requests (KeyNote system)
• Mechanisms to distribute security policies (web server)
• Mechanism that applies security policy to incoming packet (Policy daemon and kernel updates)
![Page 16: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/16.jpg)
16
KeyNote
• A language to describe security policies (RFC 2704)• Fields in an “assertion”:
– KeyNote Version – Must be first field, if present
– Authorizer – Mandatory field, identifies the issuer of the assertion
– Comment– Conditions – The conditions under which the Authorizer trusts the Licensee
– Licensees – Identifies the authorized, should be public key, but can be IP address
– Local-Constants – Similar to environment variable
– Signature – Must be last, if present
• All field names are case-insensitive• Blank lines not permitted within an assertion
![Page 17: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/17.jpg)
17
KeyNote Policies and Credentials
• Policies and Credentials have same basic syntax
• Policies are “local”• Credentials are “delegated” and MUST
be signed
![Page 18: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/18.jpg)
18
KeyNote Example 1
![Page 19: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/19.jpg)
19
KeyNote Example 2
KeyNote-Version: 2Authorizer: “rsa-hex:1023abcd”Licensee: “IP:158.130.6.141”Conditions: (@remote_port < 1024 &&
@local_port == 22 ) -> “true”;Signature: “rsa-sha1-hex:bee11984”
Note that this credential delegates to an IP address,
![Page 20: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/20.jpg)
20
Distributed Firewall Implementation
• Not a complete solution, only a prototype
• Done on OpenBSD• Filters done in kernel space• Focused on TCP connections only
– connect and accept calls– When a connect is issued, a “policy
context” is created
![Page 21: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/21.jpg)
21
User Space
• This design was not chosen because of the difficulty in “forcing” an application to use the modified library
• For example, “telnetd”, “ftpd”
![Page 22: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/22.jpg)
22
Policy Context• Policy context contains all the information that the
Policy Daemon will need to decide whether to allow or disallow a packet
• No limit to the kind of data that can be associated with the context
• For a connect, context will include ID of user that initiated the connection, the destination address and destination port.
• For an accept, context will include similar data to connect, except that the source address and source port are also included
![Page 23: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/23.jpg)
23
Implementation Design
![Page 24: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/24.jpg)
24
Policy Daemon
• User level process that makes all the decisions based on policies
• Initial policies are read from a file• Current implementation allows changes to policies
but changes only affect “new” connections• A host that does not run this daemon is not part of
the “distributed firewall”
![Page 25: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/25.jpg)
25
Policy Device
• /dev/policy – pseudo device driver• Communication path between the Policy
Daemon and the “modified” kernel• Supports standard operations: open, close, read, write, ioctl
• Independent of type of application
![Page 26: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/26.jpg)
26
Example of Connection to a Distributed Firewall
• local host security policy:KeyNote-Version: 2Authorizer: “POLICY”Licensees: ADMINISTRATIVE_KEY
• Assumes an IPSEC SA between hosts
![Page 27: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/27.jpg)
27
Example of Connection to a Distributed Firewall
• Credential provided to local host during IKE exchange
KeyNote-Version: 2Authorizer: ADMINISTRATIVE_KEYLicensees: USER_KEYConditions:
(app_domain == "IPsec policy" &&encryption_algorithm == "3DES" &&local_address == "158.130.006.141")-> "true";(app_domain == "Distributed Firewall" &&@local_port == 23 &&encrypted == "yes" &&authenticated == "yes") -> "true";
Signature: ...
![Page 28: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/28.jpg)
28
Example of Connection to a Distributed Firewall
Remote Host
local host158.130.6.141
(running PolicyDaemon)
IPSEC SA
TCP connect (23)context created
local port=23encrypted="yes"
authenticated="yes"
Policy Daemonchecks context
vs.credential
continue TCPsession
Returns TRUE
![Page 29: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/29.jpg)
29
Conclusions
• Distributed firewalls allows the network security policy to remain the control of the system administrators
• Insiders may no longer be unconditionally treated as “trusted”
• Does not completely eliminate the need for traditional firewalls
• More research is needed in this area to determine robustness, efficiency, and scalability
![Page 30: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/30.jpg)
30
Future Work
• High quality administration tools NEED to exist for distributed firewalls to be accepted
• Allow per-packet scanning as opposed to per-connection scanning
• Policy updating and revocation• Credential discovery
![Page 31: Implementing a Distributed Firewall](https://reader034.fdocuments.us/reader034/viewer/2022051522/58a01a891a28abb8498c3bf5/html5/thumbnails/31.jpg)
31
Questions