Towards Universitas Indonesia
Next Generation Firewall Service
Tonny Adhi Sabastian, M. Kom
APRU 5th Education and Research Technology Forum
The Hongkong University of Science and Technology
28th - 30th January 2015
Introduction
Research & Development Team
● Gladhi Guarddin , M. Kom ([email protected])
Researcher - Lecturer, Pervasive Computing Lab,
Faculty of Computer Science
Division Head of Information System Development,
Office of Information System Development and
Services
● Tonny Adhi Sabastian, M. Kom ([email protected])
Research Assistant - Lecturer, Pervasive Computing
Lab, Faculty of Computer Science
ICT Network Coordinator,
5th APRU Education and Research Technology Forum
Introduction
Research & Development Team
● Alfan Presekal ([email protected])
Student, Faculty of Engineering
● Harrish M. Nazief ([email protected])
Student, Faculty of Computer Science
● Raden Rheza ([email protected])
Staff, Network Infrastructure Service, Office of Information
System Development and Services
Presentation Overview
❏ Introduction to Our Research Lab
❏ Next Generation Firewall (NGFW) Concept
❏ Experiments on NGFW at Universitas
Indonesia
❏ NGFW Prototype at Universitas Indonesia
Pervasive Computing Research Lab: What do we do?
Smart Space Research
Outcome 2013 - 2014
● Zigbee REST Gateway API
● Zigbee Lighting using ZLL
Next Generation Firewall Concept
“Next Generation Firewalls are Deep Packet Inspection Firewalls that move beyond port / protocol inspection and blocking to add application level inspection, intrusion prevention, and bringing intelligence from outside the firewall”
Ali Kapucu, Kent State University
“Making a Firewall to become Content Aware and Context Aware”
Next Generation Firewall Concept
Current Internet Condition
Next Generation Firewall Concept
Deep Packet Inspection
Next Generation Firewall Concept
Deep Packet Inspection
Next Generation Firewall Concept
Challenges on NGFW:
● Performance on DPI Techniques
○ Regular Expression and String Matching (Aho-Corasick Algorithm)
○ Machine Learning
● User Privacy
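The string-matching challenge above is what the Aho-Corasick algorithm addresses: a DPI engine has to test every packet payload against hundreds of protocol signatures, and scanning the payload once per signature does not scale. The following Python implementation is an added example, not code from the slides, from nDPI or from l7-filter; the signature byte strings and the sample payloads are constructed for illustration and do not reproduce any real engine's patterns. The matcher walks the payload exactly once and reports every signature it contains, including a BitTorrent handshake hidden behind an HTTP request line, which is the case a port-only filter cannot see.

```python
from collections import deque

# Constructed protocol signatures for illustration only; they are not nDPI's or
# l7-filter's real patterns, just byte strings that mark each protocol's start.
SIGNATURES = {
    b"\x13BitTorrent protocol": "bittorrent",
    b"GET ": "http",
    b"POST ": "http",
    b"HTTP/1.": "http",
    b"SSH-2.0-": "ssh",
}


class AhoCorasick:
    """Multi-pattern matcher: every pattern is found in one pass over the payload,
    so the cost grows with payload length rather than with the number of patterns."""

    def __init__(self, patterns):
        self.goto = [{}]        # state -> {byte value: next state} (the trie)
        self.fail = [0]         # state -> state of its longest proper suffix
        self.output = [set()]   # state -> patterns that end in this state
        for pat in patterns:
            self._add(pat)
        self._build_failure_links()

    def _add(self, pat):
        state = 0
        for b in pat:
            nxt = self.goto[state].get(b)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.output.append(set())
                self.goto[state][b] = nxt
            state = nxt
        self.output[state].add(pat)

    def _build_failure_links(self):
        # Breadth-first over the trie, so a state's fail link is set before the
        # states below it need it.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # A suffix of this state may itself be a whole pattern.
                self.output[s] |= self.output[self.fail[s]]

    def search(self, data):
        """Return (offset, pattern) for every occurrence of any pattern in data."""
        state, hits = 0, []
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for pat in self.output[state]:
                hits.append((i - len(pat) + 1, pat))
        return hits


MATCHER = AhoCorasick(SIGNATURES)


def classify(payload):
    """Sorted list of protocol names whose signature appears anywhere in the payload."""
    return sorted({SIGNATURES[pat] for _, pat in MATCHER.search(payload)})


if __name__ == "__main__":
    # Constructed payloads: plain HTTP, and a BitTorrent handshake tunneled after an HTTP request.
    for sample in (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n",
                   b"POST /upload HTTP/1.1\r\n\r\n\x13BitTorrent protocol"):
        print(sample[:20], "->", classify(sample))
```

The automaton is built once per rule set and then reused for every packet; that is why the pattern table can grow without slowing the per-packet scan, and it is also why a real engine (nDPI, l7-filter) keeps its signatures compiled in memory rather than re-parsing them per flow.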
Next Generation Firewall Experiments on UI
● Started in 2012
● Using a Free/Open Source Software Stack
○ Debian GNU/Linux 7
○ IPTables & IPSet
○ JASIG CAS (Central Authentication Service) for Single Sign On Authentication [http://jasig.github.io/cas/4.0.0/index.html]
○ One Production Environment and One Prototyping Environment
Next Generation Firewall Experiments on UI
Production Environment
● Using Linux Kernel 2.6.32.x; unsupported on kernel 3.x
● IPSet holds the list of IP addresses authenticated through UI SSO
● IPtables L7-Netfilter [http://l7-filter.clearfoundation.com/]
○ L7-Netfilter has not been developed since 2013
○ Static regex pattern per protocol
○ In-kernel regex library
Next Generation Firewall Experiments on UI
Prototyping Environment
● Using Linux Kernel 3.2.x
● In active development
● IPSet holds the list of IP addresses authenticated through UI SSO
● IPtables nDPI-Netfilter [http://www.ntop.org/products/ndpi/] [https://github.com/ewildgoose/ndpi-netfilter/]
○ Per-protocol pattern search using the Aho-Corasick algorithm
○ Buggy netfilter conntrack
● Published at the International Conference on Advance Computer Science & Information System, 2014
Next Generation Firewall Experiments on UI
Buggy Netfilter Patch
Next Generation Firewall Experiments on UI
Typical Deployment Architecture
Next Generation Firewall Experiments on UI
Rules Example (INSPEKSI, STD_PROTO and REJECTED_PROTO are user-defined chains; once the nDPI match identifies the application protocol, the rule jumps to the chain that implements that protocol's policy)
# iptables -A INSPEKSI -m ndpi --twitter -j ACCEPT
# iptables -A INSPEKSI -m ndpi --yahoo -j STD_PROTO
# iptables -A INSPEKSI -m ndpi --steam -j REJECTED_PROTO
# iptables -A INSPEKSI -m ndpi --dropbox -j STD_PROTO
# iptables -A INSPEKSI -m ndpi --h323 -j STD_PROTO
Next Generation Firewall Experiments on UI
Authorization Portal
Next Generation Firewall Experiments on UI
SSO Portal
Deployment Result
Legacy implementation: we cannot tell whether somebody tunneled BitTorrent packets
DPI implementation: able to capture and filter a target protocol
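The deployment result above, and the rules example and SSO/IPSet gating described earlier, can be shown side by side with a small model of the packet path. This is an added example in Python, not code from the slides or from the prototype; the authenticated-IP table, the port table, the payload signatures and the extra `bittorrent` rule appended to the INSPEKSI chain are all constructed for the comparison (the slide lists only the five rules shown). The model applies the same order the prototype does: an IPSet lookup of the source address first, then the INSPEKSI chain with first-match semantics on the protocol label, where the legacy path labels traffic by destination port and the DPI path labels it by payload.

```python
# Constructed ipset-style table of client IPs that have passed the SSO portal.
AUTHENTICATED = {"10.10.1.25", "10.10.2.7"}

# The INSPEKSI chain from the slide, plus a constructed bittorrent rule so the
# comparison below has something to reject. First matching rule wins, as in iptables.
INSPEKSI = [
    ("twitter", "ACCEPT"),
    ("yahoo", "STD_PROTO"),
    ("steam", "REJECTED_PROTO"),
    ("dropbox", "STD_PROTO"),
    ("h323", "STD_PROTO"),
    ("bittorrent", "REJECTED_PROTO"),   # constructed for this example, not on the slide
]

# Constructed payload signatures (not nDPI's real patterns). The most specific
# signature is listed first so that a tunneled handshake beats the HTTP wrapper.
DPI_SIGNATURES = {
    b"\x13BitTorrent protocol": "bittorrent",
    b"GET ": "http",
    b"POST ": "http",
}

# Legacy port/protocol rule: the destination port alone decides the label.
PORT_TABLE = {80: "http", 443: "https", 6881: "bittorrent"}


def render_rules(chain="INSPEKSI", rules=INSPEKSI):
    """Emit the chain as iptables commands in the form shown on the slide."""
    return [f"iptables -A {chain} -m ndpi --{proto} -j {target}" for proto, target in rules]


def legacy_classify(dport, payload):
    """Port-based classification: the payload is never looked at."""
    return PORT_TABLE.get(dport, "unknown")


def dpi_classify(dport, payload):
    """Payload-based classification: the port is ignored, the first signature hit wins."""
    for sig, name in DPI_SIGNATURES.items():
        if sig in payload:
            return name
    return "unknown"


def verdict(src, dport, payload, classify):
    """Walk the pipeline: IPSet gate first, then the INSPEKSI chain on the protocol label."""
    if src not in AUTHENTICATED:
        return "REDIRECT_TO_SSO"     # not in the set: sent to the authorization portal
    proto = classify(dport, payload)
    for rule_proto, target in INSPEKSI:
        if rule_proto == proto:
            return target
    return "RETURN"                  # no rule matched: chain falls through to its caller


def compare(src, dport, payload):
    """Verdict of the legacy (port) path and the DPI (payload) path for one packet."""
    return {"legacy": verdict(src, dport, payload, legacy_classify),
            "dpi": verdict(src, dport, payload, dpi_classify)}


if __name__ == "__main__":
    # Constructed: a BitTorrent handshake tunneled inside an HTTP POST on port 80.
    tunneled = b"POST /x HTTP/1.1\r\n\r\n\x13BitTorrent protocol"
    for line in render_rules():
        print(line)
    print(compare("10.10.1.25", 80, tunneled))   # legacy lets it through, DPI rejects it
    print(compare("192.0.2.9", 80, tunneled))    # unauthenticated host never reaches the chain
```

The two verdicts for the tunneled packet are the whole point of the slide: the port-based path labels it `http`, finds no matching rule and falls through, while the payload-based path labels it `bittorrent` and hits REJECTED_PROTO. The IPSet check running before either classifier also shows why the SSO portal matters operationally: unauthenticated hosts never consume DPI cycles at all.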
Next Plan
● Traffic Classifier (using machine learning)
● DPI Technique (also using machine learning)
● Automatic provisioning on Firewall and
Bandwidth Management
References
Acharya, H. B., Joshi, A., & Gouda, M. G. (2010). Firewall Modules and Modular Firewalls. 2010 18th IEEE
International Conference on Network Protocols (pp. 174-182). Kyoto: IEEE.
Alcock, S., & Nelson, R. (2013). Measuring the Accuracy of Open-Source Payload-Based Traffic Classifiers Using
Popular Internet Applications. IEEE Workshop on Network Measurements (pp. 956-963). Sydney: IEEE.
Allot Communications. (2007). Digging Deeper into DPI. Allot Communications.
Al-Shaer, E. S., & Hamed, H. H. (2002). Design and Implementation of Firewall Advisor Tools. Chicago: DePaul
University.
Ou, G. (2009, October 27). Understanding Deep Packet Inspection (DPI) Technology. Retrieved from Digital Society:
http://www.digitalsociety.org/2009/10/understanding-deep-packet-inspection-technology/
Papatheodoulou, N., & Sklavos, N. (2009). Architecture & System Design Authentication, Authorization, &
Accounting Services. IEEE, 1831-1837.
Parsons, C. (2008). Deep Packet Inspection in Perspective: Tracing its lineage and surveillance potentials. The New
Transparency Surveillance and Social Sorting, 1-16.
References
Harish Muhammad Nazief, Tonny Adhi Sabastian, Alfan Presekal, Gladhi Guarddin (2014). Development of
University of Indonesia Next Generation Firewall Prototype and Access Control With Deep Packet
Inspection. 2014 IEEE International Conference on Advance Computer Science and Information System.
Jakarta: IEEE.
Thomason, S. (2012). Improving Network Security: Next Generation Firewalls and Advanced Packet Inspection
Devices. Global Journal of Computer Science and Technology Network, Web & Security, 47-49.
Wang, C. (2009, June 4). Forrester: Deep Packet Inspection as an Enabling Technology. Retrieved from CSO Online:
http://www.csoonline.com/article/2124061/network-security/forrester--deep-packet-inspection-as-an-enabling-technology.html