
Towards Universitas Indonesia

Next Generation Firewall Service

Tonny Adhi Sabastian, M. Kom

([email protected])

APRU 5th Education and Research Technology Forum

The Hong Kong University of Science and Technology

28th - 30th January 2015

Introduction

Research & Development Team

● Gladhi Guarddin, M. Kom ([email protected])
  Researcher - Lecturer, Pervasive Computing Lab, Faculty of Computer Science
  Division Head of Information System Development, Office of Information System Development and Services

● Tonny Adhi Sabastian, M. Kom ([email protected])
  Research Assistant - Lecturer, Pervasive Computing Lab, Faculty of Computer Science
  ICT Network Coordinator,

5th APRU Education and Research Technology Forum


● Alfan Presekal ([email protected])
  Student, Faculty of Engineering

● Harrish M. Nazief ([email protected])
  Student, Faculty of Computer Science

● Raden Rheza ([email protected])
  Staff, Network Infrastructure Service, Office of Information System Development and Services

Presentation Overview

❏ Introduction to Our Research Lab

❏ Next Generation Firewall (NGFW) Concept

❏ Experiments on NGFW at Universitas Indonesia

❏ NGFW Prototype at Universitas Indonesia

Pervasive Computing Research Lab: What we do?

Smart Space Research

Outcome 2013 - 2014

2013: Location Extractor

2014: Zigbee REST Gateway API; Zigbee Lighting using ZLL

Next Generation Firewall Concept

“Next Generation Firewalls are Deep Packet Inspection Firewalls that move beyond port / protocol inspection and blocking to add application level inspection, intrusion prevention, and bringing intelligence from outside the firewall”

Ali Kapucu, Kent State University

“Making a Firewall to become Content Aware and Context Aware”

(Figure slides: A Legacy Firewall; Current Internet Condition; Deep Packet Inspection (two slides); What NGFW can do?)

Challenges on NGFW:

● Performance on DPI Techniques
  ○ Regular Expression and String Matching (Aho-Corasick Algorithm)
  ○ Machine Learning

● User Privacy

Next Generation Firewall Experiments on UI

● Started in 2012

● Using a Free/Open Source Software stack
  ○ Debian GNU/Linux 7
  ○ IPTables & IPSet
  ○ JASIG CAS (Common Authentication System) for Single Sign On Authentication [http://jasig.github.io/cas/4.0.0/index.html]
  ○ One Production Environment and One Prototyping Environment

Production Environment

● Using Linux kernel 2.6.32.x; this stack is unsupported on kernel 3.x

● IPSet holds the list of IPs authenticated through UI SSO

● IPtables L7-Netfilter [http://l7-filter.clearfoundation.com/]
  ○ L7-Netfilter has not been developed since 2013
  ○ Static regex pattern per protocol
  ○ In-kernel regex library

Prototyping Environment

● Using Linux kernel 3.2.x

● Active development state

● IPSet holds the list of IPs authenticated through UI SSO

● IPtables nDPI-Netfilter [http://www.ntop.org/products/ndpi/] [https://github.com/ewildgoose/ndpi-netfilter/]
  ○ Per-protocol pattern search - Aho-Corasick algorithm
  ○ Buggy netfilter conntrack

● Published at International Conference on Advance Computer Science & Information System, 2014

(Figure slides: Buggy Netfilter Patch; Typical Deployment Architecture)

Rules Example

#iptables -A INSPEKSI -m ndpi --twitter -j ACCEPT

#iptables -A INSPEKSI -m ndpi --yahoo -j STD_PROTO

#iptables -A INSPEKSI -m ndpi --steam -j REJECTED_PROTO

#iptables -A INSPEKSI -m ndpi --dropbox -j STD_PROTO

#iptables -A INSPEKSI -m ndpi --h323 -j STD_PROTO
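The three ideas this part of the deck relies on, in one runnable illustration: the Aho-Corasick multi-pattern search named on the "Challenges on NGFW" and "Prototyping Environment" slides, the IPSet of SSO-authenticated addresses, and the INSPEKSI chain above (first matching rule wins, as in iptables). This is an added example written for this transcript; it is not code from the presentation, from nDPI or from ndpi-netfilter. The byte signatures, IP addresses and payloads are constructed for illustration (real nDPI dissectors are far more than substring matches), the `REDIRECT_PORTAL` behaviour for unauthenticated hosts is an assumption based on the SSO portal slides, and the BitTorrent rule is a constructed addition motivated by the "Deployment Result" slide.

```python
# Added example (not the deck's or nDPI's code): Aho-Corasick payload
# classifier + authenticated-IP set + INSPEKSI-style rule chain.
from collections import deque

# Constructed signatures: payload substring -> protocol label.
SIGNATURES = {
    b"\x13BitTorrent protocol": "bittorrent",  # BitTorrent handshake prefix
    b"Host: twitter.com": "twitter",           # constructed HTTP host heuristic
    b"Host: www.dropbox.com": "dropbox",       # constructed HTTP host heuristic
    b"YMSG": "yahoo",                          # constructed Yahoo Messenger marker
}


class AhoCorasick:
    """Trie plus failure links; one pass over the payload finds every signature,
    which is why DPI engines prefer it to running one regex per protocol."""

    def __init__(self, patterns):
        self.goto = [{}]   # state -> {byte: next state}
        self.fail = [0]    # state -> state to fall back to on a mismatch
        self.out = [[]]    # state -> labels of every pattern ending here
        for pattern, label in patterns.items():
            state = 0
            for byte in pattern:
                if byte not in self.goto[state]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[state][byte] = len(self.goto) - 1
                state = self.goto[state][byte]
            self.out[state].append(label)
        # Breadth-first pass: depth-1 states keep fail = 0, deeper states
        # inherit the longest proper suffix that is also a trie prefix.
        queue = deque(self.goto[0].values())
        while queue:
            current = queue.popleft()
            for byte, nxt in self.goto[current].items():
                fallback = self.fail[current]
                while fallback and byte not in self.goto[fallback]:
                    fallback = self.fail[fallback]
                self.fail[nxt] = self.goto[fallback].get(byte, 0)
                self.out[nxt] = self.out[nxt] + self.out[self.fail[nxt]]
                queue.append(nxt)

    def labels(self, payload):
        """Return the set of protocol labels whose signature occurs in payload."""
        state, found = 0, set()
        for byte in payload:
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            found.update(self.out[state])
        return found


# Stand-in for the IPSet fed by the SSO portal (constructed addresses).
AUTHENTICATED_IPS = {"10.0.0.5", "10.0.0.9"}

# The INSPEKSI chain from the deck, in rule order, plus a constructed
# BitTorrent rule. Targets are the chain names the deck uses.
INSPEKSI = [
    ("twitter", "ACCEPT"),
    ("yahoo", "STD_PROTO"),
    ("steam", "REJECTED_PROTO"),
    ("dropbox", "STD_PROTO"),
    ("h323", "STD_PROTO"),
    ("bittorrent", "REJECTED_PROTO"),  # constructed addition
]

CLASSIFIER = AhoCorasick(SIGNATURES)


def decide(src_ip, payload):
    """Target a packet would reach: hosts not in the authenticated set are sent
    to the SSO portal (assumed behaviour); the rest are classified by payload."""
    if src_ip not in AUTHENTICATED_IPS:
        return "REDIRECT_PORTAL"
    found = CLASSIFIER.labels(payload)
    for label, target in INSPEKSI:
        if label in found:
            return target
    return "UNCLASSIFIED"  # fell off the chain; the deck does not show its default


if __name__ == "__main__":
    samples = [
        ("10.0.0.5", b"\x13BitTorrent protocol" + bytes(8)),
        ("10.0.0.5", b"GET / HTTP/1.1\r\nHost: twitter.com\r\n\r\n"),
        ("172.16.4.2", b"GET / HTTP/1.1\r\nHost: twitter.com\r\n\r\n"),
    ]
    for ip, data in samples:
        print(ip, decide(ip, data))
```

The point the "Deployment Result" slide makes shows up in the first sample: a BitTorrent handshake is recognised by its payload regardless of the port it travels on, which a port-based legacy rule cannot do. The `labels` method also handles the overlap case the failure links exist for (a signature that begins in the middle of a false start, such as `Host: Host: twitter.com`).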

(Figure slides: Authorization Portal*; SSO Portal)

Deployment Result

With the legacy implementation, we cannot tell whether somebody tunneled BitTorrent packets.

The DPI implementation is able to capture and filter a target protocol.

Next Plan

● Traffic Classifier (using machine learning)

● DPI Technique (also using machine learning)

● Automatic provisioning on Firewall and Bandwidth Management

References

Acharya, H. B., Joshi, A., & Gouda, M. G. (2010). Firewall Modules and Modular Firewalls. 2010 18th IEEE International Conference on Network Protocols (pp. 174-182). Kyoto: IEEE.

Alcock, S., & Nelson, R. (2013). Measuring the Accuracy of Open-Source Payload-Based Traffic Classifiers Using Popular Internet Applications. IEEE Workshop on Network Measurements (pp. 956-963). Sydney: IEEE.

Allot Communications. (2007). Digging Deeper into DPI. Allot Communications.

Al-Shaer, E. S., & Hamed, H. H. (2002). Design and Implementation of Firewall Advisor Tools. Chicago: DePaul University.

Nazief, H. M., Sabastian, T. A., Presekal, A., & Guarddin, G. (2014). Development of University of Indonesia Next Generation Firewall Prototype and Access Control With Deep Packet Inspection. 2014 IEEE International Conference on Advance Computer Science and Information System. Jakarta: IEEE.

Ou, G. (2009, October 27). Understanding Deep Packet Inspection (DPI) Technology. Retrieved from Digital Society: http://www.digitalsociety.org/2009/10/understanding-deep-packet-inspection-technology/

Papatheodoulou, N., & Sklavos, N. (2009). Architecture & System Design Authentication, Authorization, & Accounting Services. IEEE, 1831-1837.

Parsons, C. (2008). Deep Packet Inspection in Perspective: Tracing its lineage and surveillance potentials. The New Transparency: Surveillance and Social Sorting, 1-16.

Thomason, S. (2012). Improving Network Security: Next Generation Firewalls and Advanced Packet Inspection Devices. Global Journal of Computer Science and Technology Network, Web & Security, 47-49.

Wang, C. (2009, June 4). Forrester: Deep Packet Inspection as an Enabling Technology. Retrieved from CSO Online: http://www.csoonline.com/article/2124061/network-security/forrester--deep-packet-inspection-as-an-enabling-technology.html

Q & A

Thank You