Computer Science 402b -- Concept Assignment 1


Your task is to write a review of one of the papers on the CS402 web site under the "Concept1 Papers" link. This is an individual assignment. Do not work in groups. A review is similar to a referee's report or critique. A good review:
  • briefly summarizes the paper
  • highlights the main aspects of the research methodology (implementations, experiments, theories, ...)
  • places the work in the wider context of the research literature (To help you accomplish this, you will want to find and read one or more of the papers referenced by the paper you choose.)
  • indicates its main contributions
  • describes the paper's strengths
  • offers constructive criticism as to how the work could be improved

  • Worth 17.5%
  • Due Date: Friday February 2 2001.
  • This document passed MS Word 97's grammer check.

    Counts
    Pages: 9
    Words: 3117
    Characters: 17077
    Paragraphs: 96
    Sentences: 139
    Averages
    Sentences per paragraph: 2.7
    Words per sentence: 21.3
    Characters per word: 5.3
    Readability
    Passive sentences: 29%
    Flesch Reading Ease: 32.0
    Flesch-Kincaid Grade Level: 12.0
    Instructor's Comments: 75%
    At times your summary is close to a paraphrase rather than a summary (i.e. tell what it says -- don't just rephrase it).

    Review of Distributed Firewalls


    1. Summary

    1.1 Introduction
    According to Bellovin's Distributed Firewalls article, firewalls require a network topology with controlled entry points in order to effectively monitor traffic and enforce policy rules. These systems, referred to as conventional firewalls, generally presume that everyone on the inside can be trusted and that everyone on the outside is a possible enemy.

    However, recent trends in how networks are interconnected and in how users use them are quickly rendering the conventional firewall an insufficient and inefficient design. For example, at-home users outside the firewall who use their Internet connection to access their organization's servers on the inside need protection if encrypted tunnels aren't in place. Another situation that conventional firewalls do not handle well is a machine inside the firewall that belongs to a network using a dynamic address scheme (one that automatically assigns an address to a station whenever it boots up), because the internal IP addresses aren't static.

    Despite these drawbacks, firewalls are still a very powerful and useful tool that can help protect a network from malevolent intruders. In fact, they are necessary for older, legacy applications that have no authentication or security features built into them. Although encrypting transmissions is possible and should be done for all implementations, it is not a viable solution for older applications.

    Firewalls can also be used to enforce network policy; specifically restricting what can be accessed externally by users. For instance, in an effort to prevent users from visiting porn sites a network administrator may set the firewall to disallow outgoing requests to them.

    To overcome the disadvantages of a conventional firewall while retaining its advantages, the concept of a distributed firewall is suggested. In a distributed firewall scheme the idea is to eliminate the dependency on topology by keeping the policy centrally defined but making policy enforcement the responsibility of each endpoint. It would be implemented by having a compiler translate the policy language into an internal format, saved in a policy file, that would be exported to all hosts protected by the firewall via system management software. In this way, all inbound packets would be accepted or rejected by each host according to both the policy and the verified identity of the sender. To implement a distributed firewall scheme, an administrator will need (1) a policy language that states which connections are allowed or disallowed, (2) a system management tool, and (3) IPSEC, a network-level encryption mechanism for TCP/IP.

    1.2 Policies
    Any policy language can be used as long as it is powerful enough to express the desired policy and it is able to identify inside hosts. There are two ways in which a host can be identified in a topology-independent network: IP addresses and cryptographic certificates used with IPSEC. Cryptographic certificates are preferred over IP addresses because they are difficult to spoof (falsify) and a certificate remains valid for the machine it belongs to even if that machine is physically moved.

    1.3 Advantages of Distributed Firewalls
    In most organizations, system management software packages are already used because they simplify administration, allow some level of central control and make updates, via patches, easier to install. A distributed firewall system would use similar infrastructure.

    The security administrator would be responsible for setting up the security policy in terms of host identifiers. Saved into a policy file, it would then be shipped out to all the hosts that participate in the distributed firewall. When a message leaves or arrives at a host, the host will check the policy file before processing it to verify its compliance.

    If certificates identify hosts, distributed firewall policy enforcement becomes even more effective. This will protect the network from attacks using spoofed identities or subverted machines that don't normally communicate with one another, whereas conventional firewalls would not. For example, in order for a network that uses a conventional firewall to receive mail properly, all the inside machines would have to permit unrestricted access to a port. An attack that originated from within the firewall could exploit that e-mail port. However, a network that uses a distributed firewall would be able to restrict access to that port to the mail gateway, thus eliminating this type of vulnerability.

    A conventional firewall cannot know what a host intends and will sometimes rely on externally visible features of the protocols it handles. For example, if a TCP/IP packet has the ACK (acknowledge) bit set, the firewall might assume that it is part of an ongoing conversation with a host and let it in. Spoofed ACK packets can therefore be used to "stealth scan" for active ports. Similarly, UDP packets are difficult to handle, as conventional firewalls are unable to distinguish replies to legitimate outbound queries from incoming attacks. With a distributed firewall, the sending host would know its own intent and would be able to handle these situations.
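    The ACK-bit problem above, as an added illustration that is not from Bellovin's paper or this review: a stateless perimeter filter that treats the ACK flag as proof of an existing conversation, beside an endpoint that consults its own connection table and records the mismatch. Class and function names (TcpPacket, EndpointHost, compare) and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TcpPacket:
    src_ip: str
    src_port: int
    dst_port: int
    ack: bool  # only the ACK flag matters for this illustration


def stateless_filter_accepts(pkt: TcpPacket) -> bool:
    """Conventional packet filter: an ACK bit is taken as proof of an ongoing conversation."""
    return pkt.ack


@dataclass
class EndpointHost:
    """A host in a distributed firewall: it knows which connections it actually opened."""
    established: set = field(default_factory=set)  # (peer_ip, peer_port, local_port)
    alerts: list = field(default_factory=list)

    def open_connection(self, peer_ip: str, peer_port: int, local_port: int) -> None:
        self.established.add((peer_ip, peer_port, local_port))

    def accepts(self, pkt: TcpPacket) -> bool:
        # Accept only packets that belong to a connection this host itself set up.
        if (pkt.src_ip, pkt.src_port, pkt.dst_port) in self.established:
            return True
        if pkt.ack:
            # An ACK that matches no connection is exactly the probe a stateless filter
            # lets through; recording it gives the administrator a detection signal.
            self.alerts.append(
                f"unsolicited ACK from {pkt.src_ip}:{pkt.src_port} to port {pkt.dst_port}"
            )
        return False


def compare(host: EndpointHost, pkt: TcpPacket) -> tuple:
    """Returns (what a stateless perimeter filter decides, what the endpoint decides)."""
    return stateless_filter_accepts(pkt), host.accepts(pkt)


if __name__ == "__main__":
    # Constructed scenario: one real connection to 198.51.100.7:443 from local port 40000.
    host = EndpointHost()
    host.open_connection("198.51.100.7", 443, 40000)
    print(compare(host, TcpPacket("198.51.100.7", 443, 40000, True)))  # (True, True)
    print(compare(host, TcpPacket("203.0.113.9", 55555, 139, True)))   # (True, False)
    print(host.alerts)
```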

    The most important advantage that distributed firewalls have over conventional firewalls is that they are able to protect hosts not within a topological boundary. The at-home user who uses the Internet to tunnel into his/her organization's network and to do generic web surfing isn't easily protected by the conventional approach. The best way to ensure the organization's security is to have the generic web surfing traffic tunneled into their server and back to the at-home user. However, this is inefficient, violates most organizations' usage policies and doesn't protect the user when the tunnel is not set up. A distributed firewall that included the at-home user would be a better solution, as it would provide constant protection even if a tunnel was not set up. Messages from the organizational hosts would be authenticated by IPSEC and allowed more access, while messages from other machines can be rejected.

    1.4.1 Remote Nodes and IPSEC
    Since IPSEC support is not currently widely available, a hybrid firewall implementation may be an acceptable compromise between functionality and cost. In a hybrid implementation, common at companies that have a major central site and some number of telecommuters, some hosts sit inside a conventional firewall while other hosts sit outside. The outside hosts are connected to the network through an IPSEC gateway at the central site. Although the remote hosts still have access to the inside hosts via the IPSEC tunnel, they are bound to the centralized security policy file that tells them how to process traffic to the rest of the Internet.

    1.4.2 Distributed Firewalls and Topological Knowledge
    Instead of using IPSEC for host identification, address-dependent policies can be distributed for each individual host to enforce. Although address-based authentication is weaker, a security level comparable to conventional firewalls can be achieved by using a simple router to prevent address spoofing from external machines. The main disadvantage is that remote hosts cannot be protected under this scheme.

    1.4.3 Application-Specific Tunnels
    Specific applications and protocols are routed through an IPSEC tunnel to the inside of the firewall for processing while distributed firewall techniques are used for others. This is only useful in a situation where only a few protocols need special filtering.

    1.5 Implementation Techniques
    The most secure implementation of a distributed firewall would use end-to-end IPSEC. Each packet is associated with a certificate; the rights that have been granted to that certificate determine the level of access the packet is permitted. Should a packet arrive with an unrecognized certificate or without IPSEC protection, the packet will be considered unauthorized and dropped.

    Distributed firewalls are similar to host-based enforcement implemented in TCP wrappers or PC "personal firewall" software. However those schemes rely on IP addresses and do not include the integral centralized policy definition.

    1.6 Change Management
    Since access rights are granted to certificates in a distributed firewall, changing the certificates that are accepted can change the access rights. This can be used to ensure user compliance with the latest patch or policy configuration. In the former case, a host may check the certificate of an inbound packet to see whether the machine it originated from has incorporated the newest patch; if not, access could be limited or even denied. In the latter case, if the proper versions of the proper files were not present, the certificate could be disallowed from being used for authentication. This can also be used to protect against new, insecure machines recently installed inside the network. If the appropriate filtering software and configurations have not been set up, then a certificate will not be issued and the machine would be treated as if it were an outside machine.
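    The endpoint enforcement described in sections 1.1 and 1.3 (policy file shipped to every host, decisions based on the sender's verified certificate rather than its address, mail port restricted to the mail gateway) together with the certificate-based patch gate of section 1.6, as an added toy model that is not code from Bellovin's paper or this review. The HMAC signature stands in for IPSEC's verification of the sender, and the policy format, issuer key, host names and addresses are all constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed issuer key: stands in for the organisation's certificate authority.
ISSUER_KEY = b"constructed-demo-issuer-key"

# Constructed policy "file": what a policy compiler would emit and system management
# software would push to every host. Rules are matched top to bottom, first match wins.
POLICY = [
    {"action": "allow", "port": 25, "from": "mail-gateway"},        # section 1.3 example
    {"action": "allow", "port": 22, "from": "*", "min_patch": 3},   # section 1.6 gate
    {"action": "deny", "port": "*", "from": "*"},
]


@dataclass(frozen=True)
class Certificate:
    subject: str      # the host identifier the policy language refers to
    patch_level: int  # attribute asserted by the issuer (change management)
    sig: str          # issuer's MAC over the two fields above


def _sign(subject: str, patch_level: int) -> str:
    return hmac.new(ISSUER_KEY, f"{subject}|{patch_level}".encode(), hashlib.sha256).hexdigest()


def issue(subject: str, patch_level: int) -> Certificate:
    """Issuer side: only a host that meets the configuration bar gets a certificate."""
    return Certificate(subject, patch_level, _sign(subject, patch_level))


def cert_is_valid(cert: Optional[Certificate]) -> bool:
    """Stand-in for IPSEC's sender verification: a forged or edited certificate fails."""
    return cert is not None and hmac.compare_digest(cert.sig, _sign(cert.subject, cert.patch_level))


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    cert: Optional[Certificate]  # None models a packet with no IPSEC protection


def host_decide(pkt: Packet, policy=POLICY) -> str:
    """Endpoint enforcement: identity comes from the verified certificate, never the IP header."""
    if not cert_is_valid(pkt.cert):
        return "drop: unauthenticated"
    for rule in policy:
        if rule["port"] not in ("*", pkt.dst_port):
            continue
        if rule["from"] not in ("*", pkt.cert.subject):
            continue
        if rule["action"] == "allow" and pkt.cert.patch_level < rule.get("min_patch", 0):
            return "drop: patch level too low"  # access is tied to the certificate's attributes
        return rule["action"]
    return "deny"


def conventional_decide(pkt: Packet, inside_prefix: str = "10.0.") -> str:
    """Perimeter filter for contrast: trusts any source address that looks internal."""
    if pkt.src_ip.startswith(inside_prefix):
        return "allow"  # inside hosts are presumed trustworthy
    return "allow" if pkt.dst_port == 25 else "deny"  # mail port must stay open to the world
```

    Comparing host_decide with conventional_decide on the same packets shows the two differences the review describes: an inside machine other than the mail gateway cannot reach port 25, and a packet carrying an internal-looking source address but no valid certificate is dropped rather than trusted.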

    1.7 Threat Comparison
    The only way to fairly compare the strengths and weaknesses of distributed firewalls to conventional firewalls is in a closed, single-entry network. If the firewalls relied solely on packet filters, then a conventional firewall would be susceptible to "stealth scans". Otherwise, both types are excellent at rejecting requests for inappropriate services. Conventional firewalls are better for application-level proxies because the filtering code is generally very complex and not readily available on the host platforms. Both are rather ineffective against denial of service attacks. Distributed firewalls suffer more from attacks that bombard the IKE process with bogus security association requests, as these slow down all hosts instead of being limited to a single machine as in a conventional firewall. Conventional firewalls are more vulnerable to attacks that consume resources, such as scanning many e-mail attachments for viruses. Both firewalls can detect attempted intrusions, but conventional firewalls have an easier time centralizing all the information. Distributed firewalls do a better job at protecting against inside attacks. This threat can be reduced by limiting resources to those that use them, instead of letting everyone inside an organization have access to them, which is the case with conventional firewalls.

    1.8 Conclusions
    The strong security technology of end-to-end IPSEC is sometimes believed to be incompatible with conventional firewalls because it does not allow traffic analysis. This article claims otherwise by showing how IPSEC can be used to implement more secure firewalls while at the same time eliminating many of the limitations of conventional firewalls. The protection and centralized control of policy are kept, while the dependence on topology, on IP addresses and the conflicts with IPSEC are eliminated.

    2. Research Methodology

    The article is purely theoretical. At the time it was written, none of the systems proposed by the author had been prototyped or tested.


    3. Research Context

    3.1 A Primer on firewalls
    The purpose of a firewall is to protect networked computers from intentional hostile intrusion that would result in loss of data, denial of service, system damage or loss of privacy [2]. A firewall can be implemented as a hardware device or a software program running on a secure host computer. A conventional firewall has two network interfaces, the "inside", which the conventional firewall is meant to protect, and the "outside" to which the inside is exposed. Typically the "inside" is an organization's private network and the "outside" is the entire Internet.

    A conventional firewall can examine traffic routed between the two networks and can filter both inbound and outbound traffic based on the network administrator's criteria. It can log all attempts to access the private network and even trigger alarms when an unauthorized entry is detected. It can filter packets based on source and destination IP addresses (called address filtering) or based on the packet's protocol including its attributes and state (called protocol filtering).

    3.2 IPSEC
    IPSEC (IP SECurity) is a set of standards developed by the Internet Engineering Task Force (IETF). IPSEC is designed to solve two problems that the standard IP protocol suite failed to address: host-to-host authentication (to ensure a host is indeed communicating with the host it thinks it's communicating with) and encryption (which will prevent unauthorized third parties from monitoring transmissions) [4].

    Firewalls were not designed to address either of these two issues. Although firewalls can help to reduce some of the risks present on an Internet without authentication or encryption, there are really two separate classes of problems here. IPSEC addresses the integrity and privacy of communication between hosts (not networks). Firewalls deal with the restrictions imposed on traffic between different networks in order to protect what's inside them.

    3.3 Policy Languages
    A firewall security policy should state which connections are allowed [1] and which practices must be adhered to [5]. A policy should be able to specify and interpret credentials and relationships that permit the authorization of security-critical actions. Credentials, which are a form of encrypted certificates, describe the privileges that were granted to a group. In order to perform an action covered by the policy, the policy language must verify that the host named in the certificate is indeed authorized to do so.

    4. Main Contributions

    The main contribution of this paper is that it describes a method of implementing a firewall system that takes advantage of IPSEC while retaining most of the benefits of conventional firewalls. It also suggests ways of implementing hybrid firewalls that may be better in some instances where high security is not such a priority but resources are. The paper also describes situations in which this would be most beneficial.

    5. The Paper's Strengths

    Bellovin does a good job describing the underlying theory and fundamental components necessary to create a distributed firewall. His paper is concise, straight to the point and does not require a high level of applied technical knowledge to understand. Bellovin even describes hybrid conventional / distributed firewall setups in an effort to balance some of the practical issues such as costs and IPSEC support in implementation.

    6. Constructive Criticism

    Bellovin seems to have written this paper solely with an audience of Network Administrators in mind. In order to understand the relevance of this paper, the reader must first know what a conventional firewall is supposed to do and how it is supposed to work. Instead of a single sentence in the abstract, Bellovin could have added two or three more lines so that less expert readers could keep up. He does this again with the concept of IPSEC. Without even explaining what the acronym means and what it describes, Bellovin casually mentions that some people wish to do away with firewalls because of it. Even if there are such people (and if there are, they must be a small group, as we have yet to find any proponents of that suggestion), Bellovin should tell his readers why they might think that way. A sentence describing how IPSEC is a new IP security protocol that incorporates host-to-host authentication and message encryption, virtually guaranteeing a secure connection between two hosts, would have sufficed.

    While doing an adequate job describing the technical feasibility of distributed firewalls, Bellovin fails to address the financial and practical realities of the real world. While organizations with excess funds, manpower and time would undoubtedly jump on the distributed firewall bandwagon, we believe that most organizations would be unwilling to devote the resources required to implement such a system. It is difficult to justify the increase in protection against the extra costs of installing the appropriate software on every single host in a network and having a Security Administrator define a policy for each of them.

    Bellovin's comparison of the two firewall schemes' strengths and weaknesses against attacks is biased and unscientific. Networks will often contain two or more gateways to external networks (e.g. the Internet). In such situations, the bottleneck effect of the controlled entry point would be less of a concern. Also, Bellovin merely states the hypothetical outcomes of such attacks. It would have been nicer if some tests had been done and some statistics gathered that indicated whether or not there was a significant difference between the two.

    7. Final Thoughts

    All Network Administrators must make a trade-off between greater user-access and increased network security. While a distributed firewall does manage to retain the benefits offered by the IPSEC protocol and the centralized policy control of traditional firewalls, it is not a perfect solution. A distributed firewall would be most beneficial to organizations that have many remote hosts that need secure access to the private network. Most other organizations would probably be better off with a conventional firewall or a hybrid because of the cost and implementation issues.

    8. About the Author

    While a graduate student in 1979 at the University of North Carolina at Chapel Hill, Steven M. Bellovin helped create USENET and was subsequently awarded for his contribution in 1995 with the Usenix Lifetime Achievement Award, known, appropriately enough, as "The Flame". Having graduated with a Ph.D. in computer science, Dr. Bellovin now divides his time between being a member of the Internet Architecture Board and an AT&T Fellow in the Communications Information Systems Research Department at AT&T Labs Research in Florham Park, New Jersey. In 1994, Dr. Bellovin co-authored the book Firewalls and Internet Security: Repelling the Wily Hacker with William Cheswick.

    9. Glossary

    Authentication: The process of determining the identity of a user that is attempting to access a system [5].

    Cryptographic: Relating to the process of writing or deciphering secret codes.

    Firewall: A security scheme that prevents unauthorized users from gaining access to a computer network or monitors transfers of information to and from the network.

    IP Address: A 32-bit address assigned to a computer that uses TCP/IP protocols.

    IPSEC (IP SECurity): A protocol that protects and authenticates IP packets between hosts.

    Packet: A small parcel of data sent across a network.

    Protocol: A design that specifies the details of how computers shall behave [3].

    Spoof: An attack whereby a system attempts to illicitly impersonate another system [5].

    Server: A program that communicates with another over a network, usually doing something for it.

    TCP (Transmission Control Protocol): The TCP/IP protocol that provides connection-oriented communication [3].

    Topology: The shape of the network, how the computers are logically interconnected.

    UDP (User Datagram Protocol): The TCP/IP protocol that provides connectionless communication service [3].

    10. References

    [1] Steven M. Bellovin, Distributed Firewalls. ;login: November 1999, pp. 37-39.

    [2] M. Blaze, J. Feigenbaum, and A. Keromytis. KeyNote: Trust Management for Public-Key Infrastructures. In Proceedings of the 1998 Cambridge Security Protocols International Workshop, pages 59-63. Springer, LNCS vol. 1550, 1999.

    [3] Douglas E. Comer, Computer Networks and Internets, Prentice Hall, 1997.

    [4] Matt Curtin and Marcus J. Ranum, Firewalls FAQ version 10.0. 2 Jan 2001 06:39:01 GMT
    http://www.faqs.org/faqs/firewalls-faq/

    [5] Firewall Q&A. Vicom Technology Ltd. Reference Section.
    http://www.vicomsoft.com/knowledge/reference/firewalls1.html

    [6] Steven M Bellovin's homepage.
    http://www.research.att.com/~smb/
