Transcript
Page 1: Using distributed firewalls in securing LANs

Using Distributed Firewalls in Securing LANs

Page 2: Using distributed firewalls in securing LANs

OUTLINE

Security Issues
Firewalls
Distributed Firewalls
Architectural similarities of NES, ADF & EFW
Stateful Clustered Security Gateway (CSG) Distributed Firewalls
Components of the Stateful CSG
IPsec
Benefits and Drawbacks of Stateful CSG
Conclusion
References

Page 3: Using distributed firewalls in securing LANs

Security Issues

Some security issues affecting LANs are:

Eavesdropping
Denial of service (DoS)
Repudiation
Spoofing

Network device vulnerabilities

No support for update patches.
Delay in release of update patches.
User reluctance to install update patches.

(Stallings and Stallings, 1999)

Page 4: Using distributed firewalls in securing LANs

Firewalls

A firewall is a network security system that monitors the inflow and outflow of data packets and analyses these packets based on security policies.

It is a location for monitoring security-related events such as log audits and alarms.

It can serve as a platform for creating a VPN using IPsec.

(Davis, 1995)

Some of the techniques used to control access and enforce security policies are:

Service Control
Direction Control
Behavior Control

Page 5: Using distributed firewalls in securing LANs

Drawbacks of Firewalls

Relies on a restricted network topology.

It assumes inside users are trusted and does not protect the network from internal attacks that can bypass the firewall using dial-out capabilities.

Difficult to process certain protocols (FTP, Real-Audio, etc.)

It does not give protection against the transfer of virus-infected programs or files.

Single points of access make firewalls hard to manage

(Davis, 1995)

Page 6: Using distributed firewalls in securing LANs

Distributed Firewalls

Distributed firewalls are mechanisms that enforce centrally managed security policies that are distributed to endpoints, forming a distributed firewall system.

The design of distributed firewalls is based on three elements:

Keynote – Firmato: A general policy language for defining security policies.
Web Server: Mechanism to distribute security policies.
IPsec: Security protocol that provides network-level encryption.

Examples of Distributed Firewalls

Network Edge Security (NES)
Distributed Embedded Firewall (EFW)
Automatic Distributed Firewall (ADF)
Stateful Clustered Security Gateway (Stateful CSG)

(Ramsurrun and Soyjaudah, 2009)

Page 7: Using distributed firewalls in securing LANs

Architectural similarities of NES, ADF & EFW

Distributed firewalls are intended to be tamper resistant.

Independent of the host operating system, being implemented on the host’s NIC.

NICs are used to store and perform packet filtering, cryptographic variables and subsystem management.

Uses the 3Com 3CR990 family of NIC cards.

Managed by a central, protected policy server.

Protects against IP Spoofing as the NIC is inaccessible.

Audit reports are sent to the audit manager in the policy server in the event of firewall policy violations.

(Meredith, 2003)

Page 8: Using distributed firewalls in securing LANs

Drawbacks of NES, ADF & EFW

A large amount of network traffic is generated due to the heavy rate of audit messages.

Due to the limited processing power and memory on the NIC, its packet filtering capability is limited and the NIC can be overloaded by network traffic even when small firewall rulesets are used.

High convergence time of the firewalls, as every end-user host needs to be constantly updated.

(Ramsurrun and Soyjaudah, 2009)

Page 9: Using distributed firewalls in securing LANs

Stateful Clustered Security Gateway Distributed Firewalls

This architecture consists of multiple firewall nodes actively working in parallel to filter network traffic, both internal and external.

(Ramsurrun and Soyjaudah, 2009)

Page 10: Using distributed firewalls in securing LANs

Components of the Stateful CSG

Policy Distributor: Receives and reads update files created by the admin and distributes them to the specified IP addresses of the CSMs over TCP.

CSM: Receives and reads update files through the csm_updatehandler() function and reconstructs each file to ensure that it is error free. It then sends the firewall update to each of the CSG firewall nodes over a unicast TCP connection.

During transmission of the update files, data security as well as network security is achieved using a security protocol: IPsec.

(Ramsurrun and Soyjaudah, 2009)
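The update path described above (policy distributor to CSM to firewall nodes), as an added example that is not code from the slides or from the Stateful CSG authors. The file framing, the rule syntax, the addresses and the function names `build_update` and `csm_handle_update` are assumptions made for illustration; the slides name only `csm_updatehandler()` and do not specify a file format.

```python
import hashlib

# Hypothetical update-file framing (the slides do not specify one):
#   line 1: "CSG-UPDATE <sha256 hex of body> <body length in bytes>"
#   rest:   one firewall rule per line
def build_update(rules):
    """Policy distributor side: frame a rule list as an update file."""
    body = "\n".join(rules).encode()
    header = f"CSG-UPDATE {hashlib.sha256(body).hexdigest()} {len(body)}\n"
    return header.encode() + body

def csm_handle_update(chunks, node_addrs):
    """CSM side: rebuild the file from TCP chunks, verify it, fan it out."""
    data = b"".join(chunks)                      # reconstruct the file
    header, sep, body = data.partition(b"\n")
    parts = header.decode(errors="replace").split()
    if not sep or len(parts) != 3 or parts[0] != "CSG-UPDATE":
        return {}, "malformed header"
    _, digest, length = parts
    if not length.isdigit() or int(length) != len(body):
        return {}, f"length mismatch: expected {length}, got {len(body)}"
    if hashlib.sha256(body).hexdigest() != digest:
        return {}, "digest mismatch"
    rules = body.decode().splitlines()
    # One unicast delivery per firewall node; nothing is sent on error,
    # and the error string stands in for the report sent to the admin.
    return {addr: list(rules) for addr in node_addrs}, ""

# Constructed sample data (rule syntax and addresses are made up).
RULES = ["allow tcp 10.0.0.0/24 -> 10.0.1.5:443", "deny ip any -> any"]
NODES = ["192.0.2.11", "192.0.2.12"]

def demo():
    good = build_update(RULES)
    delivered, err = csm_handle_update([good[:40], good[40:]], NODES)
    rejected, report = csm_handle_update([good[:-5]], NODES)  # truncated
    return delivered, err, rejected, report

if __name__ == "__main__":
    print(demo())
```

The unkeyed digest only catches truncation and corruption; protection against deliberate modification in transit comes from the IPsec layer the slides describe, which this sketch does not implement.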

Page 11: Using distributed firewalls in securing LANs

IPsec

IPsec is an IP-layer protocol that protects the sending and receiving of cryptographically protected packets of any kind, without any modification (Alshamsi and Saito, 2005).

IPsec is used to protect the firewall policies distributed from the policy distributor to the CSMs, and to secure the error reports and logs sent from the CSMs to the network admin in case of policy update file errors.

(Ramsurrun and Soyjaudah, 2009)

Page 12: Using distributed firewalls in securing LANs

Benefits of Stateful CSG

When the CSG distributed firewall system is successfully implemented, the following attacks are addressed:

Insider attacks
IP & MAC address spoofing
Packet sniffing
Denial of Service

In addition to the threats addressed by Stateful CSG, some of the advantages of implementing Stateful CSG over other distributed firewall schemes are summarized in Table 1.

(Ramsurrun and Soyjaudah, 2009)

Page 13: Using distributed firewalls in securing LANs

| Characteristics | EFW | ADF | NES | Stateful CSG-based |
|---|---|---|---|---|
| Fine-grained security | × | × | × | ✔ |
| Firewall tamper resistance | ✔ | ✔ | ✔ | ✔ |
| High scalability | ✔ | ✔ | ✔ | ✔ |
| Anti-spoofing | ✔ | ✔ | ✔ | ✔ |
| Anti-sniffing | ✔ | ✔ | ✔ | ✔ |
| Low overall network load | × | × | × | ✔ |
| Secure real-time | ✔ | ✔ | ✔ | ✔ |
| Low convergence time | × | × | × | ✔ |
| Low end-user host processing strain | ✔ | ✔ | ✔ | ✔ |
| Context knowledge | × | × | × | × |

Table 1 (Ramsurrun and Soyjaudah, 2009)

Page 14: Using distributed firewalls in securing LANs

Drawback of Stateful CSG

It is a capital-intensive approach to implement, due to its hardware-based architecture.

Page 15: Using distributed firewalls in securing LANs

Conclusion

In this presentation, different security issues in LANs were reviewed, along with how these threats are addressed by implementing a distributed firewall scheme.

Different distributed firewall schemes were analysed and compared, and then we highlighted a particular distributed firewall (Stateful CSG), how it is implemented in securing LANs, and its benefits.

The implementation of a load balancing NIC to protect against load balancing rule tamper by malicious end-user hosts.

Page 16: Using distributed firewalls in securing LANs

References

Alshamsi, A. and Saito, T., 2005, March. A technical comparison of IPSec and SSL. In null (pp. 395-398). IEEE.

Davis, C. (1995). Firewall Consortium. Network Security, 1995(9), p.9.

Kahate, A. (2003). Cryptography and network security. New Delhi: Tata McGraw-Hill Pub.

Markham, T. and Payne, C., 2001, June. Security at the network edge: A distributed firewall architecture. In discex (p. 0279). IEEE.

Meredith, L.M., 2003, April. A summary of the autonomic distributed firewalls (ADF) project. In DARPA Information Survivability Conference and Exposition, 2003. Proceedings (Vol. 2, pp. 260-265). IEEE.

Payne, C. and Markham, T., 2001, December. Architecture and applications for a distributed embedded firewall. In Computer Security Applications Conference, 2001. ACSAC 2001. Proceedings 17th Annual (pp. 329-336). IEEE.

Ramsurrun, V. and Soyjaudah, K.M.S., 2009, January. A stateful CSG-based distributed firewall architecture for robust distributed security. In Communication Systems and Networks and Workshops, 2009. COMSNETS 2009. First International (pp. 1-10). IEEE.

Slideshare.net, (2016). Rationalization and Defense in Depth - Two Steps Closer to the Clouds. [online] Available at: http://www.slideshare.net/OTNArchbeat/rationalization-and-defense-in-depth-two-steps-closer-to-the-clouds [Accessed 13 Jan. 2016].

Stallings, W. and Stallings, W. (1999). Cryptography and network security. Upper Saddle River, N.J.: Prentice Hall.

