Using distributed firewalls in securing LANs


OUTLINE

  • Security Issues
  • Firewalls
  • Distributed Firewalls
  • Architectural similarities of NES, ADF & EFW
  • Stateful Clustered Security Gateway (CSG) Distributed Firewalls
  • Components of the Stateful CSG
  • IPsec
  • Benefits and Drawbacks of Stateful CSG
  • Conclusion
  • References

Security Issues

Some security issues affecting LANs are:

  • Eavesdropping
  • Denial of service (DoS)
  • Repudiation
  • Spoofing
  • Network device vulnerabilities

  • No support for update patches.
  • Delay in release of update patches.
  • User reluctance to install update patches.

(Stallings and Stallings, 1999)

Firewalls

A firewall is a network security system that monitors the inflow and outflow of data packets and analyses these packets against security policies. It is a location for monitoring security-related events, such as log audits and alarms. It can serve as a platform for creating a VPN using IPsec.

(Davis, 1995)

Some of the techniques used to control access and enforce security policies are:

  • Service Control
  • Direction Control
  • Behavior Control

Drawbacks of Firewalls

  • Relies on a restricted network topology.
  • Assumes inside users are trusted and does not protect the network from internal attacks that can bypass the firewall using dial-out capabilities.
  • Difficult to process certain protocols (FTP, Real-Audio, etc.).
  • Does not give protection against the transfer of virus-infected programs or files.
  • Single points of access make firewalls hard to manage.

(Davis, 1995)

Distributed Firewalls

Distributed firewalls are mechanisms that enforce centrally managed security policies that are distributed to endpoints, forming a distributed firewall system.

The design of distributed firewalls is based on three elements:

  • Keynote Firmato: A general policy language for defining security policies.
  • Web Server: Mechanism to distribute security policies.
  • IPsec: Security protocol that provides network-level encryption.

Examples of Distributed Firewalls

  • Network Edge Security (NES)
  • Distributed Embedded Firewall (EFW)
  • Automatic Distributed Firewall (ADF)
  • Stateful Clustered Security Gateway (Stateful CSG)

(Ramsurrun and Soyjaudah, 2009)

Architectural similarities of NES, ADF & EFW

Distributed firewalls are intended to be tamper resistant.

  • Independent of the host operating system, being implemented on the host's NIC.
  • NICs are used to store and perform packet filtering and cryptographic variables and subsystem management.
  • Uses the 3Com 3CR990 family of NIC cards.
  • Managed by a central, protected policy server.
  • Protects against IP spoofing as the NIC is inaccessible.
  • Audit reports are sent to the audit manager in the policy server in the event of firewall policy violations.

(Meredith, 2003)

Drawbacks of NES, ADF & EFW

  • A large amount of network traffic is generated due to the heavy rate of audit messages.
  • Due to the limited processing power and memory on the NIC, its packet filtering capability is limited, and the NIC can be overloaded by network traffic even when small firewall rulesets are used.
  • High convergence time of the firewalls, as every end-user host needs to be constantly updated.

(Ramsurrun and Soyjaudah, 2009)

Stateful Clustered Security Gateway Distributed Firewalls

This architecture consists of multiple firewall nodes actively working in parallel to filter network traffic, both internal and external.

(Ramsurrun and Soyjaudah, 2009)

Components of the Stateful CSG

  • Policy Distributor: Receives and reads update files created by the admin and distributes them to the specified IP addresses of the CSMs using TCP.
  • CSM: Receives and reads update files with the csm_updatehandler() function and reconstructs them to ensure that they are error free. It then sends the firewall update to each of the CSG firewall nodes using a unicast TCP connection.

During transmission of the update files, data as well as network security is achieved using a security protocol, IPsec.

(Ramsurrun and Soyjaudah, 2009)
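An added sketch (not from the slides or from the Stateful CSG paper) of the CSM step described above: check a received update file, then push it to every firewall node or to none. The file layout, the SHA-256 header and the names `build_update`, `parse_update` and `handle_update` are assumptions; in-memory lists stand in for the unicast TCP connections to the nodes.

```python
import hashlib

# Constructed update-file layout (an assumption, not the Stateful CSG format):
#   line 1:   "SHA256 <hex digest of the rule lines>"
#   line 2..: one rule per line, "<action> <proto> <src> <dst> <dport>"
# The digest only catches damaged or truncated files; authenticity and
# confidentiality in transit are left to IPsec, as the slides state.
ACTIONS = {"allow", "deny"}
PROTOS = {"tcp", "udp"}

def build_update(rules):
    """Policy-distributor side: prepend a digest of the rule body."""
    body = "\n".join(rules)
    return "SHA256 " + hashlib.sha256(body.encode()).hexdigest() + "\n" + body

def parse_update(blob):
    """CSM side: return (rules, errors); rules is empty if any check fails."""
    header, _, body = blob.partition("\n")
    parts = header.split()
    if len(parts) != 2 or parts[0] != "SHA256":
        return [], ["missing digest header"]
    if hashlib.sha256(body.encode()).hexdigest() != parts[1]:
        return [], ["digest mismatch: file damaged or truncated"]
    rules, errors = [], []
    for n, line in enumerate(body.splitlines(), start=1):
        f = line.split()
        if (len(f) != 5 or f[0] not in ACTIONS or f[1] not in PROTOS
                or not f[4].isdigit()):
            errors.append(f"rule {n} malformed: {line!r}")
        else:
            rules.append(tuple(f))
    return ([], errors) if errors else (rules, [])

def handle_update(blob, nodes):
    """Push a verified ruleset to every firewall node, or to none at all."""
    rules, errors = parse_update(blob)
    if errors:
        return {"pushed": 0, "errors": errors}  # error report for the admin
    for node in nodes:  # stands in for one unicast TCP connection per node
        node.clear()
        node.extend(rules)
    return {"pushed": len(nodes), "errors": []}

# Constructed sample update
GOOD = build_update(["allow tcp 10.0.0.0/24 10.0.1.5 443",
                     "deny udp any any 53"])
```

Rejecting the whole file on any error keeps all nodes on the same ruleset, so a partly applied update cannot leave the cluster filtering inconsistently.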

IPsec

IPsec is an IP-layer protocol that protects the sending and receiving of cryptographically protected packets of any kind, without any modification (Alshamsi and Saito, 2005).

IPsec is used to protect firewall policies distributed from the policy distributor to the CSMs, and to secure the error reports and logs sent from the CSMs to the network admin in case of policy update file errors.

(Ramsurrun and Soyjaudah, 2009)

Benefits of Stateful CSG

When the CSG distributed firewall system is successfully implemented, the following attacks are addressed:

  • Insider attacks
  • IP & MAC address spoofing
  • Packet sniffing
  • Denial of Service

In addition to the threats addressed by Stateful CSG, some of the advantages of implementing Stateful CSG over other distributed firewall schemes are summarized in Table 1.

(Ramsurrun and Soyjaudah, 2009)

Table 1 (Ramsurrun and Soyjaudah, 2009)

Columns: EFW, ADF, NES, Stateful CSG-base

Characteristics:

  • Fine-grained security
  • Firewall tamper resistance
  • High scalability
  • Anti-spoofing
  • Anti-sniffing
  • Low overall network load
  • Secure real-time
  • Low convergence time
  • Low end-user host processing strain
  • Context knowledge

Drawback of Stateful CSG

It is a capital-intensive approach to implement, due to its hardware-based architecture.

Conclusion

In this presentation, we reviewed different security issues in LANs and how these threats are addressed by implementing a distributed firewall scheme.

Different distributed firewall schemes were analysed and compared. We then highlighted a particular distributed firewall (Stateful CSG), how it is implemented in securing LANs, and its benefits.

The implementation of a load balancing NIC to protect against load balancing rule tamper by malicious end-user hosts.


References

Alshamsi, A. and Saito, T., 2005, March. A technical comparison of IPSec and SSL. In null (pp. 395-398). IEEE.

Davis, C. (1995). Firewall Consortium. Network Security, 1995(9), p.9.

Kahate, A. (2003). Cryptography and network security. New Delhi: Tata McGraw-Hill Pub.

Markham, T. and Payne, C., 2001, June. Security at the network edge: A distributed firewall architecture. In discex (p. 0279). IEEE.

Meredith, L.M., 2003, April. A summary of the autonomic distributed firewalls (ADF) project. In DARPA Information Survivability Conference and Exposition, 2003. Proceedings (Vol. 2, pp. 260-265). IEEE.

Payne, C. and Markham, T., 2001, December. Architecture and applications for a distributed embedded firewall. In Computer Security Applications Conference, 2001. ACSAC 2001. Proceedings 17th Annual (pp. 329-336). IEEE.

Ramsurrun, V. and Soyjaudah, K.M.S., 2009, January. A stateful CSG-based distributed firewall architecture for robust distributed security. In Communication Systems and Networks and Workshops, 2009. COMSNETS 2009. First International (pp. 1-10).

(2016). Rationalization and Defense in Depth - Two Steps Closer to the Clouds. [online] Available at: [Accessed 13 Jan. 2016].

Stallings, W. and Stallings, W. (1999). Cryptography and network security. Upper Saddle River, N.J.: Prentice Hall.
