This paper proposes a distributed firewall solution to address the limitations of traditional firewalls, including congestion, inability to handle new protocols and encryption, lack of protection against internal attacks, and difficulty in managing large networks. The paper presents the design and implementation of a distributed firewall using the keynote trust management system and openbsd operating system. The system pushes enforcement towards individual network endpoints while maintaining central policy definition. The distributed firewall consists of a policy language, an authentication mechanism, and an enforcement mechanism.

Katharine Chang
The concept of a distributed firewall is proposed in order to avoid the shortcomings of traditional firewalls. This paper presents the design and implementation of a distributed firewall using the KeyNote trust management system and the OpenBSD operating system. A firewall filters traffic between two networks according to a security policy. Traditional firewalls have the following weaknesses. First, as network connectivity expands, firewalls tend to become congestion points; in addition, new protocols and end-to-end encryption threaten firewalls because they prevent the firewall from inspecting packet fields and filtering on them. Second, firewalls cannot protect networks from internal attacks. Third, unauthorized entry points bypass all of the firewall's security mechanisms. And last, large networks employ internal firewalls, which makes administration particularly difficult.
In a distributed firewall, the security policy is defined centrally, but enforcement is pushed out to each individual network endpoint, such as routers and hosts; the system propagates the central policy to all endpoints. The distributed firewall is comprised of three components. One, a language for expressing policies and resolving requests: here the KeyNote trust management system is used, because it allows delegation and therefore makes decentralized administration possible. Two, an authentication mechanism for safely distributing security policies: here IPsec key management, through Internet Key Exchange (IKE) negotiation, is used to authenticate users and distribute credentials. Three, a mechanism that applies the security policy to incoming packets or connections, which provides the enforcement part.
The implementation of the distributed firewall uses the OpenBSD operating system as the development platform. The system the authors implemented is composed of three components: a set of kernel extensions, a policy daemon, and a policy device driver. The kernel extensions modify two system calls, connect(2) and accept(2), in order to add "filtering" hooks. The policy daemon is a user-level process responsible for making decisions based on policies specified by an administrator and on credentials. The policy device driver serves as the communication path between the user-space policy daemon and the modified system calls in the kernel; it supports the usual operations such as open(2), close(2), read(2), write(2), and ioctl(2).
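To make the three components and the accept(2) decision path concrete, here is an added example of my own; it is not code from the paper or from the OpenBSD implementation. It models the policy daemon as a small evaluator of KeyNote-style assertions (a simplified stand-in for KeyNote: no signature parsing, and credential integrity is assumed to have been established already, which the paper does over IPsec/IKE), and models the modified accept(2) as a function that builds the request's attribute set and asks the daemon for a verdict. All keys, addresses and ports are constructed sample values.

```python
"""Toy model of a distributed-firewall decision path (added example, not the
paper's code).  A root POLICY assertion trusts an administrator key; the
administrator issues a credential to a peer key; the endpoint's accept(2)
hook asks the policy daemon whether the peer is authorized for this
connection.  Credential signatures are assumed verified already."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

Attrs = Dict[str, str]      # action attribute set carried by a request
POLICY = "POLICY"           # KeyNote's root authorizer for local policy


@dataclass
class Assertion:
    """`authorizer` delegates to `licensees` when `conditions(attrs)` holds.
    In real KeyNote a credential is signed by the authorizer's key; here that
    check is assumed done out of band (hypothetical simplification)."""
    authorizer: str
    licensees: List[str]
    conditions: Callable[[Attrs], bool]


def is_authorized(requester: str, attrs: Attrs, assertions: List[Assertion],
                  _seen: Optional[Set[str]] = None) -> bool:
    """True if a delegation chain POLICY -> ... -> requester exists in which
    every assertion's conditions are satisfied by `attrs`.  Fails closed on
    cycles and on malformed attribute sets."""
    seen = set() if _seen is None else _seen
    if requester in seen:
        return False                       # cycle or already-failed principal
    seen.add(requester)
    for a in assertions:
        if requester not in a.licensees:
            continue
        try:
            if not a.conditions(attrs):
                continue
        except (KeyError, ValueError):
            continue                       # missing/bad attribute: deny
        if a.authorizer == POLICY or is_authorized(a.authorizer, attrs,
                                                   assertions, seen):
            return True
    return False


class PolicyDaemon:
    """User-level decision point standing in for the paper's policy daemon.
    Local policy is loaded at start; credentials learned later (the paper
    receives them through IKE) are added to the same assertion set."""

    def __init__(self, policy: List[Assertion]) -> None:
        self.assertions = list(policy)

    def add_credential(self, cred: Assertion) -> None:
        self.assertions.append(cred)

    def decide(self, requester: str, attrs: Attrs) -> str:
        return "ALLOW" if is_authorized(requester, attrs, self.assertions) else "DENY"


def accept_hook(daemon: PolicyDaemon, local_port: int,
                remote_addr: str, remote_key: str) -> str:
    """Model of the modified accept(2): describe the incoming connection as
    attributes and query the daemon (in the paper, via the policy device)."""
    attrs = {"app_domain": "distributed firewall", "direction": "accept",
             "local_port": str(local_port), "remote_addr": remote_addr}
    return daemon.decide(remote_key, attrs)


def build_sample_daemon() -> PolicyDaemon:
    """Constructed sample: POLICY trusts 'admin-key' for this app domain, and
    the administrator lets peer 'host-b-key' reach local port 22 from 10/8."""
    root = Assertion(POLICY, ["admin-key"],
                     lambda a: a["app_domain"] == "distributed firewall")
    cred = Assertion("admin-key", ["host-b-key"],
                     lambda a: a["direction"] == "accept"
                     and a["local_port"] == "22"
                     and ipaddress.ip_address(a["remote_addr"])
                     in ipaddress.ip_network("10.0.0.0/8"))
    daemon = PolicyDaemon([root])
    daemon.add_credential(cred)            # arrives with the peer's IKE exchange
    return daemon


if __name__ == "__main__":
    d = build_sample_daemon()
    for port, addr, key in [(22, "10.1.2.3", "host-b-key"),
                            (22, "192.168.1.1", "host-b-key"),
                            (80, "10.1.2.3", "host-b-key"),
                            (22, "10.1.2.3", "unknown-key")]:
        print(port, addr, key, "->", accept_hook(d, port, addr, key))
```

The point the model makes is the one the paper's design rests on: the endpoint needs no packet-header heuristics of its own, only the central policy plus whatever credential the peer presented, so the same decision can be reached on every host regardless of where it sits relative to a network perimeter.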
The authors pointed out some future work as possible extensions to make the working prototype more complete. They also suggested that distributed and traditional firewalls could coexist, since traditional firewalls are still useful for certain tasks. In the paper the authors just showed the feasibility of the distributed firewall by presenting the working prototype. I think it would have been better if they had shown some analysis and evaluation of their system and demonstrated its performance: whether their system is efficient, scalable, or robust. The good thing about this work is that they make use of KeyNote and IPsec. And I think it is nice to see KeyNote and IPsec working in some useful applications.