Distributed Firewalls: Design and Implementation using KeyNote and OpenBSD, Papers of Electrical and Electronics Engineering

This paper proposes a distributed firewall to address the limitations of traditional firewalls: congestion, inability to handle new protocols and end-to-end encryption, lack of protection against internal attacks, and difficulty in managing large networks. It presents the design and implementation of a distributed firewall using the KeyNote trust management system and the OpenBSD operating system. The system pushes enforcement towards the individual network endpoints while keeping policy definition central. The distributed firewall consists of a policy language, an authentication mechanism, and an enforcement mechanism.

Uploaded on 09/02/2009

koofers-user-8qg
koofers-user-8qg 🇺🇸

10 documents

1 / 1

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
EECS 598-2 Paper Review

Implementing a Distributed Firewall

Katharine Chang

The concept of a distributed firewall is proposed in order to avoid the shortcomings of traditional firewalls. This paper presents the design and implementation of a distributed firewall using the KeyNote trust management system and the OpenBSD operating system. A firewall filters traffic between two networks according to some security policy. Traditional firewalls have the following weaknesses: First, with the expansion of network connectivity, firewalls tend to become congestion points. In addition, new protocols and end-to-end encryption can also be threats to firewalls, because they prevent firewalls from looking at the packet fields and doing the filtering. Second, firewalls cannot protect networks from internal attacks. Third, unauthorized entry points can bypass all the security mechanisms of firewalls. And last, large networks employ internal firewalls, which make administration particularly difficult.

In distributed firewalls, security policy is defined centrally, but enforcement is pushed towards each individual network endpoint, such as routers and hosts. The system propagates the central policy to all endpoints. The distributed firewall is comprised of the following three components: One, a language for expressing policies and resolving requests. Here the KeyNote trust management system is used, as it allows delegation, so decentralized administration becomes possible. Two, an authentication mechanism for safely distributing security policies. Here the IPsec key management protocol, via Internet Key Exchange (IKE) negotiation, is used to authenticate users and distribute credentials. And three, a mechanism that applies the security policy to incoming packets or connections, which provides the enforcement part.
The implementation of the distributed firewall uses the OpenBSD operating system as the development platform. The system the authors implemented is composed of three components: a set of kernel extensions, a policy daemon, and a policy device driver. The kernel extensions modify two system calls, connect(2) and accept(2), in order to add some "filtering" mechanisms. The policy daemon is a user-level process responsible for making decisions based on the policies specified by an administrator and on credentials. The policy device driver serves as a communication path between the user-space policy daemon and the modified system calls in the kernel. It supports the usual operations such as open(2), close(2), read(2), write(2), and ioctl(2).
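As an added illustration (not code from the paper or from this review), the Python sketch below models the decision the policy daemon described above makes for one connect(2) request: a KeyNote-style site policy delegates to an administrator principal, the administrator's credential delegates to a user principal under conditions on the request attributes, and the daemon checks that a valid delegation chain exists. Principal names, attribute names and the boolean `signed` flag are assumptions; real KeyNote credentials are signed, carry `Licensees` expressions rather than plain lists, and are evaluated by the KeyNote library.

```python
"""Minimal KeyNote-style compliance checker modelling the policy daemon's decision.

Constructed example: POLICY trusts an administrator principal; the administrator's
credential (a signed KeyNote credential delivered over IKE in the real system) delegates
to a user under conditions on the request attributes the kernel extension passes up.
Principal and attribute names are placeholders, not real keys or the paper's exact set.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Action = Dict[str, str]  # attribute set describing one connect(2)/accept(2) request

@dataclass
class Assertion:
    authorizer: str                       # "POLICY" (local root of trust) or a principal
    licensees: List[str]                  # delegated-to principals; OR-combined here
    conditions: Callable[[Action], bool]  # predicate over the request attributes
    signed: bool = True                   # stands in for signature verification

def authorizes(principal: str, requester: str, action: Action,
               assertions: List[Assertion], depth: int = 0) -> bool:
    """True iff `principal` grants `action` to `requester`, directly or via delegation."""
    if principal == requester:
        return True
    if depth > 8:  # bound recursion: untrusted credentials may form delegation cycles
        return False
    for a in assertions:
        if a.authorizer != principal or not a.signed or not a.conditions(action):
            continue
        if any(authorizes(lic, requester, action, assertions, depth + 1) for lic in a.licensees):
            return True
    return False

def policy_decision(requester: str, action: Action, assertions: List[Assertion]) -> bool:
    """What the policy daemon returns to the kernel: allow (True) or deny (False)."""
    return authorizes("POLICY", requester, action, assertions)

# Constructed site policy and one administrator-issued credential.
SITE_POLICY = Assertion("POLICY", ["admin-key"],
                        lambda act: act.get("app_domain") == "Distributed Firewall")
ADMIN_CRED = Assertion("admin-key", ["alice-key"],
                       lambda act: act.get("syscall") == "connect"
                       and act.get("remote_port") == "22"
                       and act.get("remote_ip", "").startswith("10.0.1."))
ASSERTIONS = [SITE_POLICY, ADMIN_CRED]

# Constructed request as the modified connect(2) would describe it to the daemon.
SSH_REQUEST: Action = {"app_domain": "Distributed Firewall", "syscall": "connect",
                       "remote_ip": "10.0.1.5", "remote_port": "22"}
```

A request is allowed only when every assertion on the chain from POLICY to the requester is signed and its conditions hold, so a revoked or unsigned administrator credential denies everything that depended on it.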
The authors pointed out some future work as possible extensions to make the working prototype more complete. They also suggested that distributed and traditional firewalls could coexist, since traditional firewalls are still useful for certain tasks. In the paper the authors just showed the feasibility of the distributed firewall by presenting the working prototype. I think it would be better if they had shown some analysis and evaluation of their system and demonstrated its performance: whether their system is efficient, scalable, or robust. The good thing about this work is that they make use of KeyNote and IPsec. And I think it is nice to see KeyNote and IPsec working in some useful applications.
