Proceedings of the International Conference , “Computational Systems and Communication Technology”

8th , MAY 2010 - by Cape Institute of Technology,

Tirunelveli Dt-Tamil Nadu,PIN-627 114,INDIA

Design of Policy Based Packet Filtering Firewall

V. Anantha Krishna1, Dr. T. Aruldoss Albert Victoire2,

1. Research Scholar, Department of Computer Science and Engineering; 2. Asst. Professor, Department of Electrical and Electronics Engineering, Anna University Coimbatore, Coimbatore, India-641047


Abstract

A firewall is a computer that filters traffic going into and out of the corporate network. If there are known security holes in a protocol such as anonymous FTP, the firewall might simply disallow anonymous FTP requests or shunt them off to an isolated FTP server. It might also deny requests to the mail port on all machines except the mail server. Depending on the security philosophy, the firewall can also apply filtering rules to the traffic between the corporate network and the Internet. The firewall presented here is a policy-based packet filtering system running on Windows. Different policies are configured for incoming and outgoing packets arriving on different interfaces, taking into consideration the arrival time of the packets, the source and destination IP addresses, the source and destination ports and the protocol. Subnetting, protection against internal spoofing attacks and NAT (Network Address Translation) are also considered, taking us a step further in making the firewall run more efficiently.

1.Introduction:-

The range of network security is very broad. It is rooted in low-level enforcement mechanisms at the level of individual IP packets (packet filtering). If we go beyond the analysis of individual packets, we are dealing with the technique called “stateful inspection”. The next level of network security is high-level enterprise security policies such as RBAC and their application to network firewalls. Finally, taking network topology into account, with multiple perimeters of policy enforcement and possibly internal sectioning into security zones, we arrive at the notion of distributed firewalls and distributed Intrusion Detection Systems (IDS). There is ongoing research in all of the areas mentioned above. In this paper, however, we deal mostly with the most fundamental level, packet filtering. A packet filtering engine lies at the core of most network security mechanisms.

Fig 1 : Firewall between Internet and Network

1.1.Firewall Types:

The following is a detailed discussion of the 4 firewall categories:

1.1.1.Packet Filtering Firewalls:-

The first generation of firewall architectures appeared around 1985 and came out of Cisco's IOS software division. These are called packet filter firewalls. Packet filtering is usually performed by a router as part of a firewall: a normal router decides where to direct the data, while a packet filtering router decides whether it should forward the data at all. Packet filtering rules can be set on the following: the physical network interface the packet arrives on, the source or destination IP address, the protocol (TCP, UDP, ICMP), and the transport layer source or destination ports. Packet filtering firewalls are low cost, have only a small effect on network performance, and do not require client computers to be configured in any particular way. However, packet filtering firewalls are not considered very secure on their own because they do not understand application layer protocols and therefore cannot make content-based decisions about the packets, which makes them less secure than application layer and circuit level firewalls. Another disadvantage of packet filtering firewalls is that they are stateless and do not retain the state of a connection. They also have very little or no logging capability, which makes it hard to detect whether the network is under attack. Testing the grant and deny rules is also difficult, which may leave the network vulnerable or incorrectly configured.

Fig 1.1.1 : Packet filtering Firewall incoming/outgoing traffic flow

1.1.2.Circuit Level Gateways:-

Around 1989-1990, Dave Presotto and Howard Trickey of AT&T Bell Labs pioneered the second generation of firewall architectures with research in circuit relays, which were called circuit level gateways. Circuit level gateways are used for TCP connections to observe the handshake between packets and ensure that a requested session is legitimate. Normally, a circuit level gateway stores the following information: a unique session identifier, the state of the connection (i.e., handshake, established or closing), sequencing information, the source and destination IP addresses, and the physical network interface through which the packet arrives or departs. The firewall then checks whether the sending host has permission to send to the destination, and whether the receiving host has permission to receive from the sender. If the connection is acceptable, all further packets of that session are routed through the firewall with no more security tests. The advantages of circuit level gateways are that they are usually faster than application layer firewalls, because they perform fewer evaluations, and that they can protect a network by blocking connections between specific Internet sources and internal hosts. The main disadvantages of circuit level gateways are that they cannot restrict access to protocol subsets other than TCP and, similarly to packet filtering, testing the grant and deny rules can be difficult, which may leave the network vulnerable or incorrectly configured.

Fig 1.1.2: Circuit Level Gateways incoming/outgoing traffic flow

1.1.3.Application Level Gateways:

The third generation of firewall architectures, called application level gateways, was independently researched and developed during the late 1980s and early 1990s, mainly by Gene Spafford of Purdue University, Marcus Ranum, and Bill Cheswick of AT&T Bell Laboratories. Application level gateways, or proxy firewalls, are software applications with two primary components (a proxy server and a proxy client). When a user on a trusted network wants to connect to a service on an untrusted network such as the Internet, the request is directed to the proxy server on the firewall. The proxy server pretends to be the real server on the Internet. It checks the request and decides whether to permit or deny it based on a set of rules. If the request is approved, the proxy server passes it to the proxy client, which contacts the real server on the Internet. Connections from the Internet are made to the proxy client, which then passes them on to the proxy server for delivery to the real client. This arrangement ensures that all incoming connections are always made with the proxy client, while all outgoing connections are always made with the proxy server, so there is no direct connection between the trusted and untrusted networks. The main advantages are that application level gateways can set rules based on high level protocols, maintain state information about the communications passing through the firewall, and keep detailed activity records. The main disadvantages are that their complex filtering and access control decisions can require significant computing resources, which can cause performance delays, and that they are vulnerable to operating system and application level bugs.

Fig 1.1.3: Application Level Gateways incoming/outgoing traffic flow

1.1.4.Stateful Multilayer Inspection Firewalls:

Fig 1.1.4: Stateful Multilayer Inspection Firewalls incoming/outgoing traffic flow

Check Point Software released the first commercial product based on this fourth generation architecture, called stateful multilayer inspection, in 1994. Stateful multilayer inspection firewalls provide the best security of the four firewall types by monitoring the data being communicated at the application socket or port layer as well as at the protocol and address level, to verify that the request is functioning as expected. For example, if during an FTP session the port numbers being used or an IP address were to change, the firewall would not permit the connection to continue. Another advantage is that when a specific session is complete, any ports that were being used are closed: stateful inspection systems dynamically open and close ports for each session, unlike basic packet filtering, which leaves ports in a constant opened or closed state. The main disadvantage of stateful multilayer inspection firewalls is that they can be costly, because they require the purchase of additional hardware and/or software that is not normally packaged with a network device.

2 Definition of Packet Filtering:-

2.1 Processing Model:-

Packet filtering is a core functionality of network firewalls. The main idea is that the firewall resides on a network node (host or router) and inspects all network traffic. Inspection is performed in accordance with the network security policy (which we discuss in detail later). Based on this policy, the firewall decides what action to perform on a given packet. The most commonly performed actions are:

Accept: the packet is permitted to pass through.

Deny/Drop: the packet is silently dropped.

Some firewalls allow additional actions, which do not necessarily affect the packet's traversal of the firewall but are invoked for their side effects. Common examples are:

Accounting: the packet counter associated with this rule is incremented.

Reject: the packet is discarded and the sender is notified via an ICMP message.

The low-level implementation of packet matching and the algorithms for doing it efficiently are commonly referred to as the packet classification problem, which deals mostly with performance and resource usage constraints. There is a significant body of research on this subject and, although it is closely related to the subject of this paper, we will try not to dwell too much on the actual matching algorithms, but rather concentrate on the formalization of firewall behavior and the subsequent application of such formalization.

2.2 Policy:-

The firewall's behavior is controlled by the “Policy”. A policy consists of “Rules”. Each rule consists of a condition and an action. The condition describes the criteria used to match individual packets; the action describes the activity to be performed if a match has been made. Basic conditions consist of tests matching individual fields of the packet, such as source address, destination address, packet type, etc. In the case of stateful inspection, connection-related variables like the connection state can be checked. Finally, various system state variables like the current time of day, CPU load, or system-wide configuration parameters can be taken into account. The condition can be viewed as a predicate. Usually, for a packet to match a condition, all tests must be satisfied (logical conjunction).

The order in which rules are processed differs significantly between firewall implementations. There are two common matching strategies: “single trigger” processing means that the action of the first matching rule is performed; “multi-trigger” processing means that all rules are matched and the action of the last matching rule is performed. Some firewalls like ipfilter use “multi-trigger” processing by default, but allow individual rules to specify the quick option, which signifies that no further processing should be done on a matched packet. Some firewalls like iptables have even more complex processing logic, which allows branching by organizing rules into chains and providing special actions to redirect control from one chain to another. Hari et al. mention another interesting strategy, where each of the filter fields is assigned a priority and the filter with the most specific match on the highest-priority field is selected. This allows, for example, giving a match on the source IP higher priority than a match on the destination IP.
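As an added example (not code from the paper), the following Python program evaluates one small constructed policy under both matching strategies described above. A rule condition is a conjunction of field tests (interface, protocol, source and destination network, destination port range, time-of-day window); `single_trigger` is first-match-wins, `multi_trigger` is ipfilter-style last-match-wins with a per-rule `quick` flag. The interface names, addresses, port numbers and the 08:00-18:00 window are assumptions of the example.

```python
"""Single-trigger vs multi-trigger rule processing (added example, not the
paper's code). A rule is a conjunction of field tests plus an action;
first-match (iptables/Cisco style) is contrasted with ipfilter-style
last-match, where a rule's `quick` option stops further processing.
Interfaces, addresses and time windows below are constructed."""
from dataclasses import dataclass, replace
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    iface: str
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0          # 0 for protocols without ports (ICMP)
    dport: int = 0
    arrival: time = time(12, 0)


@dataclass
class Rule:
    action: str                         # "accept", "drop" or "reject"
    iface: Optional[str] = None         # None matches any interface
    proto: Optional[str] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: tuple = (0, 65535)          # inclusive destination port range
    window: Optional[tuple] = None      # (start, end) time of day, or None
    quick: bool = False                 # ipfilter: stop here if this rule matches
    count: int = 0                      # accounting side effect

    def matches(self, p: Packet) -> bool:
        """The condition is a conjunction: every test must hold."""
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        lo, hi = self.dports
        if not lo <= p.dport <= hi:
            return False
        if self.window is not None:
            start, end = self.window
            if start <= end:
                inside = start <= p.arrival <= end
            else:                       # window crosses midnight, e.g. 22:00-06:00
                inside = p.arrival >= start or p.arrival <= end
            if not inside:
                return False
        return True


def single_trigger(policy, p, default="drop"):
    """First matching rule decides; later rules are never consulted."""
    for r in policy:
        if r.matches(p):
            r.count += 1
            return r.action
    return default


def multi_trigger(policy, p, default="drop"):
    """Every rule is evaluated and the LAST match wins (ipfilter default),
    unless a matching rule carries `quick`, which ends processing."""
    decision = default
    for r in policy:
        if r.matches(p):
            r.count += 1
            decision = r.action
            if r.quick:
                break
    return decision


# Constructed policy written in first-match style: SMTP only to the mail
# server, web traffic only during office hours, everything else dropped.
POLICY = [
    Rule("accept", iface="eth0", proto="tcp", dst="192.168.1.25/32", dports=(25, 25)),
    Rule("drop", iface="eth0", proto="tcp", dports=(25, 25)),
    Rule("accept", iface="eth0", proto="tcp", dports=(80, 80),
         window=(time(8, 0), time(18, 0))),
]
# The same policy made safe for a last-match engine: the specific rule is
# marked quick so the broader drop rule that follows cannot override it.
POLICY_QUICK = [replace(POLICY[0], quick=True)] + POLICY[1:]


def decisions(p):
    """Decision for packet p under each strategy: the same rule order means
    different things to different engines."""
    return {"single": single_trigger(POLICY, p),
            "multi": multi_trigger(POLICY, p),
            "multi_quick": multi_trigger(POLICY_QUICK, p)}
```

For an SMTP packet addressed to 192.168.1.25, `decisions` returns accept under single-trigger but drop under multi-trigger, because the broader drop rule is the last match; marking the specific rule `quick` restores the intended result. This is why a rule set written for one engine cannot be moved to another without review.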

3. Formal Models:-

Fig 3: Example of policy representation as a tree string

One direction of research is the definition of special high-level languages (sometimes graphical) to describe firewall policy. In such languages, the policy representation is translated to the native policy description language of an actual firewall platform. Examples are Firewall Builder, HLFL, FLIP, Firmato, INSPECT and XACML. Some of these languages describe the policy of a single firewall, while others define an organization-wide security policy which is translated into policy files for multiple firewalls. Research in this area is fragmented; a single, generally accepted mathematical model describing firewall policies is yet to emerge. Below we highlight some of the work in this area.

Ehab S. Al-Shaer and Hazem H. Hamed use a fixed rule structure they call a “5-tuple filter” (protocol, source IP, source port, destination IP, destination port), with an order and an action attached to each rule. In order to formally model a firewall policy, they start by defining the relationships between the rules in the policy: two rules can be “completely disjoint”, “exactly matched”, “inclusively matched”, “partially disjoint” or “correlated”. Al-Shaer and Hamed then prove that these relations are distinct and that their union represents the universal set of relations between any two k-tuple filters in a firewall policy. The policy is represented as a single-rooted tree, where each node represents a field of a filtering rule and each branch at that node represents a possible value of the associated field.

An example of such a tree, taken from their work, is shown in Figure 3. Hari et al. consider a much simpler packet filtering model, where each filter is a k-tuple (F[1], F[2], ..., F[k]) and each field F[i] is a bit-string prefix. This model can be used not only in firewalls, but also for routing. Note that all matching is done only by matching prefix bit strings; however, as has been shown, any subrange of a k-bit field, i.e. of $[0, 2^k)$, can always be represented by at most $2k$ prefixes. The chosen model has an interesting property, on which they base their algorithms: if the filter fields are prefix fields, then each field of a filter is either a strict subset of, or equal to, or a strict superset of, or completely disjoint from the corresponding field of any other filter. In other words, partial overlaps of fields are impossible; they can only occur when the fields are arbitrary ranges rather than prefixes. Using that property, they propose to solve the filter conflict problem by reordering filters, reducing it to a cycle elimination problem in a directed graph.

There are also efforts to analyze firewall policies using machine reasoning techniques. One such effort describes an expert system built using Constraint Logic Programming (CLP). Considering each rule as a 6-tuple of ranges along with the action taken (“permit” or “deny”), the system represents the rules as constraints on the 6-dimensional packet space: each rule is a 6-dimensional hypercube. Capretta et al. use the Coq proof assistant to detect conflicts in firewall policies. They define a “conflict” as two rules for which there exists a request to which they assign opposite actions. They then formally prove soundness and completeness to establish the correctness of their algorithm.

Another approach to policy modeling is a geometric interpretation. For example, Eppstein suggests that each rule $i$ can be represented as a collection of d-dimensional ranges $[l_1^i, r_1^i] \times \dots \times [l_d^i, r_d^i]$, an action $A_i$ and a priority $p_i$. Similarly, each packet can be viewed as a d-dimensional vector of values $[P_1, \dots, P_d]$. Filter $i$ applies to a packet if $P_j \in [l_j^i, r_j^i]$ for every $j$. Eppstein proceeds to formally define the packet classification problem and the filter conflict detection problem using this geometric abstraction and suggests algorithms for solving them. The multidimensional range searching problem from computational geometry is related to the filter conflict detection problem, and multiple algorithms that solve it have been surveyed. In particular, Edelsbrunner has proposed an algorithm which in the worst case solves this problem in $O((\log N)^{2k-1} + R)$, where $N$ is the number of k-dimensional rectangular boxes and $R$ is the number of boxes intersecting the query box. Unfortunately, the filter conflict problem is somewhat different from the multidimensional rectangle intersection problem. While a filter contained inside another filter is not a conflict, the corresponding rectangles are considered intersecting in the geometric framework; thus the number of rectangle intersections $R$ can be much bigger than the number of filter conflicts $C$. Secondly, even for modest values of $N$ and $k$, the worst-case time and space bounds guaranteed by this data structure are hopelessly bad.

Guttman et al. describe a group of network security related problems and the modeling frameworks that lead to their solutions: “We focus the modeling work on representing behavior as a function of configurations, and predicting the consequences of interactions among differently configured devices.” While Guttman et al. cover both packet filtering firewalls and IPSec gateways, Uribe et al. build upon their work, extending it with specifications and requirements for Network Intrusion Detection Systems (NIDSs). Yuan et al., in FIREMAN, are among the few researchers who go beyond a simple linear policy model and consider what they call the Complex Chain Model, covering more complex policy organization similar to the one implemented in the popular Linux firewall Netfilter. They also introduce the notion of an ACL Graph, formed by combining the multiple ACLs along the trajectory of a packet. Using this graph they provide an analysis of anomalies in distributed firewall configurations.
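As an added example covering the models in this section (not code from the paper or from the authors it cites), the following Python program represents rules as 5-tuples of inclusive integer ranges, classifies pairs of rules with the five relations of Al-Shaer and Hamed, detects conflicts under two definitions (Capretta et al.'s: some packet to which two rules assign opposite actions; and the geometric view above, in which a rule contained in another is not a conflict because order or priority resolves it, restricted here to opposite actions since same-action overlaps are harmless), and splits a port range into prefixes to show the property Hari et al. rely on. The protocol numbers, addresses and the example policy are constructed; the “inclusively matched (superset)” label for the reverse containment direction is this example's own naming.

```python
"""Rule relations, conflicts and the prefix property on k-tuple filters
(added example, not the paper's code nor the cited authors'). Rules are
5-tuples of inclusive integer ranges; an unspecified field is the full
range of that field. Addresses and the example policy are constructed."""
from ipaddress import ip_address

FIELD = {"proto": 0, "src": 1, "sport": 2, "dst": 3, "dport": 4}
FULL = [(0, 255), (0, 2**32 - 1), (0, 65535), (0, 2**32 - 1), (0, 65535)]


def ip(s):
    return int(ip_address(s))


def rule(action, **fields):
    """Build a rule; fields not given are wildcards (the full range)."""
    f = list(FULL)
    for name, rng in fields.items():
        f[FIELD[name]] = rng
    return {"action": action, "fields": tuple(f)}


def field_relation(a, b):
    """'disjoint', 'equal', 'subset' (a inside b), 'superset' (b inside a),
    or 'overlap' (partial overlap, impossible for prefix fields)."""
    (alo, ahi), (blo, bhi) = a, b
    if ahi < blo or bhi < alo:
        return "disjoint"
    if a == b:
        return "equal"
    if blo <= alo and ahi <= bhi:
        return "subset"
    if alo <= blo and bhi <= ahi:
        return "superset"
    return "overlap"


def rule_relation(rx, ry):
    """Al-Shaer/Hamed relation of rx to ry. 'inclusively matched' means rx lies
    inside ry; 'inclusively matched (superset)' means ry lies inside rx."""
    rels = [field_relation(a, b) for a, b in zip(rx["fields"], ry["fields"])]
    if "overlap" in rels:
        raise ValueError("partial field overlap: the relations are exhaustive only for prefix fields")
    if all(r == "disjoint" for r in rels):
        return "completely disjoint"
    if "disjoint" in rels:
        return "partially disjoint"
    if all(r == "equal" for r in rels):
        return "exactly matched"
    if all(r in ("equal", "subset") for r in rels):
        return "inclusively matched"
    if all(r in ("equal", "superset") for r in rels):
        return "inclusively matched (superset)"
    return "correlated"


def contains(rx, ry):
    """True if every packet matched by ry is also matched by rx."""
    return all(field_relation(a, b) in ("equal", "superset")
               for a, b in zip(rx["fields"], ry["fields"]))


def conflict(rx, ry):
    """Capretta et al.: opposite actions and some packet matched by both,
    i.e. the two boxes intersect in every dimension."""
    return rx["action"] != ry["action"] and all(
        field_relation(a, b) != "disjoint" for a, b in zip(rx["fields"], ry["fields"]))


def unordered_conflict(rx, ry):
    """Geometric view: a contained rule is resolved by order/priority, so only
    intersection without containment (with opposite actions) is a conflict."""
    return conflict(rx, ry) and not contains(rx, ry) and not contains(ry, rx)


def conflicts(policy, test=conflict):
    """Index pairs (i, j), i < j, of rules that conflict under `test`."""
    n = len(policy)
    return [(i, j) for i in range(n) for j in range(i + 1, n) if test(policy[i], policy[j])]


def range_to_prefixes(lo, hi, bits):
    """Split the inclusive range [lo, hi] of a `bits`-wide field into aligned
    prefixes (value, prefix_len); at most 2*bits prefixes are ever needed."""
    out = []
    while lo <= hi:
        size = 1        # grow the aligned block at lo while it stays inside [lo, hi]
        while size < 2 ** bits and lo % (2 * size) == 0 and lo + 2 * size - 1 <= hi:
            size *= 2
        out.append((lo, bits - size.bit_length() + 1))
        lo += size
    return out


def prefix_to_range(value, plen, bits):
    return (value, value + 2 ** (bits - plen) - 1)


# Constructed policy: SMTP to the mail server only, plus a broad permit for
# the 10/8 network that a policy author added later.
EXAMPLE_POLICY = [
    rule("accept", proto=(6, 6), dst=(ip("192.168.1.25"), ip("192.168.1.25")), dport=(25, 25)),
    rule("drop", proto=(6, 6), dport=(25, 25)),
    rule("accept", src=(ip("10.0.0.0"), ip("10.255.255.255")), dport=(25, 25)),
]
```

On `EXAMPLE_POLICY`, Capretta's definition reports two conflicting pairs (the mail-server rule against the drop rule, and the drop rule against the 10/8 rule), while the geometric definition reports only the second: the first pair is a containment that rule order already resolves. `range_to_prefixes` splits the ephemeral range 1024-65535 into six 16-bit prefixes, and any two prefixes it produces are related by `field_relation` as disjoint, equal, subset or superset, never `overlap`.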

4.PROCESS:-

The firewall presented here is a policy-based packet filtering system running on Windows. The policy database is stored in MS Access and is configured from Java. A simple JDBC-ODBC bridge driver delivers the policies from MS Access to user space; depending on the configured policies, the firewall either drops a packet or allows it into the network. Different policies are configured for incoming and outgoing packets arriving on different interfaces, taking into consideration the arrival time of the packets, the source and destination IP addresses, the source and destination ports and the protocol. Subnetting, protection against internal spoofing attacks and NAT (Network Address Translation) are also considered, taking us a step further in making the firewall run more efficiently. The project was developed in Java in a Windows 2000 environment to run on a multi-homed host. The steps involved in creating a firewall policy are as follows:

1. Identification of the network applications deemed necessary.

2. Identification of the vulnerabilities associated with those applications.

3. Cost-benefit analysis of the methods for securing the applications.

4. Creation of an application traffic matrix showing the protection method for each application.

5. Creation of the firewall rule set based on the application traffic matrix.
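As an added example of steps 4 and 5 (not the paper's implementation), the Python program below turns a constructed application traffic matrix into an ordered rule set for a multi-homed host with one external interface (eth0) and one internal interface (eth1). Because a packet filter is stateless, each permitted application gets a request rule and a reply rule with the ports swapped; anti-spoofing ingress rules derived from the subnet plan come first and an explicit default deny last. The subnet plan, interface names, matrix rows, the “!<net>” notation for a negated source and the 1024-65535 ephemeral port range are all assumptions of the example; `unpaired_accepts` is a check that the generated set contains no one-way permit.

```python
"""From an application traffic matrix to a stateless packet filter rule set
(added example, not the paper's code). Directions: "in" = arriving on the
interface, "out" = leaving through it. A source written "!<net>" means
"not in <net>". Subnets, matrix rows and the ephemeral range are assumed."""
from ipaddress import ip_network

INTERFACES = {"eth0": ip_network("203.0.113.0/24"),    # external
              "eth1": ip_network("192.168.1.0/24")}    # internal LAN
INTERNAL = ("eth1",)
EPHEMERAL = (1024, 65535)        # assumed client source-port range
ANY = (0, 65535)

# Application traffic matrix (result of steps 1-3): application, protocol,
# port, interface the request arrives on, server host, protection method.
TRAFFIC_MATRIX = [
    ("smtp", "tcp", 25, "eth0", "192.168.1.25", "permit-to-server"),
    ("http", "tcp", 80, "eth1", "any", "permit-outbound"),
    ("ftp", "tcp", 21, "eth0", "any", "deny"),
]


def rule(action, iface, direction, proto="any", src="any", dst="any",
         sport=ANY, dport=ANY, note=""):
    return dict(action=action, iface=iface, dir=direction, proto=proto,
                src=src, dst=dst, sport=sport, dport=dport, note=note)


def antispoof_rules(interfaces, internal):
    """Ingress filters: an internal interface only accepts its own subnet as
    source; the external interface never accepts an internal source."""
    rules = []
    for iface, net in interfaces.items():
        if iface in internal:
            rules.append(rule("drop", iface, "in", src=f"!{net}",
                              note=f"anti-spoof: foreign source on {iface}"))
        else:
            for inside in internal:
                rules.append(rule("drop", iface, "in", src=str(interfaces[inside]),
                                  note=f"anti-spoof: {interfaces[inside]} from outside"))
    return rules


def application_rules(row, interfaces):
    app, proto, port, iface, host, method = row
    if method == "deny":
        return [rule("drop", iface, "in", proto, dport=(port, port), note=f"{app}: denied")]
    if method == "permit-to-server":
        client, server = "any", host
    elif method == "permit-outbound":
        client, server = str(interfaces[iface]), "any"
    else:
        raise ValueError(f"unknown protection method {method!r}")
    # stateless filter: the reply needs its own rule with the ports swapped
    return [
        rule("accept", iface, "in", proto, client, server, EPHEMERAL, (port, port),
             note=f"{app}: request"),
        rule("accept", iface, "out", proto, server, client, (port, port), EPHEMERAL,
             note=f"{app}: reply"),
    ]


def build_ruleset(matrix=TRAFFIC_MATRIX, interfaces=INTERFACES, internal=INTERNAL):
    """Step 5: anti-spoofing first, one block per matrix row, default deny last."""
    rules = antispoof_rules(interfaces, internal)
    for row in matrix:
        rules += application_rules(row, interfaces)
    rules.append(rule("drop", "any", "in", note="default deny"))
    rules.append(rule("drop", "any", "out", note="default deny"))
    return rules


def unpaired_accepts(rules):
    """Accept rules whose reverse-direction counterpart is missing: on a
    stateless filter such a rule permits requests whose replies are dropped."""
    def key(r):
        return (r["iface"], r["dir"], r["proto"], r["src"], r["dst"], r["sport"], r["dport"])

    def reverse(r):
        return (r["iface"], "out" if r["dir"] == "in" else "in", r["proto"],
                r["dst"], r["src"], r["dport"], r["sport"])

    present = {key(r) for r in rules if r["action"] == "accept"}
    return [r for r in rules if r["action"] == "accept" and reverse(r) not in present]
```

The generated set has nine rules: two anti-spoofing drops, request and reply permits for SMTP and HTTP, an explicit drop for FTP, and two default denies. Removing any single accept rule makes `unpaired_accepts` report its partner, which is the check to run before loading a policy into a stateless engine.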