Implementing a distributed firewall

Conventional firewalls rely on topology restrictions and controlled network entry points to enforce traffic filtering. Furthermore, a firewall cannot filter traffic it does not see, so, effectively, everyone on the protected side is trusted. While this model has worked well for small to medium size networks, networking trends such as increased connectivity, higher line speeds, extranets, and telecommuting threaten to make it obsolete. To address the shortcomings of traditional firewalls, the concept of a "distributed firewall" has been proposed. In this scheme, security policy is still centrally defined, but enforcement is left up to the individual endpoints. IPsec may be used to distribute credentials that express parts of the overall network policy. Alternatively, these credentials may be obtained through out-of-band means. In this paper, we present the design and implementation of a distributed firewall using the KeyNote trust management system to specify, distribute, and resolve policy, and OpenBSD, an open source UNIX operating system.
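The split the abstract describes, policy defined centrally but enforced by each endpoint on traffic a border firewall would never see, can be modelled in a few dozen lines. The following is an added illustration written for this page, not the paper's own code and not KeyNote: the credential format, the HMAC-based signing (KeyNote uses public-key signatures, so the shared key here is a simplification), the host names, addresses and rules are all constructed. Each endpoint accepts only credentials it can verify against the policy authority's key, applies only the fragments addressed to it, and falls back to deny.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed key for the central policy authority. A real deployment (and
# KeyNote) would use a public key whose private half never leaves the policy
# server; a shared HMAC key is used here only to keep the example dependency-free.
AUTHORITY_KEY = b"constructed-central-policy-key"


def _canonical(policy):
    """Stable serialisation so signer and verifier MAC identical bytes."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def issue_credential(policy, key=AUTHORITY_KEY):
    """Policy server side: wrap a policy fragment in a signed credential."""
    return {"policy": policy,
            "sig": hmac.new(key, _canonical(policy), hashlib.sha256).hexdigest()}


def verify_credential(cred, key=AUTHORITY_KEY):
    """Endpoint side: accept a credential only if its MAC checks out."""
    expected = hmac.new(key, _canonical(cred["policy"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cred.get("sig", ""))


def rule_matches(rule, conn):
    """A rule field that is absent matches anything (no 'src' means any source)."""
    if "src" in rule and ipaddress.ip_address(conn["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if "dport" in rule and rule["dport"] != conn["dport"]:
        return False
    if "proto" in rule and rule["proto"] != conn["proto"]:
        return False
    return True


def endpoint_decision(host_id, credentials, conn, key=AUTHORITY_KEY):
    """Enforcement at the endpoint: default deny; an explicit deny wins over allow."""
    allowed = False
    for cred in credentials:
        if not verify_credential(cred, key):
            continue  # forged or tampered credential contributes nothing
        pol = cred["policy"]
        if pol["host"] not in (host_id, "*"):
            continue  # fragment addressed to another endpoint
        for rule in pol["rules"]:
            if rule_matches(rule, conn):
                if rule["action"] == "deny":
                    return "deny"
                allowed = True
    return "allow" if allowed else "deny"


# Constructed sample policy: the authority lets any 10/8 host reach SSH on
# "db1", but blocks the 10.0.5.0/24 lab segment even though it sits inside
# the perimeter, traffic a border firewall would never inspect.
CREDENTIALS = [
    issue_credential({"host": "db1", "rules": [
        {"action": "allow", "proto": "tcp", "dport": 22, "src": "10.0.0.0/8"},
        {"action": "deny", "src": "10.0.5.0/24"},
    ]}),
    issue_credential({"host": "*", "rules": [
        {"action": "allow", "proto": "icmp"},
    ]}),
]

# A credential whose policy was altered after signing: the MAC no longer matches.
TAMPERED = issue_credential({"host": "db1", "rules": [{"action": "deny"}]})
TAMPERED["policy"]["rules"] = [{"action": "allow"}]


def demo():
    """Run constructed connection attempts through endpoint db1's enforcement."""
    conns = {
        "ssh_from_office":  {"src": "10.0.1.4", "proto": "tcp", "dport": 22},
        "ssh_from_lab":     {"src": "10.0.5.9", "proto": "tcp", "dport": 22},
        "http_from_dmz":    {"src": "192.168.1.1", "proto": "tcp", "dport": 80},
        "ping_from_office": {"src": "10.0.1.4", "proto": "icmp", "dport": 0},
    }
    return {name: endpoint_decision("db1", CREDENTIALS + [TAMPERED], c)
            for name, c in conns.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:17s} -> {verdict}")
```

Two properties of the scheme show up directly in the output: the lab host is refused SSH on `db1` although it is on the "protected" side, and the tampered credential that tries to allow everything is simply ignored because the endpoint cannot verify it. Resolving a real KeyNote assertion graph (delegation chains, compliance values) is richer than this flat allow/deny walk, but the trust boundary is the same: the endpoint trusts the authority's key, not the network it is plugged into.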
