The use and usability of direction-based filtering in firewalls

The common match fields in firewall rules refer to a packet's source and destination IP addresses, protocol, and source and destination port numbers. However, most firewalls can also filter on a packet's direction: which network interface card the packet is crossing, and whether it is crossing that interface from the network into the firewall ("inbound") or from the firewall out to the network ("outbound"). Taking a packet's direction into account in the firewall's rules is extremely useful: it lets the firewall administrator protect against source address spoofing, write effective egress-filtering rules, and avoid unpleasant side effects when referring to subnets that span the firewall. Unfortunately, the firewall's definition of a packet's direction differs from what users normally assume. If interface eth0 connects the firewall to the internal network, then, from a user's perspective, "inbound on eth0" is actually "outbound" traffic. This discrepancy makes it very confusing for firewall administrators to use the packet direction correctly, and creates a significant usability problem. In this paper we review the usefulness of direction-based filtering, identify the usability problem, and critically review the approaches taken by several major firewall vendors. Most vendors expose the raw and confusing functionality to the firewall administrators, while one vendor (Check Point) hides the functionality entirely. Both approaches leave much to be desired. However, recent advances in firewall research show that better alternatives exist: the Firmato prototype demonstrates that firewall management software can compute the directions algorithmically for a perimeter firewall.
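To make the direction mismatch concrete, here is an added example (not code from the paper or from Firmato) that models a perimeter firewall with a constructed topology: an internal interface eth0 fronting 10.0.0.0/8 and an external interface eth1. It translates the firewall's interface-centric "in"/"out" into the administrator's inbound/outbound view, derives the interface and direction a rule must apply at from its endpoints alone, and applies an anti-spoofing check; the interface names and subnet are assumptions.

```python
import ipaddress

# Constructed topology (assumption, not from the paper): one internal and one
# external interface on a perimeter firewall. None marks the external side.
INTERFACES = {
    "eth0": ipaddress.ip_network("10.0.0.0/8"),  # internal network
    "eth1": None,                                 # external (everything else)
}

def interface_for(addr):
    """Return the interface behind which a host address sits."""
    ip = ipaddress.ip_address(addr)
    for name, net in INTERFACES.items():
        if net is not None and ip in net:
            return name
    return next(n for n, net in INTERFACES.items() if net is None)

def user_direction(iface, fw_direction):
    """Map the firewall's per-interface direction to the admin's mental model.
    A packet entering the firewall on the internal interface is traffic
    leaving the site, i.e. 'outbound' to the administrator."""
    internal = INTERFACES[iface] is not None
    if fw_direction == "in":
        return "outbound" if internal else "inbound"
    return "inbound" if internal else "outbound"

def rule_directions(src, dst):
    """Derive the (interface, direction) pairs at which a src->dst rule must
    be enforced, computed from the endpoints alone as Firmato does."""
    src_if, dst_if = interface_for(src), interface_for(dst)
    if src_if == dst_if:
        return []  # both hosts on the same side: traffic never crosses the firewall
    return [(src_if, "in"), (dst_if, "out")]

def spoofed(iface, fw_direction, src):
    """Anti-spoofing: a packet entering on iface must carry a source address
    that legitimately lives behind that interface."""
    if fw_direction != "in":
        return False
    return interface_for(src) != iface
```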
