A secure web-based global management system for firewall/VPN devices

A firewall is a security device placed between a private network and a public network such as the Internet. It is designed to protect the private network's resources from unauthorized access. Today, firewalls of many kinds are deployed in many places (e.g., Internet data centers, company headquarters, branch offices, and telecommuters' homes). What is urgently needed is a management system that can easily configure, monitor, and manage firewalls deployed across multiple sites from a central location. For flexibility, such a management system must be divided into components and must use an open management protocol, such as the Simple Network Management Protocol (SNMP). Yet SNMP has a security defect. Further, the proposed standard Management Information Base (MIB) for firewalls is insufficient to support the centralized, global management of large numbers of firewall devices. In this paper, we present the design and implementation of a secure Web- and SNMP-based global firewall management system. We have focused on two aspects: 1) extending the existing proposed standard MIB to support the configuration and monitoring of hundreds or thousands of firewall and VPN devices; and 2) providing secure communication among the components of the global manager in order to provide secure firewall management. We also present our work on deploying our firewall global manager (FGM) on commercial firewall/VPN devices.
