A protocol and simulation for distributed communicating firewalls

The concept of distributing firewalls into the Internet was previously presented for the purpose of pushing LAN attacks away from a single firewall (R. N. Smith and S. Bhattacharya, 1997; 1999). This paper presents a protocol that lets firewalls exchange information so that distributed firewalls can isolate LAN attacks. Currently firewalls are used to protect a single LAN or an extranet of collaborating units, but each firewall in these configurations is managed individually. Our approach is to place firewalls out in the Internet where they cooperate to push an attack back to a firewall nearer to its source. These distributed firewalls can be considered gateway firewalls. We present a protocol of command and information packets used to take the offensive in the Internet war against hackers and crackers. The communicating firewalls would be placed in routers or switches acting as gateways throughout the Internet. The proposed protocol can be encapsulated as a security agent in any of the popular routing protocols (e.g., BGP and PNNI); we have currently chosen to carry our protocol over BGP-4. To evaluate the new protocol, we have developed a distributed network protocol simulator, which we also describe.
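As an added illustration of the cooperative push described above (example code written for this page, not the authors' protocol or their simulator): a toy chain of gateway firewalls in which the firewall that detects an attack blocks the source locally and forwards a BLOCK command upstream, hop by hop, until it reaches the gateway whose own prefix contains the source. The message format, the HMAC-authenticated commands, the linear topology and the addresses are all assumptions of this example; the real commands in the paper ride over BGP-4, which is not modelled here. The authentication is a design choice of the example, included because an unauthenticated block command would let an attacker cut off legitimate traffic simply by forging one.

```python
"""Toy simulation of cooperating gateway firewalls pushing a block toward
the attack source.  Added example for this page, not the paper's protocol
or simulator.  Message format, HMAC authentication, topology and all
addresses are assumptions of the example."""
import hashlib
import hmac
import ipaddress
import json
from dataclasses import dataclass, field
from typing import Optional

# Assumption: cooperating gateways share a key so that a forged BLOCK
# command cannot be used to cut off legitimate traffic.
SHARED_KEY = b"example-shared-key"


def sign(cmd: dict) -> str:
    """HMAC-SHA256 tag over a canonical JSON encoding of the command."""
    body = json.dumps(cmd, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()


def verify(cmd: dict, tag: str) -> bool:
    return hmac.compare_digest(sign(cmd), tag)


@dataclass
class Gateway:
    """A gateway firewall fronting some prefixes, with one upstream peer
    (the neighbour one hop closer to the attack source in this chain)."""
    name: str
    networks: list
    upstream: Optional["Gateway"] = None
    blocked: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def serves(self, ip: str) -> bool:
        """True if the address lies in a prefix this gateway fronts."""
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in self.networks)

    def detect(self, src: str, dst: str) -> Optional[str]:
        """Local detection of an attack from src on dst: issue a signed
        BLOCK command to ourselves; receive() then pushes it upstream."""
        cmd = {"cmd": "BLOCK", "src": src, "dst": dst,
               "origin": self.name, "hops": 0}
        return self.receive(cmd, sign(cmd))

    def receive(self, cmd: dict, tag: str) -> Optional[str]:
        """Apply an authenticated BLOCK and forward it toward the source.
        Returns the name of the gateway where the push stopped, or None
        if the command was dropped as unauthenticated."""
        if not verify(cmd, tag):
            self.log.append(f"{self.name}: dropped command with bad tag")
            return None
        self.blocked.add(cmd["src"])
        self.log.append(f"{self.name}: blocked {cmd['src']} at hop {cmd['hops']}")
        # Stop once the source is in our own prefix (the gateway nearest the
        # source) or there is nobody further upstream to hand the attack to.
        if self.serves(cmd["src"]) or self.upstream is None:
            return self.name
        fwd = dict(cmd, hops=cmd["hops"] + 1)
        return self.upstream.receive(fwd, sign(fwd))

    def permits(self, src: str) -> bool:
        return src not in self.blocked


def build_chain() -> list:
    """Constructed topology: victim LAN gateway, two transit gateways, and
    the gateway fronting the attacker's prefix (documentation addresses)."""
    g_src = Gateway("gw-source", ["203.0.113.0/24"])
    g_t2 = Gateway("gw-transit2", ["198.51.100.128/25"], upstream=g_src)
    g_t1 = Gateway("gw-transit1", ["198.51.100.0/25"], upstream=g_t2)
    g_lan = Gateway("gw-lan", ["192.0.2.0/24"], upstream=g_t1)
    return [g_lan, g_t1, g_t2, g_src]


def run_demo() -> dict:
    chain = build_chain()
    g_lan = chain[0]
    attacker, victim = "203.0.113.7", "192.0.2.10"
    stopped_at = g_lan.detect(attacker, victim)
    # A forged command with no valid tag must not be able to block anyone.
    forged = {"cmd": "BLOCK", "src": "192.0.2.1", "dst": victim,
              "origin": "gw-lan", "hops": 0}
    g_lan.receive(forged, "00" * 32)
    return {
        "stopped_at": stopped_at,
        "gateways_blocking": [g.name for g in chain if not g.permits(attacker)],
        "forged_rejected": g_lan.permits("192.0.2.1"),
        "log": [line for g in chain for line in g.log],
    }


if __name__ == "__main__":
    for line in run_demo()["log"]:
        print(line)
```

Running the demo shows the block installed at all four gateways, with the push terminating at gw-source after three hops, while the forged command is dropped at the first gateway. A real deployment would additionally need replay protection and a way to expire blocks, neither of which this toy models.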

[1] R. N. Smith et al., "Fault and leak tolerance in firewall engineering," Proceedings of the Third IEEE International High-Assurance Systems Engineering Symposium, 1998.

[2] V. Paxson et al., "Bro: a system for detecting network intruders in real-time," Computer Networks, 1998.

[3] R. N. Smith et al., "Operating firewalls outside the LAN perimeter," 1999 IEEE International Performance, Computing and Communications Conference, 1999.

[4] W. D. Grover et al., "Optimal capacity placement for path restoration in STM or ATM mesh-survivable networks," IEEE/ACM Transactions on Networking, 1998.

[5] R. N. Smith et al., "Firewall placement in a large network topology," Proceedings of the Sixth IEEE Computer Society Workshop on Future Trends of Distributed Computing Systems, 1997.

[6] Y. Rekhter et al., "A Border Gateway Protocol 4 (BGP-4)," RFC, 1994.