Security issues are critical in networked information systems, e.g., those handling financial information, corporate proprietary information, contractual and legal information, human resource data, medical records, etc. This paper addresses the diversity of security needs among the different information and resources connected over a secure data network. Installing firewalls across the data network is a popular approach to providing a secure data network. However, single, individual firewalls may not provide adequate security protection to meet the users' needs. The cost of super firewalls, design flaws, and inappropriate implementation of such firewalls may leave security loopholes. The idea proposed is to introduce a cascade of (potentially simpler and less expensive) firewalls in the secure data network, so that, between the attacker node and the attacked node, multiple firewalls provide an added degree of protection. This approach, which broadly follows the theme of redundancy in engineering systems design, increases confidence in, and the completeness of, the level of security protection the firewalls provide. The cascade of (i.e., multiple) firewalls can be placed across the secure data network in many ways, not all of which are equally attractive from the cost and end-to-end delay perspectives. To this end, we present heuristics for placing these firewalls across the different nodes and links of the network so that different users can have the level of security they individually need, without having to pay added hardware costs or incur excess network delay. Three metrics are proposed to evaluate these heuristics: cost, delay, and reduction of the attacker's traffic. The performance of these heuristics is presented using simulation, along with some early analytical results. Our research also extends this firewall technology to the well-known advantages of distributed firewalls. Furthermore, the distributed firewalls can be designed to cooperate and stop an attacker's traffic closest to the attack point, thereby reducing the amount of attacker traffic entering the network.
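As an added illustration (not the paper's simulator or its heuristics), the following constructed Python model scores a firewall placement on the three metrics the abstract names: hardware cost, end-to-end delay, and how far an attacker's traffic travels before the first firewall on its path drops it, with a cascade requirement of at least `min_depth` firewalls between attacker and attacked node. The topology, the attacker/target flows, the per-firewall cost and delay constants, and the exhaustive stand-in for a placement heuristic are all assumptions.

```python
# Toy model of cascaded firewall placement (constructed example, not the paper's
# simulator/heuristics). Placement = set of firewall nodes; one delay unit per link.
from collections import deque
from itertools import combinations

# Constructed topology (adjacency sets): attacker hosts A, B; attacked server S.
GRAPH = {"A": {"R1"}, "B": {"R3"}, "R1": {"A", "R2", "R3"}, "R2": {"R1", "S"},
         "R3": {"B", "R1", "S"}, "S": {"R2", "R3"}}
FLOWS = [("A", "S"), ("B", "S")]         # (attacker node, attacked node)
FIREWALL_COST, FIREWALL_DELAY = 3, 2     # hypothetical per-firewall cost/delay

def shortest_path(g, src, dst):
    """BFS path src..dst as a node list (sorted neighbours => deterministic)."""
    prev, q = {src: None}, deque([src])
    while dst not in prev:               # graph is assumed connected
        n = q.popleft()
        for m in sorted(g[n]):
            if m not in prev:
                prev[m] = n
                q.append(m)
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]

def evaluate(g, placement, flows, min_depth):
    """Return (cost, total delay, attacker hops, unprotected flows); attacker hops
    = hops travelled before the first firewall on the path drops the flow."""
    cost, delay, hops, unprotected = FIREWALL_COST * len(placement), 0, 0, []
    for a, t in flows:
        path = shortest_path(g, a, t)
        fw = [i for i, n in enumerate(path) if n in placement]
        delay += len(path) - 1 + FIREWALL_DELAY * len(fw)
        hops += fw[0] if fw else len(path) - 1
        if len(fw) < min_depth:          # cascade requirement not met
            unprotected.append((a, t))
    return cost, delay, hops, unprotected

def best_placement(g, flows, min_depth):
    """Exhaustive stand-in for a heuristic: fewest firewalls, then least delay,
    then fewest attacker hops, with every flow crossing >= min_depth firewalls."""
    cands = sorted(n for n in g if n not in {a for a, _ in flows})  # not attackers
    for k in range(1, len(cands) + 1):
        scored = [(evaluate(g, set(c), flows, min_depth), set(c))
                  for c in combinations(cands, k)]
        ok = [(r[1:3], p) for r, p in scored if not r[3]]   # drop unprotected
        if ok:
            return min(ok, key=lambda s: s[0])[1]
```

With `min_depth=1` the cheapest placement is a single firewall at S, which drops attacker traffic only after it has crossed the whole network; requiring a cascade (`min_depth=2`) moves firewalls out to R1 and R3, next to the attack points, at a higher cost and delay.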