Security-State Adjustable Gateway with Threat-Based Configuration

JOURNAL OF ELECTRONIC SCIENCE AND TECHNOLOGY, VOL. 11, NO. 2, JUNE 2013

Chin-Fu Kuo, Yung-Feng Lu, and Chi-Ying Chen

Abstract: This paper proposes a configurable secure gateway architecture which allows the system administrators to dynamically configure the security mechanisms upon deployment or during the run-time. Rather than allowing the system administrators to turn on or off individual security mechanisms, the proposed architecture allows the administrators to configure the gateway based on the security threats to be overcome. The current common architecture leads to tremendous administration overhead and increases the chance of misconfiguration vulnerability. We propose a novel software architecture to aid the product designers to avoid the misconfiguration vulnerability and the end-users to ease the administration overhead. The software architecture makes use of the threats to the gateways and the occurrence relation between the threats to configure the security software components on the gateways. With the software architecture, the end-users can focus on determining the desired security features rather than the software configuration. Moreover, the architecture allows the product designers or security service to incrementally revise the software configuration when new threats appear.

Index Terms: Common criteria, gateway, operation system, security, threat.

Manuscript received February 9, 2013; revised March 23, 2013. This work was supported by National Science Council under Grant No. NSC 101-2218-E-025-001, NSC 100-2221-E-390-012, and NSC 101-2221-E-390-007.
C.-F. Kuo is with the Department of Computer Science and Information Engineering, National University of Kaohsiung, Kaohsiung (Corresponding author e-mail: [email protected]).
Y.-F. Lu is with the Department of Computer Science and Information Engineering, National Taichung University of Science and Technology, Taichung (e-mail: [email protected]).
C.-Y. Chen is with the Department of System Research, Trend Micro, Taipei.
Digital Object Identifier: 10.3969/j.issn.1674-862X.2013.02.005

1. Introduction

Cloud computing is a combination of various computing entities, globally separated, but electronically connected. As the geography of computation is moving towards corporate server rooms, it brings more issues including security, such as the transmission security. A survey regarding the use of cloud services made by International Data Corporation highlights that security is the greatest challenge for the adoption of cloud[1]. Hence, security is a huge concern for cloud users, and providing a secure way to use the cloud becomes an important issue. To improve the mutual trust between users and the cloud provider, the Cloud Security Alliance (CSA)[2],[3] has developed a security guide that identifies many areas for concern in cloud computing. The cloud network and perimeter security is one of the most challenging issues. Hence, protecting the information from illegal access has become an inevitable issue for IT product vendors and developers.

In this paper, we are concerned with how to configure the security mechanisms for security gateways in a systematic manner. Network gateways, one of the popular IT products, are designed to bridge network traffic between the Internet and private networks. The major responsibility of the gateways is to protect private networks from being accessed without appropriate permission. Although there do exist numerous security mechanisms, there is no universal standard for configuring security mechanisms on gateways. A gateway that is set up as a network router for an enterprise private network often requires strict security policies. However, a gateway for home usage might not have proper security measures. In addition, the majority of the security mechanisms are computationally intensive. Enforcing unnecessary security mechanisms may compromise the system performance and network throughput. The challenge is how to configure a network gateway so that its security features are met without compromising its performance.

In the current gateway architecture, individual security software components are designed to provide particular security mechanisms. Designing each software component to provide particular security mechanisms has its own merits. However, it leads to additional administration overhead and it may also cause misconfiguration vulnerability.

Instead of proposing new security features, this paper focuses on providing a threat-based security configuration architecture for gateways to ease the administration overhead and reduce the chance of misconfiguration vulnerability. Fig. 1 illustrates the threat-based security configuration architecture for the gateways. The novel architecture serves two purposes: 1) reducing the software integration and configuration overhead for product designers during the design phase and 2) providing an intuitive configuration interface for the end-users. From product designers' perspective, the architecture provides a systematic manner to integrate the software components to overcome the threats and to properly configure the software components. The threat-based configuration architecture shown in the dashed box in Fig. 1 separates the software configuration into four parts: the common criteria document, threat dependency graph, state transition graph, and software configuration. The common criteria document defines the threats that the gateway should overcome.

Given the threats defined by the common criteria document, we propose a threat dependency graph to model the occurrence relation among the threats. The threat dependency graph helps the designers identify the set of threats to be overcome in order to provide certain security features and reduce the chance of misconfiguration vulnerability. We also define the system security states, each of which defines the set of the threats that the system can overcome. The change of the security states during the run-time is modelled by the state transition digraph. Given the common criteria document and security states, the designers can find the software components to overcome the threats with minimal effort. The four parts of the threat-based security configuration are determined during the design phase and are constructed by domain experts.

From end-users' perspective, the architecture allows the end-users to configure the gateways by selecting the desired security features, as shown on the left-hand side of Fig. 1. After the desired security features are selected, the software components on the gateways are configured according to the flow shown in the dashed box in Fig. 1 to provide the selected features. There is no need for the end-users to configure the individual software components on the gateways. When new threats are discovered, the designer shall revise the threat dependency graph, state transition digraph, and software configuration. The end-users shall download the revised threat and state information to reconfigure their own gateways. In this manner, the chance of misconfiguration vulnerability can be reduced.

The idea of threat dependency graph is related to the attack tree approach developed by Schneier[4]. The attack

integrate several open source security components on a Linux platform. However, the designed architecture is not limited to the software components used in this paper. Other (open source or commercial) software can also be integrated on such an architecture. A series of experiments are conducted to evaluate the capability of the proposed methodology.

The rest of this paper is organized as follows. Section 2 describes the proposed security gateway based on common criteria. Section 3 describes the design of the gateway and discusses the implementation issues of the security gateway. Section 4 evaluates the performance of the system and demonstrates the effectiveness of the proposed architecture. Our work is summarized and the future work is discussed in Section 5.

2. Security Gateway Based on Common Criteria

Gateways in this paper refer to the devices defined by RFC1009[5], in which a gateway is an IP-level router to connect two or more networks. In June 1993, the United States, the United Kingdom, Germany, France, Canada, and Netherlands started to develop an evaluation standard for a multi-national marketplace. This standard is known as the "Common Criteria for Information Technology Security Evaluation" (CCITSE), and it is usually referred to as the "Common Criteria" (CC).

In CC, a product which is subjected to evaluation is called a target of evaluation (TOE). As shown in Fig. 2, there is a process for the evaluation of CC. Our TOE is a gateway that is designed to protect the private networks against security threats from the external network. For the sake of presentation, we will use the terms "TOE" and "gateway" interchangeably in the paper. The security measures of a TOE are defined by two documents: the protection profile (PP) and security target (ST). PP allows the consumers and developers to compile standardized sets of security requirements to meet their needs. On the other hand, ST specifies the functional requirements and assurance security for the product developers. The evaluators use ST as the basis for evaluation. Many research efforts have adopted CC to help them verify their security requirements. Details of CC usages
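
The configuration flow described in the Introduction (selected security features, threat dependency graph, security state, software configuration, run-time state change) is shown below in code. This is an added example, not the authors' implementation: the feature, threat and component names are constructed, and the edge semantics (overcoming a threat also requires overcoming the threats listed for it) is an assumption.

```python
# Added illustration: every feature, threat and component name is constructed.
from collections import deque

# Security feature an end-user selects -> threats it must overcome.
FEATURE_THREATS = {
    "remote_admin": {"T.EAVESDROP"},
    "packet_filter": {"T.UNAUTH_ACCESS"},
}
# Threat dependency graph. Assumed semantics: overcoming the key threat
# also requires overcoming every threat listed for it.
THREAT_DEPS = {
    "T.EAVESDROP": {"T.SPOOF"},
    "T.SPOOF": {"T.UNAUTH_ACCESS"},
    "T.UNAUTH_ACCESS": set(),
    "T.FLOOD": set(),
}
# Software component on the gateway -> threats it overcomes.
COMPONENT_THREATS = {
    "vpn_tunnel": {"T.EAVESDROP"},
    "peer_auth": {"T.SPOOF"},
    "firewall": {"T.UNAUTH_ACCESS"},
    "rate_limiter": {"T.FLOOD"},
}

def security_state(features):
    """Security state = selected threats plus everything they depend on."""
    state, queue = set(), deque()
    for feature in features:
        queue.extend(FEATURE_THREATS[feature])
    while queue:
        threat = queue.popleft()
        if threat not in state:
            state.add(threat)
            queue.extend(THREAT_DEPS[threat])  # KeyError if graph lacks it
    return frozenset(state)

def components_for(state):
    """Enable only components the state needs; refuse a state with a gap."""
    enabled = {c for c, ts in COMPONENT_THREATS.items() if ts & state}
    covered = set().union(*(COMPONENT_THREATS[c] for c in enabled))
    if state - covered:
        raise ValueError(f"no component overcomes {sorted(state - covered)}")
    return enabled

def transition(old_features, new_features):
    """Components to start and to stop when the security state changes."""
    old = components_for(security_state(old_features))
    new = components_for(security_state(new_features))
    return sorted(new - old), sorted(old - new)
```

Selecting only `remote_admin` leaves `rate_limiter` off, which is the performance side of the argument: mechanisms that no selected threat requires are not enforced.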
