
Distributed Firewalls

Robert Stepanek, [email protected]

Abstract

Distributed firewalls allow enforcement of security policies on a network without restricting its topology from an inside or outside point of view. The use of a policy language and the centralized delegation of its semantics to all members of the network domain support the application of firewall technology in organizations whose network devices communicate over insecure channels, while still allowing a logical separation of hosts inside and outside the trusted domain. We introduce the general concepts of such distributed firewalls, their requirements and implications, examine their suitability against common threats on the Internet, and give a short discussion of contemporary implementations.

1 Introduction

This paper discusses the use of distributed firewall technology, its application fields and current implementations. Firewall technology in general is of vital interest for any organization which deploys one or more machines connected to a network which is regarded as unsafe, meaning that the existence of malicious software or adversaries must be assumed, and which aims at preventing damage by deploying a certain security policy.

Conventional firewall systems fulfill these requirements by the use of a collection of components which filter network traffic between two networks, usually regarded as a trusted network and an untrusted one. The notion of these systems relies on a certain topology of these networks, in a way that a specific, physical border between the trusted and untrusted domain can be singled out and security policies are enforced at the connecting components.

With the advent of the concept of distributed firewalls the topological constraints are weakened, and a decentralized use of traffic filters, as well as of components facilitating security requirements such as authentication and integrity, is favored over one using few special nodes in the overall network.
While the security policies are deployed in a decentralized way, their management is not, allowing system administrators to set policies from a central host and therefore still fulfill the requirements of efficient system and network administration.

1.1 Organization of the following sections

In section 2 we will introduce the terminology which enables us to discuss the concept of distributed firewalls in a general way and aims to emphasize criteria for the evaluation of certain implementations; note, however, that we will introduce the concept informally. Subsequently we will lay out the basic components which comprise a firewall of such kind and introduce different models which meet our overall requirements in one or the other way. Having introduced the concept generally, we will present already available products which meet our requirements and introduce their peculiarities and additions to the overall concept in section 3. In section 4 we will discuss common threats encountered on computer networks and the suitability of distributed firewalls to provide protection. Finally we will give a brief summary of the paper in section 5.

HUT TML 2001, T-110.501 Seminar on Network Security

2 The distributed approach

2.1 Basic definitions and terminology

Discussing distributed firewalls in the following sections, we will base our argumentation on the general requirements which compose the basic notions of firewall technology: on any communication traffic entering or leaving a network policy domain, firewall technology enforces the network domain security policy. Any instance of these mechanisms is called a firewall system, or shortly a firewall [24]. Moreover we will assume that for any host inside the network policy domain we can single out one or more identifiers which are unique to this network component.
Note that with this layout we have not made any assumptions about the actual topology of the network; more explicitly, we will not require that any network component can be seen as a single entry and exit point of communication traffic between the network policy domain and any other untrusted network. Setting a policy on external accesses, that is on any access to components inside the network policy domain, will be called policy control throughout the rest of this paper; the mechanism for deciding if a given item of communication traffic is legal will be called the policy verifier.

2.2 Components of a distributed firewall

A distributed firewall is a mechanism to enforce a network domain security policy through the use of a policy language, a policy distribution scheme enabling policy control from a central point, and certificates enabling the identification of any member of the network policy domain [2]. Whereas conventional firewalls usually use the network component's IP address as a unique identifier, and enforcing policies on it is based on the decision whether the component can be identified as being inside the trusted network or outside, we will use cryptographic certificates which detach the identifying mechanism from its reliance on any physical location of the component and minimize the danger of spoofed identities (however, as will be shown in section 2.3, the use of cryptographic authentication schemes is not inherent in the general definition of a distributed firewall).

The policy language defines which inbound and outbound connections on any component of the network policy domain are allowed, and can affect policy decisions on any layer of the network, be it rejecting or passing certain packets or enforcing policies at the application layer.
The requirements of such a language are, more specifically, to allow explicit definition of security or authentication schemes which have to be met before allowing the communication traffic to pass the enforcing mechanisms. The policy language in itself should therefore support credentials, and it is expected to be as generous as possible, allowing definitions for an arbitrary number of applications; it should also not enforce implicit policies and trust relations [4]. Usually such a language is compiled to an internal format, although this is not a general requirement [3].

Using a policy distribution scheme, the chosen security policy is delegated to members of the network in question according to one or more of the following distribution schemes [12]:

- Policies as well as credentials can be pushed to every single end point in the policy domain. This requires every member of the domain to be available to the delegating node, a criterion which most likely will not be met by mobile workstations and the like.

- Policies and credentials can be pulled from a trusted repository during initialization of the policy verifier and periodically during operation. This circumvents the requirement of enduring availability of every member of the network domain, but as in the previous solution end points may be confronted with a potentially large amount of credentials which need to be stored. Additionally the repository and the network may be subject to excessive resource consumption due to simultaneously initializing nodes.

- Policies are pulled during initialization of the policy verifier, whereas credentials for authentication mechanisms remain on a trusted repository and are requested whenever communication traffic reaches a node from a yet unknown host.
  Although this scheme allows a more balanced distribution procedure, it must be stated that reliance on the availability of the trusted repository leads to the threat of Denial of Service attacks, a problem which will be discussed in more detail in section 4.

Using certificates enables the policy verifier to make decisions without knowledge of the physical location of the node whose communication requests are subject to the examination. Public-key cryptography mechanisms are most often applied in contemporary implementations and were deployed in the reference model in [12] through the use of IPSEC [13], [16]. In general the credentials associated with a connection-requesting node have to provide unambiguous information about its identity which enables the policy verifier to give a simple yes or no answer, given the encoded security policy. Most likely an encoding of the node's network address in any of the policies is not desirable, given the distributed nature of the network's organization. Combining the policy distribution scheme and the use of credentials furthermore enables transmission of certificates over insecure channels, assuming that evidence of the repository's integrity is given [5].

2.3 Variations of distributed firewalls

In practice the criteria mentioned in section 2.2 are not always met by organizations deploying distributed firewalls; different layouts and variations most often combine concepts of conventional with distributed firewall mechanisms and lead to hybrid firewalls [2]. Although the possible variations are large in number, we will focus on the most common combinations, which can be found in available products as well.

2.3.1 Host addresses as a credential

Some hybrid firewalls do not make use of cryptographic credentials and the like as discussed, and hence still rely on topological properties of the underlying network through inspection of the connecting node's network address.
This layout does not address spoofing attacks, but is useful in combination with a router discarding traffic from local addresses entering the network from the untrusted outside. Although policies are now enforced on the end points of the network and allow distributed policy control, the overall requirements of a distributed
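The contrast between the host-address credential of section 2.3.1 and the certificate-based policy verifier of section 2.2, with credentials pulled on demand from a trusted repository (the third distribution scheme), as an added Python example that is not from the paper or any implementation it cites. The peer name build.example.test, the rule sets and the repository contents are constructed for the example, and a shared HMAC key stands in for a public-key certificate so the code runs without external dependencies.

```python
import hashlib, hmac, ipaddress

# Constructed policies: the hybrid firewall of section 2.3.1 keys rules on a network
# address, the certificate-based firewall of section 2.2 on an identity bound to a credential.
ADDRESS_POLICY = {(ipaddress.ip_network("10.0.0.0/8"), 22): "allow"}
IDENTITY_POLICY = {("build.example.test", 22): "allow"}      # hypothetical peer name

# Constructed trusted repository: identity -> key. A real deployment stores public-key
# certificates; a shared HMAC key keeps the example dependency-free.
REPOSITORY = {"build.example.test": b"constructed-key-for-build-host"}

def decide_by_address(policy, src_ip, port):
    """Hybrid check: trusts whatever source address the packet carries."""
    ip = ipaddress.ip_address(src_ip)
    return "allow" if any(ip in net and p == port and v == "allow" for (net, p), v in policy.items()) else "deny"

def sign_request(key, identity, port, challenge):
    """What a legitimate peer computes with its credential over the verifier's challenge."""
    msg = f"{identity}|{port}|{challenge}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class PolicyVerifier:
    """Policy pulled at initialization, credentials pulled on first contact (third scheme)."""
    def __init__(self, policy, fetch_credential):
        self.policy, self.fetch, self.cache = policy, fetch_credential, {}

    def decide(self, identity, port, challenge, tag):
        if self.policy.get((identity, port)) != "allow":
            return "deny"                               # no matching rule: default deny
        if identity not in self.cache:
            try:
                self.cache[identity] = self.fetch(identity)
            except (LookupError, OSError):              # unknown peer or repository down
                return "deny"                           # fail closed rather than open
        expected = sign_request(self.cache[identity], identity, port, challenge)
        return "allow" if hmac.compare_digest(expected, tag) else "deny"

def unreachable_repository(identity):
    raise ConnectionError("constructed: trusted repository not reachable")

def demo():
    verifier = PolicyVerifier(IDENTITY_POLICY, lambda ident: REPOSITORY[ident])
    challenge = "nonce-0001"        # constructed; a real verifier draws a fresh random value
    good = sign_request(REPOSITORY["build.example.test"], "build.example.test", 22, challenge)
    return {
        "genuine_peer": verifier.decide("build.example.test", 22, challenge, good),
        "identity_claimed_without_key": verifier.decide("build.example.test", 22, challenge, "0" * 64),
        "peer_not_in_policy": verifier.decide("intruder.example.test", 22, challenge, good),
        "repository_unreachable": PolicyVerifier(IDENTITY_POLICY, unreachable_repository).decide("build.example.test", 22, challenge, good),
    }
```

The address check accepts any packet carrying a local source address, which is exactly the spoofing gap the paper notes, while the identity check denies a claimed name without the matching credential and fails closed when the repository cannot be reached.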