Future Aspect of Firewall in Internet Security

Saba Khan1 and Rakesh Gupta2
Department of Computer Science Engineering, Department of Electrical and Electronics Engineering
Roorkee Engineering and Management Technology Institute Shamli, UP, India
Abstract -- A firewall is software that establishes a security perimeter whose main task is to block or restrict both incoming and outgoing information over a network. These firewalls are basically not effective and appropriate for corporate environments to maintain the security of information while supporting the free exchange of views. In this paper, we study the network firewall that helps the corporate environment as well as other networks that want to exchange information over the network. The firewall protects the flow of traffic over the internet, is less restrictive of outward and inward information, and also gives internal users the illusion of anonymous FTP and WWW connectivity to the internet. Conventional firewalls rely on topology restrictions and controlled network entry points to enforce traffic filtering. Furthermore, a firewall cannot filter traffic it does not see, so, effectively, everyone on the protected side is trusted. While this model has worked well for small to medium size networks, networking trends such as increased connectivity, higher line speeds, extranets, and telecommuting threaten to make it obsolete. To address the shortcomings of traditional firewalls, the concept of a “distributed firewall” has been proposed. In this scheme, security policy is still centrally defined, but enforcement is left up to the individual endpoints. IPsec may be used to distribute credentials that express parts of the overall network policy.
Trust Management is a relatively new approach to solving the authorization and security policy problem, and was introduced in . Making use of public key cryptography for authentication, trust management dispenses with unique names as an indirect means for performing access control. Instead, it uses a direct binding between a public key and a set of authorizations, as represented by a safe programming language. This results in an inherently decentralized authorization system with sufficient expressibility to guarantee flexibility in the face of novel authorization scenarios.
Keywords: Firewalls, Gateways, Packet filter, Firewall configuration, Working of application firewalls, IPsec, Network security, Trust Management.
I. INTRODUCTION
COMPUTER networks are designed to connect two or more computers located in the same or different corners of the world, so that they are free to exchange information with any other computer. This kind of sharing is a great advantage both for individuals and for the corporate world, but in today’s era the most important and confidential information is also exchanged over the internet, so an attacker can easily attack, find out the important information and harm the company in any manner. The most common types of attack are:
 A corporation may hold a large amount of valuable data, the leaking of which to competitors can cause a great loss.
 There is also danger from the outside world, such as viruses and worms, which can enter the corporate network.
To protect our data from these dangers we must put security mechanisms in place such that inside information remains inside and outside information remains outside, and prevent outside attackers from entering the corporate network.
II. DEFENSIVE STRATEGIES
Discussions about protecting networks usually focus on
threats from the Internet, but internal users are also a
threat. Indeed, surveys indicate that most unauthorized
activities are perpetrated by internal users. In addition,
organizations that connect with business partners over
private networks create a potential avenue for attack.
Users on the business partner's network may take
advantage of the inter-company link to steal valuable
information.
Defence-in-depth is not a product, like a perimeter
firewall. Instead, it is a security architecture that calls
for the network to be aware and self-protective. In
studying the problem of adding defence-in-depth,
we’ve identified six key strategies that security
architects can use to change significantly the security
posture of enterprise wired and wireless LANs
(WLANs).
Strategy 1: Authenticate and authorize all network users
The starting point for any deployment of defence-in-depth is authentication. Authentication should be handled at the earliest point of connection of the system to the network: at the port level, even before the client is assigned a network address.
Associated with every positive authentication must also
be authorization: now that we know who this person is,
what does it really mean? What can they do? Where
can they go? Unless every user in the authentication
database has the same privileges and accesses,
authentication must be tightly linked to authorization
[2]. The combination of positive authentication and user-based authorization information should form the basis for policy enforcement.
Challenges in Authentication: There are two key challenges in implementing network user authentication: the lack of a centralized authentication database, and the inability of some legacy systems to support modern protocols. The clear choice for network authentication is IEEE 802.1X, the IEEE standard for network authentication.
Strategy 2: Use VLANs for traffic separation and coarse-grained security
VLANs are, by their nature, unrouted chunks of network traffic. In most modern
building networks, a fair amount of layer 3 IP
routing takes place between wiring closets and the
computer rooms. In a campus environment, routing
is even more common. This makes pushing large
numbers of VLANs around the infrastructure a
fairly difficult-to-manage process [3]. Although
most networks are heavily over-engineered with
Gigabit (or 10 Gigabit) trunks, carrying a large
number of VLANs around the network to represent
different security profiles can stress not only the
infrastructure, but also the management of the
network itself [4]. This difficulty is compounded as
WLANs are added to the network. To maintain
simplicity, enable inter-SSID mobility and preserve
the current IP addressing scheme, it is essential that
the WLAN architecture of choice have the ability to
enable multiple VLANs across a single SSID. This
is typically true of new generation of centralized
WLAN solutions. There are multiple ways to assign
devices to VLANs dynamically, including:
• based on 802.1X authentication information
• based on Web-based authentication information
• according to an SSID selected by the user in a
wireless network
• based on detection of some other attribute, such as
the MAC address of the device or the location of the
user
Figure 1. Based on 802.1X authentication VLANs for
traffic separation.
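The four VLAN-assignment sources listed above can be combined into one port-level decision taken after authentication and before the client receives an address (Strategy 1). The following is an added example, not code from the paper; the VLAN numbers, groups, SSIDs and MAC prefix are constructed, and the RADIUS attributes are the standard tunnel attributes of RFC 3580.

```python
"""Dynamic VLAN assignment for Strategies 1 and 2: decide the VLAN at the
port, after authentication and before the client gets an address, from the
four sources the list names. Added example, not the paper's code; VLAN
numbers, groups, SSIDs and the MAC prefix are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional

QUARANTINE_VLAN = 999                       # nothing matched: isolate the port
GROUP_VLANS = {"staff": 10, "finance": 20}  # group from the 802.1X backend
GUEST_VLAN = 30                             # web-authenticated visitors
SSID_VLANS = {"guest-open": 30, "iot": 40}  # SSID chosen by the user
DEVICE_VLANS = {"00:11:22": 50}             # MAC OUI of managed printers


@dataclass
class Session:
    dot1x_ok: bool = False          # 802.1X succeeded
    group: Optional[str] = None     # group returned with the 802.1X result
    webauth_ok: bool = False        # captive-portal / web authentication
    ssid: Optional[str] = None      # SSID the client associated to (wireless)
    mac: str = ""                   # device MAC address


def choose_vlan(s: Session) -> int:
    """Strongest evidence first. 802.1X identifies the user (and the group
    carries the authorization); web auth identifies only a session; an SSID
    is merely the user's choice and a MAC address is a spoofable device
    attribute, so the last two may only ever map to low-privilege VLANs."""
    if s.dot1x_ok and s.group in GROUP_VLANS:
        return GROUP_VLANS[s.group]
    if s.webauth_ok:
        return GUEST_VLAN
    if s.ssid in SSID_VLANS:
        return SSID_VLANS[s.ssid]
    oui = s.mac.lower()[:8]
    if oui in DEVICE_VLANS:
        return DEVICE_VLANS[oui]
    return QUARANTINE_VLAN


def radius_vlan_attributes(vlan: int) -> Dict[str, object]:
    """Tunnel attributes (RFC 3580) a RADIUS server returns in Access-Accept
    so the switch or WLAN controller places the port or session in the VLAN."""
    return {"Tunnel-Type": 13,               # VLAN
            "Tunnel-Medium-Type": 6,         # IEEE-802
            "Tunnel-Private-Group-ID": str(vlan)}


def assign(s: Session) -> Dict[str, object]:
    """Full decision for one connecting port or wireless session."""
    return radius_vlan_attributes(choose_vlan(s))
```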
Strategy 3: Place encryption throughout the network to ensure privacy
Privacy of data throughout the enterprise is becoming a significant issue. Because the network
itself carries very sensitive data, there is a strong need
to protect that data from accidental or intentional
disclosure. The obvious case is in WLANs: no network
manager would consider deploying a wireless network
solution that does not enforce strong encryption [7].
In the wired environment, encryption can also be
appropriate. The wake-up call for most network
managers has come in the form of regulatory
requirements. For any health care provider touched by
the Health Insurance Portability and Accountability
Act (HIPAA) requirements, wide-spread encryption of
data even when inside of the corporate network may be
required by law. Regulations such as California’s
SB1386 (on publication of information when private
information is exposed) are also pushing companies to
encrypt more data to reduce the risk of disclosure of
protected information.
Strategy 4: Detect threats to the integrity of the network and remediate them
The challenge in implementing internal IPS/AV schemes is that boxes have to be located in every closet, and even then they cannot prevent a PC from potentially affecting its peer on the same network. A better way to address this problem is to encrypt traffic from each network jack and bring it back to a central location where all the policies are applied. This method is non-disruptive to addressing schemes and is far better than distributing multiple firewalls and IPS/AV systems in each wiring closet. If
there is a trinity of security concerns in access control,
privacy, and integrity, the third of these gets the least
interest. The main reason for this is simple: detecting
threats to the network can be very difficult. While
some threats to network and data integrity are easy to
identify and remediate, others can be extremely hard to
detect---and even more difficult to protect against.
While many companies focus on ‘towards the firewall’
threat management, the threats can come from
anywhere: worms and viruses, wireless, guests, and
careless or malicious insiders. It is worthwhile to
identify as many of these threats as possible and either
notify or attempt remediation. The security
community’s first attempt at threat identification came
in the form of IDS, intrusion detection systems. While
IDS have proven their worth as a tool in the arsenal of
the security analyst, most enterprises have discovered
that the information they get from their IDS is not
primarily useful in detection and remediation of
immediate threats.
Strategy 5: Include End-Point Security in Policy Enforcement
User systems may range from tightly
controlled laptops owned and managed by corporate IT
to spyware-infected, keystroke logging, Trojan-hosting
systems at public Internet kiosks. A user who
successfully identifies to the network should be given
different privileges depending on the system they are
using for access. Most network managers are already
aware of the problem of end-point security and have
tools such as anti-virus, personal firewall, and patch
management in place on many systems.
The next step is verification: enforcement of policy
regarding endpoint security by varying access based on
the security posture of the end system. This technology
and the thinking behind it is most evident in the world
of SSL VPN where vendors are vying hard to
differentiate themselves and incorporate end-point
security posture detection and enforcement into their
products. Remote access VPN tools, such as SSL VPN,
have a particular vulnerability in this area because they are specifically designed to extend the network [7], [8].
One solution to this problem is the firewall. The main task of a firewall is to regulate the flow of information between computer networks. It protects the network by standing between the network and the outside world. Data transfer in any direction must pass through the firewall.
III. APPLICATION GATEWAYS
In order to control risks when internal servers allow connections from the internet, we use a technique called an application gateway, also known as a proxy server because it acts like a substitute and decides about the flow of information. Working of application gateways:
(1) An internal user makes a connection with the application gateway for a service, i.e. HTTP or FTP.
(2) The application gateway asks the internal user which remote host it wants to communicate with.
(3) The user then provides the id and password required to access the service.
(4) Now, on behalf of the user, the application gateway accesses the remote host.
IV. FIREWALL CONFIGURATION
A firewall is a combination of packet filters and application gateways. Depending on this, the following are the configurations of firewalls.
Screened Host Firewall, Single Homed Bastion: In this type of configuration a firewall consists of the following parts:
(i) A packet filtering router
(ii) An application gateway
The main purpose of this type is as follows:
 The packet filter is used to ensure that incoming data is allowed only if it is destined for the application gateway [1], by verifying the destination address field of the incoming IP packet. It performs the same task on outgoing data by checking the source address field of the outgoing IP packet.
 The application gateway is used to perform authentication and proxy functions.
Screened Subnet Firewall: It provides the highest security among all firewall configurations. It is an improved version over all the available schemes of firewall configuration. It uses two packet filters, one between the internet and the application gateway and another between the application gateway and the internal network.
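The following Python simulation, added here and not code from the paper, puts the two packet filters of the screened-subnet configuration around an application gateway that carries out the four steps of Section III (connect, name the remote host and service, authenticate, connect on the user's behalf). The addresses, the user table and the list of proxied services are constructed.

```python
"""Screened-subnet firewall simulation: two packet filters around an
application gateway that authenticates internal users and connects to the
remote host on their behalf (Sections III and IV). Added example, not the
paper's code; addresses, the user table and the service list are constructed."""
import hmac
from dataclasses import dataclass
from typing import List, Optional

GATEWAY = "10.0.1.2"            # application gateway / bastion host (constructed)
INTERNAL_NET = "10.0.2."        # internal network prefix (constructed)
INTERNAL_PC = "10.0.2.25"       # an internal client (constructed)
INTERNET_HOST = "203.0.113.9"   # a remote host on the internet (constructed)


@dataclass
class Packet:
    src: str
    dst: str
    direction: str   # "in" = towards the internal side, "out" = towards the internet


def outer_filter(p: Packet) -> bool:
    """Filter between the internet and the gateway. Incoming data passes only
    if its destination address is the gateway; outgoing data passes only if
    its source address is the gateway. Nothing reaches internal hosts directly."""
    if p.direction == "in":
        return p.dst == GATEWAY
    return p.src == GATEWAY


def inner_filter(p: Packet) -> bool:
    """Second filter of the screened subnet, between gateway and internal
    network: internal hosts may only talk to the gateway, in both directions."""
    if p.direction == "in":
        return p.src == GATEWAY and p.dst.startswith(INTERNAL_NET)
    return p.dst == GATEWAY and p.src.startswith(INTERNAL_NET)


# Constructed credential store; a real gateway would consult an auth backend.
USERS = {"alice": "correct horse"}
ALLOWED_SERVICES = {"HTTP": 80, "FTP": 21}


def gateway_session(user: str, password: str, service: str,
                    remote_host: str) -> Optional[Packet]:
    """Steps (1)-(4) of Section III. The internal user has connected to the
    gateway (1), named the service and remote host (2) and supplied an id and
    password (3); if both check out the gateway opens the connection itself (4).
    Returns the packet the gateway would emit, or None when the session is refused."""
    if service not in ALLOWED_SERVICES:
        return None                       # the gateway proxies known services only
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored, password):
        return None                       # step (3) failed: no access to the service
    # Step (4): the internet only ever sees the gateway as the source address.
    return Packet(src=GATEWAY, dst=remote_host, direction="out")


def screened_subnet_path(user: str, password: str, service: str) -> List[str]:
    """Trace an internal client's request through inner filter, gateway and
    outer filter; returns the stages it passed (all three on success)."""
    stages: List[str] = []
    if not inner_filter(Packet(src=INTERNAL_PC, dst=GATEWAY, direction="out")):
        return stages
    stages.append("inner_filter")
    egress = gateway_session(user, password, service, INTERNET_HOST)
    if egress is None:
        return stages
    stages.append("gateway")
    if outer_filter(egress):
        stages.append("outer_filter")
    return stages
```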
Figure 2. A screening router.
Figure 3. Screening Router (Packet Filters).
Screening routers can look at information related to the
hard-wired address of a computer, its IP address
(Network layer), and even the types of connections
(Transport layer) and then provide filtering based on
that information. A screening router may be a standalone routing device or a computer that contains two
network interface cards (dual-homed system). The
router connects two networks and performs packet
filtering to control traffic between the networks.
Proxy Server Gateways: Gateways work at a higher
level in the protocol stack to provide more
opportunities for monitoring and controlling access
between networks. A gateway is like a middle-man,
relaying messages from internal clients to external
services [8] [9]. The proxy service changes the IP
address of the client packets, essentially hiding the internal client from the Internet, and then acts as a proxy agent for the client on the Internet.
Using proxies reduces the threat from hackers who
monitor network traffic to glean information about
computers on internal networks. The proxy hides the
addresses of all internal computers. Traditionally, using
proxies has reduced performance and transparency of
access to other networks. However, current firewall
products solve some of these problems.
Figure 2 and Figure 3 illustrate the differences between
screening routers and proxy servers, both of which are
described in the next few sections.
V. FIREWALL POLICIES
If an intruder can find a hole in your firewall, then the firewall has failed. There are no in-between states. Once a hacker is in, your internal network is at her mercy. If she hijacks an administrative account, you're in big trouble. If she hijacks an account with lesser privileges, all the resources available to that account are at risk.
No firewall can protect against inadequate or mismanaged policies. If a password gets out because a user did not properly protect it, your security is at risk. If an internal user dials out through an unauthorized connection, an attacker could subvert your network through this backdoor. Therefore, you must implement a firewall policy [10].
Obviously, the firewall and the firewall policy are two distinct things that require their own planning and implementation. A weakness in the policy or the inability to enforce the policy will weaken any protection provided by even the best firewalls. If internal users find your policies too restrictive, they may go around them by connecting to the Internet through a personal modem. The firewall in this case is useless. You may not even know your systems are under attack because the firewall is guarding the wrong entrance.
A New Data Center Architecture: The F5 approach to the firewall problem, the application delivery firewall solution, converges security services into a single set of Application Delivery Controllers (ADCs) at the edge of the data center. F5 breaks new ground by introducing a new firewall product as well as integrated firewall management services into its flagship BIG-IP product family. BIG-IP Advanced Firewall Manager (AFM) is a high-performance, stateful, full-proxy network firewall designed to guard data centers against incoming threats that enter the network on the most widely deployed protocols, including HTTP/S, SMTP, DNS, and FTP. Organizations can combine BIG-IP AFM with F5's other security services to build a new security architecture based on the application intelligence of F5's application delivery firewall solution.
The F5 application delivery firewall solution provides network-layer protection with a much higher connection capacity than traditional firewalls; this capacity enables BIG-IP LTM to manage the volume of a traffic onslaught while performing the port- and IP-based access control services typically provided by a stateful firewall.
Fig. 4. Attack Induced Firewall Failures
VI. FUTURE FIREWALL TECHNOLOGIES
There are a number of possible extensions that we plan to work on in the process of building a more general and complete system. As part of the STRONGMAN project at the University of Pennsylvania, we are examining the application of higher-level security policy languages to large-scale network management. Keynote is used as a common language for expressing policies that can be distributed in different applications and systems.
The distributed firewall is an important component in the STRONGMAN architecture. This is a subject of ongoing research. An alternate design would be to run the policy daemon inside the kernel, much like nfssvc(2). The policy daemon would then have direct access to the policy context queue, eliminating the system call overhead. Our current system focuses on controlling TCP connections. We plan to expand our implementation by adding an IP filter-like mechanism for more fine-grained control (perhaps based on some existing filtering package).
Figure 5. The new paradigm replaces stateful firewall services with BIG-IP LTM in the data center architecture.
Unified threat management: A new category of network security products, called unified threat management (UTM), promises integration, convenience and protection from pretty much every threat out there; these are especially valuable for enterprise use.
As Mike Rothman explains, the evolution of UTM technology and vendor offerings makes these products even more valuable to enterprises. Security expert Karen Scarfone defines UTM products as firewall appliances that not only guard against intrusion but also perform content filtering, spam filtering, application control, Web content filtering, intrusion detection and antivirus duties; in other words, a UTM device combines functions traditionally handled by multiple systems. These devices are designed to combat all levels of malicious activity on the computer network.
Next Generation Firewall (NGFW): Next-generation firewalls integrate three key assets: enterprise firewall capabilities, an intrusion prevention system (IPS) and application control.
Like the introduction of stateful inspection in first-generation firewalls, NGFWs bring additional context to the firewall’s decision-making process by providing it with the ability to understand the details of the Web application traffic passing through it and to take action to block traffic that might exploit vulnerabilities.
Next-generation firewalls combine the capabilities of traditional firewalls -- including packet filtering, network address translation (NAT), URL blocking and virtual private networks (VPNs) -- with Quality of Service
Triple Home Firewall: The third commonly used implementation of a firewall is the triple-homed bastion host, also called a three-homed firewall. The triple-homed bastion host often separates the Internet, the internal network and the DMZ. The advantage of a triple-homed bastion host is that Internet traffic avoids the company's internal network, which keeps the internal computers safe from the public. A three-homed firewall is illustrated in Figure 6.
Figure 6: Screened-subnet firewall
This configuration uses external and internal routers. Each is configured so that its traffic flows only to or from the bastion host. This arrangement prevents any traffic from directly traversing the sub network, or DMZ. The external router uses standard filtering to restrict external access to the bastion host, and rejects any traffic that does not come from the bastion host.
VII. RELATED WORK
A lot of work has been done over the previous years in the area of (traditional) firewalls [8, 12, 16]. [14] and [15] describe different approaches to host-based enforcement of security policy. These mechanisms depend on the IP addresses for access control, although they could potentially be extended to support some credential-based policy mechanism similar to what we describe in our paper. The Napoleon system [18] defines a layered group-based access control scheme that is in some ways similar to the distributed firewall concept we have described, although it is mostly targeted to RMI environments like CORBA. Policies are compiled to Access Control Lists (ACLs) appropriate for each application (in our case, that would be each end host) and pushed out to them at policy creation or update time. The STRONGMAN project at the University of Pennsylvania is aiming at simplifying security policy management by providing an application-independent policy specification language that can be compiled to application-specific Keynote credentials. Policies are compiled to ACLs and distributed to the various hosts in the secured network, although a pull-based method can also be used. Connections to protected ports are reported to a local security manager which decides whether to drop, allow, or forward them (using DCE RPC) to a remote host, based on the ACLs. Perhaps the most relevant work is that of [2]. In our approach, we introduce a three-layer system: a high-level policy language (equivalent in some sense to that used in Firmato), an intermediate level language (Keynote) used by the mechanisms, and the actual mechanisms. This allows us to:
 Express multi-application policies, rather than just packet filtering rules.
 Express mixed-layer policies (e.g., policies of the type “email has to either be signed in the application layer or delivered over an IPsec SA that was authenticated with a credential matching the user in the From field of the email”).
 Permit delegation, which enables centralized management (since Keynote allows building arbitrary hierarchies of trust).
 Allow incremental and asynchronous policy updates, since, when policy changes, only the relevant Keynote credentials need to be updated and distributed (e.g., only those relevant to a specific firewall).
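The three-layer scheme described above (high-level policy, compiled per-host credentials, enforcement at each endpoint) and its incremental-update property can be shown in a few dozen lines. The following is an added example, not STRONGMAN or Keynote code; the rule format, the host groups and the two policy versions are constructed.

```python
"""Three-layer policy pipeline: a high-level policy is compiled into the
per-host rules each endpoint enforces, and a policy change re-issues only
the hosts whose compiled rules differ. Added example, not STRONGMAN or
Keynote code; the rule format, groups and hosts are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Rule = Tuple[str, str, str, str]        # (action, src_group, dst_group, service)
Acl = Tuple[str, ...]                   # per-host entries "action src dst service"


@dataclass
class Policy:
    groups: Dict[str, FrozenSet[str]]   # group name -> member hosts
    rules: Tuple[Rule, ...]             # ordered; first match wins


def compile_policy(policy: Policy) -> Dict[str, Acl]:
    """Expand every rule into the concrete entries the destination host must
    enforce, in rule order, and end each host's list with a default deny:
    the distributed firewall trusts nobody it has no entry for."""
    acls: Dict[str, List[str]] = {h: [] for g in policy.groups.values() for h in g}
    for action, src_group, dst_group, service in policy.rules:
        for dst in sorted(policy.groups[dst_group]):
            for src in sorted(policy.groups[src_group]):
                acls[dst].append(f"{action} {src} {dst} {service}")
    return {h: tuple(entries + [f"deny any {h} any"]) for h, entries in acls.items()}


def incremental_update(old: Dict[str, Acl], new: Dict[str, Acl]) -> Dict[str, Acl]:
    """Hosts whose compiled rules changed: only these credentials need to be
    re-issued and pushed (or pulled); every other endpoint keeps what it has."""
    return {h: acl for h, acl in new.items() if old.get(h) != acl}


def enforce(acl: Acl, src: str, dst: str, service: str) -> str:
    """Endpoint-side decision: the first matching entry decides."""
    for entry in acl:
        action, a_src, a_dst, a_svc = entry.split()
        if a_src in ("any", src) and a_dst == dst and a_svc in ("any", service):
            return action
    return "deny"


def demo() -> Tuple[Dict[str, Acl], Dict[str, Acl], Dict[str, Acl]]:
    """Constructed network: clients may reach web over HTTP and mail over SMTP;
    version 2 additionally lets the web servers send mail. Returns the two
    compiled policies and the hosts that need a new credential."""
    groups = {"clients": frozenset({"pc1", "pc2"}),
              "web": frozenset({"web1", "web2"}),
              "mail": frozenset({"mail1"})}
    v1 = Policy(groups, (("allow", "clients", "web", "http"),
                         ("allow", "clients", "mail", "smtp")))
    v2 = Policy(groups, v1.rules + (("allow", "web", "mail", "smtp"),))
    old, new = compile_policy(v1), compile_policy(v2)
    return old, new, incremental_update(old, new)
```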
Table 1 -- Comparative data for WAF (web application firewall, the F5 column), UTM (unified threat management), NGF (next generation firewall) and THW (triple home firewall).
Columns: Characteristics | F5 | UTM | NGF | THW
Rows: definition; Defends Against; Complexity; Detection Algorithm; Performs user authentication; Protection against DDoS; May Scan SSL
Definition row: F5: It incorporates company’s existing application delivery & security problems. UTM: It provides more protection than other firewalls. NGF: It works at layer 7, and scans classified applications. THW: It uses a single firewall with 3 network interfaces.
Remaining cells, in the order they appear on the page: Weakness of simple password, overflow; Intrusion by unauthorised user, dangerous SQL injections & buffer overflow attacks; Not very much complex to manage; Reduces complexity; It understands web application traffic passing through it, & taking action to block traffic; provides safenet authentication solution; Yes; Regulatory compliance & easy management, content filtering; More complex to manage, has layers of rules and policies; Includes capabilities of traditional firewall NAT, IPF; Those attacks that; Separates intranet & DMZ network making it difficult to attack intranet; Gain greater flexibility & throughput; Additional layer make it a good solution for high speed; Yes; Yes; Yes; Partially; No; No; Yes; No; No; No.
VIII. CONCLUSION
As we have discussed so far, the firewall is a very important part of computer defence against viruses, spyware, Trojans and other malware, and also against direct malicious attacks from outside and inside the network. A good firewall is one that provides full protection of the network without affecting the speed of our computer and our network access.
In order to provide security, one should keep the following things in mind:
 We should never install any software from suspicious sources. Always download from the respected sites available on the internet.
 Use a firewall to monitor all data or information that we want to exchange over the internet.
 On every computer firewall software must be installed, else it will become infected and very quickly it will affect all the computers available on that network.
IX. ACKNOWLEDGEMENT
Authors would like to express their sincere gratitude to
Dr. M.S.Rana, Director, REMTech-Shamli for his keen
interest in the progress of the work.
X. REFERENCES
[1] H. Abie, “CORBA Firewall Security: Increasing the Security of CORBA Applications,” Telektronikk, vol. 96, no. 3-2000, pp. 53-64, January 2000.
[2] E. Al-Shaer and H. Hamed, “Management and translation of filtering security policies,” Proc. IEEE International Conference on Communications, 2003.
[3] Y. Bartal, A. Mayer, K. Nissim, and A. Wool, “Firmato: A novel firewall management toolkit,” ACM Transactions on Computer Systems, November 2004. An earlier version appeared in Proc. 20th IEEE Symp. on Security and Privacy, 1999.
[4] S. Wooldridge, “Application Security,” Electric Energy T&D Magazine, Aug. 6, 2006; IEEE 802.1Q-2005, IEEE Standard for Local and Metropolitan Area Networks -- Virtual Bridged Local Area Networks.
[5] A. Hari, S. Suri, and G. M. Parulkar, “Detecting and resolving packet filter conflicts,” Proc. of IEEE INFOCOM, 2000.
[6] T. Stang, F. Pourbayat, M. Burgess, G. Canright, K. Engo, and A. Weltzien, “Archipelago: A network security analysis tool,” Proceedings of the 17th Large Installation Systems Administration Conference, 2003.
[7] J. Liu, Y. Xiao, S. Li, W. Liang, C. L. P. Chen, “Cyber Security and Privacy Issues in Smart Grids,” IEEE Commun. Surveys Tuts., DOI: 10.1109/SURV.2011.122111.00145, in press.
[8] P. K. Deshmukh, A. B. Bagwan, P. Kinage, S. A. Jadhav, “Investigation and Analysis of Efficient Firewall Packet Filtering and Matching Algorithms,” International Journal of Engineering Research & Technology (IJERT), vol. 1, issue 8, October 2012, ISSN: 2278-0181.
[9] IEEE, IEEE Std 802.1X-2001, Port-Based Network Access Control, IEEE, 2001.
[10] R. Smith, S. Bhattachayra, “A Protocol and Simulation for Distributed Communicating Firewalls,” Proc. 23rd IEEE International Computer Software and Applications Conference (COMPSAC’99), October 1999.
[11] T. Feng, J. Bi, H. Y. Hu, H. Cao, “Networking as a Service: A Cloud-Based Network Architecture,” Journal of Networks, vol. 6, no. 7, July 2011, pp. 1084-1090.
[12] M. A. F. Gutierrez and N. Ventura, “Mobile Cloud Computing Based on Service-Oriented Architecture: Embracing Network as a Service for Third-Party Application Service Providers,” Proceedings, ITU Kaleidoscope 2011.
[13] The Fully Networked Human -- Innovations for Future Networks and Services (K-2011), pp. 1-7, 12-14 December 2011.
[14] TERENA Network Architects Workshop, “Network as a Service principle: virtual CPE as a Service,” NAW.pdf, November 2012.
[15] T. Benson, A. A. A. Shaikh, S. Sahu, “CloudNaaS: A Cloud Networking Platform for Enterprise Applications,” Proceedings, Second ACM Symposium on Cloud Computing (SOCC ’11), New York, NY, 2011.
[16] P. Costa, “Bridging the Gap between Applications and Networks in Data Centers,” ACM SIGOPS Operating Systems Review, vol. 47, no. 1, pp. 3-8, January 2013.