Securing Networks Using Situation Based Firewalls ...

Securing Networks Using Situation Based Firewalls Policies Computations

Vijender Kumar Solanki1, Kumar Pal Singh2, M Venkatesan3, Sudhanshu Raghuwanshi4

1 Research Scholar, Anna University, Chennai, TN [email protected]
2 Faculty, ITS, Ghaziabad, UP, [email protected]
3 Principal, KSRIET, Nammakal, TN [email protected]
4 Faculty, NGFCET, Palwal, HR [email protected]

Abstract. In the last decade the number of users connecting to the web has increased manyfold. As the number of users increases, the computational load on the network naturally increases as well, which creates challenges for the network in terms of security threats and attacks. At this juncture network security plays its key role through the firewall, which is considered one of the most immediate requirements for assuring users about network security. As the size of the network expands, the implementation of the security road map must also improve, otherwise it would be tough for users to rely on network based services. In this article a novel idea is proposed to avoid threats and attacks in an organization's network by expanding the scope of firewall policies. The article shows the importance of compatibility between network design and firewall rules in making the network free from threats and attacks.

Keywords: Firewalls Policies, Network Security, Network Design, Network Configuration Management

1 Introduction

Information Technology revenue over the last decade has grown beyond the expectations declared by CII, but ironically the appreciation of new products and complaints about old products remain an evergreen issue in IT markets. Within the IT domain our work is based on the firewall, a perfect network security product which gives wonderful security support to the network. Today's information and communication technology (ICT) is extending its presence to users in every corner, irrespective of age, education and profession. Firewall concepts appear to have emerged approximately two decades ago [1, 4]. A variety of firewalls (hardware and software based) are available in the market, meeting the objectives of small scale to large scale networks in various organizations. The system administrator, after studying the organization's network topology, the sensitive data protection mechanisms exercised by past workers and the internal users' technical ability, configures the policies to protect the network from unauthorized access, internal as well as external.

In this paper we expand our previously proposed framework to improve the efficiency of the firewall in the network. The paper is divided into six sections, starting with a basic introduction to firewalls and our previous work. The second section elaborates the inclusion of the proposed framework, with justification. Section three analyses the results taken from network sites after the parameters were changed. Section four gives the conclusion and states the importance of future work; finally, the fifth and sixth sections cover the acknowledgement and references respectively.

In the previous papers [11, 12, 13] we surveyed different network layouts and their firewall choices, configuration strategies and the system administrators' technical consciousness towards firewalls and network security. In paper [14] an effort was also made to improve firewall efficiency by regularly editing the policy at a fixed interval for better results in networks. The objective is to iterate over the policies using a divide and conquer method, to ensure that maximum output is achieved from the firewalls and to show fewer attacks on the network in comparison with past threat and attack records. Firewalls at large are responsible for stopping or allowing traffic, generating logs, alerting on threats and attacks, etc. It is seen that in a small scale network firewalls play a good role, as no major problem is encountered, but as the size of the network grows the real time challenges to firewalls grow broadly. It is really funny to see that if anything wrong happens in the network (in case of attacks or threats), the system engineers of the different domains get ready to blame each other instead of finding the main problem and its causes.

The deployment and installation of firewall rules in a network is quite a dilemma, as it requires consideration of both features and cost effectiveness from the organization's point of view [5]. How to configure the rules in a firewall so that no problem arises in the network from a security point of view is still a question that is not well addressed, and there are some answers expressed by various experts as per their experience [7]. Firewalls can be viewed in two ways, externally as well as internally. Seen externally, the hardware comprises different minor and major components clubbed together to make a single piece of firewall equipment. Seen internally, it is a low level language environment which is capable of reading and executing the rules as configured by the administrator. The main challenge for the present system administrator is the selection of an appropriate solution from the various firewall solutions to cater to network security issues. The common query before management and technical professionals is how to select the best firewall solution among the various solutions, keeping in view cost effectiveness as well as the optimal solution for the organization.

2 Enhanced Design for Firewalls Policies

Various approaches have been proposed which make firewalls more effective, generate useful reports about the network and help in improving the status of the network system. In this direction we have considered a few references [2, 3, 4], published earlier, which motivated us to contribute an idea as a new finding in the present scenario towards improving network security. It has been seen at large that during the initial stage all the components and policies of a network work effectively, but as the network grows over time it requires some changes in policies as well as in the network itself, e.g., client-server design issues. The problem becomes a big obstacle to technical people because of the changes to the network and its services and the frequent demand to configure rules in the firewall. We have seen that the most affected are always the end users and their data, due to failure of network services or failure of firewall rules. The unauthorized user gets entry into the network due to incompetent network design, poor firewall rule configuration or conflicts. Towards improvement in firewalls the work in [2, 3] has been referred to, and in our previous paper we proposed a three stage model to enhance firewall efficiency. In brief, the first stage is considered the starting stage of the firewall rules; in the second stage we use an iterative approach implementing the divide-and-conquer method [14] to sort the rules into those which are useful to the network and those which are not; and finally we edit the rules to protect the network against threats and attacks. The same exercise is carried out at a periodic interval, and effective results have been seen as well.

[Figure: Firewalls Initialization, Firewall Ageing, Firewall Updation]
Fig. 1. Three stages firewall policy enhancement approach

The six months analysis from August 2012 to December 2012 is provided in paper [14], and it proved that constantly editing the policy improves the performance of firewalls. The above model is under testing phase. A further effort to improve network security is to work on the 12 rules [4] to improve firewall efficiency. It is necessary to study the network in detail, including the local area design, to find the better option for firewall policies. This is important because the network contains the Internet Protocol addresses, and the IP design plays an important role in the successful execution of firewalls. On the other side, firewall policies are configured to allow or deny as per the network's requirements. We consider the network to be divided into a number of zones and sub-zones, which are restricted by the various services through the administrator. The efficiency of firewalls is directly related to the successful execution of network services as implemented by the administrator; otherwise the policies are considered not effective for the network, and the network fails to stop unauthorized access. In paper [10] a very interesting approach using the P-system is explained, in which the P-system is used to possibly check the packets. We further propose a step ahead of our previously designed three stage model. The initialization phase compares the size of the network and the capacity of the firewalls, because the firewalls must comply with the size of the network to play an important role in it.

[Figure: Firewalls Initialization, Server, Firewall Rules Library, Firewall Ageing, Internet Server, Firewall Rules, Firewall Updation, Clients, Expansion, Eliminated Rules]
Fig. 2. Comparison of Networks with firewalls

A short description of each module is given below to make the diagram easier to understand.

Server: A computer or device on a network that responds to the client and also manages network resources.
Internet Server: A high configuration machine with an operating system, exclusively responsible for receiving internet traffic from outside as well as sending traffic outside through gateways, Ethernets, ports and communications [10].
Clients: Typically a client is an application that runs on a workstation and requests the server to perform some operations.
Firewall Rules Library: All the possible rules, made available in a repository (lists).
Firewall Rules: The policies configured at present in the firewall to secure the network.
Eliminated Rules: The rules which were part of the firewall but are no longer in use; they are kept safe in a file, the so-called eliminated rules.

Fig. 2 shows the redesign of our previous work, in which we have added the firewall library, which contains almost a multiple of the number of rules available in the firewall. The purpose of the library is to find rules which can be further geared into the network to provide better security, or which could be used when situation based policies demand them. The library is associated with the main firewall rules, and a separate list of eliminated policies is also maintained, so that if we eliminate some rules by mistake or through an incident based review, they can be restored to the firewall as the scenario requires to secure the network.

In the linear array, as we have shown, the flow is bidirectional, so the firewall can accept and reject packets; we therefore consider the PPR (partial permutation routing) case, in which more than one packet can be sent or received at a time. The benefit of using PPR is that it avoids any long queue in the firewall buffer, and the grid style rules can conveniently be matched against the firewall rules to decide whether to accept or reject the packets. The packets are assumed to be FIFO (First In First Out), to avoid any priority packets and any confusion, and also to avoid ties arbitrarily among two or more packets. It is also an important consideration that the packets take the shortest path to reach the rule base or to exit.

3 Result Discussion

In this article we have shown the changed state of the first stage of the framework, containing the extension work. We have shown two more findings in this paper which make the firewall effective in the network in comparison with previous work [13, 14].

Total No of Policies in Library    Total Number of Firewalls Policies Configured
100                                Aug 2012 - 68
100                                Sept 2012 - 85
200                                Oct 2012 - 97
300                                Nov 2012 - 97
300                                Dec 2012 - 74

Number of Policies Added: 17, 12, 12, -
Number of Policies Eliminated: 23

Table 1. Phase I Firewalls Library Cum rules Summary

In Table 1 the library has been added, which now supports firewall rule configuration as an add-on. The rules are kept in a ready list, and continuously examining these rules helps during the editing stage: when a number of rules are available, the decision on the best rules can be reached easily.

Total No of Servers   Total Number Internet Server   Total No of firewalls   Total No of Clients   Total No of Threat/Attacks
4                     2                              3                       360                   126
                                                     Stage - 1
4                     3                              3                       320                   85
                                                     Stage - 2
3                     2                              3                       369                   74

Table 2. Phase II Network and Firewalls Suitability Summary

Table 2 shows that fewer attacks were achieved by redesigning the server and by reducing and refining the services in two ways, one from the server side and the other from the server.

Source   Destination   Service   Interface   Direction   Action
F1       Any           SSH       out         inbound     Deny
D1       D2            DNS       any         both        Accept
D2       192.168.3.3   ICMP      loop        both        Accept

Table 3. Phase I Firewalls Library cum Rules Summary

Table 3 shows our approach to firewalls: these are the few important tuples we have to keep in mind during rule configuration. It shows clearly that the design of the network is closely correlated with the firewall configuration for successful achievement; otherwise it is tough for the system administrator to find ways to avoid attacks and threats from outsiders. Even with the help of the firewall system library, it is easy for us to define the incorrect rules in a time-bound interval.

Network Design Issues
  Server
  Clients
  Policies are towards clients centric
  Server restrict for unidentified access

Firewall Issues
  Types of firewalls
  Policies are network centric but during implementation conflicts and failures are major issues.

It is seen widely that the policy configured in firewall proves unreliable to network if the correct study about network design is not done and vice-versa.

Table 4. Phase II Network and Firewalls Reports

In Table 4 the network design issues and the firewall issues are emphasized individually, to focus improvement towards better network security, which is an important part of this paper.
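The rule library, configured rules and eliminated-rules list described in Section 2, with rules built from the six fields of Table 3 and packets served FIFO, as an added example that is not the authors' implementation. The `PolicyStore` class, the first-match and default-deny behaviour, the treatment of "any" and "both" as wildcards, and the sample packets are assumptions made here.

```python
from collections import deque, namedtuple

FIELDS = ("source", "destination", "service", "interface", "direction")
Rule = namedtuple("Rule", FIELDS + ("action",))
WILD = {"direction": "both"}  # assumed wildcards; other fields use "any"

def matches(rule, pkt):
    return all(getattr(rule, f).lower() in (WILD.get(f, "any"), pkt[f].lower())
               for f in FIELDS)

class PolicyStore:
    def __init__(self, library):
        self.library = list(library)  # every candidate rule
        self.active = []              # rules configured now, in match order
        self.eliminated = []          # retired rules, kept so they can return

    def configure(self, rule):
        if rule not in self.library or rule in self.active:
            raise ValueError("rule must be in the library and not yet active")
        self.active.append(rule)

    def eliminate(self, rule):
        self.active.remove(rule)
        self.eliminated.append(rule)

    def restore(self, rule):
        self.eliminated.remove(rule)
        self.active.append(rule)      # lands last: re-check ordering afterwards

    def process(self, packets):
        queue, verdicts = deque(packets), []
        while queue:                  # FIFO: no packet is prioritised
            pkt = queue.popleft()
            hit = next((r for r in self.active if matches(r, pkt)), None)  # assumed: first match
            verdicts.append((pkt["id"], hit.action if hit else "Deny"))  # assumed: default deny
        return verdicts

LIBRARY = [Rule("F1", "Any", "SSH", "out", "inbound", "Deny"),  # Table 3 rows
           Rule("D1", "D2", "DNS", "any", "both", "Accept"),
           Rule("D2", "192.168.3.3", "ICMP", "loop", "both", "Accept")]
PACKETS = [dict(zip(("id",) + FIELDS, row)) for row in [        # constructed
    (1, "F1", "D2", "SSH", "out", "inbound"),
    (2, "D1", "D2", "DNS", "eth0", "outbound"),
    (3, "D2", "192.168.3.3", "ICMP", "loop", "inbound")]]

def demo():
    store = PolicyStore(LIBRARY)
    for rule in LIBRARY:
        store.configure(rule)
    before = store.process(PACKETS)
    store.eliminate(LIBRARY[1])       # a review retires the DNS rule
    during = store.process(PACKETS)
    store.restore(LIBRARY[1])         # recovered from the eliminated list
    return before, during, store.process(PACKETS)
```

`demo()` returns the verdicts before, during and after the DNS rule is eliminated: packet 2 falls through to the default deny while the rule is retired and is accepted again once it is restored.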

4 Conclusion & future work

In order to improve our proposed design [14] we have made some necessary expansions at the first stage, which could help us to implement the proposed design framework in a large scale network. The inclusion of checking the suitability of the network design and of installing the firewall library will improve network performance. In this article two important issues, network compatibility and firewall library rules, are discussed. The paper also introduces the packet travelling algorithm using the PPR and FIFO approach.

Now, implementing the three stage framework in a big network and understanding the complexity of the rules are the real challenges in front of us, which we will address in our next paper.

5 Acknowledgment

We are thankful to Prof A.V.Vijayshankar for providing quality input to this paper. We give our thanks to the system administrator and team for co-operating with us during many odd hours. We further extend our sincere thanks to the ICACNI-13 Conference organizer for permitting us to share our research idea before researchers, academicians and corporate persons.

6 References

1. Hongxin Hu, Gail-Joon Ahn, Ketan Kulkarni, "Detecting and Resolving Firewall Policy Anomalies", IEEE Transactions on Dependable and Secure Computing, Vol 08, No 3, May/June 2012.
2. Nenad Stojanovski, Marjan Gusev, "Architecture of a Identity Based Firewalls System", International Journal of Network Security & Its Applications, Vol 3, No 4, July 2011.
3. Alex X. Liu, "Change-Impact Analysis of Firewall Policies", ESORICS 2007, LNCS 4734, pp 155-170, Springer-Verlag Berlin Heidelberg, 2007.
4. Avishai Wool, "A Quantitative Study of Firewall Configuration Errors", Published by IEEE Society, June 2004.
5. Pfleeger C.P., Pfleeger S.L., "Security in Computing", Fourth Edition, Pearson Prentice Hall, Third Edition 2007.
6. Jan L. Harrington, "Network Security, A Practical Approach", Elsevier, Edition 2011.
7. Eric Seagren, Wesley J. Noonan, "Secure Your Network For Free", Elsevier Professional and Trade Series Edition, 2007.
8. Michael E Whitman and Herbert J Mattord, "Principles of Information Security", Vikas Publishing House, New Delhi, 2004.
9. Ellis Horowitz, Sartaj Sahni, Sanguthevar Rajasekharan, "Computer Algorithm/C++", 2nd Edition, Universities Press.
10. Vijender Kumar Solanki, Dr. M. Venkatesan, "An Evolution and Revolution of Network Security", ICACT'2012 held in JKK Nattaraja College of Engineering and Technology, Nammakal, TN, on 9th-10th March 2012.
11. Vijender Kumar Solanki, K.P. Singh, Dr. M. Venkatesan, "Firewalls Best Practices in the Organization", in CTNGC-2012 held in Institute of Technology and Science, Ghaziabad, UP, Proc. CTNGC/Number 3 (ISBN: 973-93-80870-14-1) in International Journal of Computer Application, NY, USA and ACM-NCR Chapter, on 20th October 2012.
12. Vijender Kumar Solanki, K.P. Singh, Dr. M. Venkatesan, S. Tamilselvan, "A Holistic Approach to secure network using firewalls", FACT'12, Vol-1, pp 48-56, in National Institute of Technology, Tiruchirappalli, TN, on 6th-7th Dec, 2012.
13. Vijender Kumar Solanki, K.P. Singh, Dr. M. Venkatesan, Sudhanshu Raghuwanshi, "Firewall Policies Enhancement Strategies Towards Securing Networks", IEEE Conference technically co-sponsored by IEEE Kerala Section & IEEE India Council, Information Communication Technologies (ICT-13), Pg No. 07-11, ISBN 978-1-4673-5757-9, on 11th-12th April 2013, Organized by Noorul Islam University, Kanyakumari, Tamilnadu.
