Evaluating Firewall Policies To Manage Information Technology Essay

Published: November 30, 2015 Words: 1708

Firewalls are devices used to implement a security policy between two or more networks or hosts. A firewall acts as a security barrier that controls traffic and manages connections between internal and external network hosts. Connections and service requests are either accepted or rejected based on a set of rules defined by the network administration's security policy. Firewalls are mechanisms used to enforce network policies. They are best suited to policies that define access privileges between networks or hosts; these access privileges typically involve network, protocol, session, and host restrictions. Firewalls enforce such policies by intercepting the communication of hosts in different networks. On receiving a packet, a firewall checks the packet's header against a set of user-defined rules and forwards the packet if it is acceptable or drops it otherwise. By inspecting and filtering packets, firewalls can block suspicious packets and prevent them from passing through. A firewall can enforce a complete network-wide access policy if all incoming and outgoing packets are configured to pass through it. Although packet inspection and filtering improve network security, it is important to ensure that they do not degrade the availability and utility of the entire system. A firewall cannot forward a packet until inspection is complete, which adds processing time to every packet. With limited buffer space, prolonged inspection time may also cause the firewall to drop packets at random, which is unacceptable for certain types of traffic such as video or voice. The performance of a firewall should not degrade when it is under attack; otherwise it would not serve its purpose. This can to some extent be counteracted by the rapid development of more powerful hardware; however, regular hardware upgrades are not always feasible.
Firewall security and performance thus remain a challenging subject. A key element of the firewall configuration is the access control list (ACL). An ACL consists of an ordered list of rules, each of which describes which packets it matches and the action to be taken on matched packets, i.e., whether to permit or deny that traffic.

Firewalls provide several actions: a packet can be dropped, accepted, cleaned, transformed, logged, or a combination of actions can take place. A rule-based firewall maps the logic specified in the ACL to a list data structure. A packet is compared with each rule successively in sequence until the first matching rule is found, and the action of that rule is taken on the packet. Many firewall implementations have slightly different semantics, such as last matching, last with first matching, and conditional subsequences. However, all these variations are equivalent to the first-matching-rule semantics, as can be shown through straightforward rule transformations. Rule-based firewalls, with popular models such as Cisco Systems' PIX firewall [6], Linux's Netfilter [15], and the BSD Packet Filter [14], are widely used in production networks. Checking a packet against rules takes processing time, and thus to minimize firewall load and latency one can reduce the number of checks required for packet processing. Previous research has proposed a number of techniques to reorder the rules for better firewall performance [1, 7, 8, 12]. These

Aims and Objectives

This thesis aims at:

Researching firewall policies for traffic management in networks from a Quality of Service point of view.

Proposing the right balance between firewall security level and Quality of Service to the end user.

The objectives of this thesis are:

Identify requirements that need to be considered when implementing firewall policies.

Review different aspects of security while supporting firewall performance

Propose an improvement of firewall performance to enhance network traffic

Analyse, design and implement the new solution

Evaluate the performance of new and existing firewall policies

Report structure

The report continues as follows: Chapter two gives general information about firewall policies and the effect of using ternary content-addressable memory (TCAM) on frame filtering, and also covers a state-of-the-art review of previous research.


Chapter 2: Background

Related work

A great deal of research has been done on different aspects of firewall security and network traffic management; however, less research was found on the evaluation of firewall policies.

Lyu et al. (2000, p116) pointed out that firewalls configured at different security levels showed varying performance when different policies were applied at each level. It was also argued that the relationship between security and performance is not always inversely proportional. A proposal was made to evaluate the effectiveness of different security policy levels and their impact on overall network performance. The evidence obtained, however, only includes processing time and task-completion metrics at slow network speeds. Moreover, the focus appeared to be mostly on the evaluation of software security tools.

Abedin et al. (2006, p49) presented a mathematical framework that computes a policy security score in order to evaluate and re-evaluate security policies. The framework bases itself on changes in requirements, on the vulnerability history (determined by calculating the probability of an event occurring), and on the volume of network traffic handled, from which vulnerability scores are derived. When high vulnerability scores are obtained for some security policies, those policies can then be re-assessed to ensure that the firewall policies are up to date. This research, however, does not provide for mining of the results obtained, which means that a new vulnerability score has to be calculated each time security policies are re-evaluated. Al-Shaer et al. (2004, p2) defined a formal model to analyse and verify the accuracy of written legacy firewall rules. The model consists of an anomaly discovery algorithm that reports anomalies existing in the filtering rules, in order to ensure the accuracy and effectiveness of firewall security in managing network traffic. The model was designed by establishing the relationship between firewall rules, that is, whether any two rules are exactly matching, partially matching, inclusively matching (one rule is a subset of the other) or completely disjoint. By working out all possible combinations, a policy tree was used to represent firewall policies. This representation made the discovery of anomalies in firewall policies straightforward.
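The following is an added example (not code from the essay, nor from Al-Shaer et al.'s own tool) that encodes the four rule relations named above and, under the first-matching-rule semantics described in the introduction, reports which later rules are shadowed, redundant or correlated. The Rule fields, the helper names and the sample university ACL with its addresses are all constructed for illustration.

```python
# Added example, not from the essay or Al-Shaer et al.: classify pairs of ACL
# rules by the four relations named above and report anomalies under first-match order.
from collections import namedtuple
from ipaddress import ip_network

# proto: "tcp"/"udp"/"any"; src, dst: CIDR prefix; dport: inclusive (low, high); action: "accept"/"deny"
Rule = namedtuple("Rule", "proto src dst dport action")

def _net_rel(a, b):  # CIDR prefixes are either nested or disjoint, never partially overlapping
    a, b = ip_network(a), ip_network(b)
    return ("equal" if a == b else "subset" if a.subnet_of(b)
            else "superset" if b.subnet_of(a) else "disjoint")
def _range_rel(a, b):  # port ranges, unlike prefixes, can partially overlap
    if a == b: return "equal"
    if a[0] >= b[0] and a[1] <= b[1]: return "subset"
    if b[0] >= a[0] and b[1] <= a[1]: return "superset"
    return "disjoint" if a[1] < b[0] or b[1] < a[0] else "overlap"
def _proto_rel(a, b):
    return ("equal" if a == b else "subset" if b == "any"
            else "superset" if a == "any" else "disjoint")

def relation(x, y):
    """Relation of rule x to rule y: 'exact', 'x_in_y' (x inclusively matched by y),
    'y_in_x', 'correlated' (partial match) or 'disjoint'."""
    rels = {_proto_rel(x.proto, y.proto), _net_rel(x.src, y.src),
            _net_rel(x.dst, y.dst), _range_rel(x.dport, y.dport)}
    if "disjoint" in rels: return "disjoint"
    if rels == {"equal"}: return "exact"
    if rels <= {"equal", "subset"}: return "x_in_y"
    if rels <= {"equal", "superset"}: return "y_in_x"
    return "correlated"

def find_anomalies(rules):
    """First-match order: a later rule inside an earlier one is never reached (shadowing if
    actions differ, else redundancy); partial overlap with a different action is a correlation."""
    out = []
    for i, x in enumerate(rules):
        for j, y in enumerate(rules[i + 1:], start=i + 1):
            rel = relation(y, x)  # the later rule relative to the earlier one
            if rel in ("exact", "x_in_y"):
                out.append((i, j, "shadowing" if x.action != y.action else "redundancy"))
            elif rel == "correlated" and x.action != y.action:
                out.append((i, j, "correlation"))
    return out

# Constructed ACL for the essay's university scenario (addresses are made up).
POLICY = [
    Rule("tcp", "10.1.0.0/16", "0.0.0.0/0", (80, 80), "accept"),       # student subnets -> web
    Rule("tcp", "10.1.5.0/24", "0.0.0.0/0", (80, 80), "deny"),         # shadowed by rule 0
    Rule("udp", "10.1.0.0/16", "0.0.0.0/0", (16384, 32767), "deny"),   # block RTP voice range
    Rule("udp", "10.1.0.0/16", "10.2.0.10/32", (1, 65535), "accept"),  # correlated with rule 2
]
```

Running `find_anomalies(POLICY)` flags rule 1 as shadowed by rule 0 and rules 2 and 3 as a correlation anomaly; the shadowed rule can be deleted without changing behaviour, while the correlated pair needs an administrator's decision on which action should win.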

Chapter 3 Implementation and Analysis

The purpose of this chapter is to evaluate firewalls from different aspects, that is: does implementing a firewall mean security at the cost of the quality and performance of the network? Networks were modelled with and without a firewall to test network performance. OPNET was used as the simulation tool throughout the experiments carried out.

A relatively simple university network was used to evaluate network performance with and without a firewall, as shown in figure 1. Users use different types of online applications, including web browsing, email and file transfers. The network is currently being abused by students who use it for video data transfer, for example watching online movies at the university or listening to music. Such use affects the response time of important applications, such as students using the labs to work or browsing university databases for online resources. It is therefore important to filter the type of traffic in the network.

A very simple way to block unwanted traffic would have been to implement access lists. However, even standard access lists require considerable processing time at the entry point, depending on the length of the list, since rules are checked sequentially. Extended access lists provide better control over traffic management, but they require a lot of processing power, which would slow down network performance and thus affect the availability of the network.

Another way of filtering traffic is to implement a firewall in the network. A firewall can be configured to filter traffic based on either port configuration or the sender's IP address. It is generally assumed that the relationship between security and performance is inversely proportional. This assumption will be analysed in the experiments carried out.

Figure 1 Network layout with the firewall

For the university's network, a firewall was placed to filter the network traffic. The scenarios assumed around 150 users on various subnets, together with database, FTP and web servers. Heavy traffic loads were assumed for web browsing and database access. In the first scenario, the firewall was present in the network without any configuration. In the second scenario, the firewall was configured to block voice traffic, which had been identified as slowing down network performance. Figure 2 shows how the configuration was done.

Figure 2 Configuring the firewall

By stating that the voice application was not deployed on the proxy server, any packet belonging to the voice application would be dropped when it reached the firewall.

The next chapter will interpret the results obtained for the scenarios mentioned in this chapter.

Chapter 4 Results and Discussion

This chapter discusses the results obtained when the simulations for the different scenarios were run.

The database query response time, the HTTP page response time and the point-to-point link utilization are the three components measured and compared during the simulations. Figure 3 shows the response time without any traffic filtering. It can be observed from the figure that, due to the heavy load of web browsing and database traffic, the response time is quite high.

Figure 3 Database response time without firewall

The next step was the implementation of the firewall in order to block unnecessary traffic such as voice or video. The response times obtained were then compared with those measured when there was no firewall. The results are shown in figure 4.

Figure 4: Mean database response time

From the above, it can clearly be seen that once the firewall was configured to block voice traffic, the response time dropped considerably. Thus it can be said that the inversely proportional relationship between network performance and security does not always hold. The results showed that when the firewall was implemented there was, along with security, a significant improvement in network performance as well.

Figure 5 shows the HTTP response time with and without the firewall. Again, a slight improvement in response time can be seen, even if it is not as marked as for the database response.

Chapter 5 Future work

Chapter 6 Conclusion