LATTICE-BASED FIREWALL FOR SAFETY INTERNET ACCESS




Proceedings of the Postgraduate Annual Research Seminar 2005, pp. 238-243

Cahyo Crysdian and Abdul Hanan Abdullah
The Faculty of Computer Science and Information System, Universiti Teknologi Malaysia, Skudai 81310 Johor Darul Ta'zim, Malaysia
Tel: 607-5532000 Fax: 607-5565044
crysdan@lycos.com, hanan@fsksm.utm.my

Abstract: This paper deals with an effort to provide safe Internet access by minimizing the conditions causing threats. A model visualizing the interaction between network users and Internet objects was developed to disclose the sources of Internet threats. A strategy for securing Internet access was drawn from this approach. This strategy was brought into real-life Internet protection by developing a network firewall that employs a lattice-based method to organize the interaction between the protected internal users and Internet objects. Experiments checking the constructed firewall proved that the developed strategy is effective in restricting the access of unprotected users to un-trusted Internet objects.

Keywords: Firewall, Lattice-Based, Internet Security, Network, Threat Model

1. INTRODUCTION

Nowadays the Internet is becoming more and more important to many organizational information systems. In fact, many activities require the existence of an Internet connection. They span from simple Internet access, such as updating anti-virus tools or reading newspaper articles, to complex and critical tasks such as conducting e-commerce transactions or holding online surveys for many public media. Since the Internet is also known to be the source of many security incidents, protection for users accessing the Internet is required. The popular method of protecting users, applied by many organizations, is to put a firewall between the internal network and the Internet. However, some reports [1][2][3] disclose unsatisfactory firewall performance due to the variety of Internet content and the rapid change of Internet technology, besides changes in the methods of launching attacks.

A number of research efforts such as [4][5][6][7] have attempted to deal with this condition by improving the firewall mechanism. Mostly they try to create a mechanism capable of responding automatically to changing attacks. The terms dynamic, adaptive and active security were born from these research communities. Besides offering some degree of flexibility, these efforts also create other problems such as increased algorithm complexity [6] and the possibility of DoS attack [8]. Therefore the outcomes of these enhancements of firewall technology are not different from the traditional firewall. This paper addresses this issue and tries to redefine a solution to improve the performance of firewalls in providing protection for the organization network and the internal users accessing the Internet.

2. INTERNET THREAT

The Internet has been known as the source of many security incidents. Threats from the Internet can be classified into two groups, i.e. human action and malicious code. The first group includes the actions of hacking, spoofing, sniffing and eavesdropping, while the second group includes viruses, worms, Trojan horses and trapdoors. Buffer overflow and information theft committed by a malicious program can be classified into the second group as well. While firewalls are very effective at deterring the first group of attacks, they lack the performance to stop the action of malicious code [1][2][9]. The reasons for this condition are twofold. First, current firewall technology has no capability to sense the environment it has to guard; the way a firewall works is to filter and inspect the traffic flowing through it. Second, malicious code behaves as normal traffic content when it is travelling through the firewall. Therefore malicious code is capable of reaching the protected internal network undetected. The survey of Whitman [10] found that the attack of malicious code has become the top threat endangering many organizational information systems. This condition is worsened by the widespread use of web script injection to exploit the vulnerability of Internet connections, as reported by Huang et al. [9].

3. MODEL DEVELOPMENT

Developing a model to figure out the interaction between internal network users and Internet objects, in which set theory is employed, is an effective approach to provide a protection strategy for an organization's internal network. Three conditions are raised from this model, i.e. safe, controlled and threat. Description of the model follows.

Let $U$ be the domain of internal network users, which consists of two safety regions, i.e. protected $p$ and unprotected $up$; then each user $u \in U$ can be defined as a tuple $\langle p, up \rangle$, with $p$ and $up$ pointing to the area allocated for each user in the protected and unprotected region respectively. An illustration of this model is depicted in Figure 1. Assuming that a user is an entity, $p + up = 1$ must be fulfilled for each $u = \langle p, up \rangle$. The total number of users existing in the network can be computed by the following equation:

$u_T = \sum_{u} p + \sum_{u} up$ (1)

Equation 1 can also be used to compute the protected value $\sum_{u} p$ and the unprotected value $\sum_{u} up$ that represent the safety factor of a network.

Figure 1. Model of internal network users (five example users: User 1 full-protected, p = 1, up = 0; User 2, p = 0.75, up = 0.25; User 3 half-protected, p = 0.5, up = 0.5; User 4, p = 0.25, up = 0.75; User 5 un-protected, p = 0, up = 1)

The model of Internet objects is defined similarly to the model of network users. A domain of Internet objects $O$ is divided into two safety regions, i.e. trusted $t$ and un-trusted $ut$. An object $o \in O$ is defined as a tuple $\langle t, ut \rangle$ in which, for each $o = \langle t, ut \rangle$, the following equation must be fulfilled, considering that an object is also an entity:

$t + ut = 1$ (2)

An illustration of the Internet object model is depicted in Figure 2.

Figure 2. Model of Internet objects (five example objects: Object 1 full-trusted, t = 1, ut = 0; Object 2, t = 0.75, ut = 0.25; Object 3 half-trusted, t = 0.5, ut = 0.5; Object 4, t = 0.25, ut = 0.75; Object 5 un-trusted, t = 0, ut = 1)

The model of Internet access is built by intersecting the defined models of network users and Internet objects. Integration of both models produces a new Internet access model as illustrated in Figure 3. This model creates several intersected regions as the product of the interaction between protected and unprotected users with trusted and un-trusted Internet objects. Those regions correspond to the following safety conditions:

Safe: $U_p \cap O_t$ (protected users and trusted Internet objects)
Controlled 1: $U_p \cap O_{ut}$ (protected users and un-trusted Internet objects)
Controlled 2: $U_{up} \cap O_t$ (unprotected users and trusted Internet objects)
Threat: $U_{up} \cap O_{ut}$ (unprotected users and un-trusted Internet objects)

Figure 3. Model of Internet access (network users divided into protected $U_p$ and unprotected $U_{up}$, Internet objects into trusted $O_t$ and un-trusted $O_{ut}$; the intersections are Safe $U_p \cap O_t$, two Controlled regions and Threat $U_{up} \cap O_{ut}$)

Referring to the model of Internet access shown in Figure 3, it is clear that the condition causing threats is produced by the interaction between unprotected users and un-trusted objects. Therefore minimizing the region of interaction between unprotected users and un-trusted objects is required. From this point on, this region is always referred to as the threat region.

4. MINIMIZING THREAT

An effort to minimize the threat region is required to have secure Internet access. Based on the Internet access model developed in the last section, three strategies can be executed to reduce the threat region:

To minimize $U_{up}$ (the unprotected user region). This strategy is carried out by installing more protection tools such as anti-virus, personal firewall and intrusion detection on users' machines. However, too many protection tools installed on a user machine can reduce the performance of the machine.

To minimize $O_{ut}$ (the un-trusted object region). This is done by filtering Internet traffic in the firewall to prevent malicious content from entering the internal network. This strategy however reduces network flexibility, as all network traffic will be scrutinized.

To minimize $U_{up} \cap O_{ut}$ (the threat region). Applying a security priority to control the interaction between unprotected users and un-trusted objects can be used to restrict access to the threat region. Compared to the other strategies, this approach delivers several added advantages: it has a better mechanism to maintain network flexibility, and it does not reduce the performance of user machines either. Therefore this strategy is carried on into the implementation, as discussed in more detail in the next section.

5. LATTICE-BASED NETWORK FIREWALL

A network firewall is developed to implement the strategy for minimizing the threat condition explained in the previous section. The strategy of minimizing $U_{up} \cap O_{ut}$ is carried out due to its direct impact on reducing the threat region. To carry out this approach, the lattice-based method as proposed by Denning [11] and represented by Sandhu [12] is used as the foundation for developing the firewall mechanism. The implementation is explained as follows.

Let $u_m^i \in U$ be the $m$-th user of an internal network with protection level $i$, and let $o_n^j \in O$ be the $n$-th Internet object with predetermined safety level $j$. An access request of user $u_m^i$ to object $o_n^j$ is granted by the firewall if and only if $i \geq j$. This policy can be represented by the following equation:

Access: $u_m^i \rightarrow o_n^j \iff i \geq j$ (3)

Equation 3 states that the protection level of a network user must be greater than or at least equal to the safety level of an Internet object for the firewall to grant the user access to that Internet object. This is the basic mechanism of the developed lattice-based firewall. The implementation is carried out by designing three protection levels of users, i.e. protected, half-protected and unprotected, and three safety levels of Internet objects, i.e. trusted, half-trusted and un-trusted. The interactions of each protection level of users with each safety level of objects are presented in Figure 4.

Figure 4. Mechanism of lattice-based firewall (network users: protected i = +1, half-protected i = 0, unprotected i = -1; Internet objects behind the firewall: un-trusted j = +1, half-trusted j = 0, trusted j = -1)

Assuming protected users are guarded by anti-virus, personal firewall and spy-sweeper, the developed protection levels hold the following criteria:

Protection level 1 (unprotected) is owned by the group of machines having IP addresses in 24.4.76.0/24. No security tool is installed on the user machine.
Protection level 2 (half-protected) is owned by the group of machines having IP addresses in 24.4.75.0/24. Only anti-virus is installed on the user machine.
Protection level 3 (protected) is owned by the group of machines having IP addresses in 24.4.74.0/24. All available security tools are installed on the user machine.

The criteria for the developed trusted levels are as follows:

Trusted level 1 (trusted) is given to the group of Internet objects characterized as education-oriented, popular and the standard of quality for scientific publication purposes. IEEE, ACM and Elsevier are the members of this group.
Trusted level 2 (half-trusted) is for Internet objects characterized as public-news oriented and popular. Readers Digest, CNN and Kompas are the members of this group.
Trusted level 3 (untrusted) is for Internet objects functioning as search engines, such as Google, Altavista and Infoseek.

6. EXPERIMENT

The lattice-based firewall, developed using Redhat Linux 7.3 on an Intel Pentium IV 1.8GHz machine with 128 Kbytes RAM and a 40 GB local disk, was tested in the networking environment depicted in Figure 5.

Figure 5. Experimental set up (internal network subnets 24.4.74.0/24, 24.4.75.0/24 and 24.4.76.0/24 with address 24.4.74.1, the lattice-based firewall, the Internet side with address 172.16.0.66, and the Internet objects Elsevier, ACM, IEEE; Readers Digest, CNN, Kompas; Google, Altavista, Infoseek)

Three user machines holding IP addresses 24.4.76.25, 24.4.75.20 and 24.4.74.15 are used to represent protection levels 1, 2 and 3 respectively. Meanwhile nine Internet objects are classified to represent the three trusted levels as follows: Elsevier, ACM and IEEE represent trusted level 1; Readers Digest, CNN and Kompas represent trusted level 2; and Google, Altavista and Infoseek represent trusted level 3. The experiment was conducted by accessing each Internet object from each participating user machine. The experimental results, measuring time consumption and the outcome of applying the access policy by the lattice-based firewall, are recorded in Table 1. Any other types of Internet objects are not classified in this implementation due to the limited trusted levels built into the prototype. Therefore they cannot be reached by network users, since the developed algorithm applies the "which is not stated is prohibited" approach to guarantee the deployment of the security policy by the lattice-based firewall.
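The access rule of Equation 3 together with the level criteria of Section 5, written out as an added Python example (this is not the authors' firewall code): source subnets map to protection levels, hostnames map to safety levels, anything that was never classified is denied, and access_matrix() reproduces the access/no-access pattern of the experiment. The subnets and hostnames are those given in the paper; the function names and the sample requests are my own.

```python
"""Lattice-based access decision: the user's protection level i must
dominate the object's safety level j (Equation 3, access iff i >= j)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Protection levels of internal users (Section 5): 1 = unprotected,
# 2 = half-protected, 3 = protected.  Each level is bound to one subnet.
# Figure 4 labels the same three levels -1, 0, +1; the ordering is identical.
USER_SUBNETS: Dict[ipaddress.IPv4Network, int] = {
    ipaddress.ip_network("24.4.76.0/24"): 1,  # no security tool installed
    ipaddress.ip_network("24.4.75.0/24"): 2,  # anti-virus only
    ipaddress.ip_network("24.4.74.0/24"): 3,  # all security tools installed
}

# Safety (trusted) levels of Internet objects: 1 = trusted (scientific
# publishers), 2 = half-trusted (public news), 3 = un-trusted (search engines).
OBJECT_LEVELS: Dict[str, int] = {
    "www.elsevier.com": 1, "www.acm.org": 1, "www.ieee.org": 1,
    "www.rd.com": 2, "www.cnn.com": 2, "www.kompas.com": 2,
    "www.google.com": 3, "www.altavista.com": 3, "www.infoseek.com": 3,
}


def protection_level(src_ip: str) -> Optional[int]:
    """Level i of the requesting user, or None when the address lies in
    none of the classified internal subnets."""
    addr = ipaddress.ip_address(src_ip)
    for net, level in USER_SUBNETS.items():
        if addr in net:
            return level
    return None


def safety_level(host: str) -> Optional[int]:
    """Level j of the requested object, or None when it was never classified."""
    return OBJECT_LEVELS.get(host.lower().rstrip("."))


def access_granted(src_ip: str, host: str) -> bool:
    """Equation 3: u_m^i -> o_n^j is allowed iff i >= j.  A user or object
    without a level has nothing stated about it, so the request is
    prohibited ("which is not stated is prohibited")."""
    i = protection_level(src_ip)
    j = safety_level(host)
    if i is None or j is None:
        return False
    return i >= j


def filter_requests(requests: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Decide a batch of (src_ip, host) connection requests."""
    return [(ip, host, "ALLOW" if access_granted(ip, host) else "DENY")
            for ip, host in requests]


def access_matrix() -> Dict[str, Dict[str, bool]]:
    """Decision for every classified host from the three test machines of
    the experiment (one machine per protection level)."""
    test_machines = ["24.4.76.25", "24.4.75.20", "24.4.74.15"]
    return {host: {ip: access_granted(ip, host) for ip in test_machines}
            for host in OBJECT_LEVELS}


if __name__ == "__main__":
    # Constructed sample requests: they include an unclassified host and an
    # address outside the classified subnets, both of which must be denied.
    sample = [("24.4.76.25", "www.ieee.org"), ("24.4.76.25", "www.cnn.com"),
              ("24.4.74.15", "www.google.com"), ("24.4.74.15", "www.example.org"),
              ("10.0.0.5", "www.ieee.org")]
    for ip, host, decision in filter_requests(sample):
        print(f"{ip:>12} -> {host:<18} {decision}")
```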

Table 1. Result of testing of lattice-based firewall (time consumption in seconds)

Internet Objects      Protection Level 1   Protection Level 2   Protection Level 3
www.elsevier.com      36.8                 21.0                 56.9
www.acm.org           5.4                  7.8                  7.0
www.ieee.org          13.7                 10.1                 13.2
www.rd.com            No access            9.4                  12.8
www.cnn.com           No access            9.9                  28.0
www.kompas.com        No access            11.1                 10.4
www.google.com        No access            No access            14.0
www.altavista.com     No access            No access            0.6
www.infoseek.com      No access            No access            37.4

Table 1 shows successful Internet access restriction using the lattice-based firewall, with relatively small time consumption obtained in the experiment. Figure 6 below presents a graph comparing the time measurements of accessing the Internet through the lattice-based firewall for each protection level. The variation of the measured time consumption here is due to the shared network bandwidth used during the experiment; as is well known, peak network usage slows down the speed of Internet access.

Figure 6. Time consumption of accessing Internet from each protection level (chart of access times for Protection Level 1, 2 and 3; time axis from 00:00.0 to 01:00.5)

7. RELATED WORKS

There have been some limited works on formulating and developing intelligent firewalls. The effort of Eschelbeck [5] and Network Associates [4] in proposing active security is motivated by dissatisfaction with the static configuration of today's firewall technology, which is unable to follow the pace of dynamic e-commerce transactions. The active firewall developed by Eschelbeck and Network Associates is able to communicate with other security components such as anti-virus tools, PKI servers, vulnerability scanners and intrusion detection systems. However, as noted by Haixin et al. [3], it can cause performance decrease and asymmetric routing problems, since the other supporting security components are not specifically assigned to support the operation of the active firewall. Other work by Hunt and Verwoerd [6] with a reactive firewall applies the approach of changing the firewall configuration based on network traffic utilization. However, the function of the firewall in governing security aspects, especially against the attack of malicious code, is not evaluated in their experiment. Meanwhile the design of the active firewall developed by Lehtonen et al. [13] for wireless applications does not show any deployment of security policy, and no experiment has been reported from this effort. In [7], the design and performance evaluation of an embedded firewall concludes that the network transmission rate and the number of security rules influence the performance of the firewall.

8. CONCLUSION

An effort to develop a strategy providing safe Internet access requires an effective approach to localize the sources of threats. In this paper, a model visualizing the interaction of network users and Internet objects is presented. This model provides three strategies for minimizing the conditions causing Internet threats, i.e. reducing the number of unprotected users, filtering un-trusted Internet objects, and minimizing the interaction between unprotected users and un-trusted Internet objects. This research deals with the third strategy by building a lattice-based firewall to restrict the access of unprotected users to un-trusted objects. This way the threat region can be directly minimized, while access to trusted objects, or access done by protected users, can still be maintained.

9. REFERENCES

[1] W. Arbaugh, Firewalls: An Outdated Defense, IEEE Computer Society Press, Vol. 36, No. 6, pp. 112-113, 2003.
[2] D.M. Kienzle and M.C. Elder, Recent Worms: A Survey and Trends, The Workshop on Rapid Malcode (WORM '03), Washington DC, USA, pp. 1-10, October 2003.
[3] D. Haixin, W. Jianping and L. Xing, Policy-Based Access Control Framework for Large Networks, Proceedings of IEEE International Conference on Networks (ICON 2000), Singapore, pp. 267-272, 5-8 September 2000.

[4] Network Associates, The Active Firewall: The End of the Passive Firewall Era, Network Associates Inc.: A Network Associates Executive White Paper, 1999.
[5] G. Eschelbeck, Active Security: A Proactive Approach for Computer Security Systems, Journal of Network and Computer Applications, Vol. 23, pp. 109-130, 2000.
[6] R. Hunt and T. Verwoerd, Reactive Firewall: A New Technique, Elsevier Computer Communications Journal, Vol. 26, Issue 12, pp. 1302-1317, 21 July 2003.
[7] Y. Guo and R. Li, Design and Performance of Firewall System Based on Embedded Computing, GCC 2003, Lecture Notes in Computer Science 3032, pp. 992-995, 2004.
[8] S. Kamara, S. Fahmy, E. Schultz, F. Kerschbaum and M. Frantzen, Analysis of Vulnerabilities in Internet Firewalls, Elsevier Computers and Security Journal, Vol. 22, No. 3, pp. 214-232, 2003.
[9] Y.W. Huang, F. Yu, C. Hang, C.H. Tsai, D.T. Lee and S.Y. Kuo, Securing Web Application Code by Static Analysis and Runtime Protection, The Thirteenth International World Wide Web Conference, New York, USA, pp. 40-51, May 2004.
[10] M.E. Whitman, Enemy at the Gate: Threats to Information Security, Communications of the ACM, Vol. 46, No. 8, pp. 91-95, August 2003.
[11] D.E. Denning, A Lattice Model of Secure Information Flow, Communications of the ACM, Vol. 19, No. 5, pp. 236-243, May 1976.
[12] R.S. Sandhu, Lattice-Based Access Control Models, IEEE Computer, Vol. 26, No. 11, pp. 9-19, 1993.
[13] S. Lehtonen, K. Ahola, T. Koskinen, M. Lyijynen and J. Pesola, Roaming Active Filtering Firewall, Proceedings of Smart Objects Conference (SOC 2003), Grenoble, France, May 2003.