The Multilayer Firewall
Dan Nessett
3Com Corporation, Technology Development Center
5400 Bayfront Plaza
Santa Clara, CA. 95052
(408) 326-1169
[email protected]
Polar Humenn
BlackWatch Technologies, Inc.
2-212 CASE Center - Syracuse University
Syracuse, NY. 13244
(315) 443-3171
[email protected]
Report documentation page (SF 298)

Report date: 1/1/98. Report type: Report. Title and subtitle: The Multilayer Firewall. Authors: Polar Humenn and Dan Nessett. Performing organization: IATAC, Information Assurance Technology Analysis Center, 3190 Fairview Park Drive, Falls Church VA 22042 (the citation data form lists 3Com Corporation Technology Development Center, 5400 Bayfront Plaza, Santa Clara, CA. 95052). Sponsoring/monitoring agency: Defense Technical Information Center, DTIC-IA, 8725 John J. Kingman Rd, Suite 944, Ft. Belvoir, VA 22060. Distribution/availability statement: A; approved for public release, distribution unlimited. Subject terms: Firewalls, Information Security. Number of pages: 16. Security classification of report, this page and abstract: unclassified; limitation of abstract: none (unlimited).

Abstract

We present a new security technology called the Multilayer Firewall. We argue that it is useful in some situations for which other approaches, such as cryptographically protected communications, present operational or economic difficulties. In other circumstances a Multilayer Firewall can complement such security technology by providing additional protection against intruder attacks. We first present the operational theory behind the Multilayer Firewall and then describe a prototype that we designed and implemented.

1. Introduction

The economic case for designing, implementing and deploying network and distributed system security mechanisms is now well established. Recent estimates of worldwide annual financial losses during 1995-1996 due to improperly protected information assets range from the hundreds of millions of dollars [1] to as high as 30+ billion dollars [2]. While actual losses may be less than the higher figure, losses in the billions of dollars annually are likely.

Even though there is general agreement that security mechanisms are necessary to protect information assets, there is less agreement on the specific technology to use. It is a thesis of this paper, justified in the next section, that many factors, including economic, legal and social constraints, affect whether a particular technology should be employed in a given situation. Different circumstances force different tradeoffs, implying that no technology is optimal for solving all security problems.

Working under this premise, we present a new technique for securing networks, called the multilayer firewall, which is useful in many circumstances. This approach extends the concept of a firewall as a device or devices that secure the border of a network to include the coordinated and selective restriction of traffic within a network, thereby protecting internal network resources. One of the innovations of our work is the use of a combination of high-level policy statements, network topology and a description of which devices are capable of enforcing security policy to automatically calculate the filter sets for each enforcing device. Since these sets are in general different, this relieves the system administrator from the arduous task of creating and downloading them to each enforcing device, the number of which may be large.

Another innovation is the potential to utilize network devices at both layer 2 and layer 3 to implement the firewall filtering activity. Traditional security filtering normally takes place in packet filtering routers or application level proxy gateways. However, to accommodate the performance requirements of internal network traffic, a multilayer firewall can use filtering functionality in layer two devices, such as 802.x and ATM switches, in order to achieve acceptable performance objectives for internal network traffic.

This paper is organized as follows. In the next section, we present an analysis of several network security technologies and suggest situations in which their use is unattractive. This motivates the presentation of the multilayer firewall, which is given in section 3. In section 4 we describe a prototype that we designed and implemented to test the multilayer firewall concept. Section 5 presents performance data that demonstrates the utility of using a combination of layer 3 and layer 2 devices for security filter enforcement. In section 6 we survey related work. Finally, in section 7 we present our conclusions from this research.

2. Motivation

Network security researchers and implementors have focused a great deal on how to protect networks from external attack. Traditional firewalls [3, 4] are designed to protect the borders of a network, preventing unauthorized access to internal resources by outside agents. Secure virtual private networks (VPNs) [5] have been used mainly to protect communications between private networks communicating over a public facility, such as the internet, or between a remote client and a border device positioned at a private network. In many cases VPNs are implemented using a tunneling protocol, such as PPTP [6], operating over a lower layer security protocol, such as IPSEC [7, 8, 9].

There has been some work to protect the internal communications of network management and control software, but it either has been inadequate, such as the use of SNMP community strings for protecting SNMP requests, is still being developed, such as SNMPv3, or is still in the research stage, such as mechanisms to protect routing protocols [10, 11, 12]. The use of encryption at the network layer and below to protect communications in non-classified networks until recently has been limited to the banking and financial industries. Work within the IEEE to standardize encryption for 802 based layer 2 communications has not seen significant implementation and deployment. While implementations of IPSEC and IPSEC-based [13] protocols are making significant progress, prior implementations of standardized network layer encryption protocols [14, 15] were not deployed widely, at least in the commercial market.

The greatest success in protecting communications within the interior of a network uses application based security. Kerberos [16], DCE [17], and security mechanisms for the world wide web [18] have seen significant deployment. Security mechanisms for distributed object systems [19] utilize these and similar technologies for access control and protected communications.

So, the two best candidates for protecting resources internal to a network are IPSEC or application based security mechanisms. Yet, there are reasons why using either of these is sometimes inappropriate. This follows from certain characteristics that do not match the requirements of some common deployment situations. These requirements are as follows.

2.1 Performance

Both IPSEC and the common application based security solutions use cryptography to protect communications. While this provides significant protection, there is a performance penalty to pay. The use of cryptography for message integrity and authentication does not severely degrade communication and processor performance in most cases. However, its use for message confidentiality, when implemented in software, can significantly degrade CPU intensive application performance.

The attendant loss of performance becomes more serious as longer key lengths and stronger algorithms are required to meet the continuing decrease in the ratio of cost to computing performance. Thus, while DES was once considered sufficient for protecting high asset value unclassified data, this is no longer true. Most high asset value applications, for example, those in the financial sector, now require the use of triple-DES. However, existing desktop systems and those projected for the next few years have inadequate performance to support communications using triple-DES in software over common and emerging fabrics (e.g., 10 and 100 Mbps ethernet). For example, Bart Preneel of the Catholic University Leuven in Belgium reports that an optimized triple-DES implementation running on a 90 MHz Pentium achieves 6.2 Mbps [20]. This result was computed when no other computation was running on the test system. Projecting, a 200 MHz Pentium running nothing but triple-DES software should achieve approximately 13.8 Mbps. Systems running applications that use even a moderate percentage of CPU cycles (i.e., in excess of 30%) could not sustain a rate of 10 Mbps without users noticing a slow down. Applications requiring much higher bandwidth (e.g., those running over 100 Mbps ethernet, such as medical imaging applications) will not be able to use software based triple-DES in the foreseeable future. Consequently, hardware accelerators are probably necessary for systems running these applications. Such hardware introduces cost and legacy support issues that are discussed below.

Even for applications that access moderately valuable assets, for which single DES may be appropriate, confidentiality protection can be a problem. Preneel reports that an optimized single DES implementation can achieve 16.9 Mbps on a 90 MHz Pentium [20]. Projecting, a 200 MHz Pentium running only single DES software should achieve approximately 37.5 Mbps. Thus, the performance of single DES in software is acceptable for communications at 10 Mbps only for desktop systems
deployed in the past several years. Many legacy desktop systems cannot support this rate. Furthermore, even the best desktop systems available cannot support 100 Mbps communications with software based single DES.

The conclusion is that cryptographic approaches for confidentiality will be useful only for a subset of applications, e.g., those valuable enough to justify the acquisition of new high performance end systems or hardware acceleration for existing systems, or those applications with low bandwidth requirements. Since some applications, such as medical imaging to the practitioner's desktop and a large number of CAD applications, do not fall into these categories, a non-cryptographic approach to protected communications is justified in those situations.

2.2 Cost

Since cryptographic services may require hardware acceleration or desktop upgrade in order to achieve acceptable performance, their use introduces cost factors that may be unacceptable in certain circumstances. Generally, the acquisition of capital equipment is budgeted several years in advance and may replace only a portion of deployed computer systems. There is still a large number of relatively old systems in use today in many environments. Replacing all of these systems with newer ones is generally infeasible. Even when this is possible, replacement systems may not provide the highest available performance. A similar situation exists for hardware acceleration of cryptography.

An important consideration with regard to cost is the computing capacity available to an adversary in relation to the computing capacity available on an average desktop. After new desktops have replaced old ones over several years, the computing power available to an adversary will have increased. So, when systems considered state-of-the-art today are commonly available on the desktop, they will not be state-of-the-art with regard to their encryption support capabilities. Bandwidth capacity will have increased; computing capacity available to an adversary will be greater; and applications will arise requiring higher bandwidths.

The conclusion is that there will never be a point when cryptographic solutions will be sufficient to address all application security requirements. Desktop computing capacity will always lag the cryptographic requirements of some applications. Consequently, non-cryptographic approaches to protecting network communications will always be useful.

2.3 Policy Enforcement

There are numerous situations for which communication between components in a distributed system must conform to a centrally administered policy. Examples include restrictions on the use of non-mission-critical applications during normal business hours in a financial institution, and restrictions on the information that a particular individual or organization may legitimately access, such as company financial or product planning data. The enforcement of such policy may occur proactively by preventing unauthorized communications, or retroactively by monitoring communications in order to detect policy violations.

When message traffic is confidentiality protected, the enforcement or monitoring activity must take place while the monitored data is in the clear. For application based security services, this requires the policy enforcement logic to reside between the application and the security service libraries. Since commonly deployed application-based security systems do not have such policy enforcement capabilities, this functionality must be retrofitted to the applications either by creating a "glue" layer library implementing policy, or by retrofitting the applications themselves with policy management support. In either case, the expense is potentially high due to engineering, manufacturing and redeployment costs. Furthermore, those administering central policy may not trust end systems to carry out policy enforcement unless there are hardware guarantees that such enforcement cannot be tampered with by the end user. Currently, there is no commonly deployed hardware with this capability.

There are more options for policy enforcement when a network layer security protocol, such as IPSEC, is used. If IPSEC is implemented in a network device, such as a router, which is used as one end of a confidentiality protected association, policy enforcement can be implemented in the network by observing the traffic either before it is encrypted or after it is decrypted. This configuration requires other security technology to implement the policy enforcement function.

If IPSEC is implemented at both ends of an association within the end systems, policy enforcement must occur in the end systems themselves. This may require the use of a policy "shim" inserted into the end system's protocol stack, a "glue" layer library located between the application and the protocol stack interface, or modified applications that are retrofitted with policy management software. As with application based security services, administrators may not find end system policy enforcement acceptable without guarantees that are difficult to achieve with existing end system hardware. Thus, policy enforcement in a network protected by cryptography may require other security functionality, which examines cleartext data. This functionality would enhance the services provided by cryptography.
2.4 Legacy Support

Protecting communications with cryptographic services requires the use of software or hardware capable of using and providing cryptography. There are many deployed applications that are not designed to use cryptographic services, nor could they be easily retrofitted to do so. There also are fielded computer systems running legacy operating systems or based on legacy hardware that cannot economically be retrofitted with the necessary cryptographic features.

To address these situations, the designers of IPSEC have included a tunneling mode, which provides protection for legacy system communications between tunneling endpoints. However, IPSEC tunneling only protects data while it is in the protected tunnel. At either end of the tunnel, the data is unprotected and susceptible to intruder attack. Other security measures may be necessary to protect this data as it moves in the clear over unprotected sections of a network.

2.5 Legal Issues

The use of cryptographic services is complicated by legal constraints. The world-wide promulgation of cryptographic functionality is currently constrained by export control restrictions and in some countries by import and usage restrictions. This has impeded the deployment of cryptographic solutions.

While there is evidence that certain countries are relaxing restrictions on cryptographic technology, it is unlikely that all legal restrictions will be removed in the near future. Thus, other approaches to network and communication security will remain valuable simply because they are more easily deployed.

2.6 Summary

The use of application or network based cryptographic services to protect distributed resources is useful in many important situations. However, there are other circumstances in which these approaches do not meet other system goals. Performance requirements, cost constraints, policy management considerations, legacy systems and legal issues may either render cryptographic solutions undesirable or limit their applicability, creating the opportunity to utilize other security technology.

3. The Multilayer Firewall

3.1 Background

Using firewalls to protect networks from external attack is a mature and widely deployed technique. The term "firewall" identifies a number of different equipment configurations. The most elaborate of these is constructed from several systems [3, 4], such as interior and exterior routers, a DMZ, and one or more bastion hosts located within the DMZ. However, less complicated configurations also qualify as firewalls, such as a single packet filtering router.

Administrators rely on the physical security of firewall equipment in order to prevent the movement of unauthorized traffic through it. They also depend on the integrity of message data, in particular source addresses and, for IP based firewalls, source ports, for correct firewall operation. In situations where these assumptions are too risky, the use of firewalls is unwise. However, there are environments, such as certain corporate or institutional networks, some classified networks, and some carrier networks, where these assumptions are reasonable. In such cases, the use of firewalls may provide an acceptable alternative to or enhancement of cryptographic based approaches.

Normally, firewalls are placed at the borders of a network in order to protect it against attack by external intruders. The positioning of current generation firewalls within a network to control internal traffic has the disadvantage of significantly reducing overall communications performance. Consequently, when deployed in this manner, firewalls are generally placed only at a very small number of points within the network where the traffic density is low.

3.2 Packet Filtering Firewalls

A simple class of firewall utilizes packet filtering to control the traffic allowed to pass between different networks. Virtually all of these firewalls use packet filtering routers or packet filtering engines that run in the kernel of an operating system.

Packet filtering devices, when properly configured, can prevent data from flowing through inappropriate portions of a network. This provides a limited form of confidentiality and integrity protection, since data is kept out of the reach of unauthorized individuals who might modify or view it. The strength of protection is not as great as that provided by cryptography, but it can increase the level of effort required by an intruder to access information.

The general architecture of a packet filtering firewall consists of the following components: 1) a user interface for specifying packet filtering rules, 2) persistent storage for retaining the current configuration of filtering rules, 3) a filter compiler that accepts a high-level description of filter rules (policy statements) and produces low-level commands or configuration data for the enforcement engine, and 4) an enforcement engine that implements the filtering mechanisms. In addition to these components there may be other optional components, such as audit trail functionality, which records
anomalous events, or testing functionality, which allows an administrator to test the filter rules with traffic generated within the firewall.

Packet filtering firewalls require the retention of state in order to handle certain protocols. For example, FTP uses both a control and a data association. The control association carries the information specifying which port to use for data transmission. In order to allow the data association traffic to pass, a packet filtering firewall must snoop on the FTP control traffic, looking for the appropriate command containing the data association port. It then establishes a temporary filter rule, or its equivalent, which allows the FTP data to pass.

3.3 Multilayer Firewall Architecture

Traditional firewalls normally protect a network against external attack. An extension of this idea places firewall functionality within a network to protect it against internal attack. As mentioned above, this strategy is presently limited, since systems used to implement firewalls are generally slow. Placing them in the interior of a network dramatically degrades performance.

However, filtering is used for many purposes. Layer 2 devices, such as 802.x and ATM switches, filter traffic to enhance network performance by containing broadcasts. The implementation of filtering in these devices is highly optimized, providing significantly better communications performance than that available in routers.

It is possible to use layer 2 filtering to implement firewall functionality in addition to broadcast containment. This leads to the idea of a multilayer firewall, i.e., a firewall that uses filtering functionality at layer 3 and layer 2 to implement security policy.

A multilayer firewall (MLF) is constructed from the following elements:

• An MLF management system, consisting of one or more stations from which the MLF is controlled. This system provides an appropriate user interface for entering MLF security policy. Depending on its implementation, MLF policy could be expressed as a table of policy statements, as predicates specifying enforcement conditions on firewall traffic, or in some other way. The security policy language should be designed for clear and concise specification of desired network behavior. The language should be human-oriented rather than machine-oriented.

• A set of enforcement devices, which may be layer 3 routers, layer 2 switches or any other device that supports packet filtering or application proxying. An enforcement device is located within the interior of the network and connected to other devices through layer 2 links. Its filtering activity is specified either by commands or by configuration data.

• An MLF policy compiler, which accepts policy expressed in the high-level language and produces low-level data for the enforcement devices (see below). The compiler should be able to transform high-level policy statements into commands or configuration data for a number of different devices. To ensure extensibility, the compiler architecture should allow device translators to be plugged in, allowing the addition of new enforcement device types to the MLF.

• Persistent storage, which stores both the high-level policy and the low-level device data. The MLF architecture allows this persistent storage to be distributed. Such storage includes persistent storage subsystems, such as directory services and distributed database systems, as well as persistent storage on suitably equipped enforcement devices.

• Enforcement data transport, which is used to move the low-level device data from the MLF management system to the enforcement devices.

• A description of network topology, which includes information about the interconnection of nodes (i.e., network devices and end systems (hosts)) and which specifies the devices capable of and trusted to enforce MLF security policy. A more detailed explanation of the network topology information and how it is used by the MLF is given below.

3.4 Multilayer Firewall Operation

Traditional firewalls are normally configured by a firewall administrator entering filtering rules for a particular enforcement engine. Some firewalls [21] allow the administrator to configure multiple engines from a single user interface. The administrator specifies in each rule the set of enforcement engines that the rule affects.

Since the MLF may potentially control a large number of enforcement engines and since the filter sets for these engines (to ensure the highest possible efficiency) are normally different, relying on the administrator to decide which high-level policy statements affect which enforcement devices could lead to misconfigurations. Therefore, the MLF determines which devices are the target of a policy statement. The administrator does not identify these devices.

Devices are selected in the following manner. The high-level policy statements specify which hosts are allowed to inter-communicate using a specified set of application protocols. For example, the high-level language of the prototype (described below) allows the firewall administrator to collect hosts into host groups and then specify policy statements using these or an
individual host tag as identifiers. A statement consists of a source host or host group, a destination host or host group, a protocol (e.g., FTP, Telnet), an action (i.e., allow or disallow) and an enforcement point (source, destination or both; this is explained below). For each statement in the high-level policy specification, the MLF: 1) determines the set of enforcement devices that must implement the statement, 2) compiles the statement into low-level commands or configuration data for each type of device (there may be more than one device type represented in the set), and 3) accumulates the low-level data for later delivery to the device.

The MLF decides which devices are affected by a particular statement by consulting the topology information, represented as follows. Each enforcement device is an "active" node. All hosts that do not enforce policy are "passive" nodes. The physical topology of the network is used to determine the passive nodes "associated" with an active node. A passive node is associated with an active node if traffic from the passive node may reach the active node without passing through another active node. Note that passive nodes may be associated with more than one active node. Finally, all active nodes are considered to be associated with themselves (this is important only if the active node can be the destination of network traffic, rather than always acting as a transit point).

When the MLF processes a high-level policy statement, it first determines whether there is a path between any host in the source set and any host in the destination set that does not pass through an active node. If so, the statement is flagged as unenforceable, and the administrator notified.

If the rule is enforceable, the MLF examines the source and destination hosts or host groups and determines a cut vertex set in the network topology graph that separates the source from the destination. Only active nodes may be members of the set. For each device type represented in the cut vertex set, the MLF translates the high-level policy statement into low-level data for that type and stores it in a file for the appropriate devices. When all statements are processed, the MLF transports each file to its associated devices.

Using a cut-vertex set of active nodes allows the MLF to operate in a heterogeneous environment. That is, only the active nodes must be capable of communicating with the management station and enforcing policy. Legacy devices and those without MLF functionality require no modifications to work in an MLF environment.

The best possible efficiency is obtained if the MLF computes a minimum cut vertex set for each high-level policy statement. However, computing cut vertex sets for large graphs can be computationally intensive. Consequently, an MLF may utilize heuristics to compute a cut vertex set that is not guaranteed to be minimal, but which is likely to be in many cases. For example, our prototype utilizes the last field of the policy rule (enforcement point) to quickly compute a cut vertex set associated either with the source, the destination or the union of these two sets (when "both" is specified) to accommodate cases for which double enforcement is desirable.

Distribution of the low-level device information is achieved in one of two ways. If the device is not capable of persistently storing its filtering data, the MLF management station stores it in the persistent store, then signals the device to update its enforcement data. The device then retrieves the data from the persistent store. If the device is capable of persistently storing its filtering data, the MLF management station contacts it and moves the data to it directly. The MLF could use SNMP, a combination of Telnet and FTP (or TFTP), when the device supports these protocols, or some other configuration data transport mechanism. Use of these protocols for management requires initial device filter configuration data that permits traffic of this type to reach it.

Some enforcement devices, such as remote access concentrators, are able to establish filtering data based on a user identity. For example, some support user authentication and authorization through a server such as RADIUS. As part of the authorization step, filters associated with that user are loaded into the concentrator and then used to enforce security policy for the user's connection. For these devices, low-level enforcement data may be retrieved without prompting by the MLF management station.

3.5 MLF Partitioning

Many organizations are divided into separate divisions, departments or business units that control their own computing and networking assets. In addition, some networks may be too large to manage as a single MLF. Finally, some networks are naturally partitioned into independent units based on classification level, physical security, or other characteristics. To accommodate such cases it is necessary to create MLF partitions that consist of a subset of the nodes in a network and manage each partition as a single MLF. In order for the hosts in these MLFs to communicate with one another, an MLF must support the specification of "external nodes," which represent other MLFs. The identifiers for these external nodes should be allowed to appear in high-level policy statements wherever hosts or host groups appear.

MLF partitioning introduces several management issues. First, connections between MLF partitions may
only occur at active nodes; otherwise, unauthorized traffic from one MLF partition could enter another. Secondly, policies specified in both MLF partitions control the communications between them. Since each MLF management station only displays its own policy, an administrator cannot determine from either MLF console how inter-MLF partition traffic is controlled (unless some auxiliary protocol is defined for the exchange of policy data between directly connected MLFs). Finally, since MLF partitions can be interconnected in a general graph, it may be difficult to determine what actual policy is enforced within the federated MLF partitioned network. This difficulty arises from transitivity considerations that cannot be analyzed from the data of a single MLF policy database.

3.6 MLF Applications

An MLF is useful in a number of different situations. We present two examples.

A significant security problem for many corporations is allowing business partners access to the corporation's internal network in order to share information vital to the partnership. This must be done in a way that doesn't give the partner access to information unrelated to the relationship [22]. Protecting communications between the partners' networks using protocols such as IPSEC does not achieve this objective, since once connected to an end system, an individual can use it to connect to other systems in the network through protocols such as telnet or rlogin.

One way to limit such access is to create an MLF partition consisting of the systems that contain the data to be shared. Policy can then be established within this partition that allows telnet, rlogin and other remote terminal session protocols to enter the partition, but prevents their use from systems within the partition to those outside it. Establishing this kind of directionality for other protocols, such as http, ftp, nfs, and so forth, can further tighten the protection provided.

Another situation in which an MLF is useful occurs when a large organization formed from smaller departments requires protection against an insider threat. If the volume of traffic within departments is significantly greater than that between them, host groups comprised of departmental systems may be used to specify inter-departmental security policy. Such policy can limit the kind of traffic moving between departments, thus providing limited protection against insider initiated intrusions. Other security functionality, such as auditing and intrusion detection, would further increase the network's ability to thwart insider attacks.

4. A Prototype

To test the concepts described above, we designed and implemented an MLF prototype. It has the ability to manage, analyze, and distribute high level firewall filtering policy in a network.

4.1 General Architecture

The MLF concept is implemented by using a network traffic analyzer and monitoring tool called Traffix along with Tartan, the MLF policy management tool. Tartan consists of a graphical user interface to create and edit policy and a policy engine that compiles the high level MLF policy, generates configuration information for the active nodes in the physical topology, and performs the configuration on the active nodes in the network.

4.2 Theory of Operation

A network administrator, Bob, uses Traffix to divide hosts on his network into logical groups. These groups can be semantic in nature, such as hosts grouped by the Marketing Department, the Engineering Department, and so forth. Using Traffix as an initial front end to set up the logical groups, the administrator can then invoke Tartan from a button on the Traffix console. He then is able to create and enforce MLF policy based on the logical group topology he created with Traffix. Through Tartan's graphical user interface, the administrator can add, delete, and change firewall policy between groups of hosts. Tartan's policy engine performs enforceability analysis and then distributes the policy throughout the network by reconfiguring the active nodes.

[Figure 1: block diagram with Tartan (GUI, Policy Engine, PersistentStore), Traffix, and Network]
Figure 1. General Architecture of Prototype
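The enforceability check and cut-vertex-set computation described in section 3, which Tartan's policy engine performs, applied to a topology file in the format of section 4.3 below, as an added example that is not the paper's prototype code. The sample file is constructed (a cut-down version of Figure 2 with the same keywords and the NetBuilderII device type), the labels stand in for IP addresses as in the paper, and the brute-force subset search for a minimum cut is an assumption, not the paper's method.

```python
# Added example, not the paper's Tartan code: parse a topology file in the section
# 4.3 format (labels stand in for IP addresses) and run section 3's analysis on it.
import shlex
from itertools import combinations

TOPOLOGY = """\
Topology "constructed sample: a cut-down version of Figure 2"
Active NetBuilderII X1 "userid" "pw1234"
Port 1 X1
Passive A
Passive B
Port 2 X2
Passive D
Active NetBuilderII Z1 "userid" "pw1234"
Port 1 Z1
Passive D
Port 2 Z2
Passive F
"""

def parse_topology(text):
    """Return ({active node: device type}, adjacency); each port's LAN is a clique."""
    active, lans, adj = {}, [], {}
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "Active":
            node = tok[2]; active[node] = tok[1]   # device named by its port-1 label
        elif tok[0] == "Port":
            lans.append([node])                    # the active node sits on this LAN
        elif tok[0] == "Passive":
            lans[-1].append(tok[1])                # "behind" that port
    for lan in lans:                               # hosts on one LAN reach each other
        for a in lan:                              # without crossing an active node
            adj.setdefault(a, set()).update(b for b in lan if b != a)
    return active, adj

def reachable(adj, sources, blocked):  # DFS that never enters a blocked node
    seen, stack = set(sources), list(sources)
    while stack:
        for nxt in adj[stack.pop()]:
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt); stack.append(nxt)
    return seen

def cut_vertex_set(adj, active, src, dst):
    """Smallest active-node set separating src from dst; None = unenforceable."""
    for k in range(len(active) + 1):  # brute force: costly for large graphs
        for cut in combinations(sorted(active), k):
            if not (reachable(adj, src, set(cut)) & set(dst)):
                return set(cut)
ACTIVE, ADJ = parse_topology(TOPOLOGY)
```

A statement from hosts A and B to F yields the cut set {"X1"}, while one between A and B, which share a LAN, yields None and would be flagged unenforceable; grouping a returned cut set by ACTIVE[node] is what selects the per-device-type translator.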
4.3 Physical Network Topology

An MLF not only needs information on logical topology, it also needs information on the physical layout of the network topology. Tartan views the network hardware topology as a collection of active nodes and passive interfaces. Active nodes are filter enforcing and remotely configurable devices, such as routers. Passive interfaces are network interfaces that are not on policy enforcing devices, such as workstations.

Figure 2 shows a sample physical network layout. The boxes labeled X and Z represent active nodes each with two ports that are labeled 1 and 2, e.g., ethernet interface cards. The circles labeled A, B, C, D, E, F, and G are workstations. The larger ellipses labeled Net1, Net2, and Net3 represent actual local area networks.

[Figure 2: active nodes X and Z with ports 1 and 2; workstations A, B, C on Net1; D, E on Net2; F, G on Net3]
Figure 2. Physical Network Topology

A specification of the physical topology of the network that Tartan can work with should be provided automatically by some network administration tool. However, Traffix does not presently supply this information. Finding and integrating a suitable tool was beyond the realizable scope of the prototype. Therefore, network topology is presently specified in a configuration file by an administrator (see section 4.6.7 for further discussion of this problem).

The topology file representing the above figure is as follows:

    Topology “BlackWatch Technology 13 June 1997”
    128.230.32.11 128.230.59.12
    Active NetBuilderII X1 “userid” “pw1234”
    Port 1 X1
    Passive A
    Passive B
    Passive C
    Port 2 X2
    Passive D
    Passive E
    Active NetBuilderII Z1 “userid” “pw1234”
    Port 1 Z1
    Passive D
    Passive E
    Port 2 Z2
    Passive F
    Passive G

The topology file contains the necessary information for Tartan to determine the lower level policy directives that must go to each active node within the physical topology. The keywords are: Topology, ManagementStation, Active, Port, and Passive. The first line in the file labels the topology with some identifying information. The second line labels the IP address(es) of the management station(s). The subsequent lines lay out the physical topology.

The physical topology specification is structured primarily by active node. Active node lines contain a type identifier and authentication information for configuring the active node. For the prototype, the authentication information consists of a user name and password. Use of a more secure authentication technique would be preferable for an MLF implementation intended for deployment.

Passive interfaces are considered to be “behind” a particular active node's port and are organized by port under each active node. For instance, in the above network, the passive interfaces A, B, and C are considered to be behind X's port 1 (represented by the symbol) because they are directly connected to that port via an ethernet cable. Likewise, passive interfaces D and E are considered to be behind X's port 2 and Z's port 1. Similarly, the passive interfaces F and G are considered to be behind Z's port 2.

NB: The topology file actually must contain only IP addresses to label the different active nodes and passive interfaces. However, for purposes of explaining this example in an understandable manner, please read the labels A, B, C, D, E, F, G, X1, X2, Z1, Z2 as visual replacements for unique IP addresses.

4.4 Creating an MLF Policy

The administrator Bob uses Traffix to group the hosts in a semantic manner disregarding physical network boundaries. For example, Bob organizes the hosts A through G by department, such as Sales, Engineering, and Management. Bob organizes the groups such that hosts A and D belong to Management; hosts B, C, and E belong to Sales; and hosts F and G belong to Engineering.

Once Bob specifies the topology and groups the hosts, he can use Tartan to create an MLF policy. An MLF policy is an ordered list of policy statements. Policy