Your SlideShare is downloading. ×
Design and Optimize Firewall for Mobile Networks
Design and Optimize Firewall for Mobile Networks
Design and Optimize Firewall for Mobile Networks
Design and Optimize Firewall for Mobile Networks
Design and Optimize Firewall for Mobile Networks
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Design and Optimize Firewall for Mobile Networks


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Design and Optimize Firewall for Mobile Networks Ying QIU, Jianying ZHOU, Feng BAO Institute for Infocomm Research (I2R) 21 Heng Mui Keng Terrace Singapore 119613 {qiuying, jyzhou, baofeng} Abstract — More and more activities (such as e-commerce, e- - The mobile node is an internal node; and learning, e-chat, etc.) rely on mobile devices. It becomes an im- - The mobile node is an external node of a firewall. portant issue on how to protect mobile users engaged in mobile services. Firewall is one of the security solutions. Unfortunately, In our paper, we focus on how to protect mobile nodes. the conventional firewalls are inappropriate for mobile networks Hence we pay more attention on the scenario where the mobile because of the limited computing and communication capabilities node is an internal node of a firewall. Figure 1 depicts the sce- of mobile devices. In this paper, we introduce the issues to be nario, and the following issues are stated in the draft: considered in designing a mobile firewall and compare two exist- 1) Issues with change of firewall: When a mobile node ing mobile firewall solutions. Then we evaluate the performance of a mobile firewall, and finally propose an optimized mobile roams to other domain served by a different firewall, firewall scheme. the mobile node might not be able to receive the in- coming packets since the new firewall does not have Keywords – Firewall, Mobile Network, MIPv6, M-Commerce, any states about the ongoing communication. Security. 2) Issues with triangular routing: When a mobile node roams within a network protected by a firewall, the I. INTRODUCTION packets forwarded from its home agent to the mobile More and more activities (such as e-commerce, e-learning, node’s CoA may be dropped since it does not match e-chat, etc.) rely on mobile devices. It becomes an important any existing entries in the firewall. issue on how to protect mobile users engaged in mobile ser- 3) Issues with change of care-of-address: When a mobile vices. Firewall is one of the security solutions. Unfortunately, node updates its CoA, it sends a binding update mes- the conventional firewalls are inappropriate for mobile net- sage (BU) to its home agent. The binding acknowledge works because in most case the mobile devices have limited message (BA) replied by the home agent can pass the bandwidth and CPU capability. firewall due to a state created previously in the fire- In this paper, we focus on the general gateway firewalls and wall. The problem is that the firewall however does not ignore the onboard firewalls. The latter is a slim version of have any state for the new incoming data packets, be- conventional firewalls and must be installed in the individual cause such packets are addressed to the new CoA, mobile devices. In addition, due to the involvement of Care-of- whereas the firewall state was created based on the old Address (CoA), Home-of-Address (HoA) and Home Agent CoA. The incoming packets are therefore dropped by (HA) in mobile IPv6 network, the current onboard firewalls the firewall. also face the challenges described in this paper. The rest of the paper is organized as follows. In Section II, we introduce the issues to be considered in designing a mobile Home Agent firewall, and compare two existing mobile firewall solutions. In Public Section III, we evaluate the performance of a mobile firewall, Mobile Node Firewall Network and propose an optimized mobile firewall scheme. Protected Network Correspondent Node II. PREVIOUSE WORK AND COMPARISION Some proposals on mobile firewall exist, such as the IETF Figure 1. The mobile node is an internal node of a firewall draft of “Mobile IPv6 and Firewalls Problem Statement” [1], The draft only described some concerns in designing a mo- which is called Le’s Suggestion, and “Roaming Active Filter- bile firewall, but it did not provide any detailed solution. ing Firewall” [2], which is called RAFF solution. B. RAFF Solution A. Le’s Suggestion RAFF is an ongoing project in Finland [2]. It is composed The draft [1] analyzed two scenarios of mobile node loca- of five agent services and three firewall components as showed tions: in Figure 2. 0-7803-8521-7/04/$20.00 (C) 2004 IEEE
  • 2. These five agent services are Home Agent (HA), Foreign 1) Authentication and authorization: This part focuses on Agent (FA), Extended Home Agent (EHA), Beachhead Agent how to authenticate between the HA and the MAP as (BA), and Correspondent Agent (CA). They are the exact well as between the MN and the MAP. The HA will points that all the MN’s traffics are routed. authorize the MAP as the security proxy when the MN roams into the MAP domain. These three firewall components are Home Active Filtering Firewall (HAFF), Beachhead Active Filtering Firewall 2) Control and monitor: This part focuses on how the (BAFF), and Correspondent Active Filtering Firewall (CAFF). guardian of the MN can control and monitor the MN’s activities. If the MAP is a trusted router, the HA will transfer to the MAP the defined security rules that will be applied on the communication to the MN (via the CA MAP) and then the firewall will be activated on the CN CAFF MAP. The MAP could send the MN’s traffic log to the EHA HA, and the administrator could monitor the mobile HAFF user’s activities by retrieving the MN’s traffic log via BA the HA. The administrator could also remotely control BAFF the mobile user’s activities by dynamically updating Home the security rules of the mobile user. Public Network MN Network HA 3) Management: This part focuses on how to effectively Foreign manage the security stuff, such as security keys, secu- FA Network rity associations, security rules, etc. in order to mini- mize the overheads on mobile devices and provide Figure 2. Roaming Active Filtering Firewall Concept strong security. The basic idea is that the firewall actions are distributed HA among these components. Home Active Firewall located in the same Active Server as EHA will always be the first to get all packets directed to Mobile Node. Thus, this particular Active Public CN Server is a perfect place for rules that restrict the whole IP ad- Network dresses and the entire IP spaces. The restriction is taken care of by the HAFF. User may, at any given time, dynamically con- figure the firewall tree. The traffic filtered according to pure IP addresses will be MAP RCoA routed to an Active Server running the BA. BAFF has more detailed filtering rules than HAFF. BAFF will filter out un- wanted traffic based on protocol and port number information. The BA is the logical place to do this because some of the LCoA1 AR1 AR2 LCoA2 routes might be optimized to go directly from CA to BA (and not via EHA). movement MN CAFF may or may not participate in traffic filtering. In a situation where a particular Correspondent Node and a Mobile Node have a lot of traffic in between the filtering rules can be MAP Domain transferred to CAFF, thus load balancing the network and re- ducing obsolete (unwanted traffic will be discarded at BAFF anyway) traffic between CAFF and BAFF. Figure 3. HMIPv6 Framework C. CBU Solution After receiving the security rules and the MN’s binding up- Our CBU Solution [6] is based on the Certificate-based date message, the MAP creates an entry for the MN which in- Binding Update [3] and the HMIPv6 [4]. Figure 3 shows the cludes its home address (HoA) as index, Regional Care-of- framework of HMIPv6. Address (RCoA), On-Link Care-of-Address (LCoA), security keys and the security rules, and adds the entry to the MAP’s In our scheme, the Home Agent (HA) authorizes the Mo- access control cache. When the MN leaves the MAP, the MAP bile Anchor Point (MAP) as the security proxy on behalf of the can delete this entry from the access control cache. HA when the Mobile Node (MN) visits the MAP subnet. When the HA negotiates with the Correspondent Node (CN) about When a packet routes through the MAP to the MN, the Security Association (SA) and shared keys, it also negotiates MAP will retrieve the MN’s entry and decide whether to for- with the MAP about security key and transfers to the MAP the ward or to drop the packet. defined security rules for the MN. Meanwhile, the MAP can send the MN’s traffic log to the There are three main parts in our scheme: HA at specified intervals. The parents or guardians can monitor 0-7803-8521-7/04/$20.00 (C) 2004 IEEE
  • 3. the MN’s (the child) activities by reviewing the MN’s traffic 378 bytes, respectively. If every mobile node is assigned about log from a remote machine. If necessary, the parents can mod- 10 rules, it means that every mobile node will occupy about ify the security policy stored in the HA for the MN, then the 900 bytes. HA sends the updated security rules to the MAP. Normally, the MAP is a router that provides services for The operation is transparent to the MN. The MN will be campus or communities and serves thousands of mobile nodes. served in a way specified by his administrator no matter where Therefore the total overheads on memory are less than 10M he roams. bytes for 10,000 users. Today, consuming 10M-byte memory is not a big deal for most routers. Furthermore, before the MN could finally register with the MAP, the MAP should be authenticated by the HA. If the MAP is a denied router on the HA’s access control list, the HA could B. Overheads of Computing inform the MN to choose another nearby MAP. Before the MAP plays the role of firewall for a mobile node, there is a process of authentication and authorization D. Comparison between the HA and the MAP. The process is in IKE style. Many software solutions could easily support tens of IKE Our CBU solution satisfies the requirements stated in Sec- handshakes per second. In hardware catalog, Motorola tion II-A. MPC190 supports 520 IKE handshakes per second. Suppose For the issues with change of firewall, before a mobile node that a user exchanges the master key at every 10 minutes (in finally registers with a MAP, it must get the approval from its practice, a master key lifetime is much longer than that), Mo- home agent. After authenticating and trusting the MAP, the HA torola MPC190 has the capability of serving 312,000 users at will issue the security rules of the MN to the MAP and author- the same time. It is far beyond the MAP requirement. There- ize the MAP as a security proxy for the MN. Hence a virtual fore, the process of authentication and authorization in our pro- firewall will be set up at the MAP based the MN’s security posal would not break the traffic significantly. rules. C. Overheads of Communication For the second issue of triangular routing, it is not a prob- lem any more in the CBU solution. Since the MAP handles all Normally, the enterprise firewalls are only installed with security rules of the MN, the MAP can manage all the commu- hundreds of rules. However, since our proposal focuses on in- nications between the CN and the MN as a normal firewall. dividual mobile node that may be bundled tens of rules each, the total rules in our mobile firewall may be more than The purpose of introducing MAP in mobile network is to 100,000. It could be a nightmare for a router. provide the localized mobility management for the visiting mobile nodes. When a mobile node roams within the domain of In order to evaluate the performance of a firewall with huge a MAP, its Regional Care-of-Address (RCoA) is not changed amount of rules, we set up a simulation testbed as below (Fig- although its On-Link Care-of-Address (LCoA) might be al- ure 4) – a router connects two PCs: ways changing. Therefore, the CBU solution can avoid the trouble of shifting from an old CoA to a new CoA – the third issue stated in Section II-A. Let’s compare between RAFF and CBU solutions. Both of them use a router in the foreign network as a virtual firewall. But the RAFF solution does not provide a mechanism to au- thenticate and encrypt the messages between the HA and the PC1 Router PC2 foreign firewall. Moreover, the RAFF solution employs three with firewall virtual firewalls for a mobile node that are located at the home agent, the foreign agent and the correspondence node. Com- Figure 4. Testbed pared with the CBU solution that only needs one virtual fire- wall at the MAP, the RAFF solution seems too complicated. The router is configured with P4-2.4GHz processor, 100Mbps network card, 512M memory and Linux Kernel III. PERFORMANCE CONSINDERATION & OPTIMIZATION 2.4.18-4. We install various amounts of firewall rules on the router. Testing program TTCP is used to test the performance. In this section, we evaluate the overheads of the CBU solu- We test the throughput between two PCs. tion in term of memory, computing and communication at a router (MAP). Meanwhile, we also simulate the mobile firewall Figure 5 shows the throughput performance affected by the performances with huge amount of rules. amount of rules. The performance is not affected seriously if the number of rules is less than 2500. However, if the number A. Overheads of Memory is more than 5000, the effect is significant. In our proposal, the MAP holds two caches: the security Figure 6 shows the UDP connection performance affected rule cache (ref. table 2 in [6]), and the security association by the amount of rules. The connecting rate is kept at same cache (ref. table 4 in [6]). Suppose that the universal time and level if the number of rule is less than 2500. Even if the num- 3DES keys are used, the sizes of each entry in the security rule ber is 5000, the connecting rate is 70% connections when the cache and in the security association cache are 51 bytes and firewall is disabled. 0-7803-8521-7/04/$20.00 (C) 2004 IEEE
  • 4. Rules & Performance Performance Comparision 10000 10000 8000 8000 performance (KB/s) performance (KB/s) 6000 6000 4000 4000 2000 2000 0 0 0 1000 2000 3000 4000 5000 6000 0 1000 2000 3000 4000 5000 6000 number of rules number of rules data: 2GB data: 8GB data: 64GB P4-2.4GHz 512M P3-700MHz 256M Figure 5. Throughput Performance Figure 8. Performance Comparision between P4 and P3 UDP Connection rules are installed, the more powerful router P4 performs 70% original throughput while the P3 router only provides less than 1600 50% performance. connecting rate (calls/sec) 1400 1200 D. Optimization 1000 800 According to the above simulation results, the performance 600 drops significantly when the number of installed rules is in- 400 creased. In order not to cut the performance of the edge router, 200 we propose a new MAP architecture in Figure 9. 0 0 2000 4000 6000 8000 10000 12000 14000 Internet number of rules packet size: 8192 bytes; repeat: 2048 Figure 6. UDP Connection Performance Router Figure 7 shows the performance affected by the number of data bytes in each packet. As the traffic size between mobile nodes is usually small (such as SMS), we pay more attention on the packets with small size. The performance is worse if the SMAP1 SMAP2 SMAPn-1 SMAPn packet size is smaller than MTU (usually 1500 bytes). When the packet size is larger than MTU, the curves are smooth. mobile mobile mobile mobile Packet Size & Performance group 1 group 2 group n-1 group n 10000 normal 8000 performance (KB/s) network 6000 4000 Figure 9. New MAP Architecture 2000 In this new architecture, the edge router forces all requests 0 from/to the mobile nodes to go to a set of specific servers, e.g. 0 500 1000 1500 2000 2500 3000 3500 4000 4500 SMAP1, SMAP2, …, SMAPn-1 and SMAPn. The specific server number of data bytes in each packet SMAP1 does the access control proxy for mobile group 1, firewall disable 250 rules 1000 rules 5000 rules SMAP2 does that for mobile group 2, and so on. Each group holds a smaller amount of mobile nodes. The edge router will forward the packets to the specific server instead of directly Figure 7. Packet Size and Performance forwarding to the mobile node. As the edge router is only re- We also compared the performances at two routers with quired to forward packets, its performance would not drop. different configurations. One is configured with Intel Pentium On the other hand, all of the specific servers are fixed ma- 4-2.4GHz, 512M memory and Linux Kernel 2.4.18; the other is chines and are connected to a wired network. The band-width configured with Pentium 3-700MHz, 256M memory and Linux in wired networks (10Gbps) is much faster than that in mobile Kernel 2.4.18. Figure 8 shows the comparison. When 2500 networks (100Mbps in the fourth generation mobile network) 0-7803-8521-7/04/$20.00 (C) 2004 IEEE
  • 5. and network is more stable than the mobile network. Moreover, REFERENCES the fixed machines are much more powerful than mobile de- [1] F. Le, S. Faccin, and B. Patil, “Mobile IPv6 and Firewalls Problem vices. Therefore, the mobile nodes would not feel any traffic Statement”, IETF INTERNET-DRAFT, February 2004. jams. [2] S. Lehtonen, K. Ahola, T. Koskinen, M. Lyijynen, and J. Pesola, “Roaming Active Filtering Firewall”, SOC 2003. IV. CONCLUSION [3] R. H. Deng, J. Zhou, and F. Bao, “Defending Against Redirect Attacks In this paper, we first introduced the issues to be considered in Mobile IP”, 9th ACM Conference on Computer and Communications in designing a mobile firewall, and compared the CBU solu- Security, pages 59--67, Washington, DC, November 2002, ACM Press. tions with the RAFF solution. As a result, we concluded the [4] H. Soliman and K. El-Malki, “Hierarchical MIPv6 Mobility CBU solution is more practical and efficient, satisfying those Management (HMIPv6)”, IETF INTERNET-DRAFT. specific requirements of mobile firewall. We also evaluated the [5] D. B. Johson and C. Perkins, “Mobility Support in IPv6”, IETF performance of a mobile firewall, and finally proposed an op- INTERNET-DRAFT. timized scheme thus its performance does not drop signifi- [6] Y. Qiu, J. Zhou, and F. Bao, “Mobile Personal Firewall”, IEEE cantly even if a large number of rules are installed on such a International Symposium on Personal, Indoor and Mobile Radio firewall. Communications, Spain, September 2004. 0-7803-8521-7/04/$20.00 (C) 2004 IEEE