Your SlideShare is downloading. ×
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Linux Firewall Management System (LFMS)
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Linux Firewall Management System (LFMS)

2,111

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
2,111
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
48
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Linux Firewall Management System (LFMS) By: Allen Gilliland IV Sunil Kumar Verma Vishal Gulu Gurbuxani THESIS Submitted in Partial Fulfillment of the Requirements for the Degree of Bachelor of Science in Computer Engineering in the School of Engineering of Santa Clara University, 2002 Santa Clara, California
  • 2. Table of Contents I. Abstract…….……………………………..…………………………………………………………………………………2 II. Executive Summary…….……………………………..………………………………………………………….…2 III. Introduction….……………………………..……………………………………………………………………….…4 IV. Background Information...............................................................................6 4.1) Linux ....................................................................................................6 4.2) Firewall.................................................................................................9 4.3) Iptables ..............................................................................................10 V. Preliminary Research ..................................................................................11 5.1) Kernel Module......................................................................................11 5.2) Programming Languages.......................................................................11 5.3) Iptables Communication .......................................................................12 VI. Implementation ........................................................................................14 6.1) LFMS Server/Client...............................................................................14 6.2) LFMS Admin ........................................................................................17 6.3) Middleware..........................................................................................18 6.3.1) eXtensible Markup Language – XML..................................................18 6.3.2) XML is for structuring data ..............................................................18 6.3.4) XML is modular ..............................................................................21 6.3.5) XML is license-free, platform-independent and well-supported .............22 6.3.6) Security ........................................................................................22 6.4) Testing Procedures ...............................................................................25 VII. Scenarios................................................................................................26 7.1) Global Area Network (GAN), Corporate Scenario ......................................26 7.2) Metropolitan Area Network (MAN), Internet Service Provider .....................27 7.3) Local Area Network (LAN), School Scenario .............................................29 VIII. Product Comparison ................................................................................30 8.1) Symantec Enterprise Firewall.................................................................31 IX. Contributors .............................................................................................32 9.1) Advisor ...............................................................................................32 9.2) Budget................................................................................................33 9.3) Participants .........................................................................................33 9.4) Open Source .......................................................................................33 X. Conclusion.................................................................................................33 XI. References ...............................................................................................35 XII. Appendix .............................................................................................36 11.1) LFMS-Admin...................................................................................36 11.2) LFMS-Client....................................................................................36 11.3) LFMS-Server ..................................................................................36 11.4) Middleware.....................................................................................36 Table of Figures Figure 1......................................................................................................................... 26 Figure 2......................................................................................................................... 26 Figure 3......................................................................................................................... 26 Figure 4......................................................................................................................... 26 Figure 5......................................................................................................................... 26 Figure 6......................................................................................................................... 26 1
  • 3. Linux Firewall Management System (LFMS) By: Allen Gilliland, Sunil Verma, Vishal Gurbuxani I. Abstract This document details the functionality, design, and implementation of the Linux Firewall Management System (LFMS) project. The purpose of LFMS is to provide an application capable of easily administrating any number of firewalls, and to provide this under an open source license. The LFMS project will produce two components. The first one is the core process daemon, which will run as a native Linux process and can be executed in either client or server mode. The second component is a Graphical User Interface (GUI) that will provide a simple and intuitive way to configure the firewall. The central concept of the project is to use a client/server inheritance model to make the firewall configuration process fast and simple. II. Executive Summary The goal of the Linux Firewall Management System (LFMS) is to design a system that allows its user to easily configure and manage many firewalls at the same time. The key to this system is client/server inheritance. By setting up an architecture through which a server or group of servers manages any number of clients by automatically sending new firewall configurations to each client, the system effectively eliminates the time used to configure each firewall individually. Combine the functionality of this system with a simple yet elegant GUI configuration interface and a very handy tool is at an administrators’ disposal; but this is just the tip of the iceberg. 2
  • 4. LFMS is packed full of necessary and desirable features. First and foremost is security. Security is a huge issue in computing today, and it is a huge issue with LFMS as well. The LFMS system will take advantage of every chance to make itself secure, from securely encrypted transmissions over the Internet, to secure user authentication and registration. Making the system secure is at the very forefront of ideals for the LFMS system. Another key feature of LFMS is its GUI configuration interface. We wanted to make the interface simple, powerful, flexible, and of course secure. The interface is written in Java, which allows a great deal of flexibility. Java offers the ability to take the configuration interface to any platform without worrying about obtaining a different copy or having it work slightly different. The configuration interface is also designed to work securely over the Internet, thus allowing the administrator to configure firewalls in New York, while at a conference in Prague. The logging capabilities of LFMS are designed to provide as much information as possible to the administrator. To best understand the uses of LFMS we provide this simple scenario. A boss goes to his network administrator and details how the company is planning to expand and they need higher network security and more firewalls. The administrator grimaces for a second and then remembers that the LFMS software he uses is great for adding and configuring firewalls. To add new firewalls, all that needs to be done is to install the LFMS application on a new computer, start it running in client mode, tell it what server to use, and now 3
  • 5. he has another firewall up and running. Then, the administrator decides to tighten security by removing some allowances in the firewall. So, he or she fires up the LFMS GUI interface, logs into the LFMS server, a few clicks later the changes have been made, and then, almost magically, all the client firewalls are updated automatically as well. Job completed, time for lunch. The purpose of computing is to make our lives at least a little bit easier, and LFMS does just that. It takes a job that would normally be long and tedious, and organizes it through a simple yet powerful system. With its powerful features, great security, and elegant GUI interface, it can save hours of work and hundreds of headaches. III. Introduction With all eyes on security these days, cyber safety is among the top priorities on the list. The purpose of this project is to produce a dynamic firewall that will be easier, effective, and more powerful than any other open source firewall available today. The purpose of a firewall is to block unwanted users from entering a computer, while at the same time allowing people to surf their internal network or the Internet. A key advantage of having a firewall setup is that an administrator can configure the traffic that passes through systems’ gateways. The advantages of using our firewall over conventional hardware implementations or other software is that our dynamic nature allows the administrator to create one set of rules for the network, and then for the end 4
  • 6. users to adapt those rules by inheriting them from the key server. This feature allows each individual user to have its own firewall lessening up the load on the main server. This saves time and the hassles of trouble shooting each and every individual computer thus saving huge amounts of effort on the administrator’s part and unmentionable amounts of money. The scope of this project is to create the basic software needed to implement the firewall on a PC using Linux. The software will include the firewall algorithms used to check the packets validity and access, a GUI for users to easily configure the firewall to their specifications, and logging features that will allow the admin to know what is going on. Future enhancements are still in the process of being determined. A later section in this paper called Scenarios, covers some of the real world issues that will show how LFMS works. The main network topologies that are covered here are the WAN [wide area network], GAN/ISP [global area network / internet service provider], and the LAN [local area network]. Each of these networks has applications that make LFMS a key solution in protecting the network. 5
  • 7. IV. Background Information 4.1) Linux Linux, like Windows NT and Mac OS, is an operating system, or OS for short. The OS is the application that the computer runs when it is first turned on, and every computer has to have one or it won't be able to function. The OS coordinates all of the computer's components into a single, integrated unit. Many companies have proprietary operating systems, such as Microsoft's Windows NT and Apple's Mac OS. Linux, however, is different. Most of it is copyrighted by Linus Torvalds under a rather unusual copyright which states that individuals must give acknowledgement to people whose code they have used. The open source movement, which has taken the programming community by storm, is aimed to develop software incrementally and by anyone who is interested. Thousands of developers from around the world are volunteering their free time to improve the Linux OS. Why Use Linux: Cost The Linux OS is entirely cost and license free. The only expenses involved are those of hardware and maintenance. OS Stability Linux almost never freezes under normal use. Linux has been known to run some applications for months and years at a time; these same applications normally cause Windows to freeze. 6
  • 8. Support Support for the Linux OS is entirely free. There are local Linux users' groups (LUGs) one can contact for support. There are chat channels on the Internet Relay Chat Network (IRC), which provide live Linux support. Thousands of websites can be found to help Linux users from novice to expert. Portability Linux was first developed for 386/486-based PCs. These days it also runs on ARMs, DEC Alphas, SUN Sparcs, M68000 machines (like Atari and Amiga), MIPS and PowerPCs, and others. So no matter what the computer is, Linux will work on the hardware. Power and Customization Linux makes full use of the computer. Linux can be tailored to a specific hardware and software configuration. It has the ability to connect several different types of machines together; for example, Linux can run both the Samba protocol (which Windows understands), and AppleTalk (for Mac users), so it can act as a Windows/Mac bridge, even though it is running on SPARC hardware. 7
  • 9. Disadvantages of Using Linux: Interface Windows and Mac OS use a native Graphical User Interface (GUI). Traditionally, Linux (and other UNIXes) have used a Command Line Interface (CLI), similar to DOS. Developers are slowly changing this by making a GUI interface which will run on Linux. Interface Stability Linux changes daily to reflect growing interest in new hardware and software capabilities. However, it is up to the user to upgrade to the latest OS. Support Since there are many Linux distributions running the same Linux kernel, support is not centralized to one company. Several companies are adding support sites to their distribution, but it costs a lot of money at this time. Maintenance Some of the Linux’s programs are not well documented. It takes an administrator’s patience and technical intuitiveness to understand some Linux installations. 8
  • 10. Technical Nature Linux is not for everyone. It has many tools that require time to learn. Of course, so does any other OS. Familiarity and curiosity with the software development process are pluses. Accountability Use of Linux is entirely at one’s own risk. Businesses primarily remained out of the Linux space because of this fact. However in today’s economy, companies are realizing that Linux is actually one of the best operating systems out there due to its stability and cost. 4.2) Firewall Figure 1 Essentially, a firewall operates between the OS and the network card. It analyzes each network packet, by comparing it to a set of rules, which tell the program if the packet is acceptable by the OS or not. Figure 1 shows a network packet contents. The firewall goes through the five fields: Ethernet header, IP header, ICMP header, user data, and Ethernet crc, checking on a rule that has a ban specified. A firewall rule specifies the criteria for a packet 9
  • 11. and a target. If the packet does not match, the next rule in the chain is then examined; if it does match, then the next rule is specified by the value of the target which can be the name of a user-defined chain, or one of the special values ACCEPT, DROP, QUEUE, or RETURN. ACCEPT means to let the packet through; DROP means to drop the packet; QUEUE means to pass the packet to user space; RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached, or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet. 4.3) Iptables Iptables is a firewall program which comes standard on most popular Linux distributions and is the firewall of choice by most Linux administrators. It is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. There are several different tables which may be defined, and each table contains a number of built-in chains and may contain user-defined chains. Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet which matches. This is called a `target', which may be a jump to a user-defined chain in the same table. The program is open source, and is always being updated. We are using Iptables as our firewall primarily because it comes with most Linux distributions and is currently the firewall of choice by most Linux administrators. 10
  • 12. V. Preliminary Research 5.1) Kernel Module The first thought that came to our team's mind was to make the LFMS a loadable kernel module that could easily communicate with aspects of the kernel as well as communicate with our firewall. We researched the Internet and found some great documents on how to write kernel modules and the purpose of writing programs to run inside the kernel. To our surprise we realized that the only reason we needed our program to run as a module was in order to communicate with the firewall software, which is also a kernel module. After more research, we found that there was really no need for us to write our program as a kernel module because there was already an API available for talking to the firewall software, and we didn't need to access the hardware directly or make use of any other features of kernel code. At this point, we decided to abandon writing our system as a kernel module and instead decided to just write it as a process application. 5.2) Programming Languages We weren't too sure what programming languages we wanted to use to create our system. We knew that there were many possibilities and each had its own advantages and disadvantages. At first, we were looking at writing 3 programs: the application process, the interface, and the traffic generator for testing. The application process is the core of the system and it runs on each firewall in one of two modes-- client or server. We decided to keep the client and server applications together in one application to provide the most 11
  • 13. flexibility possible. We thought about using C for everything at first, but many challenges quickly arose. We wanted to write the process in C, but it seemed that the interface and traffic generator would be much more cumbersome to write in C. At this point, we turned to Java, which had many benefits to offer. While we liked the idea of using Java for everything, again we met some strong disadvantages to that approach as well. Eventually we decided to use C to write our process application. This decision came because C is a more native language to Linux. It offers better performance than Java, and most importantly was the fact that the Iptables firewall interface API was already written in C. We then considered using Tcl/Tk to write our interface because we read that C and Tcl/Tk work well together. However, in the end we decided to use Java for the interface. Java offered more advantages than Tcl/Tk and C for the interface: first, it is portable, so the interface could run on any platform; second, all of our team members are proficient Java programmers, not true with C and Tcl/Tk; third, it provides a nicer set of built in GUI options to make our interface look nicer. We then decided to make the traffic generator in Java as well because it didn't really matter what language that was in, but making it in Java would be the easiest. So, we have an application process written in C, a GUI interface written in Java, and a traffic generator also written in Java. 5.3) Iptables Communication One of the key challenges in our project is to find an adequate way for our process to communicate with the firewall. In the Linux case, the firewall is 12
  • 14. Iptables. At first, we thought this communication would have to come through the use of a Linux kernel module, but some research quickly proved us wrong. What we discovered instead was that the Iptables writer had also written an Iptables API that would allow other processes to communicate with Iptables and pass information. This library is written in C and is called libiptc. It was the key research element of our project. It provides key functionality to our process and is the backbone of our system. Using this API, we wrote our process so that it knows how to query Iptables for its configuration, and is able to update Iptables with configuration changes. 13
  • 15. VI. Implementation Figure 2 – A typical view of the LFMS System 6.1) LFMS Server/Client The server application is the component that delivers what this project proposes. This component will be a single application capable of running in one of two possible modes: client or server. In server mode the application becomes responsible for delivering firewall configurations to any client that request a configuration. While running in client mode the process will periodically check its designated server for a possible configuration change, and if a change has occurred then the new configuration is retrieved. The interval is set during LFMS-Client installation. The LFMS Server process has a great deal of features to make it robust, secure, and useful. The most important feature is security. LFMS is a network 14
  • 16. based application, and therefore security is a very important issue. All connections made by the process will be done using secure protocols. The process will also support well documented logging features to help aid system administrators. Although a firewall is only capable of having a single configuration at any given time, LFMS will provide a feature that allows the storing of multiple configurations on any server. This will allow a single server to host a wide range of different firewalls, which can all have their own unique configuration. This component will be running native to Linux and is implemented using the C programming language. The LFMS Server receives an XML configuration file from the LFMS GUI component, after a successful authentication has been achieved (via SSL). The LFMS Server parses through the XML file and insures that the XML file is valid and authentic. The LFMS Server is now ready to receive connections from any allowed LFMS Client. The LFMS Client connects to the LFMS Server at a set interval determined during installation. The Client connects to the Server via SSL and IP address. After the LFMS Server has authenticated the Client’s IP address and SSL key, the Server checks to see if the firewall configuration on the Client is up to date. If the configuration is old, the Server logs it appropriately and sends the Client the new rules. If the configuration is up to date, the Server sends a no_update command, which signals a disconnection. 15
  • 17. The iptables API, libiptc, was created as a conduit to directly interact with the firewall structures contained in iptables. The LFMS Client process interacts directly with these functions as a way to configure the firewall policies. After the LFMS Client receives the XML file from the Server, it goes on to initiate a local firewall configuration using the libiptc API. This in turn configures the firewall for the LFMS Client. Put in another way, the LFMS-Server component is the center piece of the LFMS system. It acts as both server and client in the LFMS system hierarchy and provides the system's core functionality. 16
  • 18. 6.2) LFMS Admin Figure 3 In order to provide flexibility, the LFMS system to provide an easy way to configure a firewall. The process handles the exchanging of firewall configurations once a configuration has been created, but it doesn't provide an easy way to create a configuration. That job is meant for the second major component of the LFMS system; the GUI Configuration Tool. We want to make it clear that the process application works without the need of the GUI Configuration Tool. This tool is developed simply to add more ease of use to the LFMS system. 17
  • 19. This tool is developed in Java in order to make it as portable as possible. An example firewall interface screenshot can be seen in Figure 2. It is capable of being run over the internet and connecting to any LFMS process running in either client or server mode. As mentioned before, this connection will be made using only secure protocols and encrypted transmissions. Once connected to an LFMS process application the GUI Configuration Tool will be capable of controlling any aspect of the application. It also provides a nice interface to allow its user to add, remove, and modify the rules of the firewall being configured. Simply put, the GUI Configuration Tool is just icing on the cake. 6.3) Middleware The middleware is essentially the glue that connects the client and server parts of our project. The middleware helps to transport data between components in a way that is understandable by all the parts of the project. LFMS used XML to get the information across in an unambiguous way so that information that the server needed was readily available. 6.3.1) eXtensible Markup Language – XML XML has many advantages over other middleware, many of which will be explained below. 6.3.2) XML is for structuring data Structured data includes things like spreadsheets, address books, configuration parameters, financial transactions, and technical drawings. XML is a set of rules (you may also think of them as guidelines or conventions) for 18
  • 20. designing text formats that let you structure your data. XML is not a programming language, and you don't have to be a programmer to use it or learn it. XML makes it easy for a computer to generate data, read data, and ensure that the data structure is unambiguous. XML avoids common pitfalls in language design: it is extensible, platform-independent, and it supports internationalization and localization. 6.3.3) DTDs and XML Schemas Document Type Definitions and XML Schemas both provide descriptions of document structures. The emphasis is on making those descriptions readable to automated processors such as parsers, editors, and other XML-based tools. They can also carry information for human consumption, describing what different elements should contain, how they should be used, and what interactions may take place between parts of a document. Although they use very different syntax to achieve this task, they both create documentation. Perhaps the most important thing DTDs and XML Schemas do is set expectations, using a formal vocabulary and other information to lay ground rules for document structures. Two parsers, given a document and a DTD, should have the same opinion about whether that document is valid, and different schema processors should similarly agree on whether or not a document conforms to the rules in a given schema. XML editing applications can use DTDs and schemas as frameworks, letting users create documents that meet these expectations. Similarly, developers can use DTDs and XML 19
  • 21. Schemas as a foundation on which to plan transformations from one format to another. Having DTDs and XML Schemas brings another aspect of security to our project. We have something to check against when our server receives the XML file from our admin. We have included a sample DTD, XML Schema, and simple XML file that we used for the project. The DTD: <!DOCTYPE firewall [ <!ELEMENT firewall (policy+,rule+,table+,chain+,target*)> <!ELEMENT policy (#PCDATA)> <!ELEMENT rule (#PCDATA)> <!ELEMENT table (#PCDATA)> <!ELEMENT chain (#PCDATA)> <!ELEMENT target (#PCDATA)> ]> The XML Schema: <xs:schema xmlns:xs="http://www.w3.org/2000/10/XMLSchema"> <xs:annotation> <xs:documentation> A sample XML schema based on your input. </xs:documentation> </xs:annotation> <xs:element name="firewall" type="firewallType"/> <xs:complexType name="firewallType"> <xs:sequence> <xs:element name="policy" type="xs:string" minOccurs="1" maxOccurs="unbounded" /> <xs:element name="rule" type="xs:string" minOccurs="1" maxOccurs="unbounded" /> <xs:element name="table" type="xs:string" minOccurs="1" maxOccurs="unbounded" /> <xs:element name="chain" type="xs:string" minOccurs="1" maxOccurs="unbounded" /> <xs:element name="target" type="xs:string" minOccurs="0" maxOccurs="unbounded" /> </xs:sequence> </xs:complexType> </xs:schema> 20
  • 22. The XML file that uses both of the above validating methods to transfer data: <firewall> <policy>…</policy> <rule>…</rule> <table>…</table> <chain>…</chain> <target>…</target> </firewall> The user input is represented by the dotted lines. This is where our GUI would input the information that would represent each one of those categories. Having many channels for checking the source and destination helps in keeping LFMS secure. 6.3.4) XML is modular XML allows you to define a new document format by combining and reusing other formats. Since two formats developed independently may have elements or attributes with the same name, care must be taken when combining those formats (does "<p>" mean "paragraph" from this format or "person" from that one?). To eliminate name confusion when combining formats, XML provides a namespace mechanism. XSL and RDF are good examples of XML-based formats that use namespaces. XML Schema is designed to mirror this support for modularity at the level of defining XML document structures, by making it easy to combine two schemas to produce a third which covers a merged document structure. Figure 4 21
  • 23. 6.3.5) XML is license-free, platform-independent and well-supported By choosing XML as the basis for a project, you gain access to a large and growing community of tools (one of which may already do what you need!) and engineers experienced in the technology. Opting for XML is a bit like choosing SQL for databases: you still have to build your own database and your own programs and procedures that manipulate it, and there are many tools available and many people who can help you. And since XML is license- free, you can build your own software around it without paying anybody anything. Now that we know how XML is better than other technologies, how did we intergrate it into our project. Lets start with the GUI. The GUI uses XML parsers to model our data in a readable format that is well understood and easy to manipulate. The GUI would sends the XML to the LFMS server. The server’s responsibilites would be to Parse the XML file and send the necessary changes to the client when requested. 6.3.6) Security The transference of information back and forth from the client to server needs to be secure from any malicious people sniffing the packets and using the data for their own information. Preventing anyone from using our client and server links as a means of hacking our system was a main concern. The solution that we used is SSL. Secure Socket Layers helped to keep information encrypted through out the whole data transfer process. SSL, Secure Sockets Layer, is protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a public key to encrypt data that is transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites 22
  • 24. use the protocol to obtain confidential user information, such as credit card numbers. We used SSL so that we can transfer XML document back and forth without compromising the information stored in the document. The following capabilities address fundamental concerns about communication over the Internet and other TCP/IP networks: • LFMS SSL server authentication: The LFMS server will allow the client to confirm a server's identity. SSL-enabled client software can use standard techniques of public-key cryptography to check that a server's certificate and public ID are valid and have been issued by a certificate authority (CA) listed in the client's list of trusted CAs. This confirmation is important in making sure the XML files are not compromised during transmission. • SSL client authentication: Allows the LFMS server to confirm a user's identity. Using the same techniques as those used for server authentication, SSL-enabled server software can check that a client's certificate and public ID are valid and have been issued by a certificate authority (CA) listed in the server's list of trusted CAs. This confirmation is an important step so that the server does not receive malicious commands from a foreign source. • An encrypted SSL connection requires all information sent between a client and a server to be encrypted by the sending software and decrypted by the receiving software, thus providing a high degree of confidentiality. Confidentiality is important for both parties to any private transaction. In addition, all data sent over an encrypted SSL 23
  • 25. connection is protected with a mechanism for detecting tampering-- that is, for automatically determining whether the data has been altered in transit. • Confidentiality: The SSL protocol includes two sub-protocols: the SSL record protocol and the SSL handshake protocol. The SSL record protocol defines the format used to transmit data. The SSL handshake protocol involves using the SSL record protocol to exchange a series of messages between an SSL-enabled server and an SSL-enabled client when they first establish an SSL connection. This exchange of messages is designed to facilitate the following actions: o Authenticate the server to the client. o Allow the client and server to select the cryptographic algorithms, or ciphers, that they both support. o Optionally authenticate the client to the server. o Use public-key encryption techniques to generate shared secrets. o Establish an encrypted SSL connection. Securities for all parts of the project were taken into account and middleware was of no exception. With validation for the XML and SSL protection for the transit of all the data we are able to ensure that the data is valid and productive for all parties. 24
  • 26. 6.4) Testing Procedures Testing LFMS is one of our main priorities. We will be creating a traffic generator in Java, which will create data packets units (DPU) for us from the firewall and back. This DPU has certain components that we want to mangle and reconfigure; having a packet generator allows us to test the stability and integrity of the firewall. We will test LFMS by attacking it in many of the ways hackers do attack: using DOS attacks, email, and spamming attacks. This will be a great way to see if the firewall holds up to these basic modes of daily wear. Seeing the way the firewall reacts to different kinds of DPUs is the best way to know if the firewall is working. Configuring the firewall to allow certain DPUs and not others, then generating traffic that tests this out, helps us verify if the firewall has achieved our goals. 25
  • 27. VII. Scenarios Figure 5 7.1) Global Area Network (GAN), Corporate Scenario The best way to understand the LFMS system is to understand its’functionality in an appropriate scenario. For example, our company will have offices all over the globe and thousands of computers that need to communicate with each other over a GAN. This company will need to have literally hundreds of firewalls to protect each cluster of computers they have throughout the world, and naturally many of these firewalls will be configured the same way. Deny x, allow y, period. Now just think of the headache involved in maintaining hundreds of firewalls at the same time. WOW, what a nightmare ... maybe. Any time an administrator has to do anything involving firewalls on the network, he or she has to go to that computer and configure it by hand, what a pain!! Well, LFMS can help. LFMS allows an administrator to change a rule on a server class firewall and have all clients of that server automatically be updated with that change. It is incredibly simple to add firewalls to the network now. Simply turn on the machine, load up LFMS, tell 26
  • 28. the client which server to use, and the job is done. LFMS also has awareness, so that if something goes wrong with a firewall people can be alerted, logs can be written, and the firewall can even revert back to a previous working configuration automatically. Then, add in the super powered GUI configuration interface that works securely over the Internet. Now, not only is the firewall network auto-configurable, but it can be configured from anywhere on the planet!! Figure 6 7.2) Metropolitan Area Network (MAN), Internet Service Provider Our next scenario, deals with the bigger Internet Service Providers (ISP). Think for a moment of a person in charge of security over all the users of a huge ISP. The standard way to ensure that users are enjoying a safe online experience is to lay out firewalls. Unfortunately, the person in charge has 27
  • 29. come to the conclusion that he or she can either spend a premium and buy an Enterprise Firewall package or can waste a lot of time and configure and maintain each firewall separately. The boss wants the administrator to be aware of the economy and choose the approach that is the most effective and least expensive. There is another solution here, and that is using LFMS. Now, we come to a Metropolitan Area Network. ISP’s uses this type of network to bring the Internet to the average home user. For example, the ISP AOL has a computer that acts as Domain Name Server (DNS), Gateway, and Dynamic Host Configuration Protocol (DHCP) server at every city, to which AOL users have access. Using the LFMS tool, an Administrator can easily link up all the boxes, configure the network, and setup and maintain firewalls. The AOL administrator can create Firewall policies for the home user and for the gateways. This allows AOL to run timely security services to ensure its users have a safe and fun Internet experience. The LFMS tool is remarkable in its framework, ease of use, and scalability. Anyone can use the LFMS-GUI, which is the LFMS visually stunning configuration tool. The tool is available for any OS. That supports Java. Now, the headache of either buying a very expensive Enterprise Firewall service is over. ISP’s can install the freely distributed Linux and put our LFMS tool on top of the Linux configuration. This allows a cost effective solution to maintain a safe network. 28
  • 30. 7.3) Local Area Network (LAN), School Scenario Local Area Networks have a huge need for firewalls. The example of the school network is the best suited for this. Schools have the need to allow all access to the network for their students and faculty and, at the same time, must prevent any unwanted users trying to attack the key portions that keep the school network running. One of the key features that make a LAN is that people are sharing certain components such as a printer, email servers, or file servers. A huge problem that is encountered is that certain students do not really need to have access to certain components, for example a student in Graham does not need to print in Sanfillippo because he already has his own printer. Now, to setup a firewall for each of these rules or to maintain these rules becomes a huge hassle, and at the same time the administrator must maintain the integrity of the schools’ network against attacks from outside hackers. A dynamic firewall would be useful by allowing the administrator to configure certain rules and regulations for different machines and then let the machine in question download the configuration and then configure its firewall itself. This saves time, the administrator no longer needs to physically login to the box to reset certain rules, and avoids the headache of worrying about which configuration is on which box. A typical school administrator would put a certain configuration in a certain area, say we have a firewall setup in Kenna; the administrator would pull up the LFMS-GUI and see what configuration it is running. After viewing the running configuration the administrator would change what is needed and save it to the Kenna-config folder. A few clock cycles later the Kenna firewall would have been updated. No hassle for the administrator to physically go 29
  • 31. out to Kenna to physically configure the main box. This allows users to have access to what they need and prevents them from getting into what they are not supposed to. VIII. Product Comparison In order to understand how important and beneficial LFMS is to the Internet community, one must compare its features to products that already exist in the market. LFMS Specs Version 1.0 Compatibility Linux for Server/Client – Interface in any JRE OS Minimum RAM Required 64-256 MB Cost $0, Open Source Retail Information Distribution medium Internet Features Manage local and remote firewalls with LFMS GUI Java Interface Enables firewall to block websites that the administrator sets Offers a selection of user authentication alternatives Extends enterprise networks and encryption and authentication Security policy management allows administrators to create rules in any order 30
  • 32. 8.1) Symantec Enterprise Firewall Version 6.5 Compatibility NT; Solaris 2.6; HP-UX UNIX; Tru64 UNIX Minimum RAM Required 64-256 MB Cost $40,000 Retail Information Distribution medium CD-ROM Features Manage local and remote firewalls with Raptor Management Console Enables firewall-integrated content to block administrator selected websites Offers a selection of user authentication alternatives Extends enterprise networks and encryption and authentication Security policy management allows administrators to create rules in any order User Reviews (Courtesy of CNet.com): "Ok product - as long as it needs no support" ”Deployed easily, crashes frequently, poor technical support failing to respond to even the simplest request in a timely manner. VPN tunnels crashing on their own. No real protection for OS behind it. I am in the process of replacing this product and going to a hardware solution. – Ben Aree 31
  • 33. "Worst Firewall Ever" ”I have had this installed at work and it works fine for internet and instant messaging. The thing is, that is all it works for. It is close to impossible to open ports even if you set the rules. The ports randomly close on it and to resolve it you just reset the server. This is such a ridiculous peeve of software. I do not recommend it to anyone, unless you want to throw away money. The technical support people are completely incompetent they have no idea what they are doing. If you can not...” –Ted Coeal Result: The LFMS Product can easily be seen to be the preferred choice among administrators. It is much more efficient in its management capabilities and it costs nothing to use. The LFMS tool is fast and simple. LFMS is created to run on a free operating system: Linux. LFMS allows any number of clients to join the network at any time; this is what makes it dynamic. LFMS uses the free and efficient firewall of choice, iptables, and a very intuitive GUI interface. The current state of the economy requires that all companies use products that work well and are cost-effective. LFMS easily beats the competition. IX. Contributors 9.1) Advisor Dr. Silvia Figueira 32
  • 34. Computer Engineering Professor PhD from University of California San Diego 9.2) Budget We are very happy to report that because we support the open source software movement, we really don’t incur any costs. The only two feasible costs of our project are our time and the cost of two Linux computers. 9.3) Participants Allen Gilliland IV – Agilliland@scu.edu Senior Computer Engineer ‘02 Sunil Kumar Verma – Skverma@scu.edu Senior Computer Engineer ‘02 Vishal Gulu Gurbuxani – Vgurbuxani@scu.edu Senior Computer Engineer ‘02 9.4) Open Source We would like to thank the thousands of developers who have given up some of their free time towards creating open source software on a global scale. X. Conclusion We live in a time in which network security is critical in a home and in a corporation. As corporate assets and critical business processes move online, risks for security incidents increase. Valuable resources are moved online so 33
  • 35. that customers, partners, prospects, and remote employees have easy access. But, if not properly secured, these resources might also be exposed to individuals with less-than-honorable intentions, leading to the possibility of security incidents. Security incidents can disrupt operations, damage brand and reputation, and result in the theft or loss of critical customer data and intellectual property. Today, security is no longer just a technology problem; it is also a business problem. Due to the growing importance of security, information services (IS) departments today must provide improved network accessibility and security. However, they are also pressured to keep staffing and spending low. How can industry leaders respond to these pressures? By using a cost effective solution, which is dynamic, scalable, and easy to use: the Linux Firewall Management System. 34
  • 36. XI. References Deua, B. (August 2001). Understanding Linux firewalls. Retrieved October 20th 2001 from the World Wide Web: http://www.linuxhelp.org/tutorials/firewall.html Gillaea, A. (November 1999). Linux Netfilter. Retrieved October 22nd 2001 from the World Wide Web: http://www.newbie.org/how-tos/netfilter.html Grennan, M. (February 2000). Firewall and proxy how-to. Retrieved October 22nd 2001 from the World Wide Web: http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html Hung, W. (July 2001). Linux firewall and security site. Retrieved October 22nd 2001 from the World Wide Web: http://www.linux-firewall-tools.com/linux/ Russel, R. (July 2000). Linux ip-chains how-to. Retrieved October 22nd 2001 from the World Wide Web: http://netfilter.samba.org/ipchains/HOWTO.html 35
  • 37. XII. Appendix Attached to this document are the following source code documents. 11.1) LFMS-Admin 11.1.1 Javadoc 11.1.2 Source Code 11.2) LFMS-Client 11.2.1 Source Code 11.3) LFMS-Server 11.3.1 Source Code 11.4) Middleware 11.4.1 SSL Source Code JAVA 11.4.2 SSL Source Code C 36

×