Towards Universitas Indonesia Next Generation Firewall Service - Tonny | GNOME.Asia

University of Indonesia is one of the largest state-owned universities in Indonesia, with more than 40,000 students. As a university that supports the Free/Open Source movement (in particular by providing an F/OSS content mirror), we also adopt F/OSS in our infrastructure development: most of our own information systems are built on an F/OSS stack by our in-house developer team. In 2012 we started experimenting with a next generation firewall to support internet access for our staff and students. A conventional firewall can no longer cope with the dynamic nature of today's internet applications, because it filters only on ports, IP addresses and connection state, while many different applications are now carried over a single protocol such as HTTP. A next generation firewall can detect and filter on layer-7 protocol patterns, that is, at the application layer. During the presentation I will share our experience in developing and integrating a Next Generation Firewall from an F/OSS stack, and point out open opportunities for further research and development on this topic.


  1. Towards Universitas Indonesia Next Generation Firewall Service
     Tonny Adhi Sabastian, M. Kom (tonny.adhi@ui.ac.id)
     GNOME Asia Summit 2015 - Universitas Indonesia, 7th - 9th May 2015
  2. Introduction: Research & Development Team
     ● Gladhi Guarddin, M. Kom (adin@ui.ac.id)
       ■ Researcher - Lecturer, Pervasive Computing Lab, Faculty of Computer Science
       ■ Division Head of Information System Development, Office of Information System Development and Services
     ● Tonny Adhi Sabastian, M. Kom (tonny.adhi@ui.ac.id)
       ■ Research Assistant - Lecturer, Pervasive Computing Lab, Faculty of Computer Science
       ■ ICT Network Coordinator,
  3. Introduction: Research & Development Team
     ● Alfan Presekal (alfanpresekal@gmail.com)
       ■ Student, Faculty of Engineering
     ● Harrish M. Nazief (harishmuhammadnazief44@gmail.com)
       ■ Student, Faculty of Computer Science
     ● Raden Rheza (rheza.raden@ui.ac.id)
       ■ Staff, Network Infrastructure Service, Office of Information System Development and Services
  4. Presentation Overview
     ❏ Introduction to Our Research Lab
     ❏ Next Generation Firewall (NGFW) Concept
     ❏ Experiments on NGFW at Universitas Indonesia
     ❏ NGFW Prototype at Universitas Indonesia
  5. Pervasive Computing Research Lab: What do we do? Smart Space Research (figure only)
  6. Outcome 2013 - 2014: 2013 - Location Extractor (figure only)
  7. Outcome 2013 - 2014: 2014 - Zigbee REST Gateway API; Zigbee Lighting using ZLL (figure only)
  8. Next Generation Firewall Concept
     "Next Generation Firewalls are Deep Packet Inspection Firewalls that move beyond port / protocol inspection and blocking to add application level inspection, intrusion prevention, and bringing intelligence from outside the firewall" - Ali Kapucu, Kent State University
     In other words: making a firewall content-aware and context-aware.
  9. Next Generation Firewall Concept: A Legacy Firewall (figure only)
  10. Next Generation Firewall Concept: Current Internet Condition (figure only)
  11. Next Generation Firewall Concept: Deep Packet Inspection (figure only)
  12. Next Generation Firewall Concept: Deep Packet Inspection, continued (figure only)
  13. Next Generation Firewall Concept: What can an NGFW do? (figure only)
  14. Next Generation Firewall Concept: Challenges on NGFW
     ● Performance of DPI techniques
       ○ Regular expression and string matching (Aho-Corasick algorithm)
       ○ Machine learning
     ● User privacy
  15. Next Generation Firewall Experiments at UI
     ● Started in 2012
     ● Built from a Free/Open Source Software stack:
       ○ Debian GNU/Linux 7
       ○ iptables & ipset
       ○ JASIG CAS (Central Authentication Service) for single sign-on authentication [http://jasig.github.io/cas/4.0.0/index.html]
     ● One production environment and one prototyping environment
  16. Next Generation Firewall Experiments at UI: Production Environment
     ● Linux kernel 2.6.32.x (the L7-filter kernel patch is not supported on kernel 3.x)
     ● ipset holds the list of client IPs authenticated through the UI SSO
     ● iptables L7-filter (l7-netfilter) [http://l7-filter.clearfoundation.com/]
       ○ L7-filter has not been developed since 2013
       ○ One static regex pattern per protocol
       ○ In-kernel regex library
  17. Next Generation Firewall Experiments at UI: Prototyping Environment
     ● Linux kernel 3.2.x
     ● Under active development
     ● ipset holds the list of client IPs authenticated through the UI SSO
     ● iptables nDPI-netfilter [http://www.ntop.org/products/ndpi/] [https://github.com/ewildgoose/ndpi-netfilter/]
       ○ Per-protocol pattern search using the Aho-Corasick algorithm
       ○ Buggy netfilter conntrack handling (patched, see the next slide)
     ● Published at the 2014 International Conference on Advanced Computer Science and Information Systems (see references)
  18. Next Generation Firewall Experiments at UI: Buggy Netfilter Patch (figure only)
  19. Next Generation Firewall Experiments at UI: Typical Deployment Architecture (figure only)
  20. Next Generation Firewall Experiments at UI: Rules Example
     INSPEKSI (Indonesian for "inspection"), STD_PROTO and REJECTED_PROTO are user-defined chains, so they must exist before the rules below are added ("#" is the root shell prompt):
     # iptables -N INSPEKSI
     # iptables -N STD_PROTO
     # iptables -N REJECTED_PROTO
     # iptables -A INSPEKSI -m ndpi --twitter -j ACCEPT
     # iptables -A INSPEKSI -m ndpi --yahoo -j STD_PROTO
     # iptables -A INSPEKSI -m ndpi --steam -j REJECTED_PROTO
     # iptables -A INSPEKSI -m ndpi --dropbox -j STD_PROTO
     # iptables -A INSPEKSI -m ndpi --h323 -j STD_PROTO
     A "-m ndpi --<protocol>" match only fires once nDPI has classified the flow, so the first packets of a connection match none of these rules and fall through to whatever follows in the chain; the policy must account for that window.
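The rules on the slide are only the classification chain. The script below is an added example, not code from the slides or from the UI team, that builds the rest of the deployment the deck describes: an ipset of SSO-authenticated client IPs that gates forwarding, a redirect of unauthenticated web traffic to the portal, and the INSPEKSI chain with its STD_PROTO and REJECTED_PROTO targets. The set name sso_auth, the LAN interface eth1, the portal address, the 8-hour entry timeout and the --bittorrent option name are assumptions. By default it is a dry run that prints the commands; set IPT=iptables and IPSET=ipset to apply them as root.

```sh
#!/bin/sh
# Added example, not from the slides: ipset-gated forwarding plus an nDPI
# classification chain. sso_auth, eth1, the portal address and the
# --bittorrent option name are assumptions. Dry run by default.
set -eu

IPT="${IPT:-echo iptables}"        # IPT=iptables to apply for real (as root)
IPSET="${IPSET:-echo ipset}"
LAN_IF="${LAN_IF:-eth1}"           # assumed client-facing interface
PORTAL="${PORTAL:-10.0.0.1:8080}"  # assumed address of the authorization portal (on the firewall)
AUTH_SET="sso_auth"                # assumed name of the authenticated-IP set
AUTH_TTL=28800                     # entries expire after 8 h unless the portal refreshes them

# The set the portal fills after a successful CAS login. Entries time out on
# their own, so a client that never logs out still loses access eventually.
create_auth_set() {
    $IPSET -exist create "$AUTH_SET" hash:ip timeout "$AUTH_TTL"
}

create_chains() {
    for chain in INSPEKSI STD_PROTO REJECTED_PROTO; do
        $IPT -N "$chain"
    done
    # STD_PROTO: permitted application traffic (a bandwidth class could hook in here).
    $IPT -A STD_PROTO -j ACCEPT
    # REJECTED_PROTO: rate-limited log, then reject so clients fail fast instead of hanging.
    $IPT -A REJECTED_PROTO -m limit --limit 5/min -j LOG --log-prefix "NGFW-REJECT: "
    $IPT -A REJECTED_PROTO -j REJECT --reject-with icmp-admin-prohibited
}

# Classification chain. Rules are checked top to bottom, so the first matching
# line decides the flow.
inspection_rules() {
    $IPT -A INSPEKSI -m ndpi --twitter -j ACCEPT
    $IPT -A INSPEKSI -m ndpi --yahoo -j STD_PROTO
    $IPT -A INSPEKSI -m ndpi --steam -j REJECTED_PROTO
    $IPT -A INSPEKSI -m ndpi --dropbox -j STD_PROTO
    $IPT -A INSPEKSI -m ndpi --h323 -j STD_PROTO
    $IPT -A INSPEKSI -m ndpi --bittorrent -j REJECTED_PROTO   # option name assumed
    # Anything else, including flows nDPI has not classified yet, is allowed.
    $IPT -A INSPEKSI -j ACCEPT
}

# Gate: clients not in the set get DNS and a redirect to the portal, nothing
# else; traffic of clients in the set goes through DPI classification.
forward_policy() {
    $IPT -P FORWARD DROP
    # Unauthenticated web requests land on the portal, which runs on the firewall itself.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -m set ! --match-set "$AUTH_SET" src -j DNAT --to-destination "$PORTAL"
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "${PORTAL##*:}" -j ACCEPT
    # Unauthenticated clients may resolve names (so the redirect works) and nothing else.
    $IPT -A FORWARD -i "$LAN_IF" -m set ! --match-set "$AUTH_SET" src \
        -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -m set ! --match-set "$AUTH_SET" src -j DROP
    # Both directions of the remaining flows pass through INSPEKSI: nDPI needs
    # to see replies as well to classify reliably.
    $IPT -A FORWARD -j INSPEKSI
}

apply_all() {
    create_auth_set
    create_chains
    inspection_rules
    forward_policy
}

apply_all
```

Note that the gate checks the source IP only, so an authenticated address can be impersonated from the same LAN segment; the slides' design shares this property, and the timeout on the set entries is what bounds the exposure.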
  21. Next Generation Firewall Experiments at UI: Authorization Portal* (figure only)
  22. Next Generation Firewall Experiments at UI: SSO Portal (figure only)
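The two portal slides show only screenshots. The following is an added example, not the UI portal's own code, of the step that links the SSO portal to the firewall: after CAS redirects the browser back with a service ticket, the portal validates it against the CAS server (CAS 2.0 /serviceValidate) and, on success, adds the client's IP to the ipset the firewall consults. The CAS base URL, the service callback URL and the set name sso_auth are assumptions; the XML responses embedded below are constructed samples in the CAS 2.0 format so the parsing and the IP check can be exercised offline. Dry run by default; set IPSET=ipset to apply for real.

```sh
#!/bin/sh
# Added example, not the UI portal's code: CAS ticket validation feeding the
# ipset of authenticated clients. URLs and the set name are assumptions.
set -eu

CAS_BASE="${CAS_BASE:-https://sso.ui.ac.id/cas}"      # assumed CAS server URL
SERVICE="${SERVICE:-http://portal.ui.ac.id/login}"   # assumed portal callback URL
AUTH_SET="${AUTH_SET:-sso_auth}"                     # assumed set name
AUTH_TTL=28800
IPSET="${IPSET:-echo ipset}"                         # IPSET=ipset to apply for real

# Constructed sample responses in the CAS 2.0 XML format (not real CAS output).
SAMPLE_OK='<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>student1</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>'
SAMPLE_FAIL='<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-1 not recognized</cas:authenticationFailure>
</cas:serviceResponse>'

# Prints the username from a serviceValidate response. Returns 1 unless the
# body carries <cas:authenticationSuccess>; a failure body has no user.
cas_user_from_response() {
    printf '%s\n' "$1" | grep -q '<cas:authenticationSuccess>' || return 1
    printf '%s\n' "$1" | sed -n 's/.*<cas:user>\([^<]*\)<\/cas:user>.*/\1/p' | head -n 1
}

# Online validation (needs the CAS server, so it is not part of the offline
# checks). The service URL must equal the one sent to CAS at login time, or
# CAS rejects the ticket.
cas_validate_ticket() {
    curl -fsS --get "$CAS_BASE/serviceValidate" \
        --data-urlencode "service=$SERVICE" --data-urlencode "ticket=$1"
}

# Registers the client IP as authenticated. The IP must come from the TCP
# connection, never from a client-supplied header, and is checked to be a
# plain IPv4 dotted quad so nothing else can be smuggled into the ipset command.
authorize_client() {
    ip="$1"
    case "$ip" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    $IPSET -exist add "$AUTH_SET" "$ip" timeout "$AUTH_TTL"
}

# Portal callback: validate the ticket, then authorize the connecting address.
login_callback() {
    ticket="$1"; client_ip="$2"
    body=$(cas_validate_ticket "$ticket") || return 1
    user=$(cas_user_from_response "$body") || return 1
    authorize_client "$client_ip" || return 1
    printf '%s\n' "$user"
}

# Offline demonstration with the constructed responses.
cas_user_from_response "$SAMPLE_OK"                     # prints "student1"
cas_user_from_response "$SAMPLE_FAIL" || echo "ticket rejected by CAS"
authorize_client "10.1.2.3"                             # dry run: prints the ipset command
```

Re-adding an existing entry with -exist refreshes its timeout, so a client that logs in again before expiry simply extends its session.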
  23. Deployment Result
     ● With the legacy (port-based) implementation we could not tell whether somebody was tunnelling BitTorrent traffic past the rules.
     ● The DPI implementation is able to identify and filter a target protocol.
  24. Next Plan
     ● Traffic classifier (using machine learning)
     ● DPI technique (also using machine learning)
     ● Automatic provisioning of firewall and bandwidth management
  25. References
     Acharya, H. B., Joshi, A., & Gouda, M. G. (2010). Firewall Modules and Modular Firewalls. 2010 18th IEEE International Conference on Network Protocols (pp. 174-182). Kyoto: IEEE.
     Alcock, S., & Nelson, R. (2013). Measuring the Accuracy of Open-Source Payload-Based Traffic Classifiers Using Popular Internet Applications. IEEE Workshop on Network Measurements (pp. 956-963). Sydney: IEEE.
     Allot Communications. (2007). Digging Deeper into DPI. Allot Communications.
     Al-Shaer, E. S., & Hamed, H. H. (2002). Design and Implementation of Firewall Advisor Tools. Chicago: DePaul University.
     Ou, G. (2009, October 27). Understanding Deep Packet Inspection (DPI) Technology. Retrieved from Digital Society: http://www.digitalsociety.org/2009/10/understanding-deep-packet-inspection-technology/
     Papatheodoulou, N., & Sklavos, N. (2009). Architecture & System Design of Authentication, Authorization, & Accounting Services. IEEE, 1831-1837.
     Parsons, C. (2008). Deep Packet Inspection in Perspective: Tracing its lineage and surveillance potentials. The New Transparency: Surveillance and Social Sorting, 1-16.
  26. References (continued)
     Nazief, H. M., Sabastian, T. A., Presekal, A., & Guarddin, G. (2014). Development of University of Indonesia Next Generation Firewall Prototype and Access Control With Deep Packet Inspection. 2014 IEEE International Conference on Advanced Computer Science and Information Systems. Jakarta: IEEE.
     Thomason, S. (2012). Improving Network Security: Next Generation Firewalls and Advanced Packet Inspection Devices. Global Journal of Computer Science and Technology: Network, Web & Security, 47-49.
     Wang, C. (2009, June 4). Forrester: Deep Packet Inspection as an Enabling Technology. Retrieved from CSO Online: http://www.csoonline.com/article/2124061/network-security/forrester--deep-packet-inspection-as-an-enabling-technology.html
  27. Q & A
  28. Thank You
