Distributed firewall
A distributed firewall is a security application on a host machine of a network that protects the servers and user machines of its enterprise's networks against unwanted intrusion. A firewall is a system or group of systems (router, proxy, or gateway) that implements a set of security rules to enforce access control between two networks to protect the "inside" network from the "outside" network. Distributed firewalls filter all traffic regardless of its origin, the Internet or the internal network. Usually deployed behind the traditional firewall, they provide a second layer of defense. A key advantage of the distributed firewall is that security rules (policies) can be defined and pushed out on an enterprise-wide basis, which is necessary for larger enterprises.
Basic Working
Distributed firewalls are often kernel-mode applications that sit at the bottom of the OSI stack in the operating system. They filter all traffic regardless of its origin, the Internet or the internal network, treating both as "unfriendly". They guard the individual machine in the same way that the perimeter firewall guards the overall network. Distributed firewall functionality rests on three notions:
- A policy language that states what sort of connections are permitted or prohibited,
- Any of a number of system management tools, such as Microsoft's SMS or ASD, and
- IPSEC, the network-level encryption mechanism for the Internet Protocol, which carries TCP, UDP, etc.
The basic idea is simple. A compiler translates the policy language into some internal format. The system management software distributes this policy file to all hosts that are protected by the firewall. Incoming packets are then accepted or rejected by each "inside" host, according to both the policy and the cryptographically verified identity of each sender.
Features
- A central management system for designing the policies,
- A transmission system to transmit these policies, and
- Implementation of the designed policies at the client end.
Central Management System
The security policy of a distributed firewall is defined centrally, and the enforcement of the policy takes place at each endpoint (hosts, routers, etc.). Centralized management is the ability to populate servers and end-user machines, and to configure and "push out" consistent security policies, which helps to maximize limited resources. The ability to gather reports and maintain updates centrally makes distributed security practical. This feature of distributed firewalls helps in two ways. Firstly, remote end-user machines can be secured. Secondly, critical servers on the network are secured, preventing intrusion by malicious code and "jailing" such code by not letting the protected server be used as a launchpad for expanded attacks.
Policy Transmission System
The distribution of the policy, or security rules, varies with the implementation. Policies can either be pushed directly to end systems, or pulled when necessary.
Pull technique
In the pull technique, a host contacts the central management server while booting up to check whether the server is up and active. It then registers with the central management server and requests the policies it should implement. The central management server provides the host with its security policies.
Push Technique
The push technique is used when the policies are updated on the central-management side by the network administrator and the hosts have to be updated immediately. This push technology ensures that the hosts always have the current policies. The policy language defines which inbound and outbound connections on any component of the network policy domain are allowed, and can affect policy decisions on any layer of the network, whether rejecting or passing certain packets or enforcing policies at the Application Layer of the OSI stack.
Host-end Implementation
Conventional firewalls rely on controlling entry points to function, or more precisely, rely on the assumption that everyone on one side of the entry point—the firewall—is to be trusted, and that anyone on the other side is, at least potentially, an enemy. Distributed firewalls work by enabling only essential traffic into the machine they protect, prohibiting other types of traffic to prevent unwanted intrusions. The security policies transmitted from the central management server also have to be implemented by the host. The host-end part of the distributed firewall does not provide any administrative control for the network administrator to control the implementation of policies. The host allows traffic based on the security rules it has implemented.
End-to-end Encryption
End-to-end encryption is a threat to conventional firewalls, since the firewall generally does not have the necessary keys to peek through the encryption. Distributed firewalls use end-to-end IPSEC as their implementation technique [1]. IPSEC is a protocol suite, recently standardized by the IETF, which provides network-layer security services such as packet confidentiality, authentication, data integrity, replay protection, and automated key management. A further weakness is an artifact of conventional firewall deployment: internal traffic that is not seen by the firewall cannot be filtered; as a result, internal users can mount attacks on other users and networks without the firewall being able to intervene. Large networks today tend to have a large number of entry points. Furthermore, many sites employ internal firewalls to provide some form of compartmentalization. This makes administration particularly difficult, both from a practical point of view and with regard to policy consistency, since no unified and comprehensive management mechanism exists. In end-to-end IPSEC, each incoming packet is associated with a certificate; the access granted to that packet is determined by the rights granted to that certificate [1]. If the certificate name is different, or if there is no IPSEC protection, the packet will be dropped as unauthorized. Given that access rights in a strong distributed firewall are tied to certificates, access rights can be limited by changing the set of certificates accepted. Only hosts with newer certificates are then considered to be "inside"; if the change is not installed, the machine will have fewer privileges [1].
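The compile-then-enforce flow described under Basic Working, together with the certificate-based acceptance rule of this section, as an added example that is not part of the article: a toy policy language, its compiled form, and a host-side decision that drops packets lacking IPSEC protection or carrying a certificate outside the accepted set. The rule syntax, service names and certificate names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed policy text in a made-up one-rule-per-line language (assumption):
#   allow|deny <service> from <certificate-name>|any      # first match wins
POLICY_TEXT = """
allow ssh   from cn=admin-laptop
allow https from any
deny  ssh   from any
"""

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    service: str  # e.g. "ssh", "https"
    peer: str     # certificate name, or "any"

@dataclass(frozen=True)
class Packet:
    service: str
    ipsec_cert: Optional[str]  # certificate name from the IPSEC association; None if unprotected

def compile_policy(text: str) -> List[Rule]:
    """The 'compiler': translate the policy language into an internal rule list."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("allow", "deny") or parts[2] != "from":
            raise ValueError("malformed rule: %r" % line)
        rules.append(Rule(parts[0], parts[1], parts[3]))
    return rules

def decide(rules: List[Rule], pkt: Packet, accepted_certs: Set[str]) -> str:
    """Host-side enforcement: identity check first, then the compiled policy."""
    # No IPSEC protection, or a certificate outside the accepted set: unauthorized.
    if pkt.ipsec_cert is None or pkt.ipsec_cert not in accepted_certs:
        return "drop"
    for rule in rules:
        if rule.service == pkt.service and rule.peer in ("any", pkt.ipsec_cert):
            return "accept" if rule.action == "allow" else "drop"
    return "drop"  # nothing matched: default deny

# Constructed set of certificates this host currently treats as "inside".
ACCEPTED_CERTS = {"cn=admin-laptop", "cn=web-client"}
```

Removing a name from the accepted set revokes that peer's access on the next packet without editing a single rule, which is the "limit access by changing the set of certificates accepted" property described above.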
Network Topology
Distributed firewalls can protect hosts that are not within a topological boundary. System management packages are used to administer individual machines, so security administrators define security policy in terms of host identifiers, and the policy can be enforced by each individual host. A conventional firewall can only enforce a policy on traffic that traverses it, so traffic exchanged among nodes in the protected network cannot be controlled; an attacker who is already an insider, or who can somehow bypass the firewall, can thus establish a new, unauthorized entry point to the network without the administrator's knowledge and consent. For conventional firewalls, protocols such as RealAudio are difficult to process, because conventional firewalls lack certain knowledge that is readily available at the endpoints [1]. Due to increasing line speeds and the more computation-intensive protocols that a firewall must support, traditional firewalls tend to become congestion points. This gap between processing and networking speeds is likely to increase: although computers (and hence firewalls) are getting faster, the combination of more complex protocols and the tremendous increase in the amount of data that must pass through the firewall has outpaced, and will likely continue to outpace, Moore's law.
Threat comparison
Distributed firewalls have both strengths and weaknesses when compared to conventional firewalls. By far the biggest difference, of course, is their reliance on topology. If the network topology does not permit reliance on traditional firewall techniques, there is little choice. A more interesting question is how the two types compare in a closed, single-entry network. That is, if either will work, is there a reason to choose one over the other?
Service exposure and port scanning
Both types of firewalls are excellent at rejecting connection requests for inappropriate services. Conventional firewalls drop the requests at the border; distributed firewalls do so at the host. A more interesting question is what is noticed by the host attempting to connect. Today, such packets are typically discarded, with no notification. A distributed firewall may choose to discard the packet, under the assumption that its legal peers know to use IPSEC; alternatively, it may instead send back a response requesting that the connection be authenticated, which in turn gives notice of the existence of the host. Firewalls built on pure packet filters cannot reject some "stealth scans" very well. One technique, for example, uses fragmented packets that can pass through unexamined because the port numbers aren't present in the first fragment. A distributed firewall will reassemble the packet and then reject it. On balance, against this sort of threat the two firewall types are at least comparable.
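The fragment case in this section, as an added example not taken from the article: a per-fragment packet filter has no port to check when the first fragment ends before the destination port, whereas a host that reassembles the datagram before filtering sees the whole header and rejects it. The fragment layout, byte offsets and blocked-port policy are constructed assumptions.

```python
from dataclasses import dataclass
import struct

@dataclass(frozen=True)
class Fragment:
    ident: int    # IP identification shared by all fragments of one datagram
    offset: int   # byte offset of this piece within the transport segment (simplified)
    more: bool    # "more fragments" flag
    data: bytes

BLOCKED_PORTS = {23}  # constructed policy: telnet is not an allowed service

def dst_port(transport: bytes):
    """Destination port from a TCP/UDP header, or None if the header is incomplete."""
    return struct.unpack("!H", transport[2:4])[0] if len(transport) >= 4 else None

def stateless_filter(frag: Fragment) -> str:
    """Per-fragment decision as a pure packet filter makes it: only a first fragment
    carries anything to inspect, and even that may end before the port field."""
    if frag.offset == 0:
        port = dst_port(frag.data)
        if port is not None and port in BLOCKED_PORTS:
            return "drop"
    return "pass"

def reassemble(frags) -> bytes:
    """Host-side reassembly: order the pieces and rebuild the transport segment."""
    frags = sorted(frags, key=lambda f: f.offset)
    out = bytearray()
    for f in frags:
        if f.offset != len(out):
            raise ValueError("gap or overlap in fragments")
        out += f.data
    if not frags or frags[-1].more:
        raise ValueError("incomplete datagram")
    return bytes(out)

def host_filter(frags) -> str:
    """Distributed firewall at the host: reassemble first, then apply the port rule;
    anything that cannot be reassembled or parsed is dropped rather than passed."""
    try:
        port = dst_port(reassemble(frags))
    except ValueError:
        return "drop"
    return "drop" if port is None or port in BLOCKED_PORTS else "pass"

# Constructed TCP header (src 40000, dst 23) split so that the first fragment holds
# only the 2-byte source port and the destination port appears in the second piece.
TCP_HEADER = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
SPLIT = [Fragment(7, 0, True, TCP_HEADER[:2]), Fragment(7, 2, False, TCP_HEADER[2:])]
```

Offsets are counted in bytes here for readability; real IP fragment offsets are in 8-octet units, and RFC 1858 describes the minimum-first-fragment-length rule that perimeter filters apply against exactly this case.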
IP address spoofing
In a distributed firewall, network addresses are not a favored basis for access decisions. Using cryptographic mechanisms most likely prevents attacks based on forged source addresses, under the assumption that the trusted repository containing all necessary credentials has not itself been compromised. Conventional firewalls can address these problems with corresponding rules for discarding packets at the network perimeter, but this will not prevent such attacks originating from inside the network policy domain.
Malicious software
With the widespread use of distributed object-oriented systems like CORBA, client-side use of Java, weaknesses in mail readers, and the like, there is a wide variety of threats residing in the application and intermediate levels of communication traffic. Firewall mechanisms at the perimeter can be useful by inspecting incoming e-mail for known malicious-code fingerprints, but can be confronted with complex, and thus resource-consuming, situations when making decisions on other code, like Java. Using the framework of a distributed firewall, and especially a policy language which allows for policy decisions at the application level, can circumvent some of these problems, on the condition that the contents of such communication packets can be interpreted semantically by the policy-verifying mechanisms. Stateful inspection of packets turns out to be easily adapted to these requirements and allows for finer granularity in decision making. Furthermore, malicious code contents may be completely disguised from the screening unit at the network perimeter, given the use of virtual private networks and enciphered communication traffic in general, which can completely disable such policy enforcement on conventional firewalls.
Intrusion detection
Many firewalls detect attempted intrusions. If that functionality is to be provided by a distributed firewall, each individual host has to notice probes and forward them to some central location for processing and correlation. The former problem is not hard; many hosts already log such attempts. One can make a good case that such detection should be done in any event. The collection is more problematic, especially at times of poor connectivity to the central site. There is also the risk of coordinated attacks, in effect causing a denial-of-service attack against the central machine.
Insider attacks
Given the natural view of a conventional firewall of the network topology as consisting of an inside and an outside, problems arise once one or more members of the policy domain have been compromised. Perimeter firewalls can only enforce policies between distinct networks and offer no way to address the situation just described. A distributed firewall's independence from topological constraints supports the enforcement of policies whether hosts are members or outsiders of the overall policy domain, basing decisions on authentication mechanisms that are not inherent characteristics of the network layout. Moreover, the compromise of an endpoint, whether by a legitimate user or an intruder, will not weaken the overall network in a way that leads directly to the compromise of other machines, given that the deployment of virtual private networks prevents sniffing of communication traffic in which the attacked machine is not involved. On the other hand, on the endpoint itself nearly the same problems arise as in conventional firewalls: if a machine has been taken over by an adversary, one must conclude that the policy enforcement mechanisms themselves may be broken. Backdoors can be installed on such a machine quite easily once the security mechanisms are flawed, and in the absence of a perimeter firewall there is no longer a trusted entity that might prevent arbitrary traffic from entering or leaving the compromised host. Additionally, tools like SSH allow tunneling of other applications' communication, which cannot be prevented without knowledge of the decrypting credentials; moreover, once an attack has succeeded, the verifying mechanisms themselves may no longer be trusted. At first glance, the biggest weakness of distributed firewalls is their greater susceptibility to a lack of cooperation by users.
What happens if someone changes the policy files on their own? Distributed firewalls can reduce the threat of actual attacks by insiders, simply by making it easier to set up smaller groups of users. Thus, one can restrict access to a file server to only those users who need it, rather than letting anyone inside the company pound on it. It is also worth expending some effort to prevent casual subversion of policies. If policies are stored in a simple ASCII file, a user wishing to, for example, play a game could easily turn off protection. Requiring the would-be uncooperative user to go to more trouble is probably worthwhile, even if the mechanism is theoretically insufficient. For example, policies could be digitally signed, and verified by a frequently-changing key in an awkward-to-replace location. For more stringent protections, the policy enforcement can be incorporated into a tamper-resistant network card.
References
Books
- Sonnenreich, Wes and Tom Yates, Building Linux and OpenBSD Firewalls, Singapore: Addison Wiley.
- Zwicky, Elizabeth D., Simon Cooper and D. Brent Chapman, Building Internet Firewalls, O'Reilly.
- Strebe, Firewalls 24 Seven, BPB Publishers.
White papers and reports
- Bellovin, Steven M., "Distributed Firewalls", ;login:, November 1999, pp. 39–47. http://www.usenix.org/publications/login/1999-11/features/firewalls.html
- Hancock, Bill, "Host-Resident Firewalls: Defending Windows NT/2000 Servers and Desktops from Network Attacks".
- Bellovin, S.M. and W.R. Cheswick, Firewalls and Internet Security: Repelling the Wily Hacker, Addison-Wesley, 1994.
- Ioannidis, S., A.D. Keromytis, S.M. Bellovin and J.M. Smith, "Implementing a Distributed Firewall", Proceedings of Computer and Communications Security (CCS), pp. 190–199, November 2000, Athens, Greece.
- [1] Bellovin, Steven M., "Distributed Firewalls", ;login:, November 1999, pp. 39–47. https://www.cs.columbia.edu/~smb/papers/distfw.pdf