06-04-2013, 04:37 PM
DATA SECURITY IN LOCAL NETWORK USING DISTRIBUTED FIREWALL
A SEMINAR REPORT
DATA SECURITY IN LOCAL.pdf (Size: 367.78 KB / Downloads: 94)
ABSTRACT
Today, computers and networking are inseparable. A number of confidential
transactions occur every second, and today computers are used mostly for transmission
rather than processing of data. Network security is therefore needed to prevent data in
transit from being intercepted or altered and to ensure that transfers are authenticated.
The traditional means of providing network security is the firewall. Conventional firewalls
rely on the notions of restricted topology and controlled entry points to function. The need
to restrict the network topology, the difficulty of filtering certain protocols, the conflict
with end-to-end encryption, and a few more problems led to the evolution of distributed
firewalls.
Distributed firewalls secure the network by protecting critical network
endpoints, exactly where attackers want to penetrate. They filter traffic from both the
Internet and the internal network, because many of the most destructive and costly attacks
still originate from within the organization. Since each host enforces the policy for itself,
they scale with the number of hosts rather than with the throughput of one choke point. In
addition, they remove the single point of failure presented by the perimeter firewall.
Introduction
Conventional firewalls rely on the notions of restricted topology and controlled
entry points to function. More precisely, they rely on the assumption that everyone on
one side of the entry point--the firewall--is to be trusted, and that anyone on the other side
is, at least potentially, an enemy. The vastly expanded Internet connectivity in recent
years has called that assumption into question. So-called "extranets" can allow outsiders
to reach the "inside" of the firewall; on the other hand, telecommuters' machines that use
the Internet for connectivity need protection when encrypted tunnels are not in place.
Policies and Identifiers
Many possible policy languages can be used, including file-oriented schemes
similar to Firmato, the GUIs that are found on most modern commercial firewalls, and
general policy languages such as KeyNote. The exact nature is not crucial, though clearly
the language must be powerful enough to express the desired policy. A sample is shown
in the figure (not reproduced in this extract).
Distributed Firewalls
In a typical organizational environment, individuals are not necessarily the
administrators of the computers they use. Instead, to simplify system administration and
to permit some level of central control, a system management package is used to
administer individual machines: patches can be installed, new software distributed, and so
on. We use the same mechanisms, which are likely to be present in any event, to distribute
and control the policy of a distributed firewall.
KEYNOTE
Trust management is a relatively new approach to solving the authorization and
security policy problem. Making use of public key cryptography for authentication, trust
management dispenses with unique names as an indirect means of performing access
control. Instead, it uses a direct binding between a public key and a set of authorizations,
as represented by a safe programming language. This results in an inherently
decentralized authorization system with sufficient expressiveness to guarantee flexibility
in the face of novel authorization scenarios.
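As an added example (not code from the report, nor from the KeyNote or STRONGMAN projects), the following Go program shows the mechanism that the Policies and Identifiers section and the KeyNote section describe: an administrator's public key is bound directly to a set of authorizations in a signed, KeyNote-style credential; the credential is shipped to a host; and the host, not a perimeter box, verifies the signature and evaluates the credential's conditions against each connection. Assumptions of this example: hex-encoded ed25519 keys stand in for KeyNote's own key encodings, the condition grammar is a small subset of KeyNote's (string `==` and `!=`, regular-expression `~=`, joined by `&&` and `||`), there is one authorizer-to-host credential rather than a delegation chain, and every key, connection attribute and policy string is constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Credential is a KeyNote-style assertion: the Authorizer key grants the Licensee
// key the right to act under Conditions. Hex ed25519 keys are an assumption here.
type Credential struct {
	Authorizer string // hex public key of the policy administrator
	Licensee   string // hex public key of the host it is issued to
	Conditions string // e.g. `protocol == "tcp" && dst_port == "22"`
	Signature  []byte // ed25519 signature over the three fields above
}

func (c *Credential) signedBytes() []byte {
	return []byte(c.Authorizer + "\n" + c.Licensee + "\n" + c.Conditions)
}

// Sign runs centrally, before the credential is distributed to hosts
// (over IPsec, a web server, a directory, or any other channel).
func Sign(priv ed25519.PrivateKey, c *Credential) {
	c.Signature = ed25519.Sign(priv, c.signedBytes())
}

// One comparison "attr op value", value optionally quoted; exactly one of groups
// 3/4 captures the value. Operators are a subset of KeyNote's: ==, != and ~= (regexp).
var termRe = regexp.MustCompile(`^\s*(\w+)\s*(==|!=|~=)\s*(?:"([^"]*)"|(\S+))\s*$`)

func compare(have, op, want string) (bool, error) {
	if op == "~=" {
		return regexp.MatchString(want, have)
	}
	return (have == want) == (op == "=="), nil // == and != are each other's negation
}

// clauseHolds checks an "&&" of comparisons. An attribute the connection
// does not carry compares as the empty string, as in KeyNote.
func clauseHolds(clause string, attrs map[string]string) (bool, error) {
	for _, term := range strings.Split(clause, "&&") {
		m := termRe.FindStringSubmatch(term)
		if m == nil {
			return false, fmt.Errorf("bad condition term %q", strings.TrimSpace(term))
		}
		if hit, err := compare(attrs[m[1]], m[2], m[3]+m[4]); err != nil || !hit {
			return false, err
		}
	}
	return true, nil
}

// Evaluate tests Conditions, an "||" of clauses, against one connection.
func Evaluate(conditions string, attrs map[string]string) (bool, error) {
	for _, clause := range strings.Split(conditions, "||") {
		if ok, err := clauseHolds(clause, attrs); err != nil || ok {
			return ok, err
		}
	}
	return false, nil
}

// Authorize is the host-side decision: the credential must come from the trusted
// policy key, be issued to this host and verify; only then are conditions evaluated.
func Authorize(policyKey, hostKey ed25519.PublicKey, c Credential, attrs map[string]string) (bool, error) {
	switch {
	case c.Authorizer != hex.EncodeToString(policyKey):
		return false, fmt.Errorf("credential not issued by the trusted policy key")
	case c.Licensee != hex.EncodeToString(hostKey):
		return false, fmt.Errorf("credential not issued to this host")
	case !ed25519.Verify(policyKey, c.signedBytes(), c.Signature):
		return false, fmt.Errorf("credential signature invalid (forged or altered)")
	}
	return Evaluate(c.Conditions, attrs)
}

func main() {
	policyPub, policyPriv, _ := ed25519.GenerateKey(rand.Reader)
	hostPub, _, _ := ed25519.GenerateKey(rand.Reader)
	// Administrator: this host may accept TCP port 22 from 10.x.x.x sources.
	cred := Credential{Authorizer: hex.EncodeToString(policyPub), Licensee: hex.EncodeToString(hostPub),
		Conditions: `app_domain == "IPsec policy" && protocol == "tcp" && dst_port == "22" && src_ip ~= "^10\."`}
	Sign(policyPriv, &cred)
	// Host: constructed connection attributes, as the kernel would hand them up.
	for _, src := range []string{"10.0.0.5", "203.0.113.7"} {
		conn := map[string]string{"app_domain": "IPsec policy", "protocol": "tcp", "dst_port": "22", "src_ip": src}
		ok, err := Authorize(policyPub, hostPub, cred, conn)
		fmt.Printf("%-12s allow=%v err=%v\n", src, ok, err)
	}
	// A credential altered in transit no longer verifies, whatever it now says.
	cred.Conditions = strings.Replace(cred.Conditions, `"22"`, `"23"`, 1)
	_, err := Authorize(policyPub, hostPub, cred, map[string]string{"dst_port": "23"})
	fmt.Println("tampered:", err)
}
```

Run it with `go run`: the connection from 10.0.0.5 is allowed, the one from 203.0.113.7 is refused, and the altered credential is rejected before its conditions are even read. The order of checks in Authorize is the point: the host trusts a credential only because it chains to the policy key the host was configured with, so a forged or modified policy arriving over an insecure distribution channel is harmless, and a credential issued to another host cannot be replayed against this one. Splitting the condition string on `||` and `&&` is naive (a regular expression containing `||` would break it), which is one reason the real KeyNote language has a proper parser.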
WORK IN DEVELOPMENT
There are a number of possible extensions that we plan to work on in the process
of building a more general and complete system.
As part of the STRONGMAN project at the University of Pennsylvania, we are
examining the application of higher-level security policy languages to large-scale
network management. KeyNote is used as a common language for expressing policies
that can be distributed in different applications and systems. The distributed firewall is an
important component in the STRONGMAN architecture. This is a subject of ongoing
research.
As we described in Section 4.3, the policy daemon runs as a user-level process
that communicates with the kernel via a device driver. This design maximizes the
flexibility of our system and allows for easy experimentation. Unfortunately, it adds the
overhead of cross-domain calls between user space and the kernel.
CONCLUSION
We have discussed the concept of a distributed firewall. Under this scheme, network
security policy specification remains under the control of the network administrator. Its
enforcement, however, is left up to the hosts in the protected network. Security policy is
specified using KeyNote policies and credentials, and is distributed (through IPsec, a web
server, a directory-like mechanism, or some other protocol) to the users and hosts in the
network. Since enforcement occurs at the endpoints.