Context Aware Firewall Policies - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Context Aware Firewall Policies
  • Ravi Sahita
  • Priya Rajagopal, Pankaj Parmar
  • Intel Corp.
  • June 8th 2004
  • IEEE Policy (Security)

2
Overview
  • Background
  • Motivation
  • Policy goals (example)
  • Intrusion detection -> Host <- firewalling
  • Management
  • SAFire
  • Milestone conclusions

3
Background
  • Why firewall?
  • Defense in depth against software flaws (software
    complexity increasing)
  • Control over services accessed/exposed
  • Control over information flow across boundaries
    (platform or network)
  • Need an increased proactive response instead of a
    reactive one

4
Policy goals (example)
  • Track flow only if the session is initiated by
    client
  • By default, restrict all traffic other than the
    control traffic of allowed services
  • Create transient filters for the negotiated data
    flows
  • On the negotiated port, restrict access to
    specific allowed commands/capabilities for that
    service
  • When transferring data, block/flag suspicious
    content (so that it is checked) before it reaches
    apps
  • All traffic that causes invalid protocol state
    transitions must be blocked proactively

5
Advantages of host based FWs
  • Visibility into internal traffic -> can protect
    against internal attacks
  • Smaller number of flows, more state per flow ->
    decreased load on aggregation points
  • Enable finer access control in a mobile
    environment -> carry your security with you
  • Can use end-to-end protocol properties
  • Allow true end-to-end encryption of traffic which
    would otherwise be proxied by the network devices

6
IDS -> Host <- FW

7
Complex management
  • Infrastructure firewalls are needed
  • Host FWs -> number explosion, but valuable
  • Make security policies easier to map without
    sacrificing functionality
  • Make components tend towards autonomous behavior
  • Make it easier to correlate events across hosts
    and infrastructure

8
Why SAFire?
  • What are the sub-elements of such packet analysis?
  • Allow building finer-grained network access control
    policies
  • Rich enough to keep up with new network
    services/changes
  • Local remediation
  • Abstraction of FW / IDS rules for a host

9
Capabilities identified
---------HOST CONTEXT--------
  • Packet data extraction and filtering
  • Flow state table management
  • Application layer rules
  • Pattern manipulation
  • Outsourcing policy decisions
  • Reuse of definitions
  • Dynamic rule management

10
Sequence of steps
  • Express application protocol in a DFA
  • Map protocol states to the Generic PSM
  • Extract transition rules from the normalized PSM,
    naming <src, event, dst, action>
  • Map to SAFire primitives (using tools)

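The policy goals on slide 4 (track only client-initiated sessions, default deny, transient filters for negotiated data flows, a per-service command allow-list, content flagging, and proactive blocking of invalid state transitions) and the four-step procedure on slide 10 are carried through below in one worked example. This is added illustration code, not SAFire or Intel code: the generic PSM state names (INIT, CONTROL, NEGOTIATED, DATA, CLOSED), the event names, the FTP-like command set and the sample session are all assumptions chosen to show the <src, event, dst, action> rule form in operation.

```python
"""Toy protocol-state-machine (PSM) host firewall.
Added example, not SAFire code: state names, event names and the FTP-like
command set are assumptions chosen for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Generic PSM states (assumed names; the deck shows the generic PSM only as a figure).
INIT, CONTROL, NEGOTIATED, DATA, CLOSED = "INIT", "CONTROL", "NEGOTIATED", "DATA", "CLOSED"
# Commands permitted on the control channel of the (constructed) FTP-like service.
ALLOWED_CMDS = {"USER", "PASS", "PASV", "LIST", "RETR", "QUIT"}
# Byte patterns flagged on the data channel before they reach the application.
SUSPICIOUS = (b"\x90\x90\x90\x90", b"/bin/sh")

@dataclass
class Flow:
    local: str
    remote: str
    state: str = INIT
    data_port: Optional[int] = None

# An action sees (firewall, flow, event attributes) and returns a verdict string.
Action = Callable[["PsmFirewall", Flow, dict], str]

def cmd_allowed(fw: "PsmFirewall", flow: Flow, a: dict) -> str:
    verb = a.get("text", "").split(" ", 1)[0].upper()
    return "ALLOW" if verb in ALLOWED_CMDS else "DROP"

def install_transient(fw: "PsmFirewall", flow: Flow, a: dict) -> str:
    # Server announced a data port: open a transient filter for exactly that triple.
    flow.data_port = a["port"]
    fw.transient.add((flow.local, flow.remote, flow.data_port))
    return "ALLOW"

def data_syn_allowed(fw: "PsmFirewall", flow: Flow, a: dict) -> str:
    return "ALLOW" if (flow.local, flow.remote, a["port"]) in fw.transient else "DROP"

def inspect_payload(fw: "PsmFirewall", flow: Flow, a: dict) -> str:
    return "FLAG" if any(p in a.get("payload", b"") for p in SUSPICIOUS) else "ALLOW"

def remove_transient(fw: "PsmFirewall", flow: Flow, a: dict) -> str:
    fw.transient.discard((flow.local, flow.remote, flow.data_port))
    flow.data_port = None
    return "ALLOW"

# Transition rules extracted from the protocol DFA, named <src, event, dst, action>.
RULES: List[Tuple[str, str, str, Optional[Action]]] = [
    (INIT,       "client_syn",  CONTROL,    None),
    (CONTROL,    "cmd",         CONTROL,    cmd_allowed),
    (CONTROL,    "server_pasv", NEGOTIATED, install_transient),
    (NEGOTIATED, "cmd",         NEGOTIATED, cmd_allowed),
    (NEGOTIATED, "data_syn",    DATA,       data_syn_allowed),
    (DATA,       "data",        DATA,       inspect_payload),
    (DATA,       "data_fin",    CONTROL,    remove_transient),
    (CONTROL,    "quit",        CLOSED,     None),
]

class PsmFirewall:
    def __init__(self, local: str, rules=RULES):
        self.local = local
        self.table: Dict[Tuple[str, str], Tuple[str, Optional[Action]]] = {
            (src, ev): (dst, act) for src, ev, dst, act in rules}
        self.flows: Dict[Tuple[str, str], Flow] = {}
        self.transient: Set[Tuple[str, str, int]] = set()

    def event(self, src: str, dst: str, ev: str, **attrs) -> str:
        key = (src, dst) if src == self.local else (dst, src)   # (local, remote)
        flow = self.flows.get(key)
        if flow is None:
            # Track a flow only if the session is initiated by the local client;
            # everything else is denied by default.
            if ev != "client_syn" or src != self.local:
                return "DROP"
            flow = self.flows[key] = Flow(*key)
        rule = self.table.get((flow.state, ev))
        if rule is None:
            # No transition for this event in the current state: an invalid protocol
            # state transition. Block it and tear the session down proactively.
            self.flows.pop(key)
            self.transient = {t for t in self.transient if t[:2] != key}
            return "DROP"
        dst_state, action = rule
        verdict = action(self, flow, attrs) if action else "ALLOW"
        if verdict != "DROP":
            flow.state = dst_state
        if flow.state == CLOSED:
            self.flows.pop(key)
        return verdict

def run_demo() -> Tuple[List[str], PsmFirewall]:
    """Constructed session: one legitimate passive-mode transfer plus four violations."""
    c, s = "10.0.0.5", "192.0.2.10"
    fw = PsmFirewall(local=c)
    verdicts = [
        fw.event(s, c, "client_syn"),                         # remote-initiated: not tracked
        fw.event(c, s, "client_syn"),                         # INIT -> CONTROL
        fw.event(c, s, "cmd", text="USER alice"),             # allowed command
        fw.event(c, s, "cmd", text="SITE EXEC id"),           # not in the allow-list
        fw.event(c, s, "data_syn", port=50000),               # data before PASV: invalid transition
        fw.event(c, s, "cmd", text="LIST"),                   # session was torn down
        fw.event(c, s, "client_syn"),                         # fresh session
        fw.event(s, c, "server_pasv", port=50001),            # transient filter for port 50001
        fw.event(c, s, "data_syn", port=50002),               # wrong port: no transient filter
        fw.event(c, s, "data_syn", port=50001),               # NEGOTIATED -> DATA
        fw.event(s, c, "data", payload=b"total 2\r\n"),       # clean content
        fw.event(s, c, "data", payload=b"\x90\x90\x90\x90"),  # flagged before reaching the app
        fw.event(s, c, "data_fin"),                           # DATA -> CONTROL, filter removed
        fw.event(c, s, "quit"),                               # CONTROL -> CLOSED
    ]
    return verdicts, fw
```

The rule table is the only protocol-specific part; swapping in a different DFA's <src, event, dst, action> tuples changes the service being policed without touching the engine, which is the separation the deck's mapping step relies on. Note the design choice in the invalid-transition branch: the whole session, including its transient filters, is discarded rather than just the offending packet, so a peer that has already desynchronised the protocol cannot keep a negotiated data port open.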
11
Generic Protocol States
Mapped to protocol specifics

12
Rule processing

13
Implementation

14
Conclusions
  • Unified model can comprehend HIPS/FWs
  • Language extensibility allows parallel progress
  • Model allows security policy verification across
    implementations
  • Minimal tradeoff is processing overhead for
    mapping and translation
  • Context information on the host can be leveraged
    for finer access control
  • Initial prototype shows minimal delay from user
    POV

15
Thank you!
  • Questions/Comments to ravi.sahita@intel.com