FACT(Active Firewall)
1. Project Overview
Proposal summary: This is a core R&D project internal to Center for Development of Advanced Computing (C-DAC). The project duration is 24 months, starting February 2008.
Objective: To carry out research in the areas of perimeter security and protocol analysis, and to develop proof-of-concept dynamic firewall mechanisms.
Proposal Overview
Phase – I DyNeF (Dynamic Network Firewall)
Our aim is to configure a dynamic network firewall for a grid environment that supports the dynamic nature of the grid and protects it from network intrusions. Our architecture provides host-based access privileges to hosts within virtual communities and uses these privileges to configure the network firewall dynamically. DyNeF provides the following capabilities:
- Extension to Community Authorization Service (CAS) for supporting host-based access privileges
- Reconfiguration of network firewall based on host-based privileges
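The two capabilities above, taken together, amount to a reconciliation loop: privileges arrive from the authorization service, and the firewall agent must bring the installed rule set into line with them, removing rules for hosts whose privileges lapsed as well as adding rules for new ones. The following is an added illustrative example, not DyNeF or E-CAS code. It assumes that privileges are delivered as (host, service, expiry) grants, that the agent keeps the installed rule set as its desired state, and that rules are emitted as iptables-like command strings (the chain name GRID and the service-to-port table are hypothetical) rather than executed.

```python
"""Host-privilege-driven firewall reconciliation.

Added illustrative example; this is not DyNeF or E-CAS code. It assumes that
the extended CAS delivers host-based privileges as (host, service, expiry)
grants, that the firewall agent keeps the installed rule set as desired state,
and that rules are emitted as iptables-like command strings (chain name GRID
is hypothetical) rather than executed.
"""
from typing import List, Set, Tuple

Grant = Tuple[str, str, int]   # (source host, service name, expiry as epoch seconds)
Rule = Tuple[str, int]         # (source host, destination TCP port)

# Assumed service-to-port table for the VO's grid services.
SERVICES = {"gridftp": 2811, "gram": 8443, "ssh": 22}


def desired_rules(grants: List[Grant], now: int) -> Set[Rule]:
    """Translate privilege grants into the rule set that should be installed.

    Expired grants are dropped here, so a privilege that was never explicitly
    revoked still disappears from the firewall once its assertion lapses.
    """
    rules: Set[Rule] = set()
    for host, service, expires_at in grants:
        if service not in SERVICES:
            raise ValueError(f"unknown service {service!r} granted to {host}")
        if expires_at <= now:
            continue
        rules.add((host, SERVICES[service]))
    return rules


def reconcile(installed: Set[Rule], grants: List[Grant], now: int) -> Tuple[List[str], Set[Rule]]:
    """Compute the minimal change from `installed` to the desired rule set.

    Returns (commands to run, new installed set). Additions are emitted before
    removals; the chain is assumed to end in a default DROP, so anything not
    granted is denied without needing an explicit rule.
    """
    want = desired_rules(grants, now)
    to_add = sorted(want - installed)
    to_remove = sorted(installed - want)
    commands = [f"iptables -A GRID -p tcp -s {host} --dport {port} -j ACCEPT"
                for host, port in to_add]
    commands += [f"iptables -D GRID -p tcp -s {host} --dport {port} -j ACCEPT"
                 for host, port in to_remove]
    return commands, want


# Constructed sample data: two successive privilege snapshots from the VO.
T0 = 1_200_000_000
GRANTS_V1: List[Grant] = [
    ("10.1.0.11", "gridftp", T0 + 3600),
    ("10.1.0.11", "gram", T0 + 3600),
    ("10.1.0.12", "gridftp", T0 + 600),   # short-lived grant
]
GRANTS_V2: List[Grant] = [
    ("10.1.0.11", "gridftp", T0 + 3600),
    ("10.1.0.11", "gram", T0 + 3600),
    ("10.1.0.13", "ssh", T0 + 3600),      # new host joined the VO
]


def demo() -> List[List[str]]:
    """Run three reconciliation rounds and return the commands of each."""
    rounds = []
    installed: Set[Rule] = set()
    for grants, now in [(GRANTS_V1, T0), (GRANTS_V1, T0 + 900), (GRANTS_V2, T0 + 900)]:
        commands, installed = reconcile(installed, grants, now)
        rounds.append(commands)
    return rounds


if __name__ == "__main__":
    for i, commands in enumerate(demo(), 1):
        print(f"round {i}:")
        for c in commands:
            print("  " + c)
```

The second round is the one that matters for security: nothing in the privilege snapshot changed, but the short-lived grant for 10.1.0.12 expired, and the agent removes its rule anyway. An agent that only reacts to explicit join and leave events would have left that hole open until the next membership change.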
Phase – II FACT (Active Firewall)
In this initiative we aim to carry out research in protocol analysis and to configure the network firewall for the Internet environment dynamically. We intend to perform protocol analysis to detect applications at runtime, so that applications not intended for an allowed port cannot use that port to enter the network. FACT is an active firewall that uses this application-detection capability to reconfigure the network firewall. Features supported by FACT are:
- Dynamic application detection through protocol analysis
- Reconfiguration of network firewall based on dynamic application detection capability
Why DyNeF?
Static firewall implementations for the grid environment promise consistent security but do not meet the dynamic requirements set forth by the grid. A dynamic firewall meets the grid-specific requirements, but raises the challenge of devising a mechanism for dynamic firewall configuration. DyNeF addresses the need for a dynamic firewall in the grid environment by devising such a mechanism through an extended CAS architecture.
Why FACT?
Firewalls identify applications by port number and cannot look deeper to find out whether the traffic on a port actually belongs to the application intended for that port. To identify the application on a port accurately, protocol analysis is required, and once the application has been identified, policy must be enforced accordingly. FACT addresses these two requirements: it performs protocol analysis to identify applications dynamically and reconfigures the network firewall so that the policy is enforced meaningfully.
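The gap described above is concrete: a port-based rule that allows TCP/80 also allows an SSH server or a peer-to-peer client listening on 80. The following is an added illustrative example, not FACT project code, showing the two steps in the smallest form that still runs: a signature-based classifier over the first client-to-server payload bytes of a flow, and a decision that compares the detected application with the application the port was opened for. The port policy, the signature list and the iptables-like rule strings (returned, not executed) are all assumptions of this example.

```python
"""Port-independent application detection driving firewall reconfiguration.

Added illustrative example; this is not FACT project code. It assumes a
signature-based classifier over the first client-to-server payload bytes of a
TCP flow, a per-port policy saying which application is expected on each
allowed port, and iptables-like rule strings that are returned, not executed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Policy: the application a port-based rule intended to allow on each port.
EXPECTED_APP = {80: "http", 443: "tls", 22: "ssh"}

# Payload signatures, checked in order against the start of the stream.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    # TLS record header (type 0x16, version 3.x, 2-byte length) then ClientHello (0x01)
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes   # first bytes sent by the client


def identify_app(payload: bytes) -> str:
    """Return the application name whose signature matches, else 'unknown'."""
    for name, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    return "unknown"


def decide(flow: Flow) -> Tuple[str, Optional[str]]:
    """Compare the detected application with the port policy.

    Returns (verdict, rule). Verdict is 'allow' when the application matches the
    port's intended use, 'block' with a DROP rule when a different known
    application is riding the port, and 'review' when no signature matched or the
    port has no policy: an unknown protocol should be logged for analysis rather
    than used to rewrite the firewall automatically.
    """
    app = identify_app(flow.payload)
    expected = EXPECTED_APP.get(flow.dport)
    if expected is None or app == "unknown":
        return "review", None
    if app == expected:
        return "allow", None
    rule = (f"iptables -I FORWARD -p tcp -s {flow.src} -d {flow.dst} "
            f"--dport {flow.dport} -j DROP")
    return "block", rule


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: grid.example\r\n\r\n"),
    Flow("10.0.0.6", "192.0.2.10", 80, b"SSH-2.0-OpenSSH_7.4\r\n"),          # SSH on the web port
    Flow("10.0.0.7", "192.0.2.10", 443, b"\x16\x03\x01\x00\xc2\x01\x00\x00\xbe\x03\x03"),
    Flow("10.0.0.8", "192.0.2.10", 443, b"\x13BitTorrent protocol" + b"\x00" * 8),
    Flow("10.0.0.9", "192.0.2.10", 22, b"\x00\x01\x02\x03"),                 # unrecognised
]


def classify_all(flows: List[Flow] = SAMPLE_FLOWS) -> List[Tuple[str, int, str, str]]:
    """Return (src, dport, detected app, verdict) for each flow."""
    return [(f.src, f.dport, identify_app(f.payload), decide(f)[0]) for f in flows]


if __name__ == "__main__":
    for src, dport, app, verdict in classify_all():
        print(f"{src}:{dport:<4} {app:<11} -> {verdict}")
```

Two caveats a practitioner would attach to this. First, the classifier only sees the opening bytes, so "tls" means the handshake looks like TLS, not that a browser is on the other end; an application tunnelled inside TLS on 443, or behind an HTTP CONNECT, needs deeper analysis (SNI, certificate, traffic behaviour) to separate from legitimate use. Second, a client controlled by an attacker can shape its first bytes to match the expected protocol, so the automatic DROP here should be treated as a fast response that narrows the attacker's options, not as a complete substitute for application-layer enforcement, and the per-source rule it inserts should carry an expiry so that a spoofed source address cannot be used to lock legitimate hosts out.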
2. Overall strategy
- Literature Survey and Requirements Specification
- Analysis
- Designing the extended architecture of CAS and DyNeF
- Implementation of E-CAS and DyNeF
- Integration of the components Client, E-CAS and DyNeF
- Deployment and Testing: lab set-up with Globus Toolkit 4.0.7 and an H3C router
3. Expected outcome
- Client module for VO policy configuration
- Server module for VO policy configuration
- Client module for E-CAS
- Server module for E-CAS
- Firewall Agent module
- Integrated system
4. Current Status
The team has completed Phase – I and started work on Phase – II recently. As part of Phase – I, the team has developed, deployed, integrated and tested the following components.
DyNeF (Dynamic Network Firewall): Architectural Blocks [figure not reproduced in this text]
5. International Publications
- DyNeF: Host-privilege-based Dynamic Network Firewall for Grid Environment, by Subramanian N, Usha Rani Edara and RaviKumar B. Published in CGCS 2008, the International Conference on Cluster and Grid Computing System, Singapore, August 29-31, 2008.