This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
Cascade of Distributed and Cooperating Firewalls in a Secure Data Network
September/October 2003 (vol. 15 no. 5)
pp. 1307-1315

Abstract—Security issues are critical in networked information systems, e.g., with financial information, corporate proprietary information, contractual and legal information, human resource data, medical records, etc. The theme of this paper is to address such diversity of security needs among the different information and resources connected over a secure data network. Installation of firewalls across the data network is a popular approach to providing a secure data network. However, single, individual firewalls may not provide adequate security protection to meet the user's needs. The cost of super firewalls, design flaws, as well as implementation inappropriateness with such firewalls may retain security loopholes. Toward this, the idea proposed in this paper is to introduce a cascade of (potentially simpler and less expensive) firewalls in the secure data network—where, between the attacker node and the attacked node, multiple firewalls are expected to provide an added degree of protection. This approach, broadly following the theme of redundancy in Engineering Systems' Design, will increase the confidence and provide more completeness in the level of security protection by the firewalls. The cascade of (i.e., multiple) firewalls can be placed across the secure data network in many ways, not all of which are equally attractive from cost and end-to-end delay perspectives. Toward this, we present heuristics for placement of these firewalls across the different nodes and links of the network in a way that different users can have the level of security they individually need, without having to pay added hardware costs or excess network delay. Three metrics are proposed to evaluate these heuristics: cost, delay, and reduction of attacker's traffic. Performance of these heuristics is presented using simulation, along with some early analytical results. Our research also extends the firewall technology into the well-known advantages of distributed firewalls. Furthermore, the distributed firewalls can be designed to cooperate and stop an attacker's traffic closest to the attack point—thereby reducing the amount of hacker's traffic into the network.

[1] D.B. Chapman and E.D. Zwicky, Building Internet Firewalls. O'Reilly and Assoc., Inc., 1995.
[2] R.N. Smith and S. Bhattacharya, Firewall Placement in a Large Network Topology Proc. Sixth IEEE Workshop Future Trends of Distributed Computing Systems (FTDCS '97), 1997.
[3] R.N. Smith and S. Bhattacharya, Operating Firewalls Outside the LAN Perimeter Proc. IEEE Int'l Performance, Computing, and Comm. Conf. (IPCCC '99), 1999.
[4] S.E. Lander and V.R. Lesser, "Sharing Meta-Information to Guide Cooperative Search among Heterogeneous Reusable Agents," IEEE Trans. Knowledge and Data Engineering, to appear in 1997.
[5] B. Thuraisingham and W. Ford, Security Constraint Processing in a Multilevel Secure Distributed Database Management System IEEE Trans. Knowledge and Data Eng., vol. 7, no. 2, pp. 274-293, Apr. 1995.
[6] W. Cheswick and S. Bellovin, Firewalls and Internet Security. Reading, Mass.: Addison-Wesley, 1994.
[7] T. Sheldon, Windows NT Security Handbook. Osborne McGraw-Hill, 1997.
[8] D.B. Parker, Information Security in a Nutshell Information Systems Security, Spring 1997.
[9] S. Garfinkel and E. Spafford, Practical UNIX Security, O'Reilly&Associates, Sebastapol, Calif., 1991.
[10] C. Liu et al. Managing Internet Information Services. O'Reilly and Assoc., 1994.
[11] J. Winsor, Solaris Advanced System Administrator's Guide. Emeryville, Calif.: SunSoft Press, Ziff-Davis Press, 1993.
[12] R. Oppliger, Internet Security: Firewalls and Beyond Comm. ACM, May 1997.
[13] M.L. Sobol, Firewalls Information Systems Security, Spring 1997.
[14] Cisco, Web Information on Catalyst 300 Family of Filters, http:// www.cisco.com/warp/public/729/c3000 c3000_an. htm, 14 Apr. 1997.
[15] T. Finin et al., "KQML as an Agent Communication Language," Third Int'l Conf. Information and Knowledge Management, ACM Press, New York, 1994.

Index Terms:
Firewall, network security, security management, multilevel security, class-filters, cascade of firewalls, data security.
Citation:
Robert N. Smith, Yu Chen, Sourav Bhattacharya, "Cascade of Distributed and Cooperating Firewalls in a Secure Data Network," IEEE Transactions on Knowledge and Data Engineering, vol. 15, no. 5, pp. 1307-1315, Sept.-Oct. 2003, doi:10.1109/TKDE.2003.1232280
Usage of this product signifies your acceptance of the Terms of Use.