Network Security Cs 473

The project entails the implementation of a web firewall for the LUMS community having the features of filtering traffic on the basis of specified rules. The filtering criterion includes content as well as the source and destination addresses. Moreover, it allows monitoring of individual users through keeping record of their searches made on famous search engines. The firewall is incorporated in a proxy server and makes its decisions based on access control lists, which are applicable to both individual users as well as groups. The flexibility of applying filters on group as well as individual users makes our implementation scalable. The incorporation of firewall in the proxy server does not require any changes to the existing protocols. Therefore, any standard client can be used as a web browser to interact with our proxy server. This makes the presence of a firewall transparent to the client which is one of the most important goals of a firewall. Lahore University of Management Sciences possesses a large network of computers which provides service to a host of faculty, students, and different sets of staff. The varying user characteristics pose a need for an application which can simultaneously control access to the Internet of different users as well as monitor their activity on the web. This calls for the need of a web firewall. The firewall should not only control access to the web of different users but should also block web pages having unwanted material; in other words, the firewall should also filter the contents of the web pages. Firewalls provide a common point of access to a private network to interact with the outside world. The rapid growth of Internet combined with the ever increasing security threats calls for a secured point which could provide access to the Internet. Firewalls not only ensure that outside threats do not disrupt internal operation but also keeps a check on the activities of the internal users. Since, everyone using the private network, gets access to the Internet through the firewall, they can be effectively monitored. Apart from protecting against potential security risks, a firewall can be used to account for the network resources used by each user. A potential measure for this could be the number of packets seen by the firewall of a certain user. This could be used to charge the user for resource consumption. Fahad R. Dogar, Nazim Ashraf and Ihsan A. Qazi Lahore University of Management Sciences { fahad, nazim, ihsan}@lums.edu.pk Network Security CS 473 2 http://www.im.ntu.edu.tw/IM/Faculty/sunny/pdf/IS/Firewall.pdf There are various options for the deployment of a firewall. The three types of firewall implementations which are currently being used are, 1) Packet filters, 2) Circuit Level Gateways and 3) Application Proxies. The following explanation discusses each of these options and their suitability considering our requirements. 1) Packet Filters: Packet Filters are employed within the gateway that connects the private network to the Internet. Since a router or a gateway works at the IP layer, packet filtering makes use of information available at the IP layer to filter packets. Moreover, they can also make use of information in the transport layer header to apply their filtering rules. The common filtering criterion used by packet filters is to allow or discard a packet based on its source or destination IP address and in case it also filters packets on the basis of transport layer header it can use the source or destination port information for filtering purposes. These packet filters are very fast since a small set of criterion is used to check the validity of a packet. Moreover, since they base their decisions on IP and TCP layer information all applications are subjected to filtering. However, with IP spoofing and the option of disguising the traffic by using a different port, their efficacy as a firewall are limited. [3] The state-of-the-art approach in packet filters is to make them stateful. In a stateful packet filter apart from the filtering rules, there are signatures for the normal behavior of different kinds of applications. With the routing of every packet the state is updated. In case an anomaly is detected which violates the signature pattern, the incoming/outgoing traffic can be blocked. Therefore, these kinds of firewalls also provide Intrusion Detection capabilities. A common problem with packet filters is their inability to apply application specific rules. Since they are deployed at the IP layer, it is simply impractical to apply thousands of rules for different applications on all the packets. Considering our requirements which are specific to web browsing, packet filters are not very suitable. 2) Circuit Level Gateways: Circuit level gateways do not examine each packet; instead they monitor a session. They operate at the transport layer. Once a session is established, all other packets in that session are allowed to pass through the firewall. Since, sessions instead of individual packets are being monitored its performance overheads are less as compared to packet filters. However, like packet filters, they do not examine application information and thus are not suitable to meet our requirements which are specific to web filtering. [2] 3) Application Level Proxies: Application specific proxies act as a server while communicating with the client and act as a client while communicating with the web Network Security CS 473 3 server. They are application specific and are designed to follow a given application level protocol. Since, everything goes through the proxy, filtering can be applied on the user requests as well as the web server’s responses. The filters can also be applied on lower layer information such as source or destination IP addresses and source or destination port numbers. This information can be retrieved through various application level function calls. Moreover, filters can also be applied on the application level content. Therefore, we can monitor the exchange of content in various application level protocols such as HTTP, FTP and SMPTP. [1] Considering the above mentioned capabilities of an application level proxy, which fit into the requirements of our project, we decided to implement our firewall within an HTTP proxy server.