Towards Universitas Indonesia Next Generation Firewall Service

Tonny Adhi Sabastian, M. Kom ([email protected])

Gnome Asia Summit 2015 - Universitas Indonesia, 7th - 9th May 2015



Introduction

Research & Development Team

● Gladhi Guarddin, M. Kom ([email protected])

■ Researcher - Lecturer, Pervasive Computing Lab, Faculty of Computer Science

■ Division Head of Information System Development, Office of Information System Development and Services

● Tonny Adhi Sabastian, M. Kom ([email protected])

■ Research Assistant - Lecturer, Pervasive Computing Lab, Faculty of Computer Science

■ ICT Network Coordinator,

Introduction

Research & Development Team

● Alfan Presekal ([email protected])

■ Student, Faculty of Engineering

● Harrish M. Nazief ([email protected])

■ Student, Faculty of Computer Science

● Raden Rheza ([email protected])

■ Staff, Network Infrastructure Service, Office of Information System Development and Services

Presentation Overview

❏ Introduction to Our Research Lab

❏ Next Generation Firewall (NGFW) Concept

❏ Experiments on NGFW at Universitas Indonesia

❏ NGFW Prototype at Universitas Indonesia

Pervasive Computing Research Lab.: What do we do?

Smart Space Research

Outcome 2013 - 2014

2013

Location Extractor

Outcome 2013 - 2014

2014

Zigbee REST Gateway API

Zigbee Lighting using ZLL

Next Generation Firewall Concept

“Next Generation Firewalls are Deep Packet Inspection Firewalls that move beyond port / protocol inspection and blocking to add application level inspection, intrusion prevention, and bringing intelligence from outside the firewall”

Ali Kapucu, Kent State University

“Making a Firewall to become Content Aware and Context Aware”

Next Generation Firewall Concept

A Legacy Firewall

Next Generation Firewall Concept

Current Internet Condition

Next Generation Firewall Concept

Deep Packet Inspection

Next Generation Firewall Concept

Deep Packet Inspection

Next Generation Firewall Concept

What can NGFW do?

Next Generation Firewall Concept

Challenges on NGFW:

● Performance on DPI Techniques

○ Regular Expression and String Matching (Aho-Corasick Algorithm)

○ Machine Learning

● User Privacy

Next Generation Firewall Experiments on UI

● Started in 2012

● Using a Free/Open Source Software Stack

○ Debian GNU/Linux 7

○ IPTables & IPSet

○ JASIG CAS (Common Authentication System) for Single Sign On Authentication [http://jasig.github.io/cas/4.0.0/index.html]

○ One Production Environment and One Prototyping Environment

Next Generation Firewall Experiments on UI

Production Environment

● Using Linux Kernel 2.6.32.x; kernel 3.x is unsupported

● IPSet for the list of authenticated IPs from UI SSO

● IPtables L7-Netfilter [http://l7-filter.clearfoundation.com/]

○ L7-Netfilter has not been developed since 2013

○ Static regex pattern per protocol

○ In-kernel regex library

Next Generation Firewall Experiments on UI

Prototyping Environment

● Using Linux Kernel 3.2.x

● Active development state

● IPSet for the list of authenticated IPs from UI SSO

● IPtables nDPI-Netfilter [http://www.ntop.org/products/ndpi/] [https://github.com/ewildgoose/ndpi-netfilter/]

○ Per protocol pattern search - Aho-Corasick algorithm

○ Buggy netfilter conntrack

● Published at the International Conference on Advance Computer Science & Information System, 2014

Next Generation Firewall Experiments on UI

Buggy Netfilter Patch

Next Generation Firewall Experiments on UI

Typical Deployment Architecture

Next Generation Firewall Experiments on UI

Rules Example

#iptables -A INSPEKSI -m ndpi --twitter -j ACCEPT

#iptables -A INSPEKSI -m ndpi --yahoo -j STD_PROTO

#iptables -A INSPEKSI -m ndpi --steam -j REJECTED_PROTO

#iptables -A INSPEKSI -m ndpi --dropbox -j STD_PROTO

#iptables -A INSPEKSI -m ndpi --h323 -j STD_PROTO
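The following Python sketch is an added example, not code from the slides or from nDPI-Netfilter. It shows the two pieces the deck combines: the per-protocol Aho-Corasick pattern search listed under the DPI performance challenges, and the first-match rule order of the INSPEKSI chain above. The byte signatures, the extra BitTorrent rule and the STD_PROTO fall-through are constructed assumptions for illustration.

```python
from collections import deque

# Constructed, simplified protocol signatures: stand-ins for nDPI's
# per-protocol patterns (real dissectors are far richer than this).
SIGNATURES = {b"\x13BitTorrent protocol": "bittorrent",
              b"Host: twitter.com": "twitter",
              b"Host: www.dropbox.com": "dropbox"}
# INSPEKSI chain from the slide, plus a constructed BitTorrent rule.
# Order matters: the first matching rule decides, exactly as in iptables.
RULES = [("twitter", "ACCEPT"), ("yahoo", "STD_PROTO"),
         ("steam", "REJECTED_PROTO"), ("dropbox", "STD_PROTO"),
         ("bittorrent", "REJECTED_PROTO")]
DEFAULT_TARGET = "STD_PROTO"  # assumed fall-through for unmatched traffic

class AhoCorasick:
    """Multi-pattern matcher: build once, then scan each payload in O(len)."""
    def __init__(self, patterns):
        self.goto, self.out, self.fail = [{}], [set()], [0]
        for pat, label in patterns.items():  # 1. build the keyword trie
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({}); self.out.append(set()); self.fail.append(0)
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].add(label)
        q = deque(self.goto[0].values())  # 2. BFS: depth-1 states fail to root
        while q:
            r = q.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]  # inherit suffix matches
                q.append(s)

    def scan(self, data):  # labels whose pattern occurs anywhere in data
        s, found = 0, set()
        for b in data:
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            found |= self.out[s]
        return found

MATCHER = AhoCorasick(SIGNATURES)
def decide(payload):  # target the INSPEKSI chain would jump to for payload
    labels = MATCHER.scan(payload)
    return next((t for proto, t in RULES if proto in labels), DEFAULT_TARGET)
```

The failure links are what make this one pass over the payload regardless of how many protocol patterns are loaded, which is the performance point the DPI challenge slide raises.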

Next Generation Firewall Experiments on UI

Authorization Portal*

Next Generation Firewall Experiments on UI

SSO Portal

Deployment Result

With the legacy implementation, we do not know whether somebody tunneled BitTorrent packets.

The DPI implementation is able to capture and filter a target protocol.

Next Plan

● Traffic Classifier (using machine learning)

● DPI Technique (also using machine learning)

● Automatic provisioning on Firewall and Bandwidth Management

References

Acharya, H. B., Joshi, A., & Gouda, M. G. (2010). Firewall Modules and Modular Firewalls. 2010 18th IEEE International Conference on Network Protocols (pp. 174-182). Kyoto: IEEE.

Alcock, S., & Nelson, R. (2013). Measuring the Accuracy of Open-Source Payload-Based Traffic Classifiers Using Popular Internet Applications. IEEE Workshop on Network Measurements (pp. 956-963). Sydney: IEEE.

Allot Communications. (2007). Digging Deeper into DPI. Allot Communications.

Al-Shaer, E. S., & Hamed, H. H. (2002). Design and Implementation of Firewall Advisor Tools. Chicago: DePaul University.

Ou, G. (2009, October 27). Understanding Deep Packet Inspection (DPI) Technology. Retrieved from Digital Society: http://www.digitalsociety.org/2009/10/understanding-deep-packet-inspection-technology/

Papatheodoulou, N., & Sklavos, N. (2009). Architecture & System Design Authentication, Authorization, & Accounting Services. IEEE, 1831-1837.

Parsons, C. (2008). Deep Packet Inspection in Perspective: Tracing its lineage and surveillance potentials. The New Transparency: Surveillance and Social Sorting, 1-16.

Nazief, H. M., Sabastian, T. A., Presekal, A., & Guarddin, G. (2014). Development of University of Indonesia Next Generation Firewall Prototype and Access Control With Deep Packet Inspection. 2014 IEEE International Conference on Advance Computer Science and Information System. Jakarta: IEEE.

Thomason, S. (2012). Improving Network Security: Next Generation Firewalls and Advanced Packet Inspection Devices. Global Journal of Computer Science and Technology Network, Web & Security, 47-49.

Wang, C. (2009, June 4). Forrester: Deep Packet Inspection as an Enabling Technology. Retrieved from CSO Online: http://www.csoonline.com/article/2124061/network-security/forrester--deep-packet-inspection-as-an-enabling-technology.html

Q & A

Thank You