September/October 2003 (Vol. 15, No. 5)   pp. 1307-1315
Cascade of Distributed and Cooperating Firewalls in a Secure Data Network

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TKDE.2003.1232280

Abstract
Security issues are critical in networked information systems, e.g., with financial information, corporate proprietary information, contractual and legal information, human resource data, medical records, etc. The theme of this paper is to address such diversity of security needs among the different information and resources connected over a secure data network. Installation of firewalls across the data network is a popular approach to providing a secure data network. However, single, individual firewalls may not provide adequate security protection to meet the user's needs. The cost of super firewalls, design flaws, as well as implementation inappropriateness with such firewalls may retain security loopholes. Toward this, the idea proposed in this paper is to introduce a cascade of (potentially simpler and less expensive) firewalls in the secure data network—where, between the attacker node and the attacked node, multiple firewalls are expected to provide an added degree of protection. This approach, broadly following the theme of redundancy in Engineering Systems' Design, will increase the confidence and provide more completeness in the level of security protection by the firewalls. The cascade of (i.e., multiple) firewalls can be placed across the secure data network in many ways, not all of which are equally attractive from cost and end-to-end delay perspectives. Toward this, we present heuristics for placement of these firewalls across the different nodes and links of the network in a way that different users can have the level of security they individually need, without having to pay added hardware costs or excess network delay. Three metrics are proposed to evaluate these heuristics: cost, delay, and reduction of attacker's traffic. Performance of these heuristics is presented using simulation, along with some early analytical results. Our research also extends the firewall technology into the well-known advantages of distributed firewalls. Furthermore, the distributed firewalls can be designed to cooperate and stop an attacker's traffic closest to the attack point—thereby reducing the amount of hacker's traffic into the network.
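As an added illustration (not code from the paper), the following Python models a small constructed topology and applies a simple greedy placement heuristic scored on the abstract's three metrics: cost, delay, and reduction of attacker traffic. The topology, unit cost, per-firewall delay and per-firewall blocking fraction are all assumed values, and the heuristic itself, which favours placing each firewall closest to the attack point, is an assumption about how such a heuristic might look, not the paper's own.

```python
from collections import deque

# Constructed sample topology (assumption, not from the paper): node -> neighbours.
# Attackers enter at "A"; the protected hosts are "H1" and "H2".
TOPOLOGY = {
    "A": ["R1"], "R1": ["A", "R2", "R3"], "R2": ["R1", "R4"], "R3": ["R1", "R4"],
    "R4": ["R2", "R3", "H1", "H2"], "H1": ["R4"], "H2": ["R4"],
}
FIREWALL_COST = 1.0       # assumed hardware cost per (simple) firewall
FIREWALL_DELAY_MS = 2.0   # assumed per-firewall processing delay
BLOCK_FRACTION = 0.9      # assumed share of attacker traffic one firewall stops

def shortest_path(graph, src, dst):
    """Breadth-first search; returns the hop-shortest node path from src to dst."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]

def evaluate(graph, firewalls, attacker, targets):
    """Score a placement: (total cost, worst-case added delay in ms,
    minimum over targets of the fraction of attacker traffic stopped)."""
    cost, worst_delay, reductions = FIREWALL_COST * len(firewalls), 0.0, []
    for target in targets:
        cascade = [n for n in shortest_path(graph, attacker, target) if n in firewalls]
        worst_delay = max(worst_delay, FIREWALL_DELAY_MS * len(cascade))
        # Each firewall in the cascade independently stops BLOCK_FRACTION of what reaches it.
        reductions.append(1 - (1 - BLOCK_FRACTION) ** len(cascade))
    return cost, worst_delay, min(reductions)

def greedy_place(graph, attacker, targets, budget):
    """Place up to `budget` firewalls; each step picks the node that most raises the
    minimum traffic reduction, breaking ties toward the node nearest the attacker."""
    placed, candidates = set(), [n for n in graph if n != attacker and n not in targets]
    for _ in range(budget):
        def score(n):
            gain = evaluate(graph, placed | {n}, attacker, targets)[2]
            return (gain, -len(shortest_path(graph, attacker, n)))
        best = max(candidates, key=score)
        placed.add(best)
        candidates.remove(best)
    return placed
```

The model only scores the single hop-shortest path per target, so a real placement study would also consider alternate routes an attacker could take around a firewall.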
Additional Information
Index Terms: Firewall, network security, security management, multilevel security, class-filters, cascade of firewalls, data security.

Citation: Robert N. Smith, Yu Chen, Sourav Bhattacharya, "Cascade of Distributed and Cooperating Firewalls in a Secure Data Network," IEEE Transactions on Knowledge and Data Engineering, vol. 15, no. 5, pp. 1307-1315, Sept/Oct 2003.
