AIT Asian Institute of Technology

Cascade of distributed and cooperating firewalls in multiple - entry environment

Author: Mudgal, Mayank
Call Number: AIT Thesis no. ICT-06-01
Subject(s): Firewalls (Computer security)

Note: A thesis submitted in partial fulfillment of the requirements for the degree of Master of Engineering, School of Engineering and Technology
Publisher: Asian Institute of Technology
Series Statement: Thesis ; no. ICT-06-01
Abstract: Security issues are critical in networked information systems, e.g., those holding financial information, corporate proprietary information, contractual and legal information, human resource data, medical records, etc. The theme of this thesis is to address such diversity of security needs among the different information and resources connected over a secure data network. Installing firewalls across the data network is a popular approach to providing a secure data network. However, single, individual firewalls may not provide adequate security protection to meet the user's needs. The cost of super firewalls, design flaws, and inappropriate implementation of such firewalls may leave security loopholes. To address this, the idea proposed in this thesis is to introduce a cascade of (potentially simpler and less expensive) firewalls in the secure data network, where, between the attacker node and the attacked node, multiple firewalls are expected to provide an added degree of protection. This approach, broadly following the theme of redundancy in engineering systems design, increases confidence in, and the completeness of, the level of security protection provided by the firewalls. Three metrics are proposed to evaluate the design: cost, delay, and reduction of attacker's traffic. The performance of these heuristics is presented using simulation, along with some early analytical results. The distributed firewalls can be designed to cooperate and stop an attacker's traffic closest to the attack point, thereby reducing the amount of hacker's traffic entering the network. However, managing firewall rules, particularly in multi-firewall enterprise networks, has become a complex and error-prone task. Firewall filtering rules have to be written, ordered and distributed carefully in order to avoid firewall policy anomalies that might cause network vulnerability. Therefore, inserting or modifying filtering rules in any firewall requires thorough intra- and inter-firewall analysis to determine the proper rule placement and ordering within the firewall. We present an algorithm to automatically discover policy anomalies in centralized and distributed legacy firewalls. These techniques are implemented in a software tool that gives the network topology, simplifies the management of filtering rules and maintains the security of next-generation firewalls.
Year: 2006
Corresponding Series Added Entry: Asian Institute of Technology. Thesis ; no. ICT-06-01
Type: Thesis
School: School of Engineering and Technology (SET)
Department: Department of Information and Communications Technologies (DICT)
Academic Program/FoS: Information and Communication Technology (ICT)
Chairperson(s): Rajatheva, R.M.A.P.
Examination Committee(s): Ahmed, Kazi M.; Teerapat Sa-nguankotchakorn
Scholarship Donor(s): Asian Institute of Technology Fellowship
Degree: Thesis (M.Eng.) - Asian Institute of Technology, 2006

