Wits Firewall Project

IP Filters or firewalls play a very important role in enhancing the security and performance of networks. When a network packet arrives at a filter, the filter decides whether to let the packet through or not based upon a set of rules (commonly called an access list). Two problems have been identified with packet filters

Performance: the filter can become a bottleneck, particularly if the access list grows in size;
Maintenance: an access list may be developed over a period of years and by different people. This may make it difficult to understand what the access list actually means, and more seriously make it difficult to maintain in a secure way.

The Wits Firewall Project, one of the research projects of the Programme for Highly Dependable System, is examining a number of different aspects of firewalling to see how these problems can be addressed. Based on a novel representation of the firewall rules, preliminary experimental results have shown significant potential for not only overcoming these problems, but creating more flexible, powerful and efficient firewalls. We currently have four academic staff, two MSc and four honours students working on different aspects of this project.

Example

The diagram below is a simplified view of what a firewall or filter does.

Firewall picture A packet arrives from the internet. The firewall examines the IP packet header and consults its rule list. The rule list is examined in order for a rule that matches the header. The first rule that matches is applied and the packet is accepted or rejected depending on what the rule says. Similarly, packets leaving the internet are also examined to see whether they should be passed through or not.

This is an example of an IP filter because only the IP header (actually sometimes also part of the TCP or UDP header) are examined. There are more sophisticated (and expensive!) firewalls that use information in the higher level protocols to decide what to do.

Some of our Firewall Projects

Software lookup

Adi Attar and Scott Hazelhurst and examined how software lookup can be done using this novel representation. As part of her MSc research, Adi has designed and built a filter to act as a firewall and is running a series of experiments with real and synthetic data to evaluate the new approach.
Vimal Lala and Vashti Galpin extended this work, by using a more efficient data structure. For his honours research project, Vimal will design an algorithm for `squashing' the rule data structure and exploring the space/time trade-offs of this more sophisticted data structure
Opeyemi Oni extended this work by seeing its performance on IPv6.

Hardware implementation

The new technique looks ideal for flexible hardware implementation. Raymond Sinnappan and Scott Hazelhurst are proposing using field programmable gate arrays (FPGAs) for this. FPGAs have the advantage that they can be reprogrammed, which is ideal for firewalls since we may need to update the rules regularly. Implementing the firewall in hardware not only has the advantage that the lookup can be done far more quickly, but also that a lot of overhead (interrupts and data copying can be avoided). For his MSc research, Raymond has designed an algorithm for convering the access list of a firewall into a form suitable for programming and FPGA, and will be running a series of experiments to develop a performance model for FPGAs.

Rule Analysis and Validation

Analysis of the rules is potentially very useful. A simple protoype tool has been developed that allows a network administrator to view the rules from different perspective, to perform queries on the rules, and to do some limited automatic validation. It is also possible to explore the effects of making changes to the rules.

This tool can be extended in functionality in various ways to allow, for example, graphical analysis, more automatic validation, and conversion from one format into another.

Dynamic access lists

Currently access lists tend to be relatively static. This has several disadvantages since it means that a fixed, global security policy has to be in place at all times. This makes it difficult to cater for different classes of user, as well as for applications which may need varying types of connections when they run. If we have a too strict policy, then certain applications may not be able to run at full functionality; but if we have a too liberal policy then we may open some security holes.

As a simple example, suppose certain types of privileges across the firewall. Allowing those privileges opens up some security holes; not allowing them means that the application will not be able to run. One simple dynamic policy is to allow the firewalls rules to be updates for the period that the application runs. Thus, it is only while the application is running that we open up potential security holes.

Virtual Firewall Selector

PHDS has a virtual redirector project, intended for web applications where there is a need for high availability. A cluster of low-cost servers cooperate among themselves in transparent way to provide service in a scalable way.

Some references

Opeyemi Oni and Scott Hazelhurst. A Scheme to Improve Internet Firewall Efficiency for IPv6. Accepted for International Conference on Internet Technologies and Applications (ITA05), Wrexham, United Kingdom, September 2005.
S. Hazelhurst. Semantics, implementation and performance of dynamic access lists for TCP/IP packet filtering. South African Computer Journal, Vol. 33 December 2004. (preprint
S. Hazelhurst, O. Weissberg, G. Kamhi and L. Fix. A Hybrid Verification Approach : Getting Deep into the Design. Proceedings of the 39th ACM/IEEE Design Automation Conference, New Orleans, United States, June 2002.
S. Hazelhurst and J. Arlat. Specifying and Verifying Fault Tolerant Hardware. Designing Correct Circuits, Grenoble, France, April 2002.
S. Hazelhurst. A Proposal for Dynamic Access Lists for TCP/IP Packet Filtering. Proceedings of the South African Institute of Computer Scientists and Information Technologists, September 2001.
R. Sinnappan and S. Hazelhurst. `A Reconfigurable Approach to Packet Filtering'. In Proceedings of FPL 2001: 11th International Conference on Field Programmable Logic and Applications, Belfast, United Kingdom, August 2001.
S. Hazelhurst. Algorithms for Analysing Firewall and Router Access Lists. Technical Report TR-Wits-CS-1999-5, July, 1999.Abstract Docu ment Gzipped PostScript
S. Hazelhurst, A. Attar, R. Sinnappan. Algorithms for Improving the Dependability of Firewall and Filter Rule Lists. Workshop on Dependability of IP Applications, Platforms and Networks. Published in Proc. Int Conf on Dependable Systems and Network, IEEE Computer Society Press, New York, June 2000.
Y. Chen, V. Galpin, S. Hazelhurst, R. Mateer and C. Mueller. Development of a Decentralized Virtual Service Redirector for Internet Applications. Proceedings of the Seventh IEEE Workshop on Future Trends of Distributed Computing Systems, December 1999, pp. 235--241.

Last modified August 13, 2000

Also see our Computational Molecular Biology and Bioinformatics pages.