Domain and Type Enforcement Firewalls
Karen Oostendorp, Lee Badger, Christopher Vance, Wayne Morrison, Michael Petkac, David
Sherman, Daniel Sterne, Trusted Information Systems Inc.
The Annual Computer Security Applications Conference (ACSAC) December, 1997
Presented by Chris Dion
Outline For Tonight
• Introduction
• Domain and Type Enforcement review
• DTE firewall design and mechanisms
• Evaluation of DTE firewall security
• Related work / future directions
• Conclusions
Internet Firewalls
• Conventional firewalls use simplistic inside vs. outside model
• Incompatible with business practices that require trust outside the firewall
• No protection against attacks from the inside, and no protection of sensitive data once the perimeter is crossed
• We need a better way to protect inside networks!
What is DTE?
• An enhanced form of type enforcement (a table-oriented mandatory access control mechanism)
• Entities are split logically into two categories:
  – Passive entities (files, network packets): associated with a type
  – Active entities (processes): associated with a domain and a protected user identifier (UID)
• Access control decisions are made by consulting the DTE policy database: the table says which access modes a domain has to each type
What is DTE? (continued)
• To extend protection across networks, DTE uses three attributes, carried in an IP option:
  – The DTE type of the information
  – The domain of the source process
  – The DTE-protected UID of the source process
• For compatibility with non-DTE systems, packets from hosts that do not run DTE are assigned attributes based on their source IP address
DTE Firewall Concept
[Figure slide: DTE firewall between internal and external hosts; diagram not recoverable from the extraction]
• As with a "normal" firewall, the DTE firewall intercepts network traffic between internal and external hosts
• If the end host runs DTE: the firewall passes along the communication attributes
• For non-DTE hosts: the firewall performs access control on behalf of the non-DTE host
Controlling Exported Services
[Figure: a non-DTE external client reaches an interior server through the firewall proxy. The firewall assigns the client's DTE attributes and determines whether the communication is allowed; the check is specific to the protocol.]
Proxy Algorithm
1. Extract client attributes
   • Attributes are available in each IP message (carried in the IP option, or assigned by the firewall for non-DTE hosts)
2. Optionally authenticate
   • If the client is non-DTE, use the configured authentication method
   • If the client is DTE, the proxy may trust the protected UID
3. Connect to the server
4. Pass data and DTE attributes bidirectionally
   • The proxy may block data based on the attributes
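The proxy algorithm above, together with the attribute handling from the DTE overview slides, as an added worked example; this is not code from the paper or from the TIS prototype. It simulates the firewall's decision in Python: a hypothetical (domain, type) access table, attribute extraction from a packet's IP option or assignment by source address, optional authentication (a DTE host's protected UID is trusted; a constructed credential table stands in for the "configured method"), and attribute-based blocking of relayed data, with the access mode supplied per protocol operation. The access table, addresses, server names and credentials are all constructed. One rule is an assumption added here: IP-option attributes are honoured only from a configured list of DTE hosts, since the deck does not say how the firewall tells a DTE host from a forged option.

```python
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Access database: (domain, type) -> permitted modes. Hypothetical policy,
# constructed for this example; a missing entry means deny.
ACCESS = {
    ("inside_d", "inside_t"): {"read", "write"},
    ("inside_d", "partner_t"): {"read", "write"},
    ("inside_d", "public_t"): {"read", "write"},
    ("partner_d", "partner_t"): {"read", "write"},
    ("partner_d", "public_t"): {"read"},
    ("outside_d", "public_t"): {"read"},
}

def dte_allows(domain: str, type_: str, mode: str) -> bool:
    """The DTE access-control decision: consult the table, default deny."""
    return mode in ACCESS.get((domain, type_), set())

# Hosts known to run DTE (constructed address). Assumption: only their
# IP-option attributes are honoured; an option from any other host is ignored.
DTE_HOSTS = {ipaddress.ip_address("10.1.0.7")}

# Attributes the firewall assigns to non-DTE traffic by source network
# (constructed addresses): (domain, type). No protected UID is available.
SOURCE_ASSIGNMENT = [
    (ipaddress.ip_network("10.1.0.0/16"), ("inside_d", "inside_t")),
    (ipaddress.ip_network("192.0.2.0/24"), ("partner_d", "partner_t")),
]
DEFAULT_ASSIGNMENT = ("outside_d", "public_t")

@dataclass
class Packet:
    src: str
    # The three DTE attributes carried in the IP option: (type, domain, uid)
    dte_option: Optional[Tuple[str, str, int]] = None

@dataclass
class ClientAttrs:
    domain: str
    type_: str
    uid: Optional[int]      # protected UID, only meaningful from a DTE host
    from_dte_host: bool

def extract_attributes(pkt: Packet) -> ClientAttrs:
    """Step 1: take attributes from the IP option, or assign them by source IP."""
    addr = ipaddress.ip_address(pkt.src)
    if pkt.dte_option is not None and addr in DTE_HOSTS:
        type_, domain, uid = pkt.dte_option
        return ClientAttrs(domain, type_, uid, True)
    for net, (domain, type_) in SOURCE_ASSIGNMENT:
        if addr in net:
            return ClientAttrs(domain, type_, None, False)
    return ClientAttrs(*DEFAULT_ASSIGNMENT, None, False)

# Stand-in for the configured authentication method (constructed table):
# user -> (password, uid). A real proxy would consult a password database.
CREDENTIALS = {"alice": ("correct horse", 1001), "bob": ("battery staple", 1002)}

def authenticate(attrs: ClientAttrs, creds: Optional[Tuple[str, str]]) -> Optional[int]:
    """Step 2: trust a DTE host's protected UID; otherwise run the configured method."""
    if attrs.from_dte_host and attrs.uid is not None:
        return attrs.uid
    if creds is None:
        return None
    user, password = creds
    entry = CREDENTIALS.get(user)
    if entry is not None and hmac.compare_digest(entry[0], password):
        return entry[1]
    return None

@dataclass
class Server:
    name: str
    type_: str   # DTE type of the data this interior server holds

SERVERS = {
    "www": Server("www", "public_t"),
    "partner-ftp": Server("partner-ftp", "partner_t"),
    "intranet": Server("intranet", "inside_t"),
}

def connect(name: str) -> Server:
    """Step 3: connect to the requested interior server (simulated as a lookup)."""
    return SERVERS[name]

def relay(attrs: ClientAttrs, server: Server, mode: str, data: bytes):
    """Step 4: pass data only if the client's domain has `mode` access to the
    server's type. Relayed data is labelled with the server's type so the
    receiving side sees the trust identifier; None means the data was blocked."""
    if not dte_allows(attrs.domain, server.type_, mode):
        return None
    return (server.type_, data)

def proxy(pkt: Packet, server_name: str, op: str, creds=None, require_auth=True):
    """Whole proxy decision for one protocol operation. `op` is the access mode
    the protocol operation implies (e.g. an HTTP GET is "read", an FTP store is
    "write"). Returns (allowed, uid, reason)."""
    attrs = extract_attributes(pkt)
    uid = authenticate(attrs, creds)
    if require_auth and uid is None:
        return (False, None, "authentication failed")
    server = connect(server_name)
    if relay(attrs, server, op, b"request") is None:
        return (False, uid, f"{attrs.domain} may not {op} {server.type_}")
    return (True, uid, "ok")
```

A forged IP option from an outside address falls through to the source-address assignment, so the packet is treated as `outside_d` and is refused access to `inside_t` data; that is the check a practitioner would want before trusting attributes the network carries.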
Controlling Imported Services
[Figure: an interior DTE client reaches an exterior server through the firewall, which relays the DTE attributes. This (1) prevents attacks on the client and (2) labels the returned data with a trust identifier.]
Network Services Evaluation
• Evaluation of several network services running through a DTE firewall:
  – rlogin
  – TELNET
  – Mail
  – FTP
  – NFS
  – HTTP
• Evaluation criteria considered:
  – Security
  – Preservation of functionality
  – Compatibility with non-DTE hosts
  – Performance
Security Evaluation
• The effectiveness of attacks is reduced if programs execute with the minimum access rights they require
• Three primary areas where DTE reduces program authority:
  – Confined proxies: each proxy runs in its own separate domain
  – Protected servers on the firewall: services can run on the DTE firewall safely because their access rights are restricted
  – Defense in depth: prevents clients from tricking interior services into granting access
Functionality Evaluation
• For imported services, functionality is rarely affected
  – User authentication can be supplied by the client's DTE system
• For exported services, functionality increases
  – No longer necessary to run the server outside the firewall
  – The server can run behind the firewall, with the additional security of running in a domain restricted according to its trust level
Compatibility Evaluation
• Can operate either with DTE or non-DTE systems
• Few changes to applications are needed to function with DTE firewalls, with the exception of the NFS server (kernel-resident in UNIX)
• Some services required administrative configuration
  – NFS clients must explicitly name the firewall host as the server for file systems behind the firewall
Performance Evaluation
• Testbed setup:
  – 3 Pentium 166 MHz machines on an isolated network
  – Running BSD/OS 2.0 with the DTE prototype
  – A configuration is a triple (client, firewall, server)
    • (n,y,n) indicates the firewall running DTE while client and server are non-DTE
Performance Evaluation
• For rlogin, TELNET, and FTP, an Expect script authenticates and passes traffic (20 iterations)
  – Performance was at worst a 13% degradation
  – Actually better when the client runs DTE, since it passes the protected UID instead of authenticating (except for FTP, which does its own authentication)
• For HTTP, ZeusBench was used: it connects, retrieves a web page, and disconnects
  – Approximately 50% slower in the worst case, due to a low-performance implementation of DTE
Raw Performance in Seconds
[Table: raw timings in seconds per service and (client, firewall, server) configuration; values not recoverable from the extraction]
NFS Performance
• Used two widely known benchmark packages (Iozone and NFSstones)
• Performance of writes was moderately affected
• Reads dominate NFS performance, with a slowdown of 38% at most
• Largely due to the dual-domain combination and the manipulation of additional file handles
NFS Test Results
[Figure: NFS benchmark results; larger numbers indicate better performance]
Related Work
• Three types of firewalls:
  – Packet filtering
  – Circuit gateway (forces TCP connections to go through an intermediary)
  – Application gateway (operates on a per-protocol basis)
• DTE could be added to all three; it was incorporated into the application gateway because the proxies interact with the protocol
• Type enforcement is implemented on a number of systems, such as DTOS, XENIX, and the Secure Ada Target
Future Directions
• This paper addresses the first phase: a manually administered DTE firewall
• The second phase is to allow dynamic updates to DTE modules and to support interactions between non-identical policies
• The third phase will allow central administration of security policies
Conclusions
• Firewall perimeter security is relatively weak
• DTE supports role-based policies that relate resource access to individual responsibilities
• Showed that functionality stayed the same (and increased for NFS), with performance hits that can be eliminated through optimization techniques
• Administrative costs are still an open issue