Proactive Security Mechanism and Design for Firewall

doi:10.4236/jis.2011.23012

Paper Menu >>

Journal Menu >>

Journal of Information Security, 2011, 2, 122-130

doi:10.4236/jis.2011.23012 Published Online July 2011 (http://www.SciRP.org/journal/jis)

Proactive Security Mechanism and

Design for Firewall

Saleem-Ullah Lar1,3, Xiaofeng Liao2, Aqeel ur Rehman1, Qinglu Ma1

1Department of Com p uter Sci e nce , Chongqing University, Chongqing, China

2Faculty of Computer S cience , Senior Member IEEE, Chongqing University, Chongqing, China

3Departme nt of Comp uter Science and IT, T he Isl a mi a U niversi t y Bahawalpur, Pakistan

E-mail: salimbzu@gmail.com

Received June 2, 2011; revised July 5, 2011; accepted July 15, 2011

Abstract

In this paper we have present the architecture and module for internet firewall. The central component is

fuzzy controller while properties of packets are fuzzified as inputs. On the basis of proposed fuzzy security

algorithm, we have figured out security level of each packet and adjust according to packets dynamic states.

Internet firewall can respond to these dynamics and take respective actions accordingly. Therefore, proactive

firewall solves the conflict between speed and security by providing high performance and high security.

Simulation shows that if the response value is in between 0.7 and 1 it belongs to high security.

Keywords: Firewall Security, Security Evaluation, Network Security

1. Introduction

The expansion of the Internet and e-Commerce has made

organizations more vulnerable to electronic threats than

ever before. With the increasing quantity and sophistica-

tion of attacks on IT assets, companies have been suffer-

ing from breach of data, loss of customer confidence and

job productivity degrad ation, all of which even tu ally lead

to the loss of revenue. According to the 2004 CSI/FBI

Computer Crime and Security survey [1], organizations

that acknowledged financial loss due to the attacks (269

of them) reported $141 millio n lost, and this number has

only grown since. Moreover, as unskilled, unmanned

attacks such as worms and viruses multiply the probab il-

ity of attack approaches for every organization. The

question therefore shifts from whether an attack will oc-

cur, to when an attack will occur. Thus, a so und IT secu-

rity plan is more important than ever, and the protection

provided by current and emerging Intrusion Prevention

Systems (IPS) is becoming a critical component [2-5].

IPS utilizes IDS algorithms to monitor and drop or al-

low traffic based on expert analysis. These devices nor-

mally work at different areas in the network and proac-

tively monitor any suspicious activity that could other-

wise bypass the firewall. IPS “firewalls” can intelligently

prevent malicious traffic from entering/exiting the fire-

wall and then alert administrators in real time about any

suspicious activity that may be occu rring on the network

[6]. A complete network IPS solution also has the capa-

bility to enforce traditional static firewall rules and ad-

ministrator-defined whitelists and blacklists.

Though IPS devices are the most resource intensive, they

are still relatively high-performing due to the latest proces-

sors, software, and hardware advancements. IPS may be

distributed and hardware based [7-10]. Today two catego-

ries of IPS exist: Network-based Intrusion Prevention and

Host-based Intrusion Prevention. Network IPS monitors

from a network segment level, and can detect and prevent

both internal and external attacks. Network IPS devices

separate networks in much the same fashion as firewalls.

Host IPS software runs d irectly on workstation s and server s

detects and prevents threats aimed at the local host. In both

cases, attack recognition is usually accomplished via two

primary methods of IDS: known-attack detection, and ano-

malous beha vior det ecti on.

This paper focuses on fuzzy mechanism with the help of

Gaussian mechanism as a member function and center of

gravity procedure which is an implementation of a fuzzy in-

puts and outputs respectively in the model. The rest of the

paper is organized as follows: Section 2 presents the chal-

lenges faced by traditional security architectures. Section 3

describes proposed firewall architecture. Section 4 explains

about proposed pro active fuzzy security mechanism. Finally,

Section 5 presen ts simulati on results an d concludes t he paper.

S.-U. LAR ET AL.

123

2. The Challenges for Traditional Security

Architecture

In fact, it is still the Firewall that plays the key role in

traditional security architecture, since it controls most of

the incoming and outgoing traffic of an enterprise. Es-

sentially the firewall is almost a must-have in each en-

terprise. To review the challenges for the traditional ar-

chitecture, undoubtedly it is necessary to address on the

limitation of traditional firewalls. The inability of current

firewalls may include:

1) Limited ports & performance.

2) Complicated UI configuration and policy manage-

ment.

3) Scalability limitation to correspond to organization

growth.

4) Unreliable network secur ity, due to “Single Point of

Defense.

5) Insufficient capability to effectively manage

emerging internet applications hidden in HTTP traffic.

6) Passive security mechanism to respond network

threats including network worms, Trojans and cyber-

attacks.

Facing the emerging malicious codes, network worms

and hybrid attacks today, tradition al firewall is no longer

effectively to harden your enterprise network. Traditional

firewalls usually inspect the incoming traffic cautiously,

and it can base on the network policies to permit, deny or

drop the traffic depending on the traffic trusty or illegal.

But for the outgoing traffic, unfortunately the HTTP traf-

fic is always permitted in the enterprise network, and the

firewalls are lack of the management capability to in-

spect the evolving internet applications which now can

hide themselves in the HTTP traffic and sneak out. Thus,

the enterprises gate seems secure but in fact, the security

cracks have been created.

3. Proposed Firewall Architecture

A true firewall is the hardware and software that inter-

cepts the data between the Internet and your computer.

All data traffic must pass through it, and the firewall al-

lows only authorized data to pass into the corporate net-

work. Firewalls are typically implemented using one of

four primary architectures.

 Packet Filters

 Circuit-level Gateways

 Application Proxies

 Network Address Translation

3.1. Definition

Our definition covers the state of firewall technolog y as a

distributed security architecture placed on the data trans-

mission path between communication endpoints. Our

definition of firewall technology states that communica-

tion traffic needs to enter or leave a network security

domain to be of interest to firewall technology. Figure 1

illustrates the possible combinations for point-to-point

communication. For any traffic between sender ai and

receiver bi the definition includes traffic that traverses

the protected domain ({,}, 1)

Aii A

Dab Diand traffic

that traverses networks that are not part of DA with aiεDA

and bi DA (outbound traffic; i = 2), ai 2= DA and bi 2 DA

(inbound traffic i = 3), or both ai 2 DA and bi 2 DB (vir-

tual private networking between DA and DB; i = 4).

Communication traffic between ai and bi that neither

enters nor leaves a network policy domain is not subject

to firewall technology.

Sender {1,2,3,4}

Receiver













{,}, 1

iAii A

aDabD i





Fuzzy agent is the basic element in this architecture

specific attack or a particular phase of an attack. It con-

sists of three components; fuzzy Context, exponential

moving average module and fuzzy inference engine

shown in Figure 2. Fuzzy context represents the problem

domain i.e. normal profile of network in reference to

particular intrusion. Ex ponential moving average module

adapts the fuzzy context according to current network

conditions and traffic patterns, while fuzzy inference

engine actually classifies an event using fuzzy know-

ledge base and real-time inputs. Fuzzy context is a key

component of the fuzzy agent, which consists of rules

and membership functions. Context generation and evo-

lution module constructs optimized rules and member-

ship functions for current network. Fuzzy rules can be

expressed in terms of simple if-then statements with

higher interpretability score. Let the fuzzy sets for fuzzy

input variables are low, medium and high. The member-

ship functions of each linguistic fuzzy set in terms of

boundary parameters are describe by Equations (1)-(2).

The boundary parameters are functions of evolved para-

meters as defined in Equation (5) and moving average

Figure 1. Communication traffic governed by firewall tech-

nology between senders and receivers.

S.-U. LAR ET AL.

124

Figure 2. Architecture of a fuzzy typical approach.

modules output. Member-ship functions contract or ex-

pand linearly according to network history depending

upon exponential moving average modules output. This

helps in adjusting the attack threshold value at that par-

ticular interval while evolved parameters set the normal

and not-normal class boundaries.

Fuzzy inference engine that is third component of

fuzzy agent, classifies the real-time input as normal or

malicious using fuzzy knowledge base. It basically ac-

complishes three functions (fuzzification, fuzzy infe-

rence, defuzzification) based on Mumdani principle [11].

In fuzzification, a crisp input i.e. a record from feature

set is mapped to fuzzy sets to determine the membership

degree. The inference engine evaluates applicable rules

and their degree of matching to generate consequent

rules. The defuzzification function aggregates the con-

sequent rules and using centroid method, generates one

crisp output, which determines the class of input record

[11].

3.2. Controller

Proposed mechanism is employed in the controller which

is the core module this firewall. The controller has the

functionality to integrate with th e arrival packets (inputs)

applied rules, and fuzzy logic to measure the security

level of arriving packets. Using these values controller

has to do following main tasks to process the connections

accordingly.

1) Filtration

2) Dynamic Monitoring

3.3. Dynamic Packet Filtering

Dynamic packet filtering is a firewall and routing capa-

bility that provides network packet filtering based not

only on packet information in the current packet, but also

on previous packets that have been sent. For example

without dynamic packet filtering, a connection response

may be allowed to go from the internet to the secu re part

of the netwo rk. Dynamic packet filtering would con sider

whether a connection was started from inside the secure

part of the network and only allow a connection response

from the internet if the packet appeared to be a response

to the request.

Dynamic packet filtering filters packets based on:

1) Administrator defined rules governing allowed ports

and IP addresses at the network and transport layers of

the OSI network model.

2) Connection state which considers prior packets that

have gone through the firewall.

3) Packet contents including the application layer

contents

Static packet filtering only filters packets based on

administrator defined rules governing allowed ports and

IP addresses at the network and transport layers of the

OSI network model as mentioned in item 1 above.

Therefore dynamic packet filtering also called state-full

inspection which provides additional capabilities includ-

ing inspection of packet contents up to the application

layer and consideration of the state of any connections.

Dynamic packet filtering provides a better level of se-

curity than static packet filtering since it takes a closer

look at the conten ts of the packet and also considers pre-

vious connection states.

3.4. Network Address Translation

NAT is a very important aspect of firewall security. It

conserves the number of public addresses used within an

organization, and it allows for stricter control of access

to resources on both sides of the firewall. Most modern

firewalls are state full—that is, they are able to set up the

connection between the internal workstation and the In-

ternet resource. They can keep track of the details of the

connection, like ports, packet order, and the IP addresses

involved. This is called keeping track of the state of the

connection. In this way, they are able to k eep track of the

session composed of communication between the

workstation and the firewall, and the firewall with the

Internet. When the session ends, the firewall discards all

of the information about the connection. It is suggested

S.-U. LAR ET AL.

125

to design network using RFC-1918 [12] that never ad-

vertised outside from the intranet. The mapping is dy-

namic so it is difficult to guess either two connections

with the same IP actually come from the same or differ-

ent hosts.

3.5. Security Rules and Policies

Allowing or denying services or connections between

networks defined by security policies and rules.

4. Proactive Fuzzy Security Mechanism

Saniee Abadeh [13] presents combined fuzzy logic and

genetic algorithm to evolve fuzzy rules, optimize mem-

bership functions to detect new anomalies. While our

proposed proactive firewall security mechanism which is

employed in the fuzzy controller is different and ex-

plained as follows.

4.1. Proactive Control

Since the state of packets in the networks is constantly

varying, its security level is also changeable. Previous

secure user may initiate malicious attack or disobey the

security rules. So the fields of “attack times” are used to

record the times of disobeying security rules. Accor-

dingly, the source or destination security values will be

adjusted to respond to its varying security state. When

the source and destination security vary from 1 to 0, the

overall security level of the connection smoothly vary

accordingly. Therefore, the output can reflect the chan-

ges of packets status. Different methods and security

policies are used for 1148 different kinds of connections

and policies of control over them are adjusted according

to their varying states. So, the firewall is fuzzily adap tive

and proactive.

4.2. Source Generation

Figure 3 describe Input generation based on source and

destination security values employed in fuzzy controller.

Range of input is [0, 1] and value is directly proportional

to security level. We have defined Gaussian member

function for the source security, which is represented as



,, e01

Ssc S







 (1)



, Sm



and h



denoted as Low, Medium, and High

security levels for the source member function respec-

tively depending on parameters



and c.



,, e01

DDc D







 (2)



and



denoted as Low, Medium, and

High security levels for the destination member function

respectively.

4.3. Applied Rules and Regulations

For our system we have defined the rules as shown in the

Figure 3, while fuzzy applied relations for the applied

rules are as follows.

Rule 1 IF source = low and destination = low

THEN security = low

Rule 2 IF source = low and destination = medium

THEN security = low

Rule n IF source = high or destination = high

THEN security = high

Mathematically we can define applied relations as,

For Rule 1: 1111

SDZ



μμμ

For Rule n:

nSnDnZn



μμμ

So we can write that,

RR Rn



μμ μ

(3)

Therefore,





SDR



 (4)

and









SDR

μzμμ

(5)

We defined above rules just to cope up with the issue

of input space up to maximum possible effort. Since

process mostly requires non-fuzzy values, so defuzzifi-

cation process is necessary to implement this is described

in next section. For low priority based trusted packets

both application level and dynamic packet monitor are

used providing high security, while filtration takes place

for highly trusted packets. It is fuzzily adaptive and

proactive in a sense that its characteristics and packet

status are fuzzified and its output reflects the packet dy-

namic status (Figure 4).

4.4. Destination Generation

We have defined member function for destination output

which is obtained from Equation (5 ) as,



zzz

Zzz







The above equation used is based on center of gravity

method.

Figure 5 shows the characteristics and security level

designed for output generation based on the rules and

relations desc ribed earlier.

S.-U. LAR ET AL.

126

Figure 3. Input members function ge ne r a tion.

Figure 4. Defining fuzzy rules.

5. Simulation and Analysis

This section describes the experimental results and per-

formance evaluation of the proposed system. The pro-

posed system is implemented in MATLAB (7.0.1).

Based on above defined procedure our simulation results

described in the following figures. Figure 6 descr ibes the

value generated by source and destination with its secu-

rity level based on the defined rules. We can see that

values on both sides are almost directly proportional

which reflects the level of the security

The fuzzy rules given to the fuzzy system is done

S.-U. LAR ET AL.

127

Figure 5. Members function for destination output security.

Figure 6. Visualization of Source and destination with security level (rule observer).

manually by analyzing intrusion behavior. Some time it

is very difficult to generate fuzzy rules manually due to

the fact that the input data is huge and also having more

attributes. But, a few of researches are available in the

literature for automatically identifying of fuzzy rules in

recent times. Motivated by this fact, we make use of

mining methods to identify a better set of rules.

Table 1 and Figure 7 shows the clear view about the

security level for each connection.

Various control method used to monitor and control the

connection according to its security level. Therefore

firewall is proactive, intelligent and remains secure and

provide high perf ormance.

A smoothly varying surface can provide the value of

S.-U. LAR ET AL.

128

overall security level for each connection. It has been

observe deeply through ramp function that input and

output security varies from 0 to 1 and the overall security

level also varies smoothly, and we can get the status of

the packets from the output generation. The ramp func-

tion is an elementary unary real function, easily comput-

able as the mean of its independent variable and its ab-

solute value and it is derived by the look of the graph.

From Figures 8 and 9 we can see that as source gen-

erated value increases or decreases it has clear effect on

the security level and a particular action will be taken

place based on the results.

6. Conclusions

In this work, fuzzy based system was designed to eva-

luate the threat level of identified threats, because it is

impossible to provide assurance for the system and jus-

tify security measures incorporated unless the system is

analyzed during the designing state of computer based

systems. With this system designed, risk analysis has

been made easier to perform.

Figure 7. Surface level view (final result).

Figure 8. Rule and surface viewer (high security).

S.-U. LAR ET AL.

129

Figure 9. Rule and surface viewer (low security).

Table 1. Security level for each connection.

Output Value -μ(z) Security Level Action Taken for

Connection

>0 and <0.2 Insecure Denied

>0.2 and <0.4 Low Security Dynamic Monitoring and

Auditing

>0.4 and <0.7 Medium Security Dynamic Monitoring and

Filtering

>0.7 and <1 High Security Only Filter

Overall security level and methods to control packets

and connections can be adjusted as per network dynamic

status. It resolves the issues between security and speed

providing high security and high performance. It is fuz-

zily adaptive and intelligent and has flexibility with a

high degree of perfo rmance.

7. Future Work

For further research, this system designed can be rede-

signed using object orientated programming language

and other models like DREAD and SWOT model can be

used.

8. References

[1] CSI/FBI, “Computer Crime and Security Survey,” 2004.

http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2004.pdf

[2] C. Baumrucker, J. Burton, S. Dentler, et al., “Cisco Secu-

rity Professional’s Guide to Secure Intrusion Detection

Systems,” Syngress Publishing, Burlington, 2003.

[3] C. Endorf, E. Schultz and J. Mellander, “Intrusion Detec-

tion & Prevention,” McGraw-Hill, Boston, 2004.

[4] “Technical Overview of The Bouncer,”

http://www.cobrador.net/docs/whitepaper.pdf

[5] M. Barkett, “Intrusion Prevention Systems,” NFR Secu-

rity, Inc., 2004.

http://www.nfr.com/resource/downloads/SentivistIPS-W

P.pdf

[6] K. Xinidis, K. G. Anagnostakis and E. P. Markatos, “De-

sign and Implementation of a High Performance Network

Intrusion Prevention System,” Proceedings of the 20th

International Information Security Conference (SEC

2005), Makuhari-Messe, Chiba, 30 May-1 June 2005.

[7] T. Sproul and J. Lockwood, “Wide-Area Hardware-Ac-

celerated Intrusion Prevention Systems (WHIPS),” Pro-

ceedings of the International Working Conference on Ac-

tive Networking (IWAN), Lawrence, 27-29 October 2004.

[8] D. Sarang, K. Praveen, T. S. Sproull and J. W. Lockwood,

“Deep Packet Inspection Using Parallel Bloom Filters,”

IEEE Micro, Vol. 24, No. 1, 2004., pp. 52-61.

[9] D. V. Schuehler, J. Moscola and J. W. Lockwood, “Ar-

chitecture for a Hardware-Based, TCP/IP Content-Proc-

essing System”, IEEE Micro, Vol. 24, No. 1, 2004, pp.

62-69.

[10] H. Song and J. W. Lockwood, “Efficient Packet Classifi-

cation for Network Intrusion Detection Using FPGA,”

Proceedings of the International Symposium on Field-

Programmable Gate Arrays (FPGA’05), Monterey, 20-22

February 2005.

[11] J. Yen and R. Langari, “Fuzzy Logic: Intelligence, Con-

trol and Information,” Prentice Hall, Upper Saddle River,

1999.

S.-U. LAR ET AL.

130

[12] http://tools.ietf.org/html/rfc1918

[13] M. S. Abadeh, J. Habibi and C. Lucas, “Intrusion Detec-

tion Using a Fuzzy Genetics-Based Learning Algorithm,”

Journal of Network and Computer Applications, Vol. 30,

No. 2007, 2007, pp. 414-428.