DIADEM FIREWALL    FP6 IST-2002-002154
MonAM 2006



Potential impact

Current firewalls are software or hardware entities that apply various forms of ACLs to network traffic entering or leaving a controlled network. They are located between the network and the servers, and therefore tend to become a bottleneck because of the amount of traffic they handle. These firewalls also have no control over traffic that is internal to the network. Stateful protocols that negotiate random ports for data transfer after the control messages have been exchanged make firewalls very complex and require extensive state keeping. As e-commerce transactions become cost-effective and prevalent, there is a need to open parts of the enterprise network to customers and/or suppliers, which adds a further layer of complexity. End-to-end encryption of traffic is affected because the firewall has to proxy the secure connections. The same holds in the SOHO and SME context. Dealing with security only at the edge of the network does not prevent massive attacks such as Distributed Denial of Service (DDoS).

To give an idea of the scale of the problem studied by DIADEM FIREWALL: since 2000, the cost of security attacks worldwide has been approximately evaluated at 1.600 billion Dollars according to InformationWeek Research and PriceWaterHouseCoopers. Moreover, whereas 50% of all companies were attacked in 1998, this ratio had climbed to 74% in 2002. With the generalization of broadband networks, we may expect even more, and new attacks should appear soon with the advent and generalization of broadband access networks. We think that security solutions have to take into account the characteristics of new generation networks: generalized broadband, QoS support, mobility, etc. Moreover, security must be treated consistently with QoS management and, to a lesser degree, with the heterogeneity of access networks (fixed or mobile).

Another problem is the rapid emergence of new services and protocols (standard or proprietary), particularly in the multimedia domain. All providers and operators upgrade the associated protocols and services, but current security solutions are rather static and managed manually. The limits of this approach are visible today when introducing multimedia applications that dynamically open communication channels and introduce real-time constraints. For simplicity we may consider at least two types of media: discrete media (a still frame, a text) and continuous streams (audio, video). The latter entail time constraints, which are more or less restrictive depending on the type of application. In order to take these new applications and their protocols into account, the firewall architecture must be rethought, as well as the architecture of all its functionalities. In particular, with 3G Internet, mobility and ever-evolving data rates, it is necessary to combine the security mechanisms with the mechanisms for high data rate processing and mobility (for instance secure MPLS pipes based on IPv6). The challenge of the DIADEM FIREWALL project is not only to react on demand to the frequent changes at the edge of the network but also inside the network, by separating concerns between the transfer, control and service planes (NGN architecture) and introducing more programmability within the control plane. The project covers the requirements for DIADEM FIREWALL and the various elements that constitute the framework and the future network security solution for high data bit rates. Using this approach, security policies can be defined in a flexible but secure way, both corporate-wide and tailored to specific partitions of the network. Business relationships can be translated into dynamic rules, possibly installed as an overlay, without changing the baseline security rules of other nodes.

On the other hand, it is not enough to protect servers against attacks coming from inside by managing the whole chain between clients and servers; we also need to preserve each network inside a domain against the networks it is interconnected with. In this project we propose high data rate solutions and will provide interconnection solutions based on available routers. With the DIADEM FIREWALL solution, a DDoS attack will not be able to propagate between different network domains, which is an important point for operators. The project enables a new approach to the exchanges between the different actors (operators, clients, providers, etc.). Developing the interfaces between the different pieces of equipment in the network will be the first step towards operator interactions. We will deploy the solution in a real-scale experiment between two operators.