See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/228852607

Analysis of Identity Based Firewall Systems

Article · January 2010

CITATIONS READS

2 3,210

2 authors:

Nenad Stojanovski Marjan Gusev

6 PUBLICATIONS   25 CITATIONS   
Ss. Cyril and Methodius University in Skopje
473 PUBLICATIONS   1,769 CITATIONS   
SEE PROFILE
SEE PROFILE

Some of the authors of this publication are also working on these related projects:

SIARS (Smart I (eye) Advisory Rescue System) View project

ECGalert View project

All content following this page was uploaded by Marjan Gusev on 21 May 2014.

The user has requested enhancement of the downloaded file.

 Analysis of Identity Based Firewall Systems

Nenad Stojanovski1, Marjan Gušev2,

1
Makedonski Telekom AD, Orce Nikolov BB,
1000 Skopje, Macedonia
[email protected]
2
Faculty of Natural Sciences and Mathematics, Ss. Cyril and Methodius University
Arhimedova b.b., PO Box 162, 1000 Skopje, Macedonia
[email protected]

Abstract. The advances in today’s computer technology bring the user's

experience to such level where one of the most important things is the user
mobility. The rise of user mobility within enterprise networks has brought the
needs to allow mobile users to use mobility with full capacity in all aspects of
collaboration. This problematic issue inspired many IT vendors to develop their
own security solutions that extend user mobility. The general security solution
to extend user mobility was introduced with identity based firewall systems,
which extend the evaluation level of TCP/IP packets by inserting user identity
to the whole inspection process.
In this paper we will give a detailed analysis of the current identity based
firewall solutions. During the analysis we will compare in lot of details how
these solutions work and what they need in order to allow user mobility. As part
of our research we develop and apply methodology with indicators to evaluate
how these solutions affect computer network complexity and how they affect
complexity in enterprise network.

Keywords: Identity based firewalls, user identity, firewalls, network security,

computer networks, firewall analysis.

1 Introduction

The advances in today’s computer technology bring the user's experience to such
level where one of the most important things is the user mobility. The rise of user
mobility within enterprise networks has brought the needs to allow mobile users to
use mobility with full capacity in all aspects of collaboration. This problematic issue
inspired many IT vendors to develop their own security solutions that extend user
mobility.
The main purpose of this paper is to analyze identity based firewall solutions that can
be found on today’s IT market. In the first chapter we give a general review on how
firewall systems work and what intelligence is present behind the filtering
mechanisms. The second chapter gives an analysis of the major players in the identity
based firewall market. The analysis consists of information from technical character,
where we present the findings of what is needed for these solutions to properly
function and how they affect the network hierarchy. The last chapter gives a summary
about the analysis of the firewall systems.

2 Firewall Technologies

2.1 Today’s firewall technology

During the past two decades, Information Technology has evolved at such level that
the complexities of the applications that are used by the users introduce the needs of
extra security layers, aside from those present by the applications. Because of these
needs, the firewall technology was introduces to help protect the assets that are
sensitive and that shouldn't be accessed by everyone. It can be easily concluded that
the firewall is a security gateway which is made up of the following components:

- Security policy – is a special type of policy that resides on the security

gateway (firewall), which contains all the rules that allow or deny access to
certain resources. The rules are designed using IP addresses, TCP/UDP ports
or applications
- The firewall is a software or a hardware device – it comes in the form of an
appliance or in the form of software add-on to operating systems
- Extra security features - as an addition to the firewall security policy, the
firewall implements extra features that help protect the assets behind the
firewall. Such features are NAT, PAT, DoS defense
- Demilitarized Zone or DMZ - a network segment that exists between the
trusted and untrusted networks. DMZs offer some level of protection to the
hosts that exist within that segment of the network.

Although, firewalls are introduced as a security mechanics it must be pointed out that
there are advantages and disadvantages in using firewalls. The main advantage is the
extra centralized security they introduce, as well as the total cost of ownership of
having a centralized firewall. The disadvantages are that they pose a bottleneck to the
network, as well as false sense of total security when we speak about the insider
attack.
In the beginning, the firewall had the task to protect the network at the IP level, layer
3 of the TCP/IP model. As time passed and applications evolved there were new
challenges that had to be fulfilled by the firewall. In order to fulfill the needs, firewall
systems had to evolve to a level where they could actively support the needs of
modern IT technology. Today's firewall systems support all layers starting from the IP
layer and ending to the Application layer.
Firewall systems are usually placed at layer 3, 4 or 5, depending on the control and
protection they have to offer to the assets. The firewall systems that operate at layer 3
and 4 are called packet filtering firewalls. Their purpose is to filter IP and ICMP
traffic, as well as TCP/UDP ports. A firewall system at layer 5 is also known as
application gateway and has the purpose to filter the traffic based on the application
that generates the traffic.

2.2 Packet filtering firewalls

Packet filtering firewalls were the first firewall systems that were invented. To be
more precise, the first packet filtering devices were routers which had the ability to
filter traffic based on layer 3 and 4 information. Packet filtering firewalls should be
able to do the filtering based on the following fields:
- source IP address
- destination IP address
- TCP/UDP source port
- TCP/UDP destination port
Example firewall rules are shown on Figure 1. Some packet filtering firewalls allow
additional layer 4 options to be added to the rules, like TCP flags that sometimes are
very vital for enhancement of the TCP/IP communication between hosts.
Packet filtering firewalls also support stateful packet inspection. The state oriented
connection tracking add a state table to the firewall in which the firewall keeps
information about the incoming or outgoing connections that go through the firewall
system. In this way, the firewall system adds the flavor of inspecting if the incoming
or outgoing packet correlates with an entry in the state table of the firewall. In this
way, the firewall adds an extra mechanism to the network which protects against
certain types of network attacks.

Fig. 1. Example firewall policy

2.3 Application Level Firewalls

Application layer firewall is a computer networking firewall operating at the

application layer of the TCP/IP protocol stack. These types of firewall systems can be
implemented as a piece of software running on a single computer, or a stand-alone
piece of hardware. Often, it is a host using various forms of proxy servers to proxy
traffic before passing it to a gateway router. Because it acts on the application layer, it
may inspect the contents of the traffic, blocking specified content, such as certain
websites, viruses, and attempts to exploit known flaws in client software.
Application layer firewalls may intercept all packets traveling to or from an
application. They block other packets, if configured, dropping them without
acknowledgment to the sender. In principle, application firewalls can prevent all
unwanted outside traffic from reaching protected machines. One of the newest
additions to the host based application level firewalls is the possibility to add rules
that would allow or deny access to certain applications. It is also possible to allow
different types of privileges to the application. Another branch of application firewalls
is the web application firewall. It can be an appliance, server plug-in, or filter that
applies a set of rules to an HTTP conversation. Generally, these rules cover common
attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the
rules to your application, many attacks can be identified and blocked. The effort to
perform this customization can be significant and needs to be maintained as the
application is modified.
Issues regarding the use of application level firewalls might be administrative tasks
where they can be very complex for configuration, since they bring extra levels of
complexity. This means that the total cost of ownership is much bigger because most
of these firewalls need individual maintenance and support. Figure 2 shows the
performance comparison between firewalls that filter traffic on layer 3, 4 and layer 5.

Fig. 2. Performance comparison between different types of firewall systems

2.4 Identity based firewall systems

In the last few years the windows domain infrastructure has spread rapidly among
companies. This has brought the ability to uniquely identify users in this domain,
since every user has been given a unique domain user name. Moreover, with the rapid
development of new devices, like smart phones, laptops and the lowering of the prices
for them, the need of user mobility within these companies has rises. The whole
concept of mobility requires that the users are mobile within their work environment,
which forces them to use different IP addresses. By using different IP addresses, they
are limited in the access to their resources. In order to solve the issues with the
mobility, security companies have started to design and develop new concepts that
could be implemented into the current firewall technology. These concepts should
allow users to extend their mobility and let them be mobile in such ways that they
would be able to access resources from where ever they are.
The whole idea behind the identity based firewall concept is to use the domain user
name to build firewall rules. This can be done by embedding it with the standard
firewall rules, but instead of using a source or destination IP, the rule will use the user
name.

3 Analysis of Identity Based Firewalls

3.1 Analysis of Microsoft Internet Security and Acceleration server

One of the youngest firewall systems around is the Microsoft Internet Security and
Acceleration server, or Microsoft ISA. Microsoft Internet Security and Acceleration
Server (ISA Server) is described by Microsoft as an "integrated edge security
gateway". Originating as Microsoft Proxy Server, ISA is a Firewalling & Security
product based on Microsoft Windows primarily designed to securely publish web
servers and other server systems, provide stateful, Application-Layer Firewalling, act
as a VPN endpoint, and provide Internet Access for client systems in a Business
Networking environment.
ISA Server 2006 is a multi-featured and multi-purpose security product that can be
deployed in a variety of ways to meet the unique requirements of virtually any
organization. As an integrated firewall, Web proxy and VPN server and gateway, ISA
Server can be configured to act in each of these roles or be set up to provide only a
subset. As an integrated solution, ISA server offers the following features:
− A network layer firewall
− An application layer inspection security gateway
− Forward and reverse Web proxy and caching server
− Remote access VPN server
− Site to site VPN gateway
Along these features that are provided by Microsoft ISA, it has to be noted that the
ISA server is also an application level firewall. This means that ISA server allows
advanced configuration in the domain of web applications.
When it comes to user mobility, the ISA server offers some interesting features in the
domain of user mobility. ISA server solves the mobility issues by using a dual
formula. It means that the ISA server solves the mobility issues by presenting two
solutions for a certain problem.
As said before, ISA server is one of the few servers that solves the user mobility. The
technology used to allow user mobility is user based access rules. By introducing user
based access rules, ISA server allows the administrators to connect layer 3 or 4
information with layer 5 information, the user name. This type of filtering would
allow unique filtering based on user names and group.
The ISA firewall enables this functionality by offering a piece of software to be
installed on the clients, which is called a firewall client. The firewall client software
is a piece of software that provides the following enhancement towards the ISA
server:
- It allows strong user or group authentication for all windows applications
that use TCP or UDP protocols
- Allows recording of user or application information into the ISA server log
files
The firewall client software transparently sends user information to the ISA server.
This information comprise of user credentials (user name and NTLM hash). In this
way, the ISA server has information about the clients in the network and it is possible
to build firewall rules based on user names or groups. The user has to be connected
with an account from the Active Directory or with a mirrored account on the ISA
server. For example, if you have an Active Directory domain, users should log on to
the domain, and the ISA Server 2006 firewall must be a member of the domain. The
ISA Server 2006 firewall is able to authenticate the user and allows or denies access
based on the user’s domain credentials.

Fig. 3. Example User Based policy on Microsoft ISA 2006

The other way to enforce user mobility is by using the ISA web proxy. This way,
clients don't need to install extra software. This approach brings some limitations,
which allow only rules for the web traffic. Every other traffic is filtered the good old
fashion way via the use of IP addresses.
The approach that the ISA server uses has some disadvantages. One of the
disadvantages is that when the web proxy approach is used, only the web traffic gets
the possibility for user mobility. The firewall client approach brings the disadvantage
that the ISA firewall is dependent on the firewall client, and vice versa. If the link
between the firewall client and the ISA fails, the user of that system will lose the
mobility.
Another general disadvantage of the ISA firewall is that is only supports Microsoft
Windows environments. User mobility on other operating systems, like Linux, Mac
OS X is not support.

3.2 Analysis of NuFW firewall

Another interesting player from the identity based firewall market is the NuFW.
NuFW is a firewall solution developed by the french open source company INL.
NuFW is based on the Linux operating system. The core of NuFW is the Linux
firewall which is extended with the Firewall add-on Netfilter. NuFW extends the
previously described Netfilter solution by adding the charm of user identity to the
firewall. With NuFW, the firewall permissions follow an authenticated user instead of
a PC's address. The NuFW concept allows admins to define not only user based
firewall rules, but also rules that enforce policies upon IP addresses. The Identity
concept allows that the security policy can be enforced for a user no matter where he
or she is on the network. This also lends itself to marrying the firewall with an SSO
(single sign on) authentication system. NuFW offers the following features:
- Authenticate any connection that goes through the security gateway or only
from/to a chosen subset or a specific protocol
- Perform accounting, routing and quality of service based on users and not
simply on IPs.
- Filter packets with criteria such as application and OS used by distant users.
- Be the key of a secure and simple Single Sign On system.
In order for NuFW to work, it requires that he client install the NuFW client. Same as
with the ISA server, this client sends user information to the NuFW firewall. NuFW
can me authenticated by using and LDAP server or by using a database which stores
user name information. NuFW uses the following authentication algorithm, which is
shown on figure 4:

Fig. 4. NuFW authentication algorithm

The process of authentication is defined in the following steps:
1. A standard application sends a packet.
2. The Nufw client sees that a connection is being initiated and sends a
user request packet.
3. The Nufw server queues the packet and sends an auth request packet to
the Nuauth server.
4. The Nuauth server sums the auth request and the user request packet and
checks this against an authentication authority.
5. The Nuauth server sends answer back to the Nufw server
6. The Nufw server transmits the packet following the answer given to its
request.
NuFW clients can be installed on almost every platform. In general all major
platforms are support, Windows, Mac OS X and Linux.
The NuFW approach along with its advantages has some disadvantages. The first
disadvantage is the same as with Microsoft ISA server, and it is because NuFW uses
agents to authenticate users on the hosts. Another disadvantage is that NuFW
generates a big overhead because on every packet is sends authentication request. In
high load networks this can be a big issue, because the network will be extra utilized
because of NuFW authentication packets.

3.3 Analysis of Checkpoint User Authority

One of the most advanced solutions regarding identity based firewalls is Checkpoint's
User Authority. Check Point UserAuthority brings Web and network applications into
one centrally managed security framework by leveraging Check Point’s proven
networking, encryption and authentication technologies. UserAuthority transparently
integrates “best of breed” authentication mechanisms into network applications,
enabling intelligent authorization decisions based on a connection’s security context:
user identity and profile information, encryption and authentication parameters,
networking information and desktop security parameters. UserAuthority is the
“security glue” that binds Web and network applications to users, Check Point VPN-
1/FireWall-1 to create a Secure Virtual Network for the enterprise.
Key features of UserAuthority are:
- Identity based firewall rules
- Identity based remote access rules
- Single sign-on to web applications
The approach that User Authority uses is similar to the ones used with Microsoft ISA
server and NuFW. One of the biggest differences that UserAuthority brings into the
identity firewall schema is the ability to integrate it with remote access. By doing this,
 the user gets all of his resources anywhere.
In order to work, UserAuthority needs the network clients to install Checkpoint's
SecureAgent. This software is agent based software that sends user credentials to the
UserAuthority. By logon, SecureAgent detects the user name and sends the
information to the UserAuthority server. When the user tries to pass through a
security gateway to access his or her resources, the security gateway asks the
UserAuthority server to identify the user that tries to access the resource. Upon
successfully verifying the user, the security gateway grants access to the resources.
Another addition to the UserAuthority model is that network administrators are able
to upload access rules to the SecureAgent, which would explicitly allow or deny
access to resources.
The disadvantage that this solution brings is the dependency on the SecureAgent,
because if the agent doesn’t work properly the whole concept of identity based
firewall will not work.

4 Summary

From the analysis we can conclude that every solution analyzed had the need of using
an agent. This can lead to a conclusion that it is the weakness of these identity based
firewall because the whole filtering is based upon information that is sent by the
clients. If the clients fail to send information, then the whole user mobility concept
fails. This brings us to the summary that the identity based firewall technology as it is
has some flaws.
Our future work on this topic will be to design an identity based firewall which
will allow identity based traffic filtering without using software that has to be
installed on every client PC.

References

1. CheckPoint UserAuthority, www.checkpoint.com

2. Microsoft ISA server 2006, www.microsoft.com
3. NuFW, www.nufw.org
4. Amon, C., Shinder, T., Carasik-Henmi, A.: The Best Dan Firewall Book Period, Syngress,
2003
5. Noonan, W., Dubrawsky, I.: Firewall Fundamentals, Cisco Press (2006)
6. Zwicky, E., Cooper, S., Chapman, D.: Building Internet Firewalls, O’Reilly Media Inc.
(2000)

View publication stats