Threat comparison: Distributed firewalls

1 Threat comparison
1.1 Service exposure and port scanning
1.2 IP address spoofing
1.3 Malicious software
1.4 Intrusion detection
1.5 Insider attacks

Threat comparison
Distributed firewalls have both strengths and weaknesses when compared with conventional firewalls. By far the biggest difference, of course, is the conventional firewall's reliance on topology. If the network topology does not permit reliance on traditional firewall techniques, there is little choice. The more interesting question is how the two types compare in a closed, single-entry network: that is, if either would work, is there any reason to choose one over the other?
Service exposure and port scanning
Both types of firewall are excellent at rejecting connection requests for inappropriate services. A conventional firewall drops the request at the border; a distributed firewall drops it at the host. The more interesting question is what the host attempting to connect notices. Today, such packets are typically discarded with no notification. A distributed firewall may choose to discard the packet as well, on the assumption that its legitimate peers know to use IPsec; alternatively, it may send a response requesting that the connection be authenticated, which in turn reveals that the host exists. Firewalls built on pure packet filters cannot reject some stealth scans well. One technique, for example, uses fragmented packets that pass through unexamined because the transport header fields the filter keys on, the port numbers or the TCP flags, are not all present in the first fragment, and a filter that sees no header to match must decide on every fragment blind. A distributed firewall on the host reassembles the packet before applying policy and can then reject it. On balance, against this sort of threat the two firewall types are at least comparable.
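The fragmented-probe case above, as an added example that is not code from the original page or from any distributed-firewall implementation. It models a per-fragment packet filter beside a host-side filter that reassembles first, on a simplified IPv4/TCP layout; the policy (only new connections to port 22 are allowed), the port numbers and the probe itself are constructed for illustration.

```go
// Added example, not code from the original page: a minimal model of the
// fragment-based stealth scan. A per-fragment filter sees the destination
// port and the TCP flags in different fragments and never matches its rule;
// a host that reassembles before filtering does. Layout, policy and the probe
// are all constructed for illustration.
package main

import (
	"encoding/binary"
	"fmt"
	"sort"
)

const (
	tcpSYN = 0x02
	tcpACK = 0x10
)

// Constructed policy: only SSH may be opened from outside.
var allowedNewConnPorts = map[uint16]bool{22: true}

// Fragment is the slice of a datagram's payload that one IP fragment carries.
type Fragment struct {
	Offset int    // fragment offset in 8-byte units, as in the IPv4 header
	More   bool   // IPv4 "more fragments" flag
	Data   []byte // slice of the TCP segment
}

// tcpSegment builds a 20-byte TCP header with no options and no payload.
func tcpSegment(srcPort, dstPort uint16, flags byte) []byte {
	seg := make([]byte, 20)
	binary.BigEndian.PutUint16(seg[0:], srcPort)
	binary.BigEndian.PutUint16(seg[2:], dstPort)
	seg[12] = 5 << 4 // data offset: 5 words
	seg[13] = flags
	binary.BigEndian.PutUint16(seg[14:], 65535)
	return seg
}

// fragmentSegment splits a segment at the given byte sizes; non-final sizes
// must be multiples of 8, as IP requires.
func fragmentSegment(segment []byte, sizes []int) []Fragment {
	var frags []Fragment
	pos := 0
	for i, size := range sizes {
		last := i == len(sizes)-1
		if !last && size%8 != 0 {
			panic("non-final fragment length must be a multiple of 8")
		}
		frags = append(frags, Fragment{Offset: pos / 8, More: !last, Data: segment[pos : pos+size]})
		pos += size
	}
	return frags
}

// blockedNewConnection is the rule both filters try to enforce: drop a SYN
// without ACK unless the destination port is on the allow list.
func blockedNewConnection(dstPort uint16, flags byte) bool {
	return flags&tcpSYN != 0 && flags&tcpACK == 0 && !allowedNewConnPorts[dstPort]
}

// statelessFilter decides per fragment with no reassembly state, like a pure
// packet filter. It can only match when the ports (bytes 0-3) and the flags
// (byte 13) are both present; otherwise it has nothing to match on and passes
// the fragment, which is the fail-open behaviour the probe exploits.
func statelessFilter(f Fragment) string {
	if f.Offset != 0 || len(f.Data) < 14 {
		return "pass"
	}
	if blockedNewConnection(binary.BigEndian.Uint16(f.Data[2:]), f.Data[13]) {
		return "drop"
	}
	return "pass"
}

// reassemble returns the whole segment once every fragment is present and
// contiguous, and nil otherwise (gaps and overlaps are refused, not guessed).
func reassemble(frags []Fragment) []byte {
	if len(frags) == 0 {
		return nil
	}
	ordered := append([]Fragment(nil), frags...)
	sort.Slice(ordered, func(i, j int) bool { return ordered[i].Offset < ordered[j].Offset })
	var buf []byte
	for _, f := range ordered {
		if f.Offset*8 != len(buf) {
			return nil
		}
		buf = append(buf, f.Data...)
	}
	if ordered[len(ordered)-1].More {
		return nil
	}
	return buf
}

// reassemblingFilter is the host-side decision: rebuild the datagram, then
// apply the same rule to the real header fields.
func reassemblingFilter(frags []Fragment) string {
	seg := reassemble(frags)
	if len(seg) < 20 {
		return "drop" // incomplete or truncated: never handed to the stack
	}
	if blockedNewConnection(binary.BigEndian.Uint16(seg[2:]), seg[13]) {
		return "drop"
	}
	return "pass"
}

// stealthProbe is the constructed scan: a SYN to port 23 cut so the first
// fragment holds only ports and sequence number (8 bytes) and the flags ride
// in the second fragment.
func stealthProbe() []Fragment {
	return fragmentSegment(tcpSegment(40000, 23, tcpSYN), []int{8, 12})
}

func main() {
	for _, f := range stealthProbe() {
		fmt.Println("stateless:", statelessFilter(f))
	}
	fmt.Println("reassembling:", reassemblingFilter(stealthProbe()))
}
```

The stateless filter passes both pieces of the split probe and drops the same probe when it arrives in one piece; the reassembling filter drops it either way, and also drops an incomplete datagram rather than guessing.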
IP address spoofing
Relying on network addresses is not a favored concept. Using cryptographic mechanisms for authentication prevents attacks based on forged source addresses, on the assumption that the trusted repository holding the necessary credentials has not itself been compromised. These problems can also be addressed with conventional firewalls, by rules that discard packets carrying internal source addresses when they arrive at the network perimeter, but such rules do not prevent spoofing attacks that originate inside the policy domain.
Malicious software
With the widespread use of distributed object-oriented systems such as CORBA, client-side use of Java, and weaknesses in mail readers, a wide variety of threats now reside at the application and intermediate levels of communication traffic. Firewall mechanisms at the perimeter are useful for inspecting incoming e-mail for the fingerprints of known malicious code, but they face complex, resource-consuming decisions when confronted with other code, such as Java. The framework of a distributed firewall, together with a policy language that allows policy decisions at the application level, can avoid some of these problems, provided that the contents of such communication can be interpreted semantically by the policy-verifying mechanisms. Stateful inspection of packets is well suited to these requirements and allows finer granularity in decision making. Furthermore, malicious content may be hidden from a screening unit at the network perimeter by virtual private networks, or by encrypted traffic in general, which can disable such policy enforcement on conventional firewalls entirely; the host at the end of the encrypted channel is the only place that sees the plaintext.
Intrusion detection
Many firewalls detect attempted intrusions. If this functionality is to be provided by a distributed firewall, each individual host has to notice probes and forward them to a central location for processing and correlation. The first part is not hard; many hosts already log such attempts, and one can make a good case that such detection should be done on the host in any event. Collection is more problematic, especially at times of poor connectivity to the central site. There is also the risk that a coordinated attack, by triggering reports from many hosts at once, in effect mounts a denial-of-service attack against the central machine, which argues for limiting what the collector accepts from any one reporter.
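The collection and correlation step described above, as an added example that is not code from the original page or from any distributed-firewall product. Each host reports the connection attempts its own policy rejected; the collector groups them by source and flags a source that has been rejected by several distinct hosts, a sweep that no single host can see on its own. It also caps the reports it accepts from each host per window, the plain guard against one compromised or misbehaving host flooding the central machine. The report line format, host names, addresses and thresholds are all constructed here.

```go
// Added example, not code from the original page: central correlation of
// per-host rejection reports, with a per-reporter cap against floods.
// Log format, hosts, addresses and thresholds are constructed.
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed per-host report format: "<host> <epoch> REJECT src=<ip> dport=<port>"
var lineRE = regexp.MustCompile(`^(\S+) (\d+) REJECT src=([\d.]+) dport=(\d+)$`)

type report struct{ host, src, dport string }

// parseLine returns the report a line carries, or nil for anything malformed:
// the collector must keep working on whatever a misbehaving host sends.
func parseLine(line string) *report {
	m := lineRE.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return nil
	}
	return &report{host: m[1], src: m[3], dport: m[4]}
}

// Result is what one correlation window produces.
type Result struct {
	Alerts  map[string][]string // source -> sorted hosts that rejected it
	Dropped map[string]int      // reporting host -> reports discarded by the cap
}

// correlate processes one window of report lines. A source is flagged once
// at least minHosts distinct hosts have rejected it; reports beyond
// maxPerHost from any single host are counted and discarded.
func correlate(lines []string, minHosts, maxPerHost int) Result {
	accepted := map[string]int{}
	res := Result{Alerts: map[string][]string{}, Dropped: map[string]int{}}
	hostsBySrc := map[string]map[string]bool{}
	for _, line := range lines {
		r := parseLine(line)
		if r == nil {
			continue
		}
		if accepted[r.host] >= maxPerHost {
			res.Dropped[r.host]++ // a high count here is itself worth an alert on that host
			continue
		}
		accepted[r.host]++
		if hostsBySrc[r.src] == nil {
			hostsBySrc[r.src] = map[string]bool{}
		}
		hostsBySrc[r.src][r.host] = true
	}
	for src, hosts := range hostsBySrc {
		if len(hosts) < minHosts {
			continue
		}
		var names []string
		for h := range hosts {
			names = append(names, h)
		}
		sort.Strings(names)
		res.Alerts[src] = names
	}
	return res
}

// sampleReports is a constructed window: one source sweeping port 23 across
// four workstations, a noisy but single-host source, a malformed line, and
// one host (ws06) flooding the collector with twenty reports.
func sampleReports() []string {
	lines := []string{
		"ws01 1000 REJECT src=10.9.9.9 dport=23",
		"ws02 1001 REJECT src=10.9.9.9 dport=23",
		"ws03 1002 REJECT src=10.9.9.9 dport=23",
		"ws04 1003 REJECT src=10.9.9.9 dport=23",
		"ws01 1005 REJECT src=10.9.9.9 dport=445",
		"ws01 1010 REJECT src=10.1.1.7 dport=22",
		"ws01 1011 REJECT src=10.1.1.7 dport=22",
		"ws02 garbage that is not a report",
	}
	for i := 0; i < 20; i++ {
		lines = append(lines, fmt.Sprintf("ws06 %d REJECT src=10.7.7.7 dport=%d", 1030+i, 1000+i))
	}
	return lines
}

func main() {
	res := correlate(sampleReports(), 3, 5)
	fmt.Println("alerts:", res.Alerts)   // alerts: map[10.9.9.9:[ws01 ws02 ws03 ws04]]
	fmt.Println("dropped:", res.Dropped) // dropped: map[ws06:15]
}
```

With a threshold of three hosts, only the source that swept four workstations is flagged; the source that hammered a single host is left to that host's own log, and the flood from ws06 is cut to five accepted reports with the fifteen discards recorded against the reporting host.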
Insider attacks
A conventional firewall's natural view of the network topology as an inside and an outside causes problems once one or more members of the policy domain have been compromised. Perimeter firewalls can only enforce policies between distinct networks and offer no way around the problem. Because distributed firewalls are independent of topological constraints, they can enforce policy whether hosts are members of the overall policy domain or outsiders, and base their decisions on authentication mechanisms rather than on the inherent characteristics of the network layout. Moreover, the compromise of an endpoint, whether by a legitimate user or by an intruder, does not weaken the overall network in a way that leads directly to the compromise of other machines, since the use of virtual private networks prevents the attacked machine from sniffing traffic it is not itself party to. On the other hand, on the endpoint itself the same problems arise as with conventional firewalls: once a machine has been taken over by an adversary, one must assume that the policy enforcement mechanisms themselves may be broken. Backdoors can be installed quite easily once the security mechanisms are defeated, and in the absence of a perimeter firewall there is no longer any trusted entity that might prevent arbitrary traffic from entering or leaving the compromised host. In addition, the use of tools such as ssh, which allow other applications' traffic to be tunnelled, cannot be prevented without knowledge of the decryption credentials, and once an attack has succeeded the verifying mechanisms themselves can no longer be trusted.
At first glance, the biggest weakness of distributed firewalls is their greater susceptibility to a lack of cooperation by users. What happens if a user changes the policy files on their own? Against that, distributed firewalls can reduce the threat of actual insider attacks simply by making it easier to set up smaller groups of users. Thus one can restrict access to a file server to the users who need it, rather than letting everyone inside the company pound on it. It is worth expending some effort to prevent casual subversion of policies.
If policies are stored in a simple ASCII file, a user who wishes to, for example, play a game could simply turn off the protection. Requiring a would-be uncooperative user to go to more trouble is worthwhile, even if the mechanism is theoretically insufficient. For example, policies could be digitally signed and verified with a frequently changing key kept in an awkward-to-replace location; a policy whose signature does not verify should then be rejected in favor of a deny-all default rather than silently loaded. For more stringent protection, policy enforcement can be incorporated into a tamper-resistant network card.
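The signed-policy check suggested above, as an added example that is not code from the original page or from any distributed-firewall implementation. The host loads its ASCII policy only after verifying a signature under the key id it currently trusts; an edited file, a file signed with a key that has since been rotated out, and an unsigned file all leave the host on a deny-all fallback rather than unprotected. Ed25519 from the Go standard library stands in for whatever signature scheme a deployment would use, and the policy syntax, trailer format and key ids are constructed here.

```go
// Added example, not code from the original page: a host verifies its policy
// file's signature before loading it and fails closed on any mismatch.
// Ed25519 stands in for the deployment's scheme; syntax and key ids are made up.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// A policy file is the ASCII rule text followed by one trailer line naming
// the signing key id and carrying the hex signature over everything before it.
const trailerPrefix = "# signed-by "

// denyAll is the fallback used whenever the policy cannot be trusted.
var denyAll = []string{"deny all"}

// signPolicy appends the trailer; this runs on the policy server, not on hosts.
func signPolicy(rules, keyID string, priv ed25519.PrivateKey) string {
	sig := ed25519.Sign(priv, []byte(rules))
	return rules + trailerPrefix + keyID + " " + hex.EncodeToString(sig) + "\n"
}

// verifyPolicy returns the rule lines if the trailer's signature checks out
// under the key id the host currently trusts, and an error otherwise.
func verifyPolicy(file, trustedID string, pub ed25519.PublicKey) ([]string, error) {
	idx := strings.LastIndex(file, trailerPrefix)
	if idx < 0 {
		return nil, errors.New("policy is unsigned")
	}
	rules, trailer := file[:idx], strings.TrimSpace(file[idx+len(trailerPrefix):])
	fields := strings.Fields(trailer)
	if len(fields) != 2 {
		return nil, errors.New("malformed trailer")
	}
	if fields[0] != trustedID {
		return nil, fmt.Errorf("policy signed with retired key %q", fields[0])
	}
	sig, err := hex.DecodeString(fields[1])
	if err != nil || !ed25519.Verify(pub, []byte(rules), sig) {
		return nil, errors.New("signature does not match policy text")
	}
	return strings.Split(strings.TrimSpace(rules), "\n"), nil
}

// loadPolicy is what the enforcement point calls at startup and on every
// periodic re-check: it never hands back an unverified rule set.
func loadPolicy(file, trustedID string, pub ed25519.PublicKey) []string {
	rules, err := verifyPolicy(file, trustedID, pub)
	if err != nil {
		return denyAll // fail closed: a rejected policy must not mean "no firewall"
	}
	return rules
}

// demo exercises a good file and the three failure modes, returning what
// each load produced.
func demo() (map[string][]string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rules := "allow tcp 22 from group:admins\nallow tcp 445 from group:finance\ndeny all\n"
	good := signPolicy(rules, "k7", priv)
	tampered := strings.Replace(good, "deny all", "allow all", 1) // user edits the ASCII
	out := map[string][]string{
		"good":     loadPolicy(good, "k7", pub),
		"tampered": loadPolicy(tampered, "k7", pub),
		"rotated":  loadPolicy(good, "k8", pub), // k7 retired; the host now trusts k8
		"unsigned": loadPolicy(rules, "k7", pub),
	}
	return out, nil
}

func main() {
	out, err := demo()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"good", "tampered", "rotated", "unsigned"} {
		fmt.Printf("%-8s %v\n", k, out[k])
	}
}
```

The verification key and the trusted key id are the pieces that belong in the awkward-to-replace location the text mentions; rotating the id is what makes a previously valid file stop loading. A user with root on the host can still replace them, which is the residual weakness the text acknowledges and the reason it points to a tamper-resistant card for stronger protection.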