Abstract
Network firewalls are a standard security measure in computer networks that connect to the Internet. Often, ready-to-use firewall appliances are trusted to protect the network from malicious Internet traffic. However, because of their black-box nature, no one can be sure of their exact functionality.
We address the possibility of actively compromised firewalls. That is, we consider the possibility that a network firewall might collaborate with an outside adversary to attack the network. To alleviate this threat, we suggest composing multiple firewalls from different suppliers to obtain a secure firewall architecture. We rigorously treat the composition of potentially malicious network firewalls in a formal model based on the Universal Composability framework. Our security assumption is trusted hardware.
We show that a serial concatenation of firewalls is insecure even when trusted hardware ensures that no new packets are generated by the compromised firewall. Further, we show that the parallel composition of two firewalls is only secure when the order of packets is not considered. We prove that the parallel composition of three firewalls is insecure, unless a modified trusted hardware is used.
Appendices
A Serial Composition of Two Firewalls
We prove the previously stated Theorem 1 here. First, we provide the protocol of the serial architecture and define the ideal network functionality (Fig. 11).
Definition 9
(The protocol of the serial firewall architecture \(\pi _{\mathsf {serial}}\)). The protocol the parties are following is defined as follows:
- \(\mathrm {split}\): Upon receiving \((\mathsf {input},p)\): Call \(\mathcal {F}_{\mathsf {serial}}(\mathsf {send},\mathrm {out_{fw}},\mathrm {out_{hw}},p)\).
- \(\mathrm {fw}_k\): Upon receiving \((\mathrm {in},p)\): Calculate \(F_{fw_k}(p,\mathrm {in},s)=(p',i',s')\). If \(p'\ne \bot \) and \(i'\ne \bot \), call \(\mathcal {F}_{\mathsf {serial}}(\mathsf {send},i',p')\). Save the new internal state \(s'\).
- \(\mathrm {hw}\): Check whether there are two entries \((p,\mathrm {in})\) and \((q,\mathrm {in_{cmp}})\) in the local storage (with \(p\equiv q\)). If so, write p to the output tape and delete the entries.
We now show that the serial concatenation of firewalls is not secure, even with a trusted comparator. To prove the statement, it suffices to show that there exists an attack which cannot be simulated. We describe such an attack. The general idea is that if \(\mathrm {fw_2}\) is corrupted, it could output a malicious packet at exactly the moment this packet arrives at \(\mathrm {split}\) (sent by the environment). This would force \(\mathrm {hw}\) to output the packet, even though it was blocked by \(\mathrm {fw_1}\).
Theorem 1
\(\pi _{\mathsf {serial}}\) does not UC realise \(\mathcal {F}_{\mathsf {ideal}}\) in the \(\mathcal {F}_{\mathsf {serial}}\)-hybrid model.
Proof
Let \(\mathrm {fw}_2\) be corrupted and \(\mathrm {fw}_1\) be honest. Let p be a packet that is blocked by \(\mathrm {fw}_1\). The environment inputs p to \(\mathrm {split}\). This will cause \((p,\mathrm {in_{cmp}})\) to be sent to \(\mathrm {hw}\) from \(\mathrm {split}\). In its next activation the adversary uses \(\mathrm {fw_2}\) to call \(\mathcal {F}_{\mathsf {serial}}(\mathsf {send},\mathrm {out},p)\) and advises the ideal functionality to deliver \((p,\mathrm {in})\) to \(\mathrm {hw}\). \(\mathrm {hw}\) will now have two identical packets on different interfaces (one from \(\mathrm {split}\) and one from \(\mathrm {fw_2}\)) in its storage and will output p, even though p has been blocked by \(\mathrm {fw_1}\).
There is no simulator which can simulate this attack, since \(\mathrm {fw_1}\) will block the packet in the ideal model and the output of \(\mathrm {fw_2}\) will not be considered. \(\square \)
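The serial architecture of Definition 9 and the attack from the proof above, as an added toy model that is not part of the paper: `run_serial` is the real model with `hw` acting as comparator, `run_ideal` is the ideal network in which a packet blocked by the honest `fw1` is never output. Function names, the string packets and the sample stream are assumptions made here; the corrupted `fw2`'s send is processed in the same step as `split`'s copy, which is the scheduling the attack relies on.

```python
# Added example (not from the paper): a toy message-passing model of the serial
# architecture of Definition 9 and of the attack in the proof of Theorem 1.
# Packets are strings; interface names "in" and "in_cmp" follow the definition.
# The paper's adversary chooses the scheduling; here the corrupted fw2's send is
# simply processed in the same step as split's copy, which is the timing the
# attack needs.

def run_serial(packets, fw1_blocks, fw2_corrupt):
    """Real model: split -> fw1 -> fw2 -> hw, with hw acting as comparator.

    fw1_blocks: set of packets the honest fw1 drops.
    fw2_corrupt: if True, fw2 sends (p, in) to hw for every packet the
                 environment input, whether or not fw1 forwarded it.
    Returns the packets hw writes to its output tape, in order.
    """
    hw_storage = []   # local storage of hw: (packet, interface) entries
    output = []
    for p in packets:
        # split: p goes to fw1 on "in" and a copy goes to hw on "in_cmp"
        hw_storage.append((p, "in_cmp"))
        from_fw1 = None if p in fw1_blocks else p
        # fw2: an honest fw2 forwards only what fw1 delivered
        if fw2_corrupt:
            hw_storage.append((p, "in"))
        elif from_fw1 is not None:
            hw_storage.append((from_fw1, "in"))
        # hw: output p iff (p,in) and (p,in_cmp) are both stored, then delete them
        if (p, "in") in hw_storage and (p, "in_cmp") in hw_storage:
            hw_storage.remove((p, "in"))
            hw_storage.remove((p, "in_cmp"))
            output.append(p)
    return output

def run_ideal(packets, fw1_blocks):
    """Ideal network as used in the proof: a packet blocked by the honest fw1
    is never output, regardless of what the corrupted fw2 does."""
    return [p for p in packets if p not in fw1_blocks]

if __name__ == "__main__":
    stream, blocked = ["a", "bad", "b"], {"bad"}   # constructed sample input
    print("honest fw2:   ", run_serial(stream, blocked, False))   # ['a', 'b']
    print("corrupt fw2:  ", run_serial(stream, blocked, True))    # ['a', 'bad', 'b']
    print("ideal network:", run_ideal(stream, blocked))           # ['a', 'b']
```

The environment distinguishes the two models by the presence of the blocked packet in the output, which is exactly why no simulator exists.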
B Parallel Composition of Three Firewalls
Theorem 5
\(\pi _{\mathsf {parallel}_4}\) UC realises \(\mathcal {F}_{\mathsf {ideal}_4}\) in the \(\mathcal {F}_{\mathsf {parallel}_3}\)-hybrid model.
Proof
The proof is similar to the proof of Theorem 3. We argue that the simulator behaves identically to the adversary and that the output of the ideal network is identical to the output of the real network. Let \(\mathcal {S}\) be a simulator with the following functionality:
- Upon activation, or when given a packet p, simulate the real model and observe its output. If the output of the real model is a packet p', calculate (for the ideal functionality) the index of the memory structure in which p' is saved as well as its position within the memory. Advise the functionality to deliver the packet on that index. (The case that p' is not found in the internal memory structure of the ideal functionality need not be covered, as is proven below.)
The argument that \(\mathcal {S}\) will never mistakenly suppress a packet in the ideal model is identical to Case 1 in the proof of Theorem 3. We need to argue Case 2: It is impossible that \(\mathcal {S}\) is unable to schedule a packet it observes in the output of its internal simulation of the real network. Let p be such a packet that, after the input stream S is processed, is written to the output tape of hw in the real model but not to the internal memory structure of \({{\mathcal {F}}_{\mathsf {ideal}_4}}\).
Let \(m_{A}\), \(m_1\) and \(m_2\) be the lists the trusted hardware uses in the protocol for storing the packets output by the firewalls and marking the “negative” packets. Let \(m_\mathrm{hw}\) be the list of all packets it has ever output. Let \(m'_1\), \(m'_2\), \(m'_{\mathrm{out}}\) be the lists the ideal functionality uses for keeping track of the packets. Let \(|\!|m|\!|_p\) denote the number of packets p the list m contains. We then define \(|m|_p := |\!|m|\!|_p - |\!|m|\!|_{-p}\).
First, observe that \(\mathcal {S}\) only schedules packets it observes in its simulation of the real model. Hence, by the description of \(\mathrm{hw}\): \(|m_1|_p = |m'_1|_p - |m_\mathrm {hw}|_p\) and \(|m_2|_p = |m'_2|_p - |m_\mathrm {hw}|_p\). Via the argument from Case 1 (\(\forall p: |m'_{out}|_p \le |m_\mathrm {hw}|_p\)) we have:
For p to be output in the real model, one of the following conditions has to hold:
This is true because the trusted hardware will only forward packets which are in at least two of the packet lists. The functionality of hw can be restated in the following way: For every packet p which is output, insert a packet \(-p\) into the lists of the three firewalls. If there are two packets p and \(-p\) in the same list, both cancel each other out.
For p not to be written to the internal memory structure of \({{\mathcal {F}}}_{{\mathsf {ideal}}_4}\) in the ideal model, the following condition has to hold:
This again describes the difference between the number of packets p each individual firewall has output and the number of packets p which got output in total after processing S.
Concluding the argument, conditions (1) to (5) give us \(|m'_1|_p - |m'_{out}|_p > 0\) and \(|m'_2|_p - |m'_{out}|_p > 0\), which contradict condition (7). \(\square \)
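The restated functionality of hw from the proof above (a packet is forwarded once it is present in at least two of the three lists, and every forwarded packet p inserts a \(-p\) entry into all three lists, where p and \(-p\) cancel), as an added toy model that is not part of the paper. The class and method names, the list indices 0, 1, 2 for \(m_A\), \(m_1\), \(m_2\), and the sample events are assumptions made here.

```python
# Added example (not from the paper): a toy model of the modified trusted
# hardware of the three-firewall parallel architecture, as restated in the
# proof of Theorem 5. Each firewall's output is tracked in its own list
# (m_A, m_1, m_2); |m|_p is the number of p entries minus the number of -p
# entries; a packet is forwarded once at least two lists contain it, and every
# forwarded packet adds a -p entry to all three lists. Names are assumed here.
from collections import Counter

class ParallelHw:
    def __init__(self):
        self.lists = [Counter(), Counter(), Counter()]   # m_A, m_1, m_2
        self.m_hw = []                                   # all packets ever output

    def signed_count(self, idx, p):
        """|m|_p = ||m||_p - ||m||_{-p} for the list of firewall idx."""
        m = self.lists[idx]
        return m[("+", p)] - m[("-", p)]

    def receive(self, idx, p):
        """Packet p arrives from firewall idx (0, 1 or 2); returns p if forwarded."""
        self.lists[idx][("+", p)] += 1
        agreeing = sum(1 for i in range(3) if self.signed_count(i, p) >= 1)
        if agreeing < 2:
            return None
        for i in range(3):
            self.lists[i][("-", p)] += 1   # -p cancels one copy of p in each list
        self.m_hw.append(p)
        return p

def majority_scenario():
    """Constructed sample run: two firewalls agree on "x"; the third later also
    passes "x" (no duplicate output) and then emits "evil" twice on its own."""
    hw = ParallelHw()
    events = [(0, "x"), (1, "x"), (2, "x"), (2, "evil"), (2, "evil")]
    forwarded = [hw.receive(i, p) for i, p in events]
    return forwarded, hw.m_hw

if __name__ == "__main__":
    print(majority_scenario())   # ([None, 'x', None, None, None], ['x'])
```

A single firewall cannot raise a packet's count in more than one list, so one corrupted firewall alone never reaches the two-list threshold, and the \(-p\) entries keep a late third copy from producing a duplicate output.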
© 2015 Springer International Publishing Switzerland
Achenbach, D., Müller-Quade, J., Rill, J. (2015). Universally Composable Firewall Architectures Using Trusted Hardware. In: Ors, B., Preneel, B. (eds) Cryptography and Information Security in the Balkans. BalkanCryptSec 2014. Lecture Notes in Computer Science, vol 9024. Springer, Cham. https://doi.org/10.1007/978-3-319-21356-9_5
DOI: https://doi.org/10.1007/978-3-319-21356-9_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-21355-2
Online ISBN: 978-3-319-21356-9