

FIREWALLS IN VIRTUAL PRIVATE NETWORK: A NEW APPROACH

ABSTRACT
The internet is one of the most frequently used essential tools in business. For the sake of providing secured data transactions, business concerns used to own a private dedicated network. But a global company cannot establish and maintain a costly leased network over large geographical areas. Hence there comes a need to connect the private intranet with the internet while providing enough privacy and security. This can be enabled by means of Virtual Private Networks (VPN). Firewalls, encryption and antivirus are the three different methods commonly used in internet security. Among them, firewalls follow a mechanism called packet filtering for securing a VPN. But there are many loopholes which pave the way for unsafe network traffic, so firewalls face a variety of problems in VPNs today. This paper contains a diagrammatic analysis of a typical case; it provides a new approach, an algorithm and a solution with a simulation program. The typical problem case is considered and examined, and an innovative solution is provided which offers reliable security.

CONTENTS
(Basics: 1 to 4; Firewall approach: 5 to 10)

1) Introduction
   a) Internet security
   b) Firewalls
2) Concepts of networking protocols and internet
3) How does a firewall control hostile attackers
4) Virtual Private Networks
5) Problem Definition - Problems in firewalls
   a) Consideration of the case
6) Solution Provided
   a) Database model
7) Firewall Design
   a) Flag attacher
   b) Blocker
   c) Encryptor
8) Conclusion
9) Bibliography
10) Appendix - Blocker simulation program

(Some of the basics regarding networks and firewalls are given in chapters 1-4. The remaining chapters 5-10 contain the core of the paper.)

INTRODUCTION

INTERNET SECURITY: It is quite commonly known that as quantity increases, quality decreases. This is true in the case of the internet. Since the internet is a network of networks, a lot of problems are faced nowadays. In day-to-day life we come across people who stick bills or write unwanted words on our house walls, or even damage our mail box. This can be seen on the internet too. Some hostile attackers may intentionally or unintentionally retrieve or damage our private data. In earlier days internet security was not considered a main factor. Nowadays, hackers have to be taken into account when framing cyber crime laws.

FIREWALLS: Firewalls, cryptography and antivirus (different from each other) are the three major methods used for internet security. A firewall denotes a system or group of systems (hardware, software, or both) that protects our network/server from attack by hostile users over the internet. In other words, they are devices that allow users at a protected site to use internet services in a relatively safe manner while restricting incoming access by potential attackers. There are two approaches to controlling a site's internet access:
Permissive access: This permits everything except risky traffic.
Restrictive access: This restricts everything except limited allowed traffic.

CONCEPTS OF NETWORK PROTOCOLS & PACKETS: Generally a node (or system) in a network is called a host system. There may be servers and routers in the same network. While a message is passed from the source host to the destination host, there are certain rules devised for the communication to take place in the network, called protocols. TCP/IP, FTP, IPX/SPX and SNA are some examples. Based on these protocols, messages are converted into packets.

Fig.: Representation of a firewall protecting a network (www.abc.com) from a hacker while providing outbound access to the internet. (Figure: Internet - Firewall - End users; Hacker outside the firewall.)

These packets contain the address of the destination; they travel through the network, locate the address and reach the destination. Whatever the data may be, everything is converted into packets before traversing a network. Any packet on the internet contains protocol headers along with the data being sent. The common format of a packet is as follows.

| Data link header | Internet header | Transport header | Application header | Data being sent |

Fig.: Format of a packet in the internet protocol

The protocols use port numbers in the headers to indicate the behavior or property of the packet. For example, TCP/IP uses a specific port number in the Transport header to indicate which software or service (e.g. e-mail) is to handle the packet when it is received, and puts the server host's address in the Internet header.

HOW DOES A FIREWALL CONTROL HOSTILE ATTACKERS? As far as firewalls are concerned, the familiar method used is packet filtering. Packet filtering is based on a set of rules that identify the properties of individual packets that are to be blocked or passed through. All access control decisions are based on information available after analyzing the packets. By this method, if any unauthenticated user (hacker) wishes to enter our protected area, the firewall detects those packets lacking authentication and blocks them at the gateway itself. This authentication information is given in a specific header of the packets, which varies with the application. Sometimes, traffic from only a set of websites is allowed. In this case, the firewall allows only those packets whose headers carry the appropriate port number corresponding to the websites. Packet filtering follows the permissive access type (explained at the beginning of the paper). There is another mechanism called circuit filtering, used in a few firewalls. In this method, the firewall passes a connection from a client on one side of the firewall to a server on the other. For example, if the firewall is set to allow Telnet connections, then the circuit filter will accept connection requests to port 23, the Telnet port. Circuit filtering follows restrictive access.

VIRTUAL PRIVATE NETWORK: A company establishes a fast, secure and reliable intranet to maintain transactions of information between its branches. An intranet can be used for local or regional markets. If the company establishes global markets, the cost of laying leased private networks will be higher. Hence, to avoid that, the Virtual Private Network (VPN) is introduced. A VPN is a network that connects a public network, namely the internet, to a private intranet. In other words, many intranets are connected via the internet with privacy and security. Here, firewalls play an important role in providing security for the VPN. It is high time to protect our intranet from the attack of hackers in order to pursue a growing business.
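To make the packet filtering mechanism and the two access stances concrete, here is an added example that is not part of the paper: a small C packet filter that walks an ordered rule list over constructed packets and, when no rule matches, falls back to either the permissive or the restrictive default. The rule set, the addresses, the ports and the function names are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define PROTO_TCP 6
#define PROTO_UDP 17

/* A packet reduced to the header fields the filter looks at (constructed). */
typedef struct {
    int proto;        /* IP protocol number from the Internet header */
    char dst_ip[16];  /* destination address, dotted quad */
    int dst_port;     /* destination port from the Transport header */
} packet_t;

/* One filtering rule; 0 or NULL in a field means "any". */
typedef struct {
    int proto;
    const char *dst_ip;
    int dst_port;
    int allow;        /* 1 = pass the packet, 0 = block it */
} rule_t;

typedef enum { POLICY_PERMISSIVE, POLICY_RESTRICTIVE } policy_t;

static int rule_matches(const rule_t *r, const packet_t *p)
{
    if (r->proto && r->proto != p->proto) return 0;
    if (r->dst_ip && strcmp(r->dst_ip, p->dst_ip) != 0) return 0;
    if (r->dst_port && r->dst_port != p->dst_port) return 0;
    return 1;
}

/* The first matching rule decides. With no match the default policy decides:
 * permissive lets unknown traffic through, restrictive drops it. */
int filter_packet(const rule_t *rules, int nrules, policy_t policy, const packet_t *p)
{
    for (int i = 0; i < nrules; i++)
        if (rule_matches(&rules[i], p))
            return rules[i].allow;
    return policy == POLICY_PERMISSIVE ? 1 : 0;
}

/* Constructed rule set (assumed): block Telnet (port 23) to anywhere,
 * allow web traffic (port 80) to the server 10.0.0.5. */
static const rule_t demo_rules[] = {
    { PROTO_TCP, NULL,       23, 0 },
    { PROTO_TCP, "10.0.0.5", 80, 1 },
};
#define NDEMO ((int)(sizeof demo_rules / sizeof demo_rules[0]))

/* Convenience wrapper: decide one constructed packet under a given policy. */
int demo_decision(int proto, const char *ip, int port, policy_t policy)
{
    packet_t p;
    p.proto = proto;
    strncpy(p.dst_ip, ip, sizeof p.dst_ip - 1);
    p.dst_ip[sizeof p.dst_ip - 1] = '\0';
    p.dst_port = port;
    return filter_packet(demo_rules, NDEMO, policy, &p);
}

int main(void)
{
    printf("telnet to server, permissive : %d\n",
           demo_decision(PROTO_TCP, "10.0.0.5", 23, POLICY_PERMISSIVE));
    printf("web to server, restrictive   : %d\n",
           demo_decision(PROTO_TCP, "10.0.0.5", 80, POLICY_RESTRICTIVE));
    printf("dns to server, permissive    : %d\n",
           demo_decision(PROTO_UDP, "10.0.0.5", 53, POLICY_PERMISSIVE));
    printf("dns to server, restrictive   : %d\n",
           demo_decision(PROTO_UDP, "10.0.0.5", 53, POLICY_RESTRICTIVE));
    return 0;
}
```

The same two rules give different answers for the unknown DNS packet: the permissive default passes it, the restrictive default drops it. That difference is the whole point of choosing a stance, since every packet the rule writer did not think of is decided by the default rather than by a rule.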

PROBLEM DEFINITION - PROBLEMS IN FIREWALLS: It is known that packet filtering is commonly used in firewalls; there are some problems faced with this method. Packets contain some information along with the data. Usually the firewalls analyze the behavior of these packets using the information provided in the headers and act accordingly, i.e. either permit or block them. Password authentication is commonly used to provide secured communication on the internet/VPN. But hackers use some of the loopholes in the way packet filtering supports password authentication. A global company with numerous branches is assumed to have established a VPN. It has given provision for an employee at any of its branches to access the headquarters database (server) by means of password authentication. The password authenticated packet is coded in such a way that if the password information matches, the firewall allows a fixed number of packets following the password packet. This method is followed to reduce the size of the packets instead of carrying the password in all the packets sent by the particular user. The hacker replaces some of the packets of an authenticated user with packets containing unwanted information; the firewall checks the first packet, and if the password matches, it allows all the following packets, including the unauthenticated packets or traffic.

Until now, many firewall builders concentrate on analyzing the behavior of the incoming packets, and the hackers too keep finding ways to make packets that break the restricted rules.

CONSIDERATION OF THE CASE: There are two kinds of effect produced by a hacker's arrival into our VPN. Case-1: In this case the hacker makes changes in our database, i.e. crashes our data. Case-2: In this case the hacker profits more by stealing our data instead of crashing it. Here in this paper, case-2 is considered.

SOLUTION PROVIDED: In this paper a new approach to the solution is presented for the case of problem dealt with by us. Before going to the solution, analyzing and understanding the problem is required. One practical example of the case-2 problem is hacking an account holder's password in a bank's database; in this case, instead of crashing the password, the hacker benefits more by knowing it. A similar problem is faced with a database of criminals in the police.

DATABASE MODEL:

Fig.: A VPN of a company with a headquarters (database), various intranets (local branches) and mobile workers, connected via the internet through firewalls.

Fig.: Headquarters database (embedded LANs). Shaded area - high priority data; white area - low priority data.

The inner shaded circle of the network contains the highly confidential database that can be handled only by higher officials who are given administrator rights, whereas the outside of the circle contains low priority data that can be handled by other branches via the internet. The high priority database is embedded within the low priority database because there may be conditions under which some data or information based on the high priority database should be passed to the white area network; i.e. the higher officials sometimes adopt new policies in the inner circle, and according to that, certain data in the white area network vary, which are to be told to its branches/intranets or mobile workers. Any employee (mobile user) or branch can enter the headquarters network via the internet only by some means of authentication. But, at the same time, that authenticated user is not eligible to enter the shaded area. Suppose a hacker, or even a spy in the company, enters the headquarters' outer white area through the loopholes in the packet filtering of the firewalls. In our case, he is considered capable enough to enter the inner database to steal data. Under these circumstances the firewalls cannot prevent this stealing; at best some firewalls can report that the data has been taken by some unauthenticated user. Either way, our data is taken, and he can make use of it before we know that it has been copied.

Fig.: High priority data being copied away from the secured network of database.

Mostly the firewall builders spend their time finding new secure methods of analyzing the behavior of the various hacker-designed packets, in our case of problem. Here, we give a different approach to solving the problem. According to the case, the data should not become known to the hacker, and he should be prevented from making use of it. So, even if he manages to enter our safe area, we can keep our data unknown to him. That is, the data can become known to him only if the copied packets get past our firewall. So, why can't the firewall be designed to prevent the high priority data from getting out, instead of focusing on finding the packets sent by the hacker?

FIREWALL DESIGN: All the high priority data kept inside the shaded area is given a flag along with the data. These data, after conversion into packets, contain headers and data along with the flag (see fig. below). The firewall is designed in such a way that it won't let packets with the flag out, as it is much easier to find a flag attached packet than a hacker's packet. So, even if the hacker enters the safe network, he can't learn the data in that network. Hence, the problem of hacking our data (case-2) is solved by our algorithm in the design of the firewall.

Fig.: Ordinary packet
| Data link header | Internet header | Transport header | Application header | Data being sent |

Fig.: Flag attached packet
| Data link header | Internet header | Transport header | Application header | FLAG | Data being sent |

The flag attacher attaches the flag to the high priority data; the blocker identifies those packets and blocks them. This kind of design offers reliable security when compared with the former. We have even given an additional provision, called the encrypting system.

Fig.: Flag attached packets getting blocked by the firewall. (Firewall: flag attacher -> packets -> blocker -> encryptor -> to internet.)

In future, even if the hacker were capable enough to get the flag attached packets across the blocker in the firewall, there is another system called the encryptor, which encrypts those packets and gives wrong information to the hacker, thus protecting the data logically. Hence we could obtain a 99.99% secured network.

FLAG ATTACHER: When the file packets from the inner circle are transferred to the outer white area, i.e. when they get copied to the outer area, a flag indicating their high priority is attached. This flag attacher may be either software or hardware; but here the flag attaching job is implemented only by means of a program and not by hardware, because the database model is an embedded one (one within the other) and hence we cannot separate them and have a hardware flag attacher. Suppose an ordinary packet is of 50 bytes, out of which 10 bytes are for headers and the remaining 40 bytes for user data. Usually, not all 40 bytes of the user data area are used; it contains at least 2 or more unused null bytes. Our flag is going to capture one of the unused null bytes. Then the flag byte is moved to the beginning of the data area.

Ordinary packet:
|---------10B---------|------------------------------40B-------------------------------|
| Headers             | Data Data Data Null Data Data Data NULL Data Null Data        |

Flag attached packet:
|---------10B---------|------------------------------40B-------------------------------|
| Headers             | FLAG Data Data Data Null Data Data Data NULL Data Data        |

The program neither affects the actual data in the packet nor performs any encryption. Since it is a simple program, the cost and performance of the database do not change drastically.

BLOCKER: After the flag attached packets get mingled with the other packets in the outer area, it is the job of the blocker to block the high priority packets that are copied by the hacker. The blocker is a program located within the already existing firewall. The blocker scans all the data going out of the firewall, identifies the flag attached data packets alone and finally blocks them from being hacked out. The simulation of the blocker in the firewall is shown in the appendix with a C++ program, considering that transferring data is just copying data from one file to another.

ENCRYPTOR: Encryption is commonly done while sending data in networks. Usually one of the cryptographic algorithms, which depends upon the data, is used for encrypting it. A crypto key is also developed which is known to both sender and receiver. Unless the key is known, the actual data cannot be retrieved. Here, our encryptor is kept after the blocker (refer to the fig. in the firewall design section). It changes the data of the packet coming out of the blocker. There is no need to develop a common crypto key, as we are not going to use the data at all. This encryptor is added in the firewall for additional security, as the blocker does the major part. Only if the blocker fails does this get activated and act loyally to us. The most important thing to be noted is that the firewall keeps on doing its actual routine and does not get diverted by the addition of the two components, blocker and encryptor. These two components work only if the highly secured data is being transferred out. Hence the firewall's performance is not affected.

CONCLUSION: Thus, analyzing any problem from the same view may not bring the solution to it, but rather wastes our time.
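The flag attacher, blocker and encryptor described above, as an added packet-level simulation that is not the paper's own code: it uses the paper's 50-byte packet with 10 header bytes and 40 data bytes, consumes a spare null byte for the flag and moves the flag to the start of the data area, checks the flag position at egress, and scrambles whatever slips past the blocker. The flag value (the tilde used in the appendix), the header tag, the keyless XOR scrambling in the encryptor and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PKT_SIZE  50                  /* whole packet, as in the paper's figure */
#define HDR_SIZE  10                  /* header bytes */
#define DATA_SIZE (PKT_SIZE - HDR_SIZE)
#define FLAG_BYTE '~'                 /* flag value; assumed, matches the appendix */

typedef struct { unsigned char b[PKT_SIZE]; } packet_t;

/* Build a packet from a constructed header tag and a payload; unused data
 * bytes stay null, which is what the flag attacher relies on. */
int make_packet(packet_t *p, const char *hdr, const char *payload)
{
    size_t hlen = strlen(hdr), n = strlen(payload);
    if (n > DATA_SIZE) return -1;     /* payload would not fit at all */
    memset(p->b, 0, PKT_SIZE);
    memcpy(p->b, hdr, hlen > HDR_SIZE ? HDR_SIZE : hlen);
    memcpy(p->b + HDR_SIZE, payload, n);
    return 0;
}

/* Flag attacher: consumes one unused null byte at the end of the data area,
 * shifts the data right by one and puts the flag at the start of the data area. */
int attach_flag(packet_t *p)
{
    unsigned char *d = p->b + HDR_SIZE;
    if (d[DATA_SIZE - 1] != 0) return -1;   /* no spare null byte: cannot flag */
    memmove(d + 1, d, DATA_SIZE - 1);
    d[0] = FLAG_BYTE;
    return 0;
}

int is_flagged(const packet_t *p) { return p->b[HDR_SIZE] == FLAG_BYTE; }

/* Blocker: the egress check. 1 = may leave, 0 = dropped. It looks only at
 * the flag position, never at who sent the packet. */
int blocker_pass(const packet_t *p) { return !is_flagged(p); }

/* Encryptor: the second line. It scrambles the data area of any flagged
 * packet that got past the blocker. Keyless XOR with a running pad (assumed);
 * nobody is meant to decrypt it, which is why no shared key exists. */
void encryptor(packet_t *p)
{
    if (!is_flagged(p)) return;
    unsigned char pad = 0x5A;
    for (int i = HDR_SIZE; i < PKT_SIZE; i++) {
        p->b[i] ^= pad;
        pad = (unsigned char)(pad * 7 + 13);  /* a zero pad is always followed by 13 */
    }
}

/* One pass through the firewall. blocker_ok = 0 simulates a bypassed blocker.
 * Returns 1 if a packet left (copied into *out), 0 if the blocker dropped it. */
int egress(const packet_t *in, int blocker_ok, packet_t *out)
{
    if (blocker_ok && !blocker_pass(in)) return 0;
    *out = *in;
    encryptor(out);
    return 1;
}

/* Check used by the scenarios: is the plaintext payload still readable? */
int payload_visible(const packet_t *p, const char *payload)
{
    char buf[DATA_SIZE + 1];
    memcpy(buf, p->b + HDR_SIZE, DATA_SIZE);
    buf[DATA_SIZE] = '\0';
    return strstr(buf, payload) != NULL;
}

/* Scenario: a high priority record is flagged and then copied towards the
 * internet. Returns the number of secret bytes readable outside the firewall
 * (0 when blocked or scrambled), or -1 if the record could not be flagged. */
int demo_leak(const char *secret, int blocker_ok)
{
    packet_t p, out;
    if (make_packet(&p, "HDR", secret) != 0 || attach_flag(&p) != 0) return -1;
    if (!egress(&p, blocker_ok, &out)) return 0;
    return payload_visible(&out, secret) ? (int)strlen(secret) : 0;
}

/* Scenario: low priority data is never flagged and passes unchanged. */
int demo_low_priority(const char *text)
{
    packet_t p, out;
    if (make_packet(&p, "HDR", text) != 0) return -1;
    return egress(&p, 1, &out) && payload_visible(&out, text);
}

int main(void)
{
    printf("secret bytes leaked, blocker active   : %d\n", demo_leak("passwd=01krs", 1));
    printf("secret bytes leaked, blocker bypassed : %d\n", demo_leak("passwd=01krs", 0));
    printf("low priority data readable            : %d\n", demo_low_priority("balance=100"));
    return 0;
}
```

Two details of the design show up in the code that the prose leaves implicit: the flag can only be attached if the data area really has a spare null byte (attach_flag refuses a full 40-byte payload, so a full packet would need a different carrier for the flag), and the blocker's decision rests entirely on one byte at a fixed position, so any packet that happens to begin its data area with the flag value is blocked as well.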
If we approach it from a slightly different view, we can solve it. That is what we have analyzed in our problem of firewalls. Even if it may not bring a solution to all the problems faced by firewalls, it can solve at least the problem dealt with in virtual private networks.

BIBLIOGRAPHY:
Richard E. Smith, Internet Cryptography, Pearson Education Asia Publications.
Jean Gray, Basics of Networks, Hennesyson Publications.
www.howstuffworks.com

APPENDIX:
BLOCKER SIMULATION: Two text files are taken into consideration: 1. Source.txt 2. Dest.txt. The source file contains both high priority as well as low priority data. The destination file is an empty file. The input to the blocker is just the output of the flag attacher. The flag attacher attaches a flag ~ (tilde symbol) at the beginning of a data string to indicate that it should be blocked. The program has 3 phases. Phase-1: Getting values from the source file. Phase-2: Filtering. Phase-3: Copying the file. In phase-1 all the data strings from the source file are copied to an array. In phase-2 the flag attached strings are filtered out, and in phase-3 the remaining low priority data are copied to the destination file. Suppose the source file contains the following message.

Source.txt: Account name is ~FIFA and the passwd is ~01krs

After transferring this through the blocker, the resultant file contains

Dest.txt: Account name is  and the passwd is

Here the secured data FIFA and 01krs are prefixed with ~ and hence are not transferred. The same idea can be carried over to network protocols. The program is as follows.


///////////////////////// BLOCKER SIMULATION /////////////////////////
#include <stdio.h>
#include <stdlib.h>

#define MAXLEN 4096   /* buffer size; 50 was too small for the loops below */

int main(void)
{
    FILE *fs, *fd;                 /* file pointers for source and destination */
    int ch;                        /* int, so EOF can be told apart from data */
    int i = 0;                     /* number of bytes read from the source */
    char ch1[MAXLEN], ch2[MAXLEN]; /* ch1: raw source data, ch2: filtered data */

    fs = fopen("source.txt", "r");
    fd = fopen("dest.txt", "w");
    /* exit if either file cannot be opened */
    if (fs == NULL || fd == NULL) {
        puts("cannot open the file");
        return 1;
    }

    /////////////// PHASE-1: GETTING VALUES FROM SOURCE FILE ///////////////
    /* read byte by byte until end of file or until the buffer is full */
    while (i < MAXLEN && (ch = fgetc(fs)) != EOF) {
        ch1[i] = (char)ch;         /* move the byte read into ch1[] */
        i++;
    }

    /////////////////////////// PHASE-2: FILTERING //////////////////////////
    int flag = 0;                  /* 1 while inside a '~' attached string */
    int m = 0;                     /* number of bytes kept in ch2[] */
    for (int k = 0; k < i; k++) {
        /* a '~' starts a flagged string; the next space ends it */
        if (ch1[k] == '~') flag = 1;
        if (ch1[k] == ' ') flag = 0;
        if (flag == 0) {
            ch2[m] = ch1[k];
            m++;
        }
    }

    ///////////////////////// PHASE-3: COPYING FILE /////////////////////////
    for (i = 0; i < m; i++)
        fputc(ch2[i], fd);

    fclose(fs);
    fclose(fd);
    return 0;
}
