Firewalls in Virtual Private Network-A New Approach
ABSTRACT
The Internet is one of the most frequently used and essential tools in business. To keep
data transactions secure, business concerns used to own a private dedicated network. A
global company, however, cannot establish and maintain a costly leased network across
large geographical areas. Hence there is a need to connect the private intranet to the
Internet while providing adequate privacy and security. This is enabled by means of
Virtual Private Networks (VPN). Firewalls, encryption and antivirus are the three
methods commonly used in Internet security. Among them, firewalls rely on a mechanism
called "packet filtering" to secure a VPN. Packet filtering, however, has loopholes that
let unsafe traffic through, so firewalls face a variety of problems in VPNs today. This
paper contains a diagrammatic analysis of a typical case and provides a new approach,
an algorithm and a solution accompanied by a simulation program. The typical case is
considered and examined, and a solution is proposed that offers more reliable security.
CONTENTS
1) Introduction
a) Internet security
b) Firewalls
2) Concepts of networking protocols and internet
3) How does firewall control hostile attackers
4) Virtual Private Networks
5) Problem Definition-Problems in firewalls
a) Consideration of the case
6) Solution Provided
a) Database model
7) Firewall Design
a) Flag attacher
b) Blocker
c) Encryptor
8) Conclusion
9) Bibliography
10) Appendix- Blocker Simulation program
(Chapters 1-4 cover the basics of networks and firewalls; chapters 5-10 contain the core
of the paper.)
INTRODUCTION:
INTERNET SECURITY:
It is commonly said that as quantity increases, quality decreases. This is true of the
Internet: since it is a network of networks, a great many problems are faced nowadays. In
day-to-day life we come across people who stick bills on our house walls, write unwanted
words on them, or even damage our mailbox. The same can be seen on the Internet. Hostile
attackers may, intentionally or unintentionally, retrieve or damage our private data. In
the early days Internet security was not considered a major factor; nowadays hackers have
to be taken into account when framing cyber-crime laws.
FIREWALLS:
Firewalls, cryptography and antivirus (each different from the others) are the three major
methods used for Internet security. A firewall denotes a system or group of systems
(hardware, software, or both) that protects our network or server from attack by hostile
users on the Internet. In other words, firewalls are devices that allow users at a
protected site to use Internet services in a relatively safe manner while restricting
incoming access by potential attackers.
Generally a node (or system) in a network is called a host. Servers and routers may be
present in the same network. When a message is passed from a source host to a destination
host, the communication follows certain rules devised for the network, called protocols;
TCP/IP, FTP, IPX/SPX and SNA are some examples. Based on these protocols, messages are
divided into packets.
Fig.: The server www.abc.com sits behind a firewall; end users 1, 2 and 3, and a hacker, reach it across the Internet.
Each packet carries the address of its destination; packets travel through the network,
locate that address and reach the destination. Whatever the data may be, it is converted
into packets before it traverses a network. Every packet on the Internet consists of
protocol headers followed by the data being sent. The common format of a header is as
follows.
The protocols use port numbers in the headers to indicate the behaviour or property of the
packet. For example, TCP/IP uses a port number in the transport (TCP) header to indicate
which software or service (e.g. e-mail) is to handle the packet when it is received, and
puts the server host's address in the Internet (IP) header.
Another mechanism, called circuit filtering, is used in a few firewalls. In this method
the firewall relays a connection from a client on one side of the firewall to a server on
the other side. For example, if the firewall is set to allow Telnet connections, the
circuit filter will accept connection requests to port 23, the Telnet port, and relay
them. Circuit filtering is thus restrictive: only connections that are explicitly allowed
get through.
PROBLEM DEFINITION:
-Problems in Firewalls:
It is known that packet filtering is commonly used in firewalls, and some problems are
faced with this method. Packets carry header information along with the data. A
packet-filtering firewall analyses packets using the information in their headers
(addresses, ports, flags) and acts accordingly, i.e. either permits or blocks them; it
does not inspect the application data itself. Password authentication is commonly used
to provide secured communication over the Internet or a VPN, but hackers exploit
loopholes in the way packet filtering supports password authentication.
The firewall checks the packets that open the connection; once the authenticated user's
session has been permitted, every following packet whose headers match that session is
allowed through. A hacker can therefore replace or insert packets containing unwanted
information into the authenticated user's traffic, and the firewall, which judges only
by headers, passes them along with the legitimate packets.
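The loophole described above can be shown with a small model of a packet filter. The following C++ program is an added example and not code from the paper: it models only the header fields a filter can see (addresses, destination port, SYN and ACK flags) and a two-rule Telnet policy, using constructed addresses (10.0.0.5 for the Telnet server, 192.0.2.10 for the legitimate client, 198.51.100.7 for the attacker). As a contrast the paper does not discuss, it also includes a stateful variant that remembers which sessions were permitted.

```cpp
#include <cstdint>
#include <set>
#include <string>
#include <tuple>
#include <utility>
#include <vector>

// Constructed model of what a packet filter can see: header fields only. The payload is carried
// along so the example can show that it never influences the filtering decision.
struct Packet {
    std::string src;      // source IPv4 address (text form)
    std::string dst;      // destination IPv4 address
    std::uint16_t dport;  // destination TCP port
    bool syn;             // TCP SYN flag: set on a connection request
    bool ack;             // TCP ACK flag: set on every packet of an established session
    std::string payload;  // application data (passwords, commands): invisible to the filter
};

struct Rule {
    std::string dst;        // "*" matches any destination address
    std::uint16_t dport;    // 0 matches any port
    bool established_only;  // true: the rule matches only packets with ACK set
    bool permit;            // decision when the rule matches
};

bool matches(const Rule& r, const Packet& p) {
    if (r.dst != "*" && r.dst != p.dst) return false;
    if (r.dport != 0 && r.dport != p.dport) return false;
    if (r.established_only && !p.ack) return false;
    return true;
}

// Stateless packet filter: the first matching rule decides; anything unmatched is denied.
bool stateless_filter(const std::vector<Rule>& rules, const Packet& p) {
    for (const Rule& r : rules)
        if (matches(r, p)) return r.permit;
    return false;
}

// Stateful variant: remembers (src, dst, dport) of every permitted connection request and lets a
// mid-session packet through only if it belongs to a remembered session.
class StatefulFilter {
    std::vector<Rule> rules_;
    std::set<std::tuple<std::string, std::string, std::uint16_t>> sessions_;
public:
    explicit StatefulFilter(std::vector<Rule> rules) : rules_(std::move(rules)) {}
    bool accept(const Packet& p) {
        auto key = std::make_tuple(p.src, p.dst, p.dport);
        if (p.syn && !p.ack) {                          // new connection request
            if (!stateless_filter(rules_, p)) return false;
            sessions_.insert(key);
            return true;
        }
        return sessions_.count(key) > 0;                // must belong to a known session
    }
};

// The paper's Telnet case as a policy: allow connections to the Telnet server on port 23, and
// allow any packet that claims to belong to an established session (ACK set).
std::vector<Rule> telnet_policy() {
    return {
        {"10.0.0.5", 23, false, true},
        {"*",        0,  true,  true},
    };
}

// Constructed packets: a connection request and a mid-session data packet to the Telnet server.
Packet syn_pkt(const std::string& src) {
    return {src, "10.0.0.5", 23, true, false, ""};
}
Packet data_pkt(const std::string& src, const std::string& payload) {
    return {src, "10.0.0.5", 23, false, true, payload};
}

// The loophole: once the client's session is permitted, the stateless filter also passes a packet
// injected by another host, because its headers satisfy the "established" rule.
bool stateless_passes_injected() {
    std::vector<Rule> rules = telnet_policy();
    return stateless_filter(rules, syn_pkt("192.0.2.10"))
        && stateless_filter(rules, data_pkt("192.0.2.10", "USER admin"))
        && stateless_filter(rules, data_pkt("198.51.100.7", "injected command"));
}

// The stateful filter stops the same injected packet: 198.51.100.7 never opened a session.
bool stateful_stops_injected() {
    StatefulFilter f(telnet_policy());
    return f.accept(syn_pkt("192.0.2.10"))
        && f.accept(data_pkt("192.0.2.10", "USER admin"))
        && !f.accept(data_pkt("198.51.100.7", "injected command"));
}
```

The stateful table here keys on addresses and port only; an attacker who forges the client's own source address would additionally have to match the TCP sequence numbers, which production stateful firewalls track as well. The payload string is never read by either filter, which is exactly the limitation the paper's case builds on.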
Until now, many firewall builders have concentrated on analysing the behaviour of
incoming packets, and hackers keep finding ways to craft packets that break the
restricting rules.
There are two cases of damage produced by a hacker's arrival in our VPN.
Case 1: the hacker makes changes in our database, i.e. crashes (corrupts) our data.
Case 2: the hacker profits more by stealing our data than by crashing it.
In this paper, case 2 is considered.
SOLUTION PROVIDED:
In this paper a new approach to the solution is presented for the case of the problem
dealt with above. Before going to the solution, the problem has to be analysed and
understood.
A practical example of the case 2 problem is stealing the account keeper's password from
a bank's database: instead of crashing the password store, the hacker benefits more by
knowing the password. The same kind of problem is faced in a police database of
criminals.
DATABASE MODEL:
Fig.: A VPN of a company with a headquarters (database), various local branches (intranets) and mobile workers, all connected over the Internet through a firewall.
The inner shaded circle of the network contains a highly confidential database that can
be handled only by higher officials who are given administrator rights, whereas the area
outside the circle contains low-priority data that can be handled by other branches via
the Internet.
The high-priority database is embedded within the low-priority database because there are
conditions under which some data or information derived from the high-priority database
must be passed to the white area network; i.e. the higher officials sometimes adopt new
policies in the inner circle, and accordingly certain data in the white area network
change and must be communicated to the branches, intranets or mobile workers.
Any employee (mobile user) or branch can enter the headquarters' network via the Internet
only by some means of authentication. At the same time, that authenticated user is not
eligible to enter the shaded area. Suppose a hacker, or even a spy within the company,
enters the headquarters' outer white area by exploiting the loopholes in the firewall's
packet filtering. In our case he is considered capable of going on to enter the inner
database to steal data. Under these circumstances the firewall cannot prevent the theft;
at best some firewalls can report that the data has been taken by an unauthenticated
user. Either way our data is taken, and he can make use of it before we know that it has
been copied.
Mostly, firewall builders spend their time finding new secured methods of analysing the
behaviour of the various hacker-designed packets in our case of the problem. Here we give
a different approach to the solution. According to the case of the problem, the data
should not become known to the hacker, and he must be prevented from making use of it.
So even if he manages to enter our safe area we can keep our data unknown to him: the
data can only become known to him if the copied packets get past our firewall.
So why not design the firewall to prevent the high-priority data from getting out, instead
of focusing on finding the packets sent by the hacker?
FIREWALL DESIGN:
All the high-priority data kept inside the shaded area is given a flag along with the
data. After conversion into packets, these data contain headers, the data and the flag
(see fig. below). The firewall is designed so that it will not let flagged packets out,
since it is far easier to recognise a flag-attached packet than to recognise a hacker's
packets. So even if the hacker enters the safe network he cannot carry the data out of
it. Hence the problem of our data being stolen (case 2) is solved by the algorithm in our
firewall design.
compared with the former. In addition, we provide a further safeguard called the
encrypting system.
Fig.: Firewall design. Packets from the flag attacher pass through the blocker and then the encryptor before going out to the Internet.
In future, even if a hacker were capable of getting flag-attached packets across the
blocker in the firewall, there is another component, the encryptor, which scrambles
those packets so that the hacker receives wrong information; protection is thus given at
a second level. With both components in place, the network is far better secured against
this kind of theft.
Flag Attacher:
When file packets from the inner circle are transferred to the outer white area, i.e.
when they are copied to the outer area, a flag indicating their high priority is
attached. The flag attacher may be either software or hardware; here the flag-attaching
job is implemented only as a program and not in hardware, because the database model is
an embedded one (one within the other), so the two databases cannot be separated and
given a hardware flag attacher.
Suppose an ordinary packet is 50 bytes, of which 10 bytes are headers and the remaining
40 bytes are user data. Usually not all 40 bytes of the user data area are used; in this
model it is assumed to contain at least two unused (null) bytes. The flag takes over one
of these unused null bytes: the data is shifted by one byte and the flag byte is placed
at the beginning of the data area.
Ordinary packet:
| Headers (10 B) | Data ... NULL ... Data ... NULL ... Data (40 B) |
Flagged packet:
| Headers (10 B) | FLAG | Data ... NULL ... Data ... (39 B) |
The program neither alters the actual data in the packet nor performs any encryption.
Since it is a simple program, the cost and performance of the database are not
drastically affected.
Blocker:
After flag-attached packets have mingled with the other packets in the outer area, it is
the job of the blocker to stop the high-priority packets that have been copied by the
hacker. The blocker is a program located within the already existing firewall. It scans
all data going out of the firewall, identifies the flag-attached packets alone and blocks
them from being carried out. Note that the flag travels in-band in the data area, so the
blocker can only catch packets whose flag has survived unchanged up to the firewall.
The simulation of the blocker is shown as a C++ program in the appendix, treating data
transfer simply as copying data from one file to another.
Encryptor:
Encryption is commonly done while sending data over networks. Usually one of the
cryptographic algorithms, chosen according to the data, is used to encrypt it. A 'crypto
key' is also established that is known to both sender and receiver; unless the key is
known, the actual data cannot be recovered.
Here our encryptor is placed after the blocker (refer to the figure in the firewall
design section). It changes the data of any flagged packet coming out of the blocker.
There is no need to establish a shared crypto key, because we are never going to use that
data again: the encryptor exists only to make it useless to the hacker. It is added to the
firewall for additional security, as the blocker does the major part of the work. Only if
the blocker fails does the encryptor become active, and it acts loyally on our behalf.
The most important point to note is that the firewall keeps doing its usual routine and is
not diverted by the addition of the two components, the blocker and the encryptor. These
two components act only when highly secured data is being transferred out; hence the
firewall's performance is not affected.
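The flag attacher, blocker and encryptor sections above describe the three components at the byte level; the following C++ program is an added example that puts them together on the paper's assumed packet layout (10 header bytes plus a 40-byte data area with NUL padding, flag byte '~' as in the appendix). It is not the paper's own code: the helper names, the "weather" sample string and the fixed random seed are assumptions made here, while 'FIFA' and '01krs' are the high-priority strings the appendix uses. It also covers two failure modes the text implies but does not show: a packet with no spare null byte cannot be flagged, and a flagged packet that slips past the blocker has its data destroyed by the keyless encryptor.

```cpp
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <random>
#include <string>
#include <vector>

// Packet layout assumed from the paper: 10 header bytes followed by a 40-byte data area in which
// unused bytes are NUL (0). The flag byte '~' is the one used by the appendix simulation.
constexpr std::size_t HDR_LEN = 10;
constexpr std::size_t DATA_LEN = 40;
constexpr std::size_t PKT_LEN = HDR_LEN + DATA_LEN;
constexpr std::uint8_t FLAG = '~';
using Packet = std::array<std::uint8_t, PKT_LEN>;

// Build a packet: header text (truncated to HDR_LEN) and payload copied in, everything else NUL.
// A payload that would not fit the data area is rejected.
bool make_packet(const std::string& hdr, const std::string& payload, Packet& out) {
    if (payload.size() > DATA_LEN) return false;
    out.fill(0);
    std::memcpy(out.data(), hdr.data(), std::min(hdr.size(), HDR_LEN));
    std::memcpy(out.data() + HDR_LEN, payload.data(), payload.size());
    return true;
}

// Flag attacher: captures one unused NUL byte at the end of the data area by shifting the data
// right by one byte, then writes the flag at the beginning of the data area. The actual data is
// left intact; if the data area is full there is no spare byte and the flag cannot be attached.
bool attach_flag(Packet& p) {
    if (p[PKT_LEN - 1] != 0) return false;
    std::memmove(p.data() + HDR_LEN + 1, p.data() + HDR_LEN, DATA_LEN - 1);
    p[HDR_LEN] = FLAG;
    return true;
}

bool is_flagged(const Packet& p) { return p[HDR_LEN] == FLAG; }

// Blocker: scans outbound packets and lets only the unflagged ones continue to the Internet.
std::vector<Packet> blocker(const std::vector<Packet>& outbound) {
    std::vector<Packet> passed;
    for (const Packet& p : outbound)
        if (!is_flagged(p)) passed.push_back(p);
    return passed;
}

// Encryptor as the paper describes it: a keyless overwrite of the data area of a flagged packet
// that slipped past the blocker. Nobody, not even us, can recover the data afterwards.
void scramble_if_flagged(Packet& p, std::mt19937& rng) {
    if (!is_flagged(p)) return;
    for (std::size_t i = HDR_LEN; i < PKT_LEN; ++i)
        p[i] = static_cast<std::uint8_t>(rng() & 0xFF);
}

// Helpers to read the header and data areas back as text (up to the first NUL).
std::string header_of(const Packet& p) {
    std::string s;
    for (std::size_t i = 0; i < HDR_LEN && p[i] != 0; ++i) s.push_back(static_cast<char>(p[i]));
    return s;
}
std::string data_of(const Packet& p) {
    std::string s;
    for (std::size_t i = HDR_LEN; i < PKT_LEN && p[i] != 0; ++i) s.push_back(static_cast<char>(p[i]));
    return s;
}

// Walk a high-priority string ("FIFA", flagged) and a low-priority one ("weather") through the
// blocker; returns the data of the packets that reached the Internet side.
std::vector<std::string> demo_blocker() {
    Packet hi{}, lo{};
    make_packet("HDR1", "FIFA", hi);
    make_packet("HDR2", "weather", lo);
    attach_flag(hi);
    std::vector<std::string> out;
    for (const Packet& p : blocker({hi, lo})) out.push_back(data_of(p));
    return out;
}

// Failure mode: a packet whose data area is completely used cannot be flagged at all.
bool demo_full_packet_unflaggable() {
    Packet full{};
    return make_packet("HDR", std::string(DATA_LEN, 'x'), full) && !attach_flag(full);
}

// A flagged packet that got past the blocker: the encryptor destroys its data but not its header.
bool demo_encryptor_destroys_data() {
    Packet p{};
    make_packet("HDR", "01krs", p);
    attach_flag(p);
    std::mt19937 rng(1);   // fixed seed so the demonstration is repeatable
    scramble_if_flagged(p, rng);
    return header_of(p) == "HDR" && data_of(p) != "~01krs";
}
```

Because the flag is stored in-band as the first data byte, a legitimate low-priority string that happens to begin with '~' would be blocked too, and an attacker who can rewrite the packet before it reaches the firewall can simply remove the byte; both follow directly from the design and are worth keeping in mind when reading the blocker's guarantees.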
CONCLUSION:
Thus, analysing a problem always from the same viewpoint may not bring a solution and
rather wastes our time; approaching it from a slightly different viewpoint can solve it.
That is what we have done in our problem of firewalls. Even if it does not solve all the
problems faced by firewalls, it can at least solve the problem dealt with here in virtual
private networks.
BIBLIOGRAPHY:
APPENDIX:
BLOCKER SIMULATION:
1. Source.txt
2. Dest.txt
The source file contains both high-priority and low-priority data. The destination file is
an empty file. The input to the blocker is simply the output of the flag attacher. The
flag attacher attaches a flag '~' (tilde) at the beginning of a data string to indicate
that it should be blocked.
In phase 1 all the data strings from the source file are copied into an array. In phase 2
the flag-attached strings are filtered out, and in phase 3 the remaining low-priority
data are copied to the destination file.
After transferring this through the blocker the resultant file contains
Here the secured data 'FIFA' and '01krs' are prefixed with '~' and hence not transferred.
///////////////////////////// BLOCKER SIMULATION /////////////////////////////
#include <cstdio>
#include <cstring>

#define MAX_STRINGS 100   // maximum number of data strings in source.txt
#define MAX_LEN 50        // maximum length of one data string (including '\n')
#define FLAG '~'          // flag attached by the flag attacher to high-priority data

int main()
{
    FILE *fs, *fd;                       // file pointers for source and destination
    char ch1[MAX_STRINGS][MAX_LEN];      // strings read from the source file
    char ch2[MAX_STRINGS][MAX_LEN];      // strings that survive the blocker
    int n = 0, m = 0, i;

    fs = fopen("source.txt", "r");
    fd = fopen("dest.txt", "w");
    if (fs == NULL || fd == NULL) {
        perror("fopen");
        return 1;
    }

    ///////////// PHASE-1: GETTING VALUES FROM SOURCE FILE /////////////
    // One data string per line (assumed format of source.txt); stop at end of file
    while (n < MAX_STRINGS && fgets(ch1[n], MAX_LEN, fs) != NULL)
        n++;

    ///////////// PHASE-2: FILTERING /////////////
    // Keep only the strings that do not begin with the flag
    for (i = 0; i < n; i++) {
        if (ch1[i][0] != FLAG)
            strcpy(ch2[m++], ch1[i]);
    }

    ///////////// PHASE-3: COPYING FILE /////////////
    // Write the remaining low-priority strings to the destination file
    for (i = 0; i < m; i++)
        fputs(ch2[i], fd);

    fclose(fs);
    fclose(fd);
    return 0;
}