AU2002248989B2 - Network security system - Google Patents

Publication number
AU2002248989B2
AU2002248989B2 AU2002248989A AU2002248989A AU2002248989B2 AU 2002248989 B2 AU2002248989 B2 AU 2002248989B2 AU 2002248989 A AU2002248989 A AU 2002248989A AU 2002248989 A AU2002248989 A AU 2002248989A AU 2002248989 B2 AU2002248989 B2 AU 2002248989B2
Authority
AU
Australia
Prior art keywords
packet
network
con
root
acceptable
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
AU2002248989A
Other versions
AU2002248989A1 (en)
Inventor
Patrick Culbert
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Firebridge Systems Pty Ltd
Original Assignee
Firebridge Systems Pty Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from AUPR4355A external-priority patent/AUPR435501A0/en
Application filed by Firebridge Systems Pty Ltd filed Critical Firebridge Systems Pty Ltd
Priority to AU2002248989A priority Critical patent/AU2002248989B2/en
Publication of AU2002248989A1 publication Critical patent/AU2002248989A1/en
Application granted granted Critical
Publication of AU2002248989B2 publication Critical patent/AU2002248989B2/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Landscapes

  • Computer And Data Communications (AREA)

Description

WO 02/084916 PCT/AU02/00499

NETWORK SECURITY SYSTEM

TECHNICAL FIELD

The invention pertains to a network security device and more particularly to a firewall device using packet filtering and bridging.

BACKGROUND ART

Many network services have been proven exploitable, and tools to do so, even for the beginner, have become widely available. Even without compromising information, the temporary blackout of a server or network can mean many hours of lost work and missed business opportunities.
Companies connect to the Internet, and exchange data via dial-up, ISDN and leased lines. Furthermore, employees are offered remote access options.
However, every incoming connection is likely to have outgoing connections as well.
No computer network is completely secure. Like any lock, if it is human built it can be human broken. A small security measure may take out most of the amateurs that otherwise would cause an annoyance. On the other hand, a major site should not settle for said small security measures.
Security is expensive. Dedicated hardware and software has to be purchased, installed, configured and maintained by either hiring, employing or creating expertise. Often changes have to be made to existing infrastructure requiring more hardware or causing downtime.
Glossary of Terms

Bridge: A device which forwards traffic between network segments based on data link layer information. These segments would have a common network layer address.
Firewall: A dedicated gateway machine with special security precautions on it, used to service outside network, especially Internet connections and dial-in lines. The idea is to protect a cluster of more loosely administered machines hidden behind it from crackers. The typical firewall is an inexpensive microprocessor-based unit machine with no critical data, with modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster.
Router: A device which forwards packets between networks. The forwarding decision is based on network layer information and routing tables, often constructed by routing protocols.
Packets: The unit of data sent across a network. "Packet" is a generic term used to describe a unit of data at any layer of the OSI protocol stack, but it is most correctly used to describe application layer data units ("application protocol data unit", APDU).
Packet Filters: Every packet is compared against the rulebase and based on the matching rule a decision is executed.
Rule Base: A set of rules which determines which packets to allow or disallow through a network.
HTML (Hypertext Markup Language): The language used to describe WWW pages. A tag-based ASCII language that is used to specify the content and hypertext links to other documents on World Wide Web servers on the Internet. Browsers made for any operating system (hardware platform, monitor resolution, etc.) can then be used to view the prepared documents and follow links to display other documents.
Network Interface Card (Network Card): A name for the LAN adaptor (printed circuit board) installed in a PC, that enables it to communicate over a LAN. The term is used commonly by IBM PC and token ring users.
IP Address: All network-layer protocols have an address format, and for the 32-bit IP addresses of the TCP/IP protocol, addresses are of the form "199.12.1.1". This is called dotted decimal, and each of the four sections is a decimal number from 0 to 255, representing 8 bits of the IP address specifies a specific host on that network. Since there are only 32 bits to the entire IP address and some networks have many more hosts than others (and there are fewer larger networks), there are different address classes. These allocate different numbers of bits to the network and host portion of the address.
DMZ (De-Militarised Zone): From the military term for an area between two opponents where fighting is prevented. DMZ Ethernets connect networks and computers controlled by different bodies. They may be external or internal. External DMZ Ethernets link regional networks with routers to internal networks. Internal DMZ Ethernets link local nodes with routers to the regional networks.
Current Technology

Many different types of firewall and security software are known. They can be broken down into three categories. (We do not consider personal firewalls protecting a single home computer.)
Proxy based: The firewall serves as an application-proxy between systems that physically connect to different network interfaces on the firewall server. An application-proxy acts as an agent or substitute at the application level for entities that reside on one side of the firewall when dealing with entities on another side of the firewall. Maintaining this separation between interfaces, and continuously protocol checking, provides a very secure environment. This is demanding on CPU time and this can become an issue in high volume sites.
Stateful inspection: Whenever the firewall receives a packet initiating a connection, that packet is reviewed against the firewall rulebase in sequential order. If the packet goes through any rule without being accepted, the packet is denied. If the connection is accepted, the session is then entered into the firewall's stateful connection table, which is located in memory. Every packet that follows is then compared to the stateful inspection table. If the session is in the table, and the packet is part of that session, then the packet is accepted. If the packet is not part of the session then it is dropped. This improves system performance, as every single packet is not compared against the rule base.
Packet filters: Every packet is compared against the rulebase and based on the matching rule or rules a decision is executed.
Most of the high-end firewalls provide combinations or hybrids of the above-mentioned techniques. All known examples have in common that they are technically routers and need to have different subnets on each network interface.

Router vs. Bridge

A router is a device that forwards packets between networks. The router is aware of different networks and how to get there. This is the technique currently used by all known commercial firewalls. This implies that hosts on a different side of the firewall have to have a different network address, as the traffic will otherwise never end up at the firewall. Network changes are needed on the dial-in device as well as on the LAN.
A bridge is a device that forwards traffic between network segments based on data link layer information. It works based on the MAC address.
The present invention emerged from a real life situation where a company wanted to protect their dial-in server. That server already provided network connectivity for employees and third parties. A new third party company needed access, but it was known that that company had an insecure Internet connection.
Implementing any sort of conventional firewall would have meant reconfiguring the addressing-scheme of the dial-in server and coordinating changes with the remote companies.

DISCLOSURE OF THE INVENTION

Accordingly the need exists for a security device which requires no changes to existing infrastructure.
Also required is a fully transparent firewall. The systems of the present invention will never show in traceroute, as it is not a logical part of the network.
Further, the invention may be implemented without assigning an IP address to it. This means console access for configuration but results in a security device without an address.
Accordingly, there is provided a network security device which does not require a separate computer to implement. The device is preferably configured from an HTML interface and uses three network cards. The first two cards are used for the Firewall. A third card is a management interface having a private, not publicly routed IP address. The first network card forwards packets to a packet filter. Packets which pass the filter are forwarded to the second network card and subsequently to their destination. None of these cards have a publicly routed IP address. The device acts as a packet filter which bridges rather than routes or proxies. It may be located between a router and a hub or server machine.

BRIEF DESCRIPTION OF THE DRAWINGS

In order that the invention may be more readily understood and put into practical effect, reference will now be made to the accompanying drawings in which:
Fig. 1 is a flow chart illustrating how the system of the present invention is configured,
Fig. 2 is a flow chart illustrating how network traffic enters an internal network through the system of the present invention,
Fig. 3 is a flow chart illustrating how internal network traffic passes through the system of the present invention into the external world,
Fig. 4 is an illustration of the graphical user interface which provides a user with editorial control over a packet filtering rule set.

MODES FOR CARRYING OUT THE INVENTION

Implementation of the invention requires, for example:

Hardware
  • Minimum 200 MHz Processor
  • Min 64MB RAM
  • One solid-state hard drive of 64MB Capacity
  • 3 x Network Cards 10/100/1000
  • Case with power supply and LCD panel with input device for system configuration
  • Serial port for debugging and startup information, as we do not use a video card

Software
  • Linux Kernel Version 2.2.20
  • Apache Web Server 1.3.22
  • mod_perl
  • mod_SSL
  • Perl Version 5.6.1
  • OpenSSH
  • OpenSSL
  • GNU Tools and utilities needed for running SYS V Linux OS
  • Web Interface using mod_perl, HTML and CSS

Installation is accomplished by creating a computer using the hardware listed in the "Hardware" section above. A detailed system build description can be found in appendix A.
As shown in Fig. 4, the invention comprises a configuration interface, which includes two parts:
  • Firewall Configuration
  • System Monitoring

Firewall Configuration
1. The interface 10 uses plain text configuration files 20, manipulated through a CGI 50, that contain the ruleset.
2. The configuration files are manipulated by Perl scripts that are accessed through an HTML interface.
3. The configuration files are then translated 30 into the kernel rules by Perl scripts.
A detailed configuration description can be found in appendix B.

System Monitoring
1. Monitors LOAD status. This will tell the users what the current load on the CPU is.
2. Monitors Disk Space Status. This will tell the users what the current level of Disk Space Usage is.
3. Monitors CONFIGURATION status. This will tell the users whether or not the changes they have made to the configuration of the firewall have been committed to the firewall.
4. Monitors and logs whether or not packets have been allowed or denied.
As shown in Fig. 2, the inward flow of information comprises a flow of packets.
A packet comes into the network 60 from the world 70. It then passes through the first network card 80. The packet is then inspected by the packet filter 90 and compared to the rules. If the packet is accepted 100 it will be then forwarded to the second network card 110 and through to the network 60. If the packet is denied 120 it will then be dropped 130 which means that it disappears. A log can record what happened to the packet.
As shown in Fig. 3, an outbound packet goes out to the world 70 from the network 60. It then passes through the second network card 110. The packet is then inspected by the packet filter 90 and compared to the ruleset. If the packet is accepted 100 it will be then forwarded to the first network card and through to the world. If the packet is denied 120 it will then be dropped 130 which means that it disappears. The log can record what happened to the packet.
The following table compares the features of the present invention to two other commercial products.

Columns: Present Invention | FireBox II™ | Firewall I™ and Raptor™

1. Present Invention: All-In-One Network Security Device that requires no other devices to protect a network or segment of a network.
   FireBox II™: All-In-One Network Security Device that requires no other devices to protect a network or segment of a network.
   Firewall I™ and Raptor™: Software Based Network Security Device. Require: Extra Hardware (a computer), Extra Software (an operating system).
2. Present Invention: HTML Interface for Configuration which means that it can be configured from any computer that has a browser without installing any additional software.
   FireBox II™: HTML Interface for Configuration which means that it can be configured from any computer that has a browser without installing any additional software.
   Firewall I™ and Raptor™: Uses its own Interface for configuration which means that it can only be configured from a computer that has the software installed on it.
3. Present Invention: Uses 3 Network Cards: Management Interface with dummy internal IP address; No IP Address; No IP Address.
   FireBox II™: Uses 3 Network Cards: DMZ; Local; Internet.
   Firewall I™ and Raptor™: Uses at least 2 Network Cards. Can use as many as supported by hardware and OS combination: Internal; External.
4. Present Invention: Requires No IP Addresses on the protected segments.
   FireBox II™: Requires Multiple Relevant IP Addresses.
   Firewall I™ and Raptor™: Requires Multiple Relevant IP Addresses.
5. Present Invention: Uses Packet Filtering Firewall Technology.
   FireBox II™: Uses Packet Filtering Firewall Technology.
   Firewall I™ and Raptor™: Uses State-ful inspection and proxy Firewall Technology.
6. Present Invention: Checks Packet and then Bridges it (Completely Transparent).
   FireBox II™: Checks Packet and then Routes it.
   Firewall I™ and Raptor™: Checks Packet and then Routes it.

Firewall I and Raptor require a separate computer with an operating system before they can run and are therefore very different to the other two firewalls.
The present invention uses 3 Network Cards:
Management Interface with dummy internal IP address: This Network Card is only used to configure the firewall. It is not used in the operation of the firewall in any way and has no IP address. The other two network cards 80, 110 do not have an IP address assigned to them.
This is the greatest difference between the invention and any known Firewall on the market. Because the present inventive solution does not use IP addresses, it is not a logical part of the network. This means that it cannot be detected and that it can be implemented simply by disconnecting an existing interface and plugging this in the middle. No other network reconfiguration is required. This makes it completely unique.
The Firebox™ uses 3 Network Cards and requires 3 relevant IP addresses. This means that the Network needs to be reconfigured to allow for the installation of this product.
Firewall I™ and Raptor™ use 2 Network Cards and require 2 relevant IP addresses. This means that the Network needs to be reconfigured to allow installation of these products.
The present invention checks a packet and then bridges it, which is completely transparent. The Firebox™ checks a packet and then routes it.
Firewall I and Raptor check the packet and then route it. Raptor™ checks the requests and then proxies it.
All three firewalls check a packet. One significant difference is that the present invention will bridge it rather than route it.
As shown in Fig. 4, a rule set 90 can be edited through a graphical user interface 200. All rules 210 are given an order. This order may be modified at any time. The rules 210 are checked by the computer, one at a time, in order. If a packet satisfies a rule 210 it will be actioned 230 as determined by the rule, otherwise it will go to a default rule. The rule set takes into account the packet source 220, the destination 240, the relevant service 250 and options 260 such as logging requirements. Graphical buttons 270, 280 allow easy user editing or deletion.
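The ordered, first-match evaluation described above, applied to the colon-separated record layouts listed in Appendix B, as an added Python example (not code from the patent or from Firebridge). The sample objects, group type values, action names, nested-group handling and the deny default for unmatched packets are assumptions; the five-field record listed after the protocols layout is taken to be the services file.

```python
import ipaddress
from collections import namedtuple

# Constructed sample files in the Appendix B record layouts (values are not
# from the patent; group types and action names are assumed).
ACTIONS = "1:none\n2:log\n"
NETOBJECTS = ("dialin-pool:192.168.50.0/255.255.255.0\n"
              "partner-a:203.0.113.0/28\n"
              "mailhost:192.168.1.25/32\n"
              "webhost:192.168.1.80/32\n"
              "any:0.0.0.0/0\n")
SERVICES = ("smtp:Mail transfer:6:1024-65535:25\n"
            "http:Web:6:1024-65535:80\n"
            "dns:Name lookup:17:1024-65535:53\n")
GROUPS = ("remote-users:net:dialin-pool,partner-a:all dial-in callers\n"
          "servers:net:mailhost,webhost:published hosts\n"
          "web-and-mail:service:http,smtp:published services\n")
FBRULES = ("1:deny:partner-a:mailhost:smtp:2:partner may not relay mail\n"
           "2:allow:remote-users:servers:web-and-mail:1:published services\n"
           "3:allow:any:any:dns:1:name lookups\n")

Packet = namedtuple("Packet", "src dst proto sport dport")
Rule = namedtuple("Rule", "nr verdict src dst svc action comment")


def records(text, nfields):
    """Split colon-separated records; only the last field may contain ':'."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        fields = line.split(":", nfields - 1)
        if len(fields) != nfields:
            raise ValueError(f"malformed record: {line!r}")
        out.append(fields)
    return out


def ports(spec):
    """'25' or '1024-65535' -> range covering the matching ports."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return range(lo, hi + 1)


def load(netobjects, services, groups, rules, actions):
    """Parse the files and resolve every name a rule uses, failing closed."""
    nets = {n: [ipaddress.ip_network(a, strict=False)]
            for n, a in records(netobjects, 2)}
    svcs = {n: [(int(p), ports(sp), ports(dp))]
            for n, _desc, p, sp, dp in records(services, 5)}
    grps = {n: m.split(",") for n, _type, m, _c in records(groups, 4)}
    acts = dict(records(actions, 2))

    def expand(name, table, seen=()):
        # Groups may nest (an assumption); a cycle or an undefined member
        # rejects the whole rule base instead of silently skipping a rule.
        if name in seen:
            raise ValueError(f"group cycle via {name!r}")
        if name in grps:
            return [leaf for m in grps[name]
                    for leaf in expand(m, table, seen + (name,))]
        return table[name]  # KeyError on an undefined name

    out = []
    for nr, verdict, s, d, svc, act, comment in records(rules, 7):
        if verdict not in ("allow", "deny"):
            raise ValueError(f"rule {nr}: bad verdict {verdict!r}")
        out.append(Rule(int(nr), verdict, expand(s, nets), expand(d, nets),
                        expand(svc, svcs), acts[act], comment))
    return sorted(out, key=lambda r: r.nr)  # rules are checked in number order


def decide(rules, pkt, default="deny"):
    """Return (verdict, rule nr, action) of the first rule the packet satisfies.

    The default for unmatched packets is an assumption; the patent only says
    such packets go to a default rule.
    """
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (any(src in n for n in r.src) and any(dst in n for n in r.dst)
                and any(pkt.proto == p and pkt.sport in sp and pkt.dport in dp
                        for p, sp, dp in r.svc)):
            return r.verdict, r.nr, r.action
    return default, None, None


if __name__ == "__main__":
    rb = load(NETOBJECTS, SERVICES, GROUPS, FBRULES, ACTIONS)
    for pkt in (Packet("203.0.113.5", "192.168.1.25", 6, 40000, 25),
                Packet("192.168.50.7", "192.168.1.25", 6, 40000, 25),
                Packet("198.51.100.9", "192.168.1.80", 6, 40000, 80)):
        print(pkt, "->", decide(rb, pkt))
```

Because the first match wins, exchanging the numbers of rules 1 and 2 in the sample turns the partner's SMTP packet from deny into allow without any rule text changing.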

Appendix A

Embedded system build description:

The reason for having an embedded Linux system is to take away any administrative overhead for the user who might not be familiar with the Linux operating system. Furthermore we eliminate issues like file system corruption when the system is powered off rather than shut down properly.
We use a separate machine to build the OS. This system contains a development environment, which allows us to build the necessary binaries, and shared libraries for our production machine.
On the build machine a separate partition exists which emulates the final destination of the OS (the solid state drive).
The following root directory structure is created:
/bin (system binaries)
/boot (kernel directory)
/dev (device character devices)
/etc (configuration files)
/home (home directories)
/lib (share libraries)
/proc (proc filesystem mount point)
/root (root home directory)
/sbin (system binaries)
/tmp (tmp space mount point)
/usr (usr libraries and binaries)
/var (var mount point)

We populate the /dev directory with the following required character files:

We use Linux kernel 2.2.20 (www.kernel.org) enhanced with the OW security patches (www.openwall.com). We replace the existing kernel bridging code with the 2.4 kernel code (bridge.sourceforge.net).
The kernel is configured with the following parameters:

We build the production kernel and place it on the destination partition in the /boot directory.
We then start building the supporting binaries as needed in order to get a functional SYS V Linux system, web server and any other tools as desired.
After building these binaries they are placed on the destination partition along with their required shared libraries and configuration files.
Once all the required binaries are built and functional we use the following setup.
During the boot process we generate the following ram drives which are used by the system for write operations. Obviously RAM is volatile and the shutdown sequence will take care of storing any information which needs to be available after a reboot or power outage. Since each RAM drive is created and formatted on startup there is no chance for File system corruption upon unclean shutdowns.
Drive      Mounted as
/dev/ram0  swap
/dev/ram1  /tmp
/dev/ram2  /var
/dev/ram3  /usr/local/firebridge/http

swap: Used by the OS when physical RAM is running low. (By generating swap space in RAM we reserve that part of memory for swap usage.)
/tmp: Used for temporary files by the management interface.
/var: Used for logging. (Note that logfiles will currently not be saved upon reboot. In order to achieve permanent logging we provide syslog which can log to a loghost.)
/usr/local/firebridge/http: Used for the webserver's web pages and graphics. In order to achieve fast access and increase interface performance we serve these graphics from RAM as access times are much higher than from any other device.
WO 02/084916 PCT/AU02/00499 32 Appendix B Management interface and Firewall configuration files: The CGI interface uses mod perl and distinguishes between two types of files.
*.cgi files which deal with what the user sees in the webbrowser. *-lib.pl files which contain functions for checking user input and manipulating the configuration files. There are static html files, images and cascading stylesheets used as a framework for the dynamic content and presentation.
The following files are used to manipulate the configuration files:

fb-cgilib.pl (general functions used by all scripts)
ipcalc-lib.pl (ip calculator library)
ipcalc.cgi (ip calculator presentation)
bridgeview (this contains the read only versions)
    vwgroups.cgi
    vwnetobjects.cgi
    vwrules.cgi
    vwservices.cgi
fw
    fwconf-lib.pl (write ipchains compatible config based on rules)
    fwconf.cgi (activate/roll back configuration)
    groups-lib.pl (manipulate group file)
    groups.cgi (presentation for group file)
    netobjects-lib.pl (manipulate network objects file)
    netobjects.cgi (presentation for network objects file)
    rules-lib.pl (manipulate rules file)
    rules.cgi (presentation for rules file)
    services-lib.pl (manipulate services file)
    services.cgi (presentation for services file)
logvw
    logvw.cgi (view current log file)
options
    fbgconf-lib.pl (manipulate global configuration options)
    fbgconf.cgi (presentation global configuration options)
status
    confstatus.cgi (check if current configuration is identical to active)
    loadstatus.cgi (check the load of the box)
wizard
    wizard.cgi (step by step creation of rules and related objects)

Firebridge uses the following configuration files:

Actions (Possible actions for a rule)
    nr:action
fbgcfg (Global configuration options)
    option=value (true or false)
fbrules (rules by number)
    nr:allow/deny:source-name:destination-name:service-name:action-nr:comment
    (note that source/destination/service can be a group name)
groups (groups)
    name:type:member-name,member-name,member-name:comment
netobjects (network entities)
    name:address/mask
protocols (ip protocols by number)
    nr:name:comment

    name:description:protocol-nr:source-port:destination-port
    (ports can be ranges separated by a dash, e.g. 1024-65535)

The Firebridge uses the following directories for its configuration:

/usr/local/firebridge/fwconfig/active
/usr/local/firebridge/fwconfig/config

Upon boot the system will write the files from ./active to ./config, which physically lives on the /var RAM drive (symbolic link to the above name). When a user makes changes to the firewall these will be recorded in the ./config directory. Once the user is happy with all the changes he then selects activate config within the management interface.
The system then takes all the files from ./config and overwrites the files in ./active. It then starts creating ipchains-compatible output, translating groups into multiple rules as desired. Once all rules have been written successfully, it activates them in ipchains.
Alternatively, the user can select roll back, upon which the system will take the files from ./active and overwrite the files in ./config.
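The translation step described above, sketched as an added example (not code from the patent or from Firebridge): it parses the colon-delimited record formats listed earlier, expands groups into one ipchains command per source/destination/service combination, and raises an error on any undefined name so that nothing is emitted from a partly valid rule set. The sample records, the `forward` chain, the exact command shape, the group type value `net`, following nested groups, and treating the unlabelled last record format as the services file are all assumptions.

```python
from itertools import product

# Constructed sample records in the formats listed above (not from the patent).
NETOBJECTS = "lan:192.168.1.0/24\nweb1:203.0.113.10/32\nweb2:203.0.113.11/32\n"
GROUPS = "webservers:net:web1,web2:public web hosts\n"   # type value "net" is assumed
SERVICES = "http:web:6:1024-65535:80\nhttps:secure web:6:1024-65535:443\n"
FBRULES = ("1:allow:lan:webservers:http:1:outbound web\n"
           "2:deny:lan:web1:https:1:note: blocked\n")
TARGET = {"allow": "ACCEPT", "deny": "DENY"}   # ipchains targets

def records(text, nfields):
    """Split colon-delimited lines; a trailing comment field may contain colons."""
    rows = [ln.split(":", nfields - 1) for ln in text.splitlines() if ln.strip()]
    for row in rows:
        if len(row) != nfields:
            raise ValueError(f"malformed record: {row}")
    return rows

def load(netobjects, groups, services):
    nets = {name: addr for name, addr in records(netobjects, 2)}
    grps = {name: members.split(",") for name, _type, members, _c in records(groups, 4)}
    svcs = {name: (proto, sport, dport)
            for name, _desc, proto, sport, dport in records(services, 5)}
    return nets, grps, svcs

def expand(name, table, groups, seen=()):
    """Resolve a name to concrete entries, following group membership."""
    if name in table:
        return [table[name]]
    if name in groups and name not in seen:
        return [e for m in groups[name]
                for e in expand(m, table, groups, seen + (name,))]
    raise ValueError(f"undefined or cyclic name: {name}")

def compile_rules(fbrules, nets, grps, svcs, chain="forward"):
    """Return one ipchains command per source/destination/service combination."""
    out = []
    for row in sorted(records(fbrules, 7), key=lambda r: int(r[0])):
        _nr, verdict, src, dst, svc, _action_nr, _comment = row
        combos = product(expand(src, nets, grps), expand(dst, nets, grps),
                         expand(svc, svcs, grps))
        for s, d, (proto, sport, dport) in combos:
            ports = [p.replace("-", ":") for p in (sport, dport)]  # 1024-65535 -> 1024:65535
            out.append(f"ipchains -A {chain} -p {proto} -s {s} {ports[0]} "
                       f"-d {d} {ports[1]} -j {TARGET[verdict]}")
    return out

if __name__ == "__main__":
    print("\n".join(compile_rules(FBRULES, *load(NETOBJECTS, GROUPS, SERVICES))))
```

Because `compile_rules` returns the full list only after every rule has resolved, a caller can hold back activation until the whole set has been written successfully, matching the all-or-nothing behaviour described above.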

Claims (12)

1. A packet filtering bridging network security device for controlling the flow of a packet into and out of an internal network, said network security device comprising:
a first network card,
a second network card,
a firewall comprising a packet filter, and
a third network card that is a management interface comprising a private, not publicly routed, IP address,
wherein:
(i) the first and the second network cards do not have publicly routed IP addresses,
(ii) the third network card is used to configure the firewall,
(iii) during inflow of a packet, the first network card forwards the packet to the packet filter for inspection wherein the packet is compared with a first set of rules to determine whether the packet is acceptable to the internal network or is not acceptable to the internal network, wherein if the packet is acceptable to the internal network, it is forwarded to the second network card and to the internal network and if the packet is not acceptable, it is dropped and disappears, and
(iv) during outflow of the packet, the packet passes through the second network card to the packet filter wherein the packet is compared with a second set of rules to determine whether the outbound packet is acceptable to the internal network or is not acceptable to the internal network, wherein if the packet is acceptable to the internal network, it is forwarded to the first network card to exit the network security device and if the packet is not acceptable to the internal network, it is dropped and disappears.
2. The device of claim 1 wherein the device bridges packets.
3. The device of claim 1 wherein the device is connected between a router and a hub or a server machine.
4. The device of claim 1 wherein the device implements independent of a separate computer.
5. The device of claim 1 wherein the device is configurable from an HTML interface.
6. The device of claim 1 wherein the device is configured with an HTML interface which is supplied with the device.
7. The device of claim 1 further comprising a LOAD monitor which provides LOAD status, and for providing a graphic notification of the current load on a CPU to a user.
8. The device of claim 1 further comprising a CONFIGURATION status monitor that provides a graphic notification of the commitment of changes made to the configuration of the firewall to a user.
9. The device of claim 1 further comprising a monitor and log which provides for a graphic indication of the allowance and denial of the packets.
10. The device of claim 1 further comprising an HTML interface for configuration so that the device may be configured with any networked computer installed with an HTML browser.
11. The device of claim 1 wherein the first and second network cards are provided with non-assigned IP addresses.
12. A packet filtering bridging network security device substantially as hereinbefore described with reference to the accompanying drawings.

Dated this 23rd day of April, 2007
Firebridge Systems Pty Limited
Patent Attorneys for the Applicant
PETER MAXWELL ASSOCIATES
AU2002248989A 2001-04-11 2002-04-11 Network security system Ceased AU2002248989B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2002248989A AU2002248989B2 (en) 2001-04-11 2002-04-11 Network security system

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
AUPR4355 2001-04-11
AUPR4355A AUPR435501A0 (en) 2001-04-11 2001-04-11 Network security system
PCT/AU2002/000499 WO2002084916A2 (en) 2001-04-11 2002-04-11 Network security system
AU2002248989A AU2002248989B2 (en) 2001-04-11 2002-04-11 Network security system

Publications (2)

Publication Number Publication Date
AU2002248989A1 AU2002248989A1 (en) 2003-04-17
AU2002248989B2 true AU2002248989B2 (en) 2007-05-17

Family

ID=38055373

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2002248989A Ceased AU2002248989B2 (en) 2001-04-11 2002-04-11 Network security system

Country Status (1)

Country Link
AU (1) AU2002248989B2 (en)

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
IEE Communications Society, Internet Workshop, 1999, published Piscataway, NJ, USA, 1999, Jianbing Lui and Yan Ma, "Packet Filtering in Bridge", pp 94-98 *

Legal Events

Date Code Title Description
FGA Letters patent sealed or granted (standard patent)
MK14 Patent ceased section 143(a) (annual fees not paid) or expired