KR20030038873A - Embeded Stealth Firewall - Google Patents

Abstract

PURPOSE: A system for defending against stealth of an embedded router is provided to directly insert modularized firewall cores excepting an IOS(Internetwork Operating System) into an existing switching device including a router thereby enhancing the performance of a firewall, and to install an embedded stealth firewall in the router so as to defend against attach through lots of packets. CONSTITUTION: Packet information delivered from an external is not processed, because the packet information passes a stealth bridge. The not-processed information is delivered to a firewall. The firewall detects routing information as well as each kind of protocol, and is capable of performing packet filtering precisely. Internal information is filtered through the firewall and passes the stealth bridge. The stealth bridge does not includes an IP(Internet Protocol) address thereby being mapped to an outgoing gateway. As the internal information is delivered outside through only the gateway, thereby defending the internal information. When the information is delivered outside, only the gateway is displayed while the information is concealed, so that crackers do not know whether the firewall exists or not.

Description

Embeded Router Stealth Defense {Embeded Stealth Firewall}

1) What is Network defending system based on Router & Switching?

Devices, commonly referred to as switches (including routers), are located in the critical place of network-to-network connectivity, among the OSI 7 layers, between the network and data link layers.

Let's see how it relates to security.

In Figure 2, there seems to be no problem in Public Internet.

However, if you look at Subnet2 and Subnet3, you can see that multiple attack attempts are being made on subnet1. What would Subnet1 do if such an attacking host were to be tried in different places, as opposed to the picture? Fortunately, the Subnet1 router can cope with packet attacks, but the question is whether it can effectively cope with other cracking attacks.

In conclusion, it is not.

Because routers move according to fixed rules, they can mitigate packet attacks to some extent on the screening router side, but they do not effectively prevent server-like firewalls.

There are many ways of attacking crackers today. Among them, 100% perfect security is achieved with various attack methods using vulnerabilities of TCP / IP such as IP spoofing, DNS spoofing, tear drop, high-jacking, etc. It is a tough state.

Then you can see that existing server-dependent firewall systems cannot be fully secure.

If the switching foundation is broken, the networks and servers in it will be defenseless. This results in economic losses, prolonged recovery time, and loss of important data.

In this situation, any server-dependent firewall system will be disabled.

However, the method to prevent this is described in the above item [brief description of the drawings].

▶ Firewall Technology Overview

See [Fig. 3]

◎ Step Expression ◎

1) Send packet information to I / O memory through Rx-Ring.

(1 -1) In Main Processor, interrupt the I / O memory and check Packet information.

2) Packet data confirmed through I / O is stored in Route Cache through IOS core system and processed by optimized routing algorithm.

3) The processed packet information is filtered through the filtering rule in the Firewall Core system. If it is deemed unnecessary after decomposing routing information and various protocol information, it is discarded through drop-processing.

4) Packet information through the firewall designates route selection and final destination by IOS Processing.

5) Through Log Processing, all processes of Processing are logged, and the logged information is transmitted through the set administrator mail.

6) Packet information passing through Routing Processing is reassembled and moved to the corresponding Desitination through the final Tx-Ring.

▶ Flow Diagram

See [Fig. 4]

Security Visuality

▷▷ Enterprise or ISP / ASP / IDC case

See [Fig. 5]

Security Visuality

▷▷ Enterprise or ISP / ASP / IDC case

See Figure 6.

Security Region

▷▷ Switching / Network Security Zone

An external security zone located between the switch (including the router) and the switch, in which a secondary switching defense system can be used in the enterprise.

▷▷ Server Based Security Zone

It has the same function as the existing firewall system, and it is an internal security area that can protect a server or network that is extremely security critical.

There are several security solutions available, but you can't trust them 100% and you won't be very happy with the price / performance ratio.

The present invention is excellent in terms of performance, can take full advantage of free software, and can make use of the programmer's own code, so a complete defense system can be constructed.

However, as mentioned above, the defense system is not a problem in the general network environment, but it can be defenseless against the more fundamental problem, that is, a defect in the network and a malicious attack of the cracker.

In the end, it reveals the limitations of the server-dependent defense system.

Most of today's security solutions use server-dependent firewall systems. However, you will find that this is not a fundamental solution.

If so, the answer is out.

Running a switching-level security system solves this problem.

But routers and switching devices are too expensive for the general public. So there are products with firewall function in IP sharing device with SOHO type routing function that is released for personal use these days.

But when I think about it, I wonder if I need to buy such a device.

In other words, if Embeded Stealth Firewall is a server-oriented firewall, the first-pass secondary defense system, Embeded Smart Firewall is the primary defense system.

No matter how perfect the internal secondary defense system is, attacking the router will result in paralyzing of the internal network and various financial losses.

In addition, the secondary defense system is easily accessible due to the development of various hacking tools, but the primary defense system has not been developed yet, and it is difficult to access due to its sensitivity to the primary system.

And although there is a hardware router protection device (which is actually on the same line as the server firewall), it is expensive and not easy to update.

However, this software can be updated by introducing the Embeded method into the existing Router Memory, and can be shipped by entering the Firewall into the Memory when the new product is shipped, and the update method is also easy and easy by the Embeded method.

This will be a challenge that must be approached in a new way of crackers at this point when the war against the place crackers is being declared, and it can be applied to Settop Box, which is being put to practical use in the future, and can be used for all means of communication with memory chips. It will be an invention.

As shown in [Figure 1], the existing router method will be described as follows.

This indicates only the function of the existing router, explained the added Stealth Firewall module immediately, and compared the existing firewall method with the Stealth Firewall quantitatively.

`` Existing Router Method ''

1) Router Hardware Component

Represents the router hardware itself, regardless of model or characteristics. In practice, there may be models that apply the Embeded system, while others may not.

2) ISO (Internetwork Operating System)

Generally referring to operating systems such as Windows NT and Linux used in PC, it is the core core of router operating system. It mainly handles memory management, process schedule management, routing table processing, and I / O.

3) Process

It is the part that determines the operation of the router. It is the part that handles the packet or routing protocol.

4) Packet Buffer

The main memory buffer area caches frequently used data and stores switched packets for a while. This part can also be used to store logging information of the Embeded Firewall.

5) I / O Interface Layer

It is a movement path of actual packet information and is managed by I / O Prpcess.

6) Fast Switching S / W

Software module consisting of a library for processing packets at high speed in a process or IOS.

7) Device Driver Layer

Device module for I / O Interface allows hardware to be virtualized to communicate with kernel and I / O Process and to unify interface.

-------------------------- Embeded Stealth Firewall Part --------------------

8) Embedding PIPE Layer

Firmware for integrating with IOS Architecture, which can mainly include I / O Function or IOS Control Routine. It is a software module that can be accessed regardless of hardware as an intermediate configuration step between hardware and software.

9) Stealth Bridge Architecture

It is made by virtualizing the actual bridge role, which guarantees transparency between the gateway and the existing network through a simple connection. This part doesn't really have the concept of IP, and it does some filtering. In addition, the information of the internal network and the pseudo server is not exposed to the outside during the external scan, so it can escape from the risk of cracking. In other words, the presence of a firewall is not known.

10) Packet Filter Firewall Integrated Kernel Core System

The actual Firewall Core system is related to NAT, tunneling, encryption system, logging processing, IP filtering, Packet Filtering and other Proxy modules, and the IOS and real-time data exchange and packet tracking and monitoring. Filtering rules are executed according to the rules of the Update Filtering code Module, and server access and various port settings are made according to the information of the Information Module. The core system includes the kernel cores of Linux and FreeBSD and will act as the actual defense system.

11) Proxy Module

It is used to effectively protect the server with the firewall core system, and a strong security system through the proxy can be implemented. It is possible to implement services transparently through proxy, and prevent the emergence of unauthorized services.

12) Log / Auth Module

Real time logging and user authentication and control are available. In real systems, real-time logging information is automatically notified by administrator e-mail. User authentication cannot be used from external access at all. It applies only to the upgrade of internal system through private IP.

13) Update Filtering code Module

In addition to the data containing the filtering rules, it is a place that stores libraries necessary for filtering, and can be downloaded automatically through smart update, and can actively cope with new cracking. The filter code module works with the Firewall core and has the advantage of reducing the size of the Firewall core.

14) It contains various internal server related data, protocol and port information, and keeps network related data. It's more like a data store than a real module.

■ We compared the advantages and disadvantages of characteristics, performances and specifications of the same or similar technology in a modified or quantitative manner as follows.

[Modification]

[Quantitative]

Most firewall systems can be divided into hardware based firewall system and server based application based firewall system.

When comparing a hardware firewall system and a server-based system, it is hard to say which base system is superior, and it may depend on whether the security settings are properly understood and configured, rather than the performance of the firewall itself in actual service.

In general, hardware-based firewall systems are affected by processing speed and network load, and it is difficult to achieve 100% perfect security in practice.

The Embeded Stealth Firewall, the next-generation defense system to be used in the present invention, inserts a modular firewall core excluding IOS directly into an existing switching device (including a router), unlike a firewall that depends on a server or other hardware. It can improve the performance of the system, and has the advantages of the hardware firewall system and the server-based firewall system at the same time, it is economical because there is no need to change the existing switching device, and no additional server configuration is required.

It also prides itself on being a complete security solution that maintains the highest level of security through smart updates.

And more importantly, the defenseless router cannot block a large amount of packets, but the Embeded Stealth Firewall is installed in the router, which is also a strong advantage in that there is no problem in the packet attack.

The present invention is to supplement the function that the router can not do while the router performs the router function.

In the past, the firewall was used by installing software or hardware in the server, but this is limited to the function of the secondary defense.

Second and second security through the router, no matter how perfect, but the packet attack attacking the router is defenseless, only the first router security can be released from the packet attack, cracking techniques and cracking It is an invention that adorns the stroke of history that changes the history of tools.

There is a router hardware firewall that currently defends routers, but the technology is excellent, but there are disadvantages of upgrading and expensive.

However, the present invention has an emphasis on easy updating, low cost, and fast update by embedding technology on a memory chip into which an existing IOS is input.

The technology for inventing the present invention can be produced only by software, but sometimes hardware is also possible.

However, the present invention focused on Software as follows.

☞ Linux / UNIX Kernel Programming Enabled (C Lang Based)

-Device Driver Programming Enabled (C Lang Based)

Socket / Filter Programming Enabled (C Lang Based)

Router Configuration Enabled (CISCO Based)

Network Design Enabled

Web-based Programming

Low Level Programming (Assembler Based)

-H / W Design Support

-Embedding Technology

-OS Level dump Support

Referring to FIG. 1, the description of the existing router part at the top is omitted and only the Embeded Stealth Firewall Part is described as follows.

《Description of Embedded Stealth Firewall Part》

1) Embedding PIPE Layer

Firmware to be combined with IOS Architercture, which can mainly include I / O functions or IOS control routines. It is a software module that can be accessed regardless of hardware as an intermediate configuration step between hardware and software.

2) Packet Filter Firewall Core System

The actual firewall core system is related to NAT, tunneling, encryption system, logging processing, IP filtering, Packet Filtering, and other Proxy modules. It performs real-time data exchange and packet tracking and monitoring with IOS.

Server access and various port settings are made according to the information of Update Filtering code Module. The core system includes a kernel core based on Linux and UNIX, and acts as a real defense system.

3) Proxy Module

Used together with Firewall core system to protect server effectively, powerful security system through proxy can be implemented.

Through proxy, service can be implemented transparently, and unauthorized service can be prevented.

4) Log / Auth Module

Real time logging and user authentication and control are available.

In real systems, real-time logging information is automatically notified to administrator e-mail. User authentication cannot be used for external access at all. It applies only to the upgrade of internal system through private IP.

5) Update Filtering code Module

In addition to the data containing the filtering rules, the library keeps the libraries necessary for filtering, and can be downloaded automatically through smart update, and can actively cope with new cracking. The filter code module works with the Firewall core and has the advantage of reducing the size of the Firewall core.

6) Information Module

It contains various internal server related data, protocol and port information, and keeps network related data.

It's more of a data store than a real module.

Module Description

NAT module

It is in charge of various address translations and brings the efficiency of network address by using separate IP such as public IP: private IP or private IP: private IP.

2. Encode / Decode Module

It handles encrypted protocols such as MD5, RSA, IP_SEC, keboros5, etc., and if necessary, secure communication can be used.

3.Packet Transfer Exchanger

Although various packets formed by the router algorithm are directly sent to the network, the packet information can be modified and sent as necessary.

4. Filtering Analyzer

It is in charge of actual packet filtering and unnecessary packet information is dropped as it is.

5.Network Load Balancer

This keeps CPU occupancy constant by checking network load in real time and suppressing the use of unnecessary processes.

6. Self Testing Module

It is a routine to test your own firewall. It is executed at the same time as the router is powered on.

7.IPv4 / v6 Transfer

It adopts IPv6, the next generation Internet standard, to convert existing IPv4 → IPv6 or IPv6 → IPv4, and aims to maintain stable and compatibility with existing interface methods.

In the present invention, as mentioned in the above object, assuming that server security is a secondary defense, routing security may be referred to as a primary defense.

The reason is that the information through the router is blocked by the server firewall. However, if the router is paralyzed by the packet attack, the internal secondary security firewall is also useless.

So, as shown in [Fig. 7], it basically expresses the process of packet filtering in router.

★ [Drawing 7] Description

When the packet comes in, it is processed by filtering in the firewall because the packet is not processed.

And when the information of this server goes out, the information is hidden, and when it actually leaves, only the G / W is displayed and the rest of the information is not known, so the crackers do not even know whether or not there is a firewall, so they can get out of the target of cracking.

As shown in [Fig. 7], it is used only as a movement path of a simple packet and is used without an input / output (IP) address.

In other words, the external IP does not change packet information, so it can be easily filtered in the internal firewall. Since there is no IP, the external network cannot know the information of the internal network at all.

It simply passes through the Gateway. This allows the firewall to be completely hidden.

Stealth Bridge Description

It is difficult to accurately represent this technique. However, in a word, it is defined as invisible security technology, also known as stealth security.

This will change a significant part of the next generation of security systems and will revolutionize the firewall.

Recently, the number of worm viruses that attack servers and networks is increasing.

However, no matter how well defended with a firewall, building an intrusion prevention system is not a complete security.

No matter how perfect your security is, you will still be able to flow firewalls and network information. That is the problem.

Targeting crackers is always a security issue. The solution to this problem is stealth security.

That is, it should not send any information inside and should be blocked 100%.

See Figure 8 for reference.

Description of Drawing 8]

First, all packets from outside are allowed.

However, filtering is performed only for the direction from inside to outside. In the figure, the source path is allowed only for IP that does not take packet filtering, and all the rest are discarded.

So when you go from inside to outside, the problem is different.

This time, all internal IPs are designated as Block Inner IPs and cannot go out. In other words, Dest IP is blocked, but only Source IP is blocked, so it can be seen that Fateway is all outgoing passage.

This means that only some are allowed for incoming, but not for outgoing.

This way, scanning does not track the underlying network.

And the conclusion is as follows.

Stealth Bridge allows outside but not inside and firewall does not allow outside and only inside, so double shield is formed.

How it works ─

Packet information from outside passes through Stealth Bride, so no information is processed.

This raw information is passed to the firewall, which can identify routing information from various protocols and perform detailed packet filtering.

In addition, internal information is filtered through the firewall and through the Stealth Bridge.

This Stealth Bridge has no input / output (IP) address, so it maps to the outgoing address gateway.

In other words, only the G / W is used to exit and the internal information is protected.

Existing firewall system

Existing firewall system is a method of passing through internal / external network after going through direct firewall, and of course, it is protected by a firewall, but it can be considered as deadly because many firewalls expose the firewall to the outside.

Therefore, the existing firewall method is simply expressed as shown in [Fig. 9].

Usage

Development effect aimed at perfect external security with router and switching based network defense system

The present invention can be composed of a complete external security system and the advantages of the hardware firewall speed and stability, upgrade and fine access control that is the advantage of the server-based firewall system, and because it is a router and switching level defense system, it is impossible to configure a firewall server need.

In addition, the present invention uses the Embedding technique, which can maintain the highest level of security through smart update, which is a disadvantage of the router defense system with hardware, and does not need to change the existing router and switching equipment, and inserts the firewall core only by inserting the firewall core. By operating as a system, additional economic losses can be reduced.

And because you can take full advantage of embedding, you can apply it to any hardware.

In addition, the present invention can secure communication with the support of IP / SEC, can enhance the security when used in important services such as e-commerce, support for IPv6, the next generation Internet protocol, and efficient addressing and partitioning .

The firewall core is extensible and equipped with modules for the Intrusion Detection System (IDS) intrusion detection system, providing complete scalability that can also be used as an IDS.

In addition, the profitable part of developing the present invention is a firewall system based on Linux and free UNIX, which is not affected by the license and can apply the latest developed technology.

And it is emphasized that the present invention is the first router and switching-based embedded firewall system.

Claims (4)

Embedding Firewall and Firewall method using Memory (Ram, Global Range). Stealth Bridge method (Blocks all information about the firewall and the internal network inside-it doesn't even know if there is a network and firewall because virtually nothing is visible inside) Range using other chips besides memory Embedding Firewall method of Memory Chip such as Router, Switching, Settop Box, etc.