embest firewall

Architecture and Applications for a Distributed Embedded Firewall

Research and implement the Embedded Firewall based on ARM

HE Xiangbin, ZHOU Cong
(School of Information Engineering, Nanchang University, Nanchang 330031, China)

Abstract

Embedded firewall, also known as distributed firewall, is deployed on each host in the internal network and at the network boundary. The network security policy does not depend on network technology, which overcomes two disadvantages of the traditional boundary network firewall: its reliance on the network topology and its large impact on network performance. Each host does not trust any other host, and all data streams are filtered and encrypted, which overcomes the traditional boundary network firewall's inability to protect against internal attacks and its single point of failure. In this paper, we have implemented an embedded firewall based on ARM. This embedded firewall overcomes the disadvantages of the traditional boundary network firewall.

1. Introduction

With the rapid development of networks, network security is becoming more and more important, and all kinds of network security technology have developed greatly. As one of the earliest network security technologies, the network firewall has developed greatly too and has made great achievements in network security. But the traditional boundary network firewall only works on the network boundary: it cannot protect communication inside the network, and the whole inside network is exposed once the traditional boundary network firewall fails [1]. Embedded firewall, also known as distributed firewall, is deployed on each host in the internal network and at the network boundary.
The network security policy does not depend on network technology, which overcomes two disadvantages of the traditional boundary network firewall: its reliance on the network topology and its large impact on network performance [1]. Each host does not trust any other host, and all data streams are filtered and encrypted, which overcomes the traditional boundary network firewall's inability to protect against internal attacks and its single point of failure.

2. Hardware Design and Implementation

The design of the embedded firewall is illustrated in Figure 1. From Figure 1, we can see that the embedded firewall system uses the Samsung S3C44B0X ARM7 processor as the central processor; two RTL8019AS Ethernet controller chips connect the host and the outside network, and each RTL8019AS can receive packets from and send packets to the network; one SST39VF160 chip serves as the Flash that stores the Boot-loader, the uClinux OS, Netfilter/iptables, etc.; one HY57V65160B chip serves as the SDRAM so that the embedded firewall works efficiently while filtering packets; UART0 serves as the debug I/O, and JTAG serves both as debug I/O and as the interface for writing the Flash [2].

Figure 1. Overall Framework of Embedded Firewall hardware

3. Software Design and Implementation

There are two modules in the software of the embedded firewall. One is the software of the embedded firewall based on ARM; the other is the firewall configurator running on the Windows operating system. The first module includes the Bootloader, the embedded OS, the NIC driver and the applications that implement packet filtering and encryption. In this paper, we port U-Boot as the Bootloader, uClinux as the embedded OS, Netfilter/iptables to filter the packets, and Freeswan to encrypt. Figure 2 illustrates the overall framework of the embedded firewall software.

Figure 2. Overall Framework of Embedded Firewall software

The configurator of the embedded firewall is programmed in VC6.0 and runs on Windows. It has two major functions: one is analyzing the connections of the network, the other is configuring the embedded firewall. The main interface is illustrated in Figure 3.

Figure 3. Main Interface of embedded firewall configurator

4. Test

The testing environment is illustrated in Figure 4. There are 5 hosts in my testing: PC0: 192.168.10.145, PC1: 192.168.10.220, PC2: 192.168.10.200, PC3: 192.168.10.111, PC4: 192.168.10.73. There are 2 NICs in the embedded firewall: eth0: 192.168.10.186 connecting the Ethernet, and eth0: 192.168.10.186 connecting the host PC0. Windows 7 is installed on the 5 PCs, and the configurator is installed on PC0.

Figure 4. Environment of Testing Embedded Firewall

We test the configurator of the embedded firewall first. We ran the configurator for 30 minutes while the embedded firewall was not working; the result is illustrated in Figure 5.

Figure 5. Configurator capture packets

Then we test the embedded firewall. We ping 192.168.10.220 with the embedded firewall started and with it stopped. The results are illustrated in Figure 6 and Figure 7. From the results, we know that the embedded firewall works very well.

Figure 6. PC0 Connect PC1 when firewall stop

Figure 7. PC0 Connect PC1 when firewall start

5. Summary

We have described an embedded firewall that is implemented on the host's network interface card. In addition, we have discussed several useful and unique applications for the embedded firewall. The embedded firewall can be used to lock down critical assets, such as corporate web servers, databases and administrative workstations, and it can be used to lock down critical services, such as DHCP, DNS and so forth. It lets the administrator easily control unnecessary capabilities on the network. Together with the perimeter firewall, it forms a strong line of network defense.
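A default-deny policy of the kind the Netfilter/iptables module in Section 3 would enforce for one protected host, as an added example that is not the paper's own ruleset: the script emits an iptables-restore file and refuses malformed addresses. The host-side interface name eth1, the forwarding topology and the allow-list are assumptions.

```shell
#!/bin/sh
# Added example, not the paper's rules. Assumptions: the device forwards between
# eth0 (LAN side) and eth1 (host side, assumed name), so the protected host's
# traffic crosses the FORWARD chain; the allow-list is a constructed policy.

# is_ipv4 ADDR: accept only a dotted quad, so an argument can never smuggle
# spaces, newlines or extra rules into the generated file.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_ruleset HOST PEER...: print an iptables-restore ruleset that drops by
# default and lets only the listed peers ping the protected HOST.
gen_ruleset() {
    [ $# -ge 1 ] || return 1
    for addr in "$@"; do
        is_ipv4 "$addr" || { printf 'bad address: %s\n' "$addr" >&2; return 1; }
    done
    host=$1; shift
    echo '*filter'
    # INPUT is DROP too: add a rule for your management channel before loading.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Replies to flows the protected host opened itself.
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # New outbound flows, only with the host's own source address.
    echo "-A FORWARD -i eth1 -s $host -m state --state NEW -j ACCEPT"
    for peer in "$@"; do
        echo "-A FORWARD -i eth0 -s $peer -d $host -p icmp --icmp-type echo-request -j ACCEPT"
    done
    # Everything else is logged, then falls through to the DROP policy.
    echo '-A FORWARD -j LOG --log-prefix "efw-drop: "'
    echo 'COMMIT'
}

# Constructed policy for the paper's test hosts: PC1 and PC2 may ping PC0.
gen_ruleset 192.168.10.145 192.168.10.220 192.168.10.200
```

The output is in the format iptables-restore reads on standard input.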
References

[1] Bellovin. Distributed Firewall. IEEE, 1999: 37~39.
[2] Samsung Electronics Co., Ltd. S3C44B0X Datasheet, Revision 1.21, 2001,12.
[3] Keith E. Strassberg, et al. Firewalls: The Complete Reference. China Machine Press, 2003.3.
[4] Victor R. Garza. The host security with the most. August 22, 2003.
[5] Thomas Dubendorfer, Matthias Bossardt. Adaptive Distributed Traffic Control Service for DDoS Attack Mitigation. 2005.
Upload date: 2010-12-30