A Rule-Based Interface to the Kernel for Selective Packet Relaying

K N Gopinath, Sumit Ganguly
Novell Products Group Bangalore / Department of Computer Science and Engineering, IIT Kanpur

<kngopinath@novell.com> - <sganguly@cse.iitk.ac.in>

Traditionally, firewalls have been classified as packet filters or application proxies. Packet filters are fast but typically cannot express sophisticated security policies; application proxies can enforce richer policies but become a performance bottleneck, since the whole connection is relayed through a user-space process. Our work is an attempt to develop a firewalling architecture that provides fine-grained access policies without the overhead of a full-fledged application proxy. We discuss the design and a prototype implementation of a scheme that achieves this for TCP-based applications by splitting the job of maintaining firewall state between the kernel and certain user-space daemons. In our scheme, an application daemon implementing site- or application-specific security policies uses a rules interface to tell the kernel which packets to redirect to the daemon for further examination; packets that match no such rule are relayed by the kernel without reaching user space. We will show how this can be used to enforce fairly complex security policies, for example, for an FTP proxy, "allow user X from machine Y to do an FTP GET but not a PUT", without a full-fledged application-level relay. Finally, we will present some of the improvements and extensions that we plan to incorporate into the scheme.
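As an added illustration, not code from the authors' prototype, the following Python models the split the abstract describes: a kernel-side rule table that resolves most packets by a port lookup and redirects only the FTP control channel to a user-space daemon, and a daemon that tracks the logged-in FTP user per connection and enforces a per-user, per-source-host command policy. The rule table, the REDIRECT verdict, the POLICY dictionary and the function names (kernel_verdict, allowed_commands, relay) are assumptions made for this example; the only FTP fact it relies on is that GET is the RETR command and PUT is STOR, so "GET but not PUT" means RETR is permitted and STOR is not. The sample traffic is constructed.

```python
"""Illustrative model of the kernel/daemon split described in the abstract.

Hypothetical code, not the authors' prototype: the kernel rule table, the
REDIRECT verdict and the policy format are assumptions made for this example.
"""
import ipaddress

# Verdicts.  REDIRECT is the assumed "hand this packet to the daemon" verdict;
# ACCEPT and DROP are resolved entirely on the kernel path.
ACCEPT, DROP, REDIRECT = "ACCEPT", "DROP", "REDIRECT"

# Assumed kernel-side rule table: (proto, dst_port) -> verdict.  Only the FTP
# control channel (tcp/21) is redirected; everything else never touches user
# space, which is the point of selective relaying.
KERNEL_RULES = {
    ("tcp", 21): REDIRECT,
    ("tcp", 22): ACCEPT,
}
DEFAULT_VERDICT = DROP

# Assumed daemon-side policy: (user, source network) -> FTP commands allowed.
# FTP GET is the RETR command and PUT is STOR, so "alice from 192.0.2.10 may
# GET but not PUT" is RETR present and STOR absent.
POLICY = {
    ("alice", ipaddress.ip_network("192.0.2.10/32")): {"RETR", "LIST", "CWD", "PWD"},
    ("bob", ipaddress.ip_network("192.0.2.0/24")): {"RETR", "STOR", "LIST"},
}

# Session-setup commands any client may send; they move no file data.
SETUP_COMMANDS = {"PASS", "QUIT", "SYST", "TYPE", "PORT", "PASV"}


def kernel_verdict(proto, dst_port):
    """Fast path: a table lookup, no payload inspection."""
    return KERNEL_RULES.get((proto, dst_port), DEFAULT_VERDICT)


def allowed_commands(user, src_ip):
    """Union of the commands granted by every policy entry matching user and source."""
    allowed = set()
    for (pol_user, net), cmds in POLICY.items():
        if pol_user == user and src_ip in net:
            allowed |= cmds
    return allowed


class FtpControlInspector:
    """Per-connection state the daemon keeps: who logged in, and from where."""

    def __init__(self, src_ip):
        self.src_ip = ipaddress.ip_address(src_ip)
        self.user = None

    def inspect(self, line):
        """Return a verdict for one FTP control-channel command line."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg.strip()        # policy is keyed on the FTP user name
            return ACCEPT
        if verb in SETUP_COMMANDS:
            return ACCEPT
        if self.user is None:              # no USER seen yet: nothing else is allowed
            return DROP
        return ACCEPT if verb in allowed_commands(self.user, self.src_ip) else DROP


def relay(sessions, proto, src_ip, dst_port, payload=b""):
    """Packet path: kernel rule first; the daemon runs only on REDIRECT.

    Returns (verdict, who_decided) so the caller can see which half of the
    split handled the packet.  `sessions` is the daemon's per-connection state.
    """
    verdict = kernel_verdict(proto, dst_port)
    if verdict != REDIRECT:
        return verdict, "kernel"
    key = (src_ip, dst_port)
    if key not in sessions:
        sessions[key] = FtpControlInspector(src_ip)
    return sessions[key].inspect(payload.decode("ascii", "replace")), "daemon"


if __name__ == "__main__":
    # Constructed sample traffic: alice may GET but not PUT; bob may do both.
    sessions = {}
    for proto, src, port, data in [
        ("tcp", "192.0.2.10", 22, b""),
        ("udp", "192.0.2.10", 53, b""),
        ("tcp", "192.0.2.10", 21, b"USER alice\r\n"),
        ("tcp", "192.0.2.10", 21, b"RETR report.txt\r\n"),
        ("tcp", "192.0.2.10", 21, b"STOR report.txt\r\n"),
        ("tcp", "192.0.2.20", 21, b"USER bob\r\n"),
        ("tcp", "192.0.2.20", 21, b"STOR upload.bin\r\n"),
    ]:
        print(proto, src, port, data, "->", relay(sessions, proto, src, port, data))
```

Two caveats a practitioner would add before trusting such a daemon: it inspects one command per packet, whereas a real FTP control stream must be reassembled from TCP segments so that a command split across packets (or two commands in one segment) cannot slip past the policy, and it gates uploads by refusing the STOR command rather than by policing the data connection, so the kernel rules must still prevent data connections that no accepted command set up.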

INTENDED AUDIENCE:

Anybody interested in practical network security, firewalls and a bit of Linux kernel hacking.

Gopinath completed his MTech (Master of Technology) in Computer Science and Engineering at the Indian Institute of Technology, Kanpur, India, in 1999. His interests include operating systems (Unix internals), networking and practical network security. This work was done as part of the thesis required for the MTech programme, under the supervision of Dr. Sumit Ganguly. He currently works in the Network Management team at Novell Products Group Bangalore, India.

Prof. Sumit Ganguly is a faculty member in the Department of Computer Science and Engineering, IIT Kanpur, India, with research interests including databases, operating systems and security.


Last modified: December 27, 1999 (mk)