Design Article
Secure flow design can control Internet threats
Robert Friend, Senior Staff Technologist, Hifn, Inc., Los Gatos, Calif.
10/14/2002 10:32 AM EDT
Today, there are many service markets, such as power, gas, and water service providers, oil refineries, and delivery systems that need to expand their services to stay competitive. They need to provide convenience for their customers to pay bills and interrogate accounts, track and modify services, and more, all from the convenience of their home or office.
Both the Web and Internet provide a cost-effective vehicle for service providers to offer modern conveniences to their customers. This is a win/win situation, as service providers reduce customer service costs, and consumers receive 7/24 on-demand servicing.
In addition to providing enhanced connectivity and convenience for customers, the Web and Internet provide paths for hackers to gain access to the service provider's corporate networks and resources. The service providers need security equipment that allows their customers access while preventing the bad guys from entering the corporate network. The security equipment needs fine-grained traffic analysis that leaves no packet unclassified, in order to protect the corporate network from sophisticated, complex attacks. Furthermore, if hackers do penetrate the access control, there needs to be a way to track their movements and determine their source.
Firewalls protect organizations on the Internet by providing secure access: ensuring that only valid users and applications can access the network resources they need. The primary firewall function is managing and enforcing an ACL (access control list) policy-based system. Firewalls may also provide intrusion detection (IDS), prevention of denial of service (DoS) attacks, and virus detection services.
Intrusion Detection Systems expose potentially dangerous packets within the data stream to identify threats from authorized and unauthorized users, back-door attacks, and hackers who have thwarted control systems. Traffic is categorized as "good" or "potentially bad". Most malicious traffic is detected; however, some may traverse undetected. Secure flow processing assists the IDS in maximizing the detection of malicious traffic while reducing false positives.
In order to provide these security services efficiently and effectively, security devices need a deep, granular understanding of all underlying protocols and applications traveling on the network. This is commonly referred to as "stateful analysis" or stateful flow processing.
It is no longer sufficient to inspect packet headers one packet at a time, as the coarseness of this approach creates too many security holes. Nor is it efficient or cost-effective to proxy an application in a gateway. Secure flow processing (SFP) produces a single all-in-one result per packet, which allows security equipment to extend SFP's protocol analysis to all security functions: firewall, IDS, DoS, virus detection, NAT/PAT, and VPN, all in one pass.
To address the diametrically opposed constraints of increasing customer service demands and defending against growing threats, security technology must become more efficient and robust. Secure flow processing provides this enhanced security.
[Figure] To secure a device connected to the outside network and protect the network inside, a secure flow processor is used in conjunction with a policy engine to assist in traffic analysis in order to perform the policy. If a packet classifier were used instead of the secure flow processor, complex protocols that cannot be classified must be proxied in the application-level gateway, requiring a control processor to perform TCP (or UDP) termination for both the outside network and the inside network. Source: Hifn
Such secure flow processors track and fully decode protocols and application flows, and identify the application of every packet. The breadth of protocol coverage sharpens the distinction between potentially bad traffic, which must be detected, and authorized traffic, which must be permitted. This assists security devices in exposing potentially dangerous network packets and revealing whether they are suspected threats, while allowing authorized traffic to traverse. Specifically, this feature helps the firewall pinpoint authorized traffic for traversal, and excludes benign traffic from IDS attack-signature analysis and response execution.
Flows are a collection of one or more packet streams. In addition to classifying a packet, secure flow processors perform stateful analysis of packets within the packet streams. Secure flow processors track the protocol state of each connection as the application develops. This allows tracking of control connections on well-known ports that create data connections on ephemeral (dynamically assigned) ports.
This is important because many protocols establish connections and negotiate services on well-known Transmission Control Protocol (TCP) ports, and then open another, dynamically assigned (ephemeral) port to transfer the data for the network session.
Security levels
There are three major categories of policy engine technologies available: packet-filtering, application-level gateway, and secure flow processing. Packet filtering provides the lowest security at the highest performance and lowest cost. Application-level proxy is more secure but costly in performance requirements and cost of goods. Secure flow processing combines high security of an application-level proxy and the high performance of a packet filter.
Policy engines utilize policy tables in order to apply criteria to traffic entering and leaving the protected network. For example, a policy engine could contain a list of rules specifying which packets are permitted or denied to traverse a firewall, IDS attack signatures specifying what bad traffic may look like, criteria for a DoS attack or pattern matches describing what traffic should be inspected further for potential virus content. The security device chooses the matching policy for every packet that it observes, using information it was able to extract from the packet, and possibly from prior related packets. The hard part, with today's diverse and complex media-rich applications, is for the packet-filtering policy engine to extract enough information about network traffic for secure and robust policy tables to be implemented.
A better alternative is to use a secure flow processor (SFP) in the policy engine to classify all packets belonging to all protocols, which may obviate the need for an application-level gateway. The SFP also partitions the traffic analysis in the data path from the policy engine's analysis and response applications, which provides a more robust and efficient implementation while enabling enhanced security.
The power of secure flow processing is best illustrated by policy table inbound and outbound Rule #2, which selectively permits only related traffic for the inbound and outbound TCP connections and UDP streams dynamically created during the course of each 'User System' H.323 session. This obviates the need to open inbound and outbound firewall holes for TCP and UDP traffic on all ports above 1024, or to proxy the H.323 application. With secure flow processing, the policy table can instead rely on the Parent_Flow_ID field to indicate that the packet belongs to a TCP connection or UDP stream that is specifically related to a prior connection or stream in the 'User System' H.323 session.
[Figure] To secure the packets of a particular video data flow with a secure flow processor, inbound and outbound Rule #1 permits the 'User System' to initiate and participate in Q.931 calls while preventing the user from receiving any potentially malicious Q.931 calls from outside. Policy table inbound and outbound Rule #2 selectively permits only related traffic for the inbound and outbound TCP connections and UDP streams dynamically created during the course of each 'User System' H.323 session. Source: Hifn
When the SFP reports a non-zero Parent_Flow_ID in its result, it indicates that the packet belongs to a TCP connection or UDP stream that is related to a prior connection or stream. In this case, the Q.931 protocol of H.323 dynamically creates an H.245 TCP connection, and RTP and RTCP (audio and video) streams on UDP destination ports all above 1024. The SFP analyzes the Q.931 messages that negotiate the ports for the dynamic H.245 connection. This allows the SFP to recognize the packets belonging to this specific H.245 connection and to produce results with a non-zero Parent_Flow_ID containing the Flow_ID of the related Q.931 connection. The policy engine uses the packet's application and state information to assign the correct policy to all related H.323 packets.
Furthermore, the SFP recognizes when the H.323 control connections (Q.931 and H.245) close via TCP handshakes, TCP resets, or TCP timeouts and removes any state related to these connections and all related connections and streams. Thus, any 'replayed' packets will now be denied by the policy table's inbound and outbound Rule #3, since the policy entries for the H.323 session are no longer in the policy table. The audio and video streams of RTP/RTCP are particularly noteworthy, as they do not explicitly close, because UDP is connectionless. The RTP and RTCP packets are implicitly denied after their parent flows (Q.931 and H.245) are closed.
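The Parent_Flow_ID mechanism and the teardown behaviour described above, as an added example that is not Hifn's code: a simulated flow processor that hands Flow_ID/Parent_Flow_ID results to a policy function implementing Rules #1 to #3 for an H.323 session. The inside address, outside address and ephemeral ports are constructed, and TCP 1720 is assumed as the Q.931 call-signalling port.

```python
from collections import namedtuple

USER_SYSTEM = "10.0.0.5"   # constructed address of the inside 'User System'
Q931_PORT = 1720           # assumed H.225/Q.931 call-signalling TCP port
Packet = namedtuple("Packet", "proto src sport dst dport")

def _key(p):  # direction-independent key, so replies map onto the same flow
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

class SecureFlowProcessor:
    """Stand-in for the SFP: tracks control flows and the child flows they negotiate."""
    def __init__(self):
        self.next_id, self.flows, self.by_key, self.expected = 1, {}, {}, {}
    def _new_flow(self, key, app, parent, initiator):
        fid, self.next_id = self.next_id, self.next_id + 1
        self.flows[fid] = {"app": app, "parent_flow_id": parent, "initiator": initiator}
        self.by_key[key] = fid
        return fid
    def negotiate(self, parent_id, app, proto, addr, port):
        # A Q.931 or H.245 message announced an ephemeral port for a child flow
        if parent_id in self.flows:
            self.expected[(proto, addr, port)] = (parent_id, app)
    def classify(self, p):
        """Return the SFP result for one packet: Flow_ID, Parent_Flow_ID (0 = unrelated)."""
        key, endpoint = _key(p), (p.proto, p.dst, p.dport)
        if key in self.by_key:                              # packet of a tracked flow
            fid = self.by_key[key]
        elif endpoint in self.expected:                     # first packet of a negotiated child
            parent, app = self.expected.pop(endpoint)
            fid = self._new_flow(key, app, parent, p.src)
        elif p.proto == "tcp" and p.dport == Q931_PORT:     # new call-signalling connection
            fid = self._new_flow(key, "q931", 0, p.src)
        else:                                               # unclassified: no flow, no parent
            return {"flow_id": 0, "parent_flow_id": 0, "app": None, "initiator": None}
        return {"flow_id": fid, **self.flows[fid]}
    def close(self, fid):
        # Control connection closed (FIN, RST or timeout): forget it and every descendant
        for child in [c for c, f in self.flows.items() if f["parent_flow_id"] == fid]:
            self.close(child)
        self.flows.pop(fid, None)
        self.by_key = {k: v for k, v in self.by_key.items() if v != fid}
        self.expected = {k: v for k, v in self.expected.items() if v[0] != fid}

def policy(result):  # Rules #1 to #3 of the article's inbound/outbound policy table
    if result["app"] == "q931":            # Rule #1: only calls the inside system placed
        return "permit" if result["initiator"] == USER_SYSTEM else "deny"
    if result["parent_flow_id"] != 0:      # Rule #2: related H.245/RTP/RTCP flows
        return "permit"
    return "deny"                          # Rule #3: everything else
```

Calling classify on the 'User System' Q.931 packets, negotiate for the H.245 and RTP ports, and then close on the Q.931 flow reproduces the sequence in the text: related flows are permitted by Rule #2 while the call is up, and an RTP packet replayed afterwards is unclassified and falls through to Rule #3.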
While traditional packet filtering offers higher throughput at lower cost, it must open holes to support dynamic protocols. Such holes give hackers conduits to steal information from, inject viruses into, or deny service to the host behind the firewall, by misusing the protocols permitted to that host or by establishing illegitimate protocols that go undetected by the stateless firewall. In some cases the holes are static and rather large, and pose a security risk.
Ensuring security
It is impossible for a traditional policy table, which lacks secure flow processing technology, to predict which ephemeral port any dynamic connection is going to use. Traditional policy engines have two alternatives to avoid opening holes and to ensure that the protected network is secure. One is to forbid the 'User System' from using the H.323 application at all, which is not useful. The other is to proxy the application, meaning in this example that the policy engine performs the H.323 application on behalf of the 'User System', which degrades performance and increases cost in order to provide higher security.
Thus, the policy engine with SFP enhancement achieves transparent passage of all valid H.323 traffic through the firewall without sacrificing security or performance or increasing cost. Traversal of ephemeral port numbers is dynamically permitted as the protocols emerge and then denied as the protocols close.
SFP also enhances firewalls, IDS, and other security technologies in the following ways. First, SFP can help identify all potentially dangerous traffic related to an application, which may assist the processing of that traffic through the IDS heuristic algorithms. Second, secure flow processing detects protocols that act unexpectedly, which the IDS can use to identify potentially dangerous traffic. Since the SFP tracks all properly operating protocols, unclassified packets and unknown states can be used to alert the IDS to analyze all traffic related to that flow.
Because SFP knows applications, it can be used to time out idle applications or detect illegitimate applications. Similarly, SFP can be used to identify incomplete TCP connections and signal DoS alarms once some limit of incomplete TCP connections is exceeded.
SFP recognizes the application, identifies the packet, and locates where in the payload to check for the presence of a potential virus. SFP identifies protocols that use dynamic port assignments as well as email attachments or URLs. Again, this excludes benign stateful traffic from virus detection system (VDS) analysis.