<<Taikichiro Mori Memorial Research Fund>>
Graduate Student Researcher Development Grant
Report
Building a
small firewall based on Linux Embedded System
Nguyen Anh Duc, e-mail:
ducna80@sfc.keio.ac.jp
I. Introduction
Security has become a critical issue in the ubiquitous world. With the dramatically increasing number of ubiquitous devices such as sensor nodes, gateways ... and applications, security for such kind of networks is definitely unavoidable. Since most of ubiquitous systems are developed based on TCP-IP based network due to its superior advantages, there is one trend to modify conventional computer-based security models to be suitable with sensor networks which come with highly challenged characteristics for both hardware and software implementations. In my research, I am going to analyze and implement a small, simple-to-manage firewall based on linux embedded system for sensor networks. The hardware platform is the low cost ATNGW100 Network Gateway Kit, it meets most of hardware requirements in sensor network, and software, the firewall, is built on the Linux embedded Operating System to get the most of the currently available variety of proved high-quality firewall applications.
ATNGW100 Network Gateway Kit, Atmel
II. Strategies and Implementation
Strategies are used in this firewall system
1. Packet Filtering
This strategy is used to monitor the Network Layer and Transport Layer, analyze and validate data of each packet according to firewall filter rules, such as the header, the protocol (UDP/TCP), and the source, destination address, port number etc.... If a packet is considered to be denied, then the firewall will drop it. This strategy works at the network layer and function more efficiently because they only look at the header part of a packet. However, pure packet filters have no concept of state and can not prevent spoofing attacks and other exploits.
2. Stateful Inspection or stateful packet inspection (SPI)
This strategy keeps track of the state of network connections (such as TCP streams, UDP communication) traveling across it. It is responsible for recognizing legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected. Stateful Inspection monitors incoming and outgoing packets to determine not only source and destination, but also context. By ensuring that only requested information is allowed, Stateful Inspection helps protect against hacker techniques such as IP spoofing and port scanning.
3. Intrusion detection system (IDS) and Intrusion Prevention System (IPS)
IDS is used to detect several types of malicious behaviors that can harm computer system. This includes network attacks against vulnerable services, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files. IPS is used to monitor network malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass.
For given strategies, there is one way is to use Iptables tools for setting up and configuring netfilter rules in the Linux kernel. Moreover, Snort is also a good choice to be implemented/integrated into ATNGW100 Network Gateway Kit with Linux embedded OS as it is a lightweight, free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS), it can well perform packet logging and real-time traffic analysis on IP networks.
III. Future Works
After taking control the ATNGW100 Network Gateway Kit, hardware platform, development tools and implementing some main parts of Snort as design requirements, in the next stage of research, I will be trying to improve and focus on some following aspects:
1. Continue to try implement and analyze the performance of Snort on the ATNGW100 Network Gateway Kit
2. Consider challenged issues/characteristics of sensor networks [8], and optimize the performance of application.
3. Expand and provide some other services
DHCP (Dynamic Host Configuration Protocol)
NAT (Network Address Translation)
Encryption/authentication
4. Make application easy to use: setting up and configuring via Serial, Telnet, SSH terminals and friendly web interface.
IV. Conclusion
In my research, I have analyzed and implemented a small firewall based on Linux Embedded System in which the hardware platform is ATNGW100 Network Gateway Kit and software is developed based on ip table tool and Snort, a free lightweight network intrusion detection system. For this configuration, both hardware and software, this application is capable of performing more efficiently in the sensor networks which require highly challenged characteristics especially the very limited resource of being use, such as memory size, power consumption, computational capacity, physical dimensions. Also for this software architecture (a well-known open source operating system and application with a huge number of developer and supporters), it is easy to shift software from this hardware platform to others; the software development, maintenance and upgrade are less tough than the normal way and it is a big advantage to reduce the time to market of products.
References
[1] Takefuji, “Rule-based DoS attacks prevention shell script”, Linux Gazette, #137, april 2007, http://linuxgazette.net/137/takefuji.html
[2] Nguyen Thanh Hoa, and Yoshiyasu Takefuji, “Security for micro server “, Proceedings of world academy of science, engineering and technology volume 35 November 2008 ISSN 2070-3740
[3] Xiao Long Dou; Jia Chun Li; Ling Zhang; Shou Bin Dong, “The research and implementation of transplanting the Iptables/Netfilter to an IXP2400 based firewall system”, Embedded Software and Systems, 2005. IEEE Second International Conference on Volume , Issue , 16-18 Dec. 2005 Page(s): 5 pp.
[4] Jenq-Muh Hsu; Chian-Fei Hsu; Chung-Ming Huang, “Design of an IPv6 SOHO router based on embedded Linux system”, Advanced Information Networking and Applications, 2005. AINA 2005. IEEE 19th International Conference on Volume 2, Issue , 28-30 March 2005 Page(s): 827 - 832 vol.2
[5] ATNGW100 Network Gateway Kit, AVR32 AT32AP7000
http://www.atmel.com/dyn/products/tools_card.asp?tool_id=4102
[6] This page lists Linux and BSD-based firewalls and broadband routers in active development
http://distrowatch.com/dwres.php?resource=firewalls
[7] SNORT - an open source network intrusion prevention and detection system
http://www.snort.org/
[8] K. Fall, “A Delay Tolerant Network Architecture for Challenged Internets”, In Proc. of SIGCOMM’03, pp. 27‐34, Aug. 2003