University of Indonesia is one of the largest state-owned universities in Indonesia, with more than 40,000 students. As a university that supports Free/Open Source movements (in particular by providing an F/OSS content mirror), we also adopt F/OSS in our infrastructure development. Most of our own information systems are built on an F/OSS stack by our in-house developer team. In 2012 we started to experiment with a next generation firewall to support our staff and students' internet access. The current firewall can no longer cope with the dynamic nature of today's internet applications because it filters only on port, IP address and communication protocol state. Meanwhile, on today's internet we can access a wide variety of applications over just the HTTP protocol, for example. A next generation firewall is able to detect and filter using L7 protocol patterns, meaning that filtering is done at the application layer. During the presentation, I will share our experience in developing and integrating a Next Generation Firewall using an F/OSS stack. I will also share open opportunities for further research and development on this topic.
Towards Universitas Indonesia Next Generation Firewall Service - Tonny | GNOME.Asia
1. Towards Universitas Indonesia
Next Generation Firewall Service
Tonny Adhi Sabastian, M. Kom
(tonny.adhi@ui.ac.id)
Gnome Asia Summit 2015 - Universitas Indonesia
7th - 9th May 2015
2. Introduction
Research & Development Team
● Gladhi Guarddin, M. Kom (adin@ui.ac.id)
■ Researcher - Lecturer, Pervasive Computing Lab,
Faculty of Computer Science
■ Division Head of Information System Development,
Office of Information System Development and
Services
● Tonny Adhi Sabastian, M. Kom (tonny.adhi@ui.ac.id)
■ Research Assistant - Lecturer, Pervasive Computing
Lab, Faculty of Computer Science
■ ICT Network Coordinator,
3. Introduction
Research & Development Team
● Alfan Presekal (alfanpresekal@gmail.com)
■ Student, Faculty of Engineering
● Harrish M. Nazief (harishmuhammadnazief44@gmail.com)
■ Student, Faculty of Computer Science
● Raden Rheza (rheza.raden@ui.ac.id)
■ Staff, Network Infrastructure Service, Office of Information
System Development and Services
4. Presentation Overview
❏ Introduction to Our Research Lab
❏ Next Generation Firewall (NGFW) Concept
❏ Experiments on NGFW at Universitas
Indonesia
❏ NGFW Prototype at Universitas Indonesia
7. Outcome 2013 - 2014
2014:
● Zigbee REST Gateway API
● Zigbee Lighting using ZLL
8. Next Generation Firewall Concept
“Next Generation Firewalls are Deep Packet Inspection
Firewalls that move beyond port / protocol inspection
and blocking to add application level inspection,
intrusion prevention, and bringing intelligence from
outside the firewall”
Ali Kapucu,
Kent State University
“Making a Firewall to become Content Aware and
Context Aware”
14. Next Generation Firewall Concept
Challenges on NGFW :
● Performance on DPI Techniques
○ Regular Expression and String Matching (Aho-Corasick Algorithm)
○ Machine Learning
● User Privacy
15. Next Generation Firewall Experiments on UI
● Started on 2012
● Using a Free/Open Source Software Stack
○ Debian GNU/Linux 7
○ IPTables & IPSet
○ JASIG CAS (Central Authentication Service) for Single Sign-On authentication [http://jasig.github.io/cas/4.0.0/index.html]
○ One Production Environment and One Prototyping
Environment
16. Next Generation Firewall Experiments on UI
Production Environment
● Runs on Linux kernel 2.6.32.x; the L7-filter module is not supported on kernel 3.x
● IPSet holds the list of IP addresses authenticated through UI SSO
● IPtables L7-Netfilter [http://l7-filter.clearfoundation.com/]
○ L7-Netfilter has not been developed since 2013
○ One static regex pattern per protocol
○ Pattern matching runs in an in-kernel regex library
17. Next Generation Firewall Experiments on UI
Prototyping Environment
● Runs on Linux kernel 3.2.x
● Active development state
● IPSet holds the list of IP addresses authenticated through UI SSO
● IPtables nDPI-Netfilter [http://www.ntop.org/products/ndpi/] [https://github.com/ewildgoose/ndpi-netfilter/]
○ Per-protocol pattern search using the Aho-Corasick algorithm
○ Buggy netfilter conntrack
● Published at the 2014 International Conference on Advanced Computer Science and Information Systems
23. Deployment Result
With the legacy (port-based) implementation, we cannot tell whether somebody has tunneled BitTorrent traffic over an allowed port.
The DPI implementation is able to detect and filter a target protocol regardless of the port it uses.
24. Next Plan
● Traffic Classifier (using machine learning)
● DPI Technique (also using machine learning)
● Automatic provisioning on Firewall and
Bandwidth Management
25. References
Acharya, H. B., Joshi, A., & Gouda, M. G. (2010). Firewall Modules and Modular Firewalls. 2010 18th IEEE
International Conference on Network Protocols (pp. 174-182). Kyoto: IEEE.
Alcock, S., & Nelson, R. (2013). Measuring the Accuracy of Open-Source Payload-Based Traffic Classifiers Using
Popular Internet Applications. IEEE Workshop on Network Measurements (pp. 956-963). Sydney: IEEE.
Allot Communications. (2007). Digging Deeper into DPI. Allot Communications.
Al-Shaer, E. S., & Hamed, H. H. (2002). Design and Implementation of Firewall Advisor Tools. Chicago: DePaul
University.
Ou, G. (2009, October 27). Understanding Deep Packet Inspection (DPI) Technology. Retrieved from Digital Society:
http://www.digitalsociety.org/2009/10/understanding-deep-packet-inspection-technology/
Papatheodoulou, N., & Sklavos, N. (2009). Architecture & System Design of Authentication, Authorization, &
Accounting Services. IEEE, 1831-1837.
Parsons, C. (2008). Deep Packet Inspection in Perspective: Tracing its lineage and surveillance potentials. The New
Transparency Surveillance and Social Sorting, 1-16.
26. References
Harish Muhammad Nazief, Tonny Adhi Sabastian, Alfan Presekal, Gladhi Guarddin (2014). Development of
University of Indonesia Next Generation Firewall Prototype and Access Control With Deep Packet
Inspection. 2014 IEEE International Conference on Advanced Computer Science and Information Systems.
Jakarta: IEEE.
Thomason, S. (2012). Improving Network Security: Next Generation Firewalls and Advanced Packet Inspection
Devices. Global Journal of Computer Science and Technology Network, Web & Security, 47-49.
Wang, C. (2009, June 4). Forrester: Deep Packet Inspection as an Enabling Technology. Retrieved from CSO Online:
http://www.csoonline.com/article/2124061/network-security/forrester--deep-packet-inspection-as-an-enabling-technology.html