Towards Universitas Indonesia Next Generation Firewall Service
Tonny Adhi Sabastian, M. Kom
(tonny.adhi@ui.ac.id)
Gnome Asia Summit 2015 - Universitas Indonesia
7th - 9th May 2015
Introduction
Research & Development Team
● Gladhi Guarddin, M. Kom (adin@ui.ac.id)
■ Researcher - Lecturer, Pervasive Computing Lab, Faculty of Computer Science
■ Division Head of Information System Development, Office of Information System Development and Services
● Tonny Adhi Sabastian, M. Kom (tonny.adhi@ui.ac.id)
■ Research Assistant - Lecturer, Pervasive Computing Lab, Faculty of Computer Science
■ ICT Network Coordinator,
Introduction
Research & Development Team
● Alfan Presekal (alfanpresekal@gmail.com)
■ Student, Faculty of Engineering
● Harrish M. Nazief (harishmuhammadnazief44@gmail.com)
■ Student, Faculty of Computer Science
● Raden Rheza (rheza.raden@ui.ac.id)
■ Staff, Network Infrastructure Service, Office of Information System Development and Services
Presentation Overview
❏ Introduction to Our Research Lab
❏ Next Generation Firewall (NGFW) Concept
❏ Experiments on NGFW at Universitas Indonesia
❏ NGFW Prototype at Universitas Indonesia
Pervasive Computing Research Lab: What do we do?
Smart Space Research
Outcome 2013 - 2014
2013: Location Extractor
2014: Zigbee REST Gateway API; Zigbee Lighting using ZLL
Next Generation Firewall Concept
“Next Generation Firewalls are Deep Packet Inspection Firewalls that move beyond port / protocol inspection and blocking to add application level inspection, intrusion prevention, and bringing intelligence from outside the firewall”
Ali Kapucu,
Kent State University
“Making a Firewall to become Content Aware and Context Aware”
Next Generation Firewall Concept
A Legacy Firewall
Current Internet Condition
Deep Packet Inspection
What can an NGFW do?
Next Generation Firewall Concept
Challenges for NGFW:
● Performance of DPI techniques
○ Regular expression and string matching (Aho-Corasick algorithm)
○ Machine learning
● User privacy
Next Generation Firewall Experiments on UI
● Started in 2012
● Using a Free/Open Source Software stack
○ Debian GNU/Linux 7
○ IPTables & IPSet
○ JASIG CAS (Common Authentication System) for Single Sign On authentication [http://jasig.github.io/cas/4.0.0/index.html]
○ One production environment and one prototyping environment
Next Generation Firewall Experiments on UI
Production Environment
● Using Linux kernel 2.6.32.x; unsupported on kernel 3.x
● IPSet holding the list of authenticated IPs from UI SSO
● IPtables L7-Netfilter [http://l7-filter.clearfoundation.com/]
○ L7-Netfilter has not been developed since 2013
○ Static regex pattern per protocol
○ In-kernel regex library
Next Generation Firewall Experiments on UI
Prototyping Environment
● Using Linux kernel 3.2.x
● In active development
● IPSet holding the list of authenticated IPs from UI SSO
● IPtables nDPI-Netfilter [http://www.ntop.org/products/ndpi/] [https://github.com/ewildgoose/ndpi-netfilter/]
○ Per-protocol pattern search (Aho-Corasick algorithm)
○ Buggy netfilter conntrack
● Published at the International Conference on Advanced Computer Science and Information Systems, 2014
Next Generation Firewall Experiments on UI
Buggy Netfilter Patch
Next Generation Firewall Experiments on UI
Typical Deployment Architecture
Next Generation Firewall Experiments on UI
Rules Example
#iptables -A INSPEKSI -m ndpi --twitter -j ACCEPT
#iptables -A INSPEKSI -m ndpi --yahoo -j STD_PROTO
#iptables -A INSPEKSI -m ndpi --steam -j REJECTED_PROTO
#iptables -A INSPEKSI -m ndpi --dropbox -j STD_PROTO
#iptables -A INSPEKSI -m ndpi --h323 -j STD_PROTO
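The per-protocol pattern search that the challenges slide and the prototyping-environment slide attribute to nDPI-Netfilter (Aho-Corasick), together with a verdict table mirroring the INSPEKSI rules above, as an added illustration that is not code from the slides, nDPI or l7-filter. The signatures, the INSPEKSI-style policy table and the packet payloads are constructed for this example; real nDPI dissectors are far richer than one string per protocol.

```python
# Added illustration of the per-protocol pattern search the slides attribute to
# nDPI-Netfilter (Aho-Corasick) plus a policy table mirroring the INSPEKSI chain.
# Not nDPI's or l7-filter's code; signatures and payloads below are constructed.
from collections import deque
# Constructed one-string signatures (real nDPI dissectors are far richer).
SIGNATURES = {
    b"Host: twitter.com": "twitter",
    b"Host: api.dropboxapi.com": "dropbox",
    b"Host: steamcommunity.com": "steam",
    b"\x13BitTorrent protocol": "bittorrent",
}
# Verdict per detected protocol, like "-m ndpi --<proto> -j <target>" on the slide.
POLICY = {"twitter": "ACCEPT", "dropbox": "STD_PROTO",
          "steam": "REJECTED_PROTO", "bittorrent": "REJECTED_PROTO"}

class AhoCorasick:
    """Trie + failure links: one pass over the payload tests every signature."""

    def __init__(self, patterns):
        self.goto = [{}]    # goto[state][byte] -> next state
        self.out = [set()]  # protocols reported when a state is reached
        self.fail = [0]     # state of the longest proper suffix that is a prefix
        for pat, proto in patterns.items():
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({}); self.out.append(set()); self.fail.append(0)
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].add(proto)
        # Breadth-first: depth-1 states fail to the root (already 0); deeper
        # states follow the parent's failure chain and inherit its outputs.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]

    def scan(self, payload):
        """Return the set of protocols whose signature occurs in payload."""
        s, found = 0, set()
        for b in payload:
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            found |= self.out[s]
        return found

DPI = AhoCorasick(SIGNATURES)

def verdict(payload):
    """(protocol, target) for the first hit; unmatched traffic keeps walking the chain."""
    protos = sorted(DPI.scan(payload))
    return (protos[0], POLICY[protos[0]]) if protos else (None, "UNMATCHED")

# Constructed payloads: HTTP to Twitter, a BitTorrent handshake, unrelated HTTP.
SAMPLES = {"twitter": b"GET / HTTP/1.1\r\nHost: twitter.com\r\n\r\n",
           "bittorrent": b"\x13BitTorrent protocol" + bytes(8),
           "other": b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"}
```

The BitTorrent handshake is classified by its payload regardless of the port it rides on, which is the gap the deployment-result slide describes for the legacy port-based rules.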
Next Generation Firewall Experiments on UI
Authorization Portal*
Next Generation Firewall Experiments on UI
SSO Portal
Deployment Result
With the legacy implementation, we don't know if somebody tunneled BitTorrent packets.
The DPI implementation is able to capture and filter a target protocol.
Next Plan
● Traffic Classifier (using machine learning)
● DPI Technique (also using machine learning)
● Automatic provisioning of Firewall and Bandwidth Management
References
Acharya, H. B., Joshi, A., & Gouda, M. G. (2010). Firewall Modules and Modular Firewalls. 2010 18th IEEE International Conference on Network Protocols (pp. 174-182). Kyoto: IEEE.
Alcock, S., & Nelson, R. (2013). Measuring the Accuracy of Open-Source Payload-Based Traffic Classifiers Using Popular Internet Applications. IEEE Workshop on Network Measurements (pp. 956-963). Sydney: IEEE.
Allot Communications. (2007). Digging Deeper into DPI. Allot Communications.
Al-Shaer, E. S., & Hamed, H. H. (2002). Design and Implementation of Firewall Advisor Tools. Chicago: DePaul University.
Ou, G. (2009, October 27). Understanding Deep Packet Inspection (DPI) Technology. Retrieved from Digital Society: http://www.digitalsociety.org/2009/10/understanding-deep-packet-inspection-technology/
Papatheodoulou, N., & Sklavos, N. (2009). Architecture & System Design Authentication, Authorization, & Accounting Services. IEEE, 1831-1837.
Parsons, C. (2008). Deep Packet Inspection in Perspective: Tracing its lineage and surveillance potentials. The New Transparency Surveillance and Social Sorting, 1-16.
Nazief, H. M., Sabastian, T. A., Presekal, A., & Guarddin, G. (2014). Development of University of Indonesia Next Generation Firewall Prototype and Access Control With Deep Packet Inspection. 2014 IEEE International Conference on Advanced Computer Science and Information Systems. Jakarta: IEEE.
Thomason, S. (2012). Improving Network Security: Next Generation Firewalls and Advanced Packet Inspection Devices. Global Journal of Computer Science and Technology Network, Web & Security, 47-49.
Wang, C. (2009, June 4). Forrester: Deep Packet Inspection as an Enabling Technology. Retrieved from CSO Online: http://www.csoonline.com/article/2124061/network-security/forrester--deep-packet-inspection-as-an-enabling-technology.html
Q & A
Thank You