Carnegie Mellon University Technical Report CMU-CS-00-173, May 2001.
David Friedman and David Nagle
Dept. Electrical & Computer Engineering
School of Computer Science
Carnegie Mellon University
Pittsburgh, PA 15213
The primary method for protecting networks today is to use a firewall: a boundary separating the protected network from the untrusted Internet. However, these firewalls offer no protection from internal attacks, scale poorly due to limited firewall processing capacity, and do not support mobile computing. Distributing a firewall to each network host avoids many of these problems, but weakens the security guarantees of the network since it places the firewall under the control of the host OS. Leveraging the increasing capability of embedded-VLSI, including network-specific processors, we propose a Network Interface Card (NIC) based distributed firewall. Supporting the same (and more) functions as a centralized firewall, NIC-based firewalls provide significant benefits including: scalability, easier client customization, sharing application/OS state to enable application-level filtering, and the ability to block misbehaving hosts at the source, the host itself. We describe the architecture of a Network Interface Card-based distributed firewall and our implementation, which uses an i960-based NIC and IPsec for management and policy distribution. The firewall currently supports basic packet filtering and some application policies as well as secure policy distribution.
FULL PAPER: pdf / postscript