DIADEM FIREWALL    FP6 IST-2002-002154

Project documents and deliverables

D2 - Initial Interfaces Specification

    Executive summary
    This document gives a detailed specification of all provided application programming interfaces (APIs) within the DIADEM distributed firewall. In particular, the APIs for the firewall element and high-speed classification are explained, and descriptions of the response API, notify API, monitor API and service API are presented. In addition, the dependencies between the system elements and the specified APIs are visualized. To emphasize the need for the APIs in the overall architecture, this document illustrates two example use cases, TCP SYN flood and Web-server overloading, including the corresponding attack detection and attack response mechanisms. Finally, an analysis of commercially available and current open source firewalls is included.

    Y. Carlinet, P. Sagmeister, O. Paul, S. Yusuf, M. Sloman, F. Dressler, T. Koloszyk, M. Kowalczyk, L. Sketa, "Initial Interface Specification," DIADEM Firewall Technical Report D2, July 2004.
    (Download: PDF [1368kB])

D3 - Attack Requirements Specification

    Executive summary
    This document provides a state-of-the-art survey of existing DoS detection schemes. It includes a taxonomy of existing attacks and attack tools as well as a taxonomy of existing detection methods. It also provides an analysis of existing tools and products available. This document analyses existing work in the field of DoS detection techniques and provides requirements for the DIADEM architecture.

    Y. Carlinet, O. Cherkaoui, F. Dressler, C. Ehinger, A. Fadlallah, G. Münz, M. Mussner, O. Paul, A. Serhrouchni, M. Sloman, S. Yusuf, "Attack Requirements Specification," DIADEM Firewall Technical Report D3, July 2004.
    (Download: PDF [1253kB])

D4 - Response Requirements Specification

    Executive summary
    This document details the requirements specification for the proposed DIADEM distributed firewall. The document discusses techniques and methods that can be employed in response to distributed denial of service attacks. We outline the required procedure for carrying out an automated response, and then discuss specific techniques that will be used in this project. The techniques will take advantage of our distributed firewall architecture to combat the deficiencies of current practices in responding to distributed denial of service attacks.

    Y. Carlinet, D. Chalmers, F. Dressler, N. Dulay, W. Luk, E. Lupu, O. Paul, M. Sloman, S. Yusuf, "Response Requirements Specification," DIADEM Firewall Technical Report D4, July 2004.
    (Download: PDF [309kB])

D5 - Architecture Specifications

    Executive summary
    This document presents the architecture of the DIADEM Firewall system as a whole. There are five high-level components: Devices, Monitoring Element, Firewall Element, Violation Detection, and System Manager. Devices are network equipment of the data plane which can be controlled by a component of the DIADEM Firewall architecture. Monitoring Elements configure the monitoring functions of the Devices (e.g. Netflow for a Cisco router device) and collect the monitoring data issued by these devices. They aggregate the collected data and send it to the Violation Detection for analysis. Monitoring Elements are themselves configured by the Violation Detection (VD). The VD contains the attack detection logic. When an attack is detected, the VD sends a report to the System Manager. The System Manager analyses these reports and issues response policies to the Firewall Elements. The latter then interpret the response policies and convert them into configuration rules that are enforced on the appropriate Devices, in order to mitigate the attack.

    P. Sagmeister, R. Wehage, G. Dittmann, J. van Lunteren, O. Paul, S. Yusuf, M. Sloman, V. Thing, G. Münz, F. Dressler, T. Koloszczyk, M. Kowalczyk, D. Gabrijelcic, Y. Carlinet, "Architecture Specifications," DIADEM Firewall Technical Report D5, January 2005.
    (Download: PDF [494kB])

D6 - Revised Interfaces Specification

    Executive summary
    This document describes the DIADEM Firewall application programming interfaces (APIs) between the system elements defined by the DIADEM Firewall architecture to support the operations and tasks defined in deliverable D5. The Monitoring API interfaces between the Monitoring Element (ME) and the Violation Detection (VD) to enable the VD to access monitored data and control its collection, exportation and aggregation in a unified manner. The interface abstracts the hardware details of the specific Monitoring Device. The Notify API enables the exchange of events in the system. The events are either notifications about the attacks or events that trigger the policies on the system elements. The System Manager can use the Service API to disseminate the policies to the appropriate system elements. To counter the attacks, the System Manager can use events to trigger the policies on Firewall Elements (FE) or access their response mechanisms directly through the Response API. The response mechanisms are based on the response capabilities of Firewall Devices (FD), and the Firewall API provides a device-independent abstraction of the details of specific FDs. The response mechanisms are not always sufficient to mitigate new attacks. The Service API exported by the FE can be used to deploy code modules in the FDs to be able to mitigate them. On high-speed broadband connections, classification of the network traffic can be a major system bottleneck. The Classifier API enables the Firewall API to perform high-speed classification in hardware and therefore achieve better performance. Each API is described with examples of usage that together support the "Initial Demonstrator Specification" presented in deliverable D7.

    D. Gabrijelcic, Y. Carlinet, G. Münz, F. Dressler, R. Wehage, S. Yusuf, P. Sagmeister, G. Dittmann, "Revised Interfaces Specification," DIADEM Firewall Technical Report D6, January 2005.
    (Download: PDF [629kB])

D7 - Initial Demonstrator Specification

    Executive summary
    This document gives a description of the two selected use-cases: TCP SYN flood and Web Server Overloading. In particular, it describes how the different components of the architecture interact with each other during the execution of the use-cases. The document also contains a general introduction on the basics of firewall testing and traffic generation tools. It also gives a preliminary description of the testbed that will be set up and used in the project.

    P. Piotrowski, Y. Carlinet, O. Paul, P. Tobis, "Initial Demonstrator Specification," DIADEM Firewall Technical Report D7, January 2005.
    (Download: PDF [771kB])

D8 - Initial Firewall Element Prototype

    Executive summary
    This document describes the current implementation status of the DIADEM Firewall Element. What has been achieved are initial, operational prototypes of the Service API, the Capabilities Module, the Firewall API, a configuration interface to a commercial firewall, the Classifier API, and the Classifier Engine. Furthermore, we have started to investigate an alternative implementation of the Classifier Engine, integrating it directly with a network-interface card. The goal of this integration is to reduce the number of PCI transactions for higher system performance. The status of the Policy Management Agent and the Response Module are described in deliverable D10. Our next steps will be to implement the Code Module, to extend the functionality of the initial prototypes to their final scope, and to integrate the entire system.

    G. Dittmann, D. Gabrijelcic, S. Yusuf, A. Fessi, R. Sasnauskas, Y. Carlinet, J. van Lunteren, "Initial Firewall Element Prototype," DIADEM Firewall Technical Report D8, July 2005.
    (Download: PDF [1.86MB])

D9 - Initial Violation Detection Prototype

    Executive summary
    This deliverable presents the current state of the prototype implementation of the Monitoring Elements and the Violation Detection. Apart from giving implementation details, we sketch a functional demonstration of the implementation that took place at the Ljubljana meeting on May 31. Furthermore, we discuss the current achievements with respect to the specifications and point out what efforts still have to be made for the final demonstrator. Special focus is put on integration and testing issues.

    G. Münz, O. Paul, F. Dressler, "Initial Violation Detection Prototype," DIADEM Firewall Technical Report D9, July 2005.
    (Download: PDF [1.37MB])

D10 - Initial Response Management Prototype

    Executive summary
    This report describes the current state of the Initial Response Prototype. An initial version of the Policy Management Agent is working which supports loading, unloading, enabling and disabling policies. Notifications can be sent and received, but only limited response actions have been implemented. Work is continuing on IP traceback as well as attack redirection and throttling. An initial scenario for TCP SYN flooding has been implemented. Work is still needed to integrate the response with the attack detection mechanisms.

    S. Yusuf, M. Sloman, V. Thing, Y. Carlinet, "Initial Response Management Prototype," DIADEM Firewall Technical Report D10, July 2005.
    (Download: PDF [1.35MB])

D11 - Integrated Prototype

    Executive summary
    This document describes the integration work performed during period 4 (July-December 2005) of the project. For each high-level component, namely the Monitoring Element, the Violation Detection, the System Manager and the Firewall Element, the document describes how their sub-components work with each other, and how they work with the other high-level components. The descriptions are given from an implementation viewpoint.

    Y. Carlinet, O. Paul, S. Yusuf, V. Thing, M. Sloman, D. Gabrijelcic, G. Münz, A. Fessi, R. Sasnauskas, G. Dittmann, P. Piotrowski, P. Tobis, "Integrated Prototype," DIADEM Firewall Technical Report D11, January 2006.
    (Download: PDF [534kB])

D12 - Testbed Specification

    Executive summary
    This document contains the specifications of the various testbeds that will be used to evaluate the implementation. It covers both an overlay network as a general purpose testbed platform and specific configurations which will be used to test selected use-cases and DIADEM components. It also describes the test traffic models for selected use-cases and test scenarios, with examples of performance and functional tests and procedures.

    P. Piotrowski, A. Fessi, Y. Carlinet, O. Paul, V. Thing, P. Tobis, "Testbed Specification," DIADEM Firewall Technical Report D12, January 2006.
    (Download: PDF [3.57MB])

D13 - Plan for Exploitation of Results

    Executive summary
    This document describes the plan for exploitation of the results of the DIADEM Firewall project. It presents the different strategies put in place for exploitation in collaborative projects, academic projects, operators' internal projects, partnerships with industry, and in standardization bodies.

    Y. Carlinet, G. Münz, P. Sagmeister, J. van Lunteren, M. Sloman, P. Tobis, O. Paul, D. Gabrijelcic, "Plan for Exploitation of Results," DIADEM Firewall Technical Report D13, September 2006.
    (Download: PDF [222kB])

D14 - Evaluation Report

    Executive summary
    This document describes an extensive evaluation of the DIADEM Firewall. The evaluation starts with reports on functional as well as performance tests of the DIADEM Firewall. Afterwards, an analysis of the limitations of the DIADEM Firewall and the security threats related to it is provided. Finally, a revised state-of-the-art analysis compares the DIADEM Firewall with existing products and systems in the market as well as in the research community.

    A. Fessi, S. Yusuf, Y. Carlinet, O. Paul, P. Sagmeister, J. van Lunteren, V. Thing, M. Sloman, D. Thomas, D. Gabrijelcic, P. Tobis, G. Münz, D. Haage, R. Sasnauskas, K. Dragicevic, "Evaluation Report," DIADEM Firewall Technical Report D14, September 2006.
    (Download: PDF [1.79MB])