DIADEM FIREWALL    FP6 IST-2002-002154

MonAM 2006

Scientific and technological objectives of the project

The rapid growth of the Internet drives the search for value-added infrastructures. For this reason, the security of information systems is one of today's major concerns. Access control to a piece of equipment, a network, or an administrative domain plays an essential part in such a heterogeneous environment.

Network security architectures consist of a number of dedicated components, such as filtering routers and firewalls. The core of the traditional approach to network security is to separate the network into a secure zone and an insecure zone. Typically, the interface between the two is a single access point that enforces the security policy. This traditional approach has significant shortcomings, such as reduced flexibility and scalability. Moreover, conventional firewalls can only observe a single point in the network, and therefore have only limited information about their environment. Lastly, the emergence of large-scale attacks such as Distributed Denial of Service (DDoS) has demonstrated the limits and weaknesses of this model. Getting value out of networks therefore requires detailed attention to these problems. An effective security architecture must answer these new challenges.

The vision of the project is to develop a novel and comprehensive security solution that solves the upcoming challenge of providing secure broadband services, by combining key know-how of a number of areas, in particular:

  • flexible implementation techniques for high-speed packet processing,
  • algorithms for intrusion detection, and
  • policy-based techniques for automated configuration and decision-handling.

The general goal of the project is the development and deployment of innovative network components that enable service providers to offer to their customers secure broadband services in an effective and cost-efficient way. In order to achieve this, the project pursues the following individual objectives:

  • Design and implement an innovative architecture for provider-controlled distributed high-speed edge devices, intended to become a new generation of distributed high-speed firewalls with policy-based control, and suitable for providing a comprehensive security solution meeting the needs of customers and service providers.
  • Develop and deploy enhanced techniques capable of detecting a wide range of security violations, in particular focused on DDoS (Distributed Denial of Service) attacks, but also suitable for detecting and identifying all types of malfunctioning, such as activities that cause unintended service interruptions. Achieve enhanced detection capabilities by designing and implementing flexible and effective solutions for distributed monitoring of application traffic.
  • Establish techniques for intelligent response to security violations, in particular providing effective protection against DDoS attacks.
  • Ensure fair, coherent, and efficient enforcement of security policies by management and control of the distributed firewall components using policy-based techniques.
  • Develop applications for the new technology, deploy them in meaningful testbeds, and work on adoption of the new technologies, by disseminating know-how and training of target people.

To realize these objectives, the project will develop and demonstrate an architecture with the following unique combination of features:

  • Cooperating edge devices complement the traditional firewall approach by protecting not only the networks attached to a provider network against certain attacks, but also key properties of the provider network itself, the previously unsecured interior network.
  • The architecture ensures high performance in combination with functional flexibility by supporting high-performance algorithms for classification, filtering, sampling and measurements, and high-performance implementations using network processors and programmable hardware.
  • Distributed measurement technology makes it possible to exploit a broad overview of network activities for detection purposes.
  • Policy-based schemes perform management and control of the distributed solution, and can exploit the flexibility of the high-speed components within the data plane.
  • The project is committed to developing a Linux-based software solution that will be made available as open source, thereby supporting wide adoption of the approach.
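The following Python snippet is an added illustration of the point made above about cooperating edge devices and distributed measurement; it is not code from the DIADEM project. It assumes a simplified scheme (an assumption, not something the page specifies) in which each edge device reports per-destination packet counts for one measurement window and a central detector sums those reports. The device names, addresses, counts and threshold are constructed. A single device's view of the constructed traffic stays below the alarm threshold, while the aggregated view exceeds it, which is exactly the limitation of single-point observation the text describes.

```python
"""Added example (not DIADEM project code): a combined view across
cooperating edge devices detects what no single device sees.

Assumption (not from the project page): each edge device reports
per-destination packet counts per measurement window; a central
detector sums them and flags destinations above a threshold.
"""
from collections import Counter, defaultdict

# Constructed per-window reports from three hypothetical edge devices.
# Each entry: (edge_device, destination, packets_in_window)
REPORTS = [
    ("edge-A", "10.0.0.5", 400), ("edge-A", "10.0.0.9", 50),
    ("edge-B", "10.0.0.5", 450), ("edge-B", "10.0.0.7", 30),
    ("edge-C", "10.0.0.5", 380), ("edge-C", "10.0.0.9", 60),
]
THRESHOLD = 1000  # constructed packets-per-window alarm level


def per_device_view(reports):
    """Counts as each device sees them in isolation: {device: {dst: packets}}."""
    view = defaultdict(Counter)
    for device, dst, pkts in reports:
        view[device][dst] += pkts
    return {device: dict(counts) for device, counts in view.items()}


def aggregate_view(reports):
    """Network-wide counts obtained by summing all device reports: {dst: packets}."""
    total = Counter()
    for _, dst, pkts in reports:
        total[dst] += pkts
    return dict(total)


def detect(counts, threshold=THRESHOLD):
    """Destinations whose packet count in this window exceeds the threshold."""
    return sorted(dst for dst, pkts in counts.items() if pkts > threshold)


def local_alarms(reports, threshold=THRESHOLD):
    """Alarms each device would raise if it relied only on its own view."""
    return {device: detect(counts, threshold)
            for device, counts in per_device_view(reports).items()}


def contributing_devices(reports, dst):
    """Devices that observed traffic to dst, i.e. where a coordinated response
    (filters pushed by policy) would have to be applied."""
    return sorted({device for device, target, _ in reports if target == dst})


if __name__ == "__main__":
    print("local alarms:", local_alarms(REPORTS))      # every device stays silent
    flagged = detect(aggregate_view(REPORTS))
    print("aggregate alarms:", flagged)                # the combined view flags 10.0.0.5
    for dst in flagged:
        print(dst, "observed at", contributing_devices(REPORTS, dst))
```

With the constructed reports, each device counts at most 450 packets towards 10.0.0.5, below the threshold, so no device alarms on its own; the summed count of 1230 crosses the threshold, and the list of contributing devices is where policy-driven filtering would need to be enforced.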