Security Mechanisms for a Cooperative Firewall

Abstract

The growing number of mobile users and mobile broadband subscriptions around the world calls for support of mobility in the Internet and also demands more addresses from the already depleting IP address space. The deployment of Network Address Translation (NAT) at network edges to extend the lifetime of IPv4 address space introduced the reachability problem in the Internet. While various NAT traversal proposals have attempted to solve the reachability problem, no perfect solution for mobile devices has been proposed.

A solution is proposed at COMNET department of Aalto University, which is called Customer Edge Switching and it has resulted in a prototype called Customer Edge Switches (CES). While it addresses many of the current Internet issues i.e. reachability problem, IPv4 address space depletion, so far security has generally been considered out of scope.

This thesis aims at identifying the security vulnerabilities present within the CES architecture. The architecture is secured against various network attacks by presenting a set of security models. The evaluation and performance analysis of these security models proves that the CES architecture is secured against various network attacks only by introducing minimal delay in connection establishment. The delay introduced does not affect the normal communication pattern and the sending host does not notice a difference compared to the current situation.

For legacy interworking a CES can have the Private Realm Gateway (PRGW) function. The security mechanisms for PRGW also generate promising results in terms of security. The thesis further contributes towards security by discussing a set of deployment models for PRGW and CES-to-CES communication.