Window on Wake Forest

Beyond the firewall

Computer science professor Errin Fulp envisions the next generation of network security.

Think, as Errin Fulp does, of a computer network’s security system as an airport’s international point of entry. With one counter, the line of passengers backs up quickly when volume builds, no matter how efficiently passports are checked. Additional counters help some, but those lines build rapidly during peak periods as well.

Now imagine the operation as a pyramidal hierarchy. All passengers check in first at one primary counter whose only function is to determine their general status and direct them to one of several more specialized secondary counters. Those counters, in turn, send them on to other counters with even more narrowly defined responsibilities, and so on to still more specialized counters until processing is finished. The whole process would take a fraction of the time required in a parallel system.

Fulp, an assistant professor of computer science at Wake Forest, envisions this kind of system as ideal for the next generation of network firewalls. Under a three-year, $160,000 grant from the U.S. Department of Energy, he, along with an undergraduate and a graduate student, will investigate a firewall architecture that could perform data packet inspections under increasing traffic loads, higher traffic speeds, and stricter security requirements.

The architecture would consist of multiple firewalls configured in a hierarchy that collectively would enforce a security policy. The system would quickly divide traffic across the hierarchy based on perceived threat, resulting in shorter delays, faster throughput, and less susceptibility to hostile attacks.

Fulp, who is in his fourth year at Wake Forest, explains that today’s Internet is what is called a “best-effort” system. It makes no speed or accessibility guarantees, he notes, and users can encounter delays in transmitting data or be unable to log on during peak volume periods.

“The next generation of networks five or 10 years down the road provide these kinds of [speed and volume] guarantees,” says Fulp, a Raleigh native who earned his doctorate in computer science at N.C. State University. “Given that climate, users will rely on network guarantees to accomplish real-time [time-sensitive] tasks. Hackers who could slow or disrupt network services would be a significant threat.”

Fulp says that, like passport counters, today’s network firewalls typically process all incoming data indiscriminately with one or perhaps a couple of servers, each performing precisely the same function as the others: determining whether a data packet is legitimate or otherwise and either blocking or admitting it. Like passport lines, they can slow down and back up when traffic gets heavy—perilous, since many hackers can now easily disrupt a company, school, or government agency by overloading their firewalls with illegitimate transmissions.

Fulp’s theory would establish a hierarchy of unduplicated, highly specialized firewall functions dispersed over many servers. “A security policy is nothing more than a set of rules,” he observes. “All a firewall does is ask questions [of an incoming data packet] to determine if the rules are being conformed with or broken. The key [to enhanced firewall efficiency] is to break up the rules into smaller and smaller components.”

In his vision, a lead server would perform no other function than to ask each incoming data packet a question and forward it to another server assigned to process that general category. The second server would further refine the data packet’s profile and pass it to an even more specialized server, which would pass it on to another, then to another, and so on until it was authorized or denied entry.
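As an added illustration (not code from the article or from Fulp’s project), the following constructed example models a small policy two ways: a flat first-match rule list, and a hierarchy in which a lead node asks only “which protocol?”, the next node only “which port?”, and a leaf holds just the source-network rules left for that pair. The rule set, packet format and question-counting are assumptions made for this example.

```python
import ipaddress

# Constructed sample policy: (protocol, dst_port, src_net, action); first match wins.
RULES = [
    ("tcp", 22,  "10.0.0.0/8", "allow"),
    ("tcp", 22,  "0.0.0.0/0",  "deny"),
    ("tcp", 80,  "0.0.0.0/0",  "allow"),
    ("tcp", 443, "0.0.0.0/0",  "allow"),
    ("udp", 53,  "10.0.0.0/8", "allow"),
    ("udp", 123, "10.0.0.0/8", "allow"),
]
DEFAULT = "deny"

def matches(rule, pkt):
    proto, port, net, _ = rule
    return (proto == pkt["proto"] and port == pkt["dport"]
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(net))

def flat_decide(pkt):
    """One counter: test every rule in order. Returns (action, rules tested)."""
    for tested, rule in enumerate(RULES, 1):
        if matches(rule, pkt):
            return rule[3], tested
    return DEFAULT, len(RULES)

def build_hierarchy(rules):
    """Lead node asks only 'which protocol?', its children only 'which port?',
    and each leaf keeps just the source-network rules left for that pair."""
    tree = {}
    for proto, port, net, action in rules:
        tree.setdefault(proto, {}).setdefault(port, []).append((net, action))
    return tree

TREE = build_hierarchy(RULES)

def hier_decide(pkt, tree=TREE):
    """Hierarchy: each node asks one question and forwards the packet down.
    Returns (action, questions asked), counting one per node or leaf rule."""
    asked = 1                                   # lead node: protocol
    by_port = tree.get(pkt["proto"])
    if by_port is None:
        return DEFAULT, asked
    asked += 1                                  # second node: destination port
    leaf = by_port.get(pkt["dport"])
    if leaf is None:
        return DEFAULT, asked
    src = ipaddress.ip_address(pkt["src"])
    for net, action in leaf:                    # specialised leaf: source network
        asked += 1
        if src in ipaddress.ip_network(net):
            return action, asked
    return DEFAULT, asked
```

Both paths return the same verdict for every packet; the hierarchy’s advantage shows on packets that would otherwise be tested against most of the flat list before matching or being dropped.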

Fulp, whose family hails from Forsyth County, is especially enthused about involving undergraduates in the study. Assisting him this year is Jeff Shirley (’04), a computer science major who helped work out certain aspects of the project on Linux routers this summer. Along with a graduate student he is recruiting, Fulp will concentrate this year on refining certain theoretical aspects of the concept and next year on buying equipment and conducting tests. By the final year of the study, he hopes to have a firewall prototype up and running.

Fulp’s idea sounds so simple and logical that it’s a wonder it hasn’t been thought of before. But, like standing on your head or digging a ditch, it may be simple in principle, but not easy in its execution. “How do you create the structure of a hierarchy and distribute the rules?” he asks. “That’s a very hard question to answer.”
--David Fyten