The use and usability of direction-based filtering in firewalls

Abstract

The common match fields in firewall rules refer to a packet's source and destination IP addresses, protocol, and source and destination port numbers. However, most firewalls are also capable of filtering based on a packet's direction: which network interface card the packet is crossing, and whether the packet is crossing the interface from the network into the firewall (“inbound”) or vice versa (“outbound”). Taking a packet's direction into account in the firewall's rules is extremely useful: it lets the firewall administrator protect against source address spoofing, write effective egress-filtering rules, and avoid unpleasant side-effects when referring to subnets that span the firewall. Unfortunately, the firewall's definition of a packet's direction is different from what users normally assume. If interface eth0 connects the firewall to the internal network, then, from a user's perspective, “inbound on eth0” is actually “Outbound” traffic. This discrepancy makes it very confusing for firewall administrators to use the packet direction correctly, and creates a significant usability problem. In this paper we review the usefulness of direction-based filtering, identify the usability problem, and critically review the approaches taken by several major firewall vendors. Most vendors expose the raw and confusing functionality to the firewall administrators, while one vendor (Check Point) hides the functionality entirely. Both approaches leave much to be desired. However, recent advances in firewall research show that better alternatives exist: the Firmato prototype demonstrates that the firewall management software can compute the directions algorithmically for a perimeter firewall.