We have challenges to achieving our goal. To perform the owner test, a firewall must know which application has sent, or will receive, the packet under scrutiny. However, packets generally do not carry information about their source or destination applications. Almost every firewall uses the port number to bind packets to an owner application; for example, packets with port 80 are considered to be Web traffic. However, a port number is at most a hint to an application's identity, because it is a shared resource usable by any application with the appropriate privileges. It is extremely difficult to bind packets to owner applications without help from the applications themselves. The second challenge is that applications are not aware of state changes in the stateful firewalls they need to traverse. For instance, if a TCP connection is inactive for a while, it may become stale because the firewall flushes its state without any notification to the application. False negative errors occur in this case. Therefore, applications need notification from firewalls.
3. Architecture

To handle these challenges and achieve our goal, CODO uses extensive cooperation between firewalls and applications. In CODO, connections into or out of a network are enabled through the cooperation of stateful firewalls, firewall agents (FAs), and client libraries (CLs) linked with the application. Figure 2 shows a typical CODO topology.

Figure 2: CODO topology

With CODO, a firewall can start with a configuration that allows no application to traverse. It also need not allow outbound communications. However, it may still have other rules for application-neutral or auxiliary tests. The FA running on the firewall machine dynamically adds and deletes rules for owner tests. During initialization, it adds a few firewall rules to allow CODO commands to be delivered to it. The FA has a list of applications that may traverse the firewall. Since the list must be part of the firewall policy, we may think of the FA as a part of the firewall, or as an entity that enforces a part of the policy delegated from the firewall.

Through a secure TCP connection established using a certificate given to the application, the CL interacts with the FA on behalf of the application. It informs the FA of application activities such as binding a socket to an address, closing a socket, and trying to connect to a server. Using this information, the FA adds and deletes firewall rules for the application. The FA also informs the CL of necessary information, such as how often the firewall will flush a connection's state. The CL uses this information to help the application communicate across the firewall. The application uses CODO services by calling the CODO socket functions that the CL provides.
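The FA/CL exchange described above, modelled as an added example (this is not CODO's own code; the class and function names, the rule table keyed by direction and port, and the reply carrying the flush interval are assumptions made for illustration):

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class FirewallAgent:
    """Hypothetical FA: holds the allow-list of applications and the dynamic rule table.

    rules maps (direction, port) -> owning application, edited on CL reports.
    """
    allowed_apps: frozenset
    state_timeout: int = 300  # seconds of inactivity before the firewall flushes a state
    rules: Dict[Tuple[str, int], str] = field(default_factory=dict)

    def on_event(self, app: str, event: str, port: int) -> dict:
        """Handle a CL report (sent over its authenticated channel) and edit the rules.

        bind    -> allow inbound packets to `port` for `app`
        connect -> allow outbound packets from `port` for `app`
        close   -> delete every rule for `app` on `port`
        The reply carries the flush interval so the CL can keep states alive.
        """
        if app not in self.allowed_apps:
            return {"ok": False, "reason": "application not in the FA policy list"}
        if event == "close":
            self.rules = {k: v for k, v in self.rules.items()
                          if not (v == app and k[1] == port)}
        elif event in ("bind", "connect"):
            key = ("in" if event == "bind" else "out", port)
            owner = self.rules.get(key, app)
            if owner != app:  # a port is shared: never hand one app's rule to another
                return {"ok": False, "reason": f"port {port} already owned by {owner}"}
            self.rules[key] = app
        else:
            return {"ok": False, "reason": f"unknown event {event!r}"}
        return {"ok": True, "state_timeout": self.state_timeout}

    def owner_of(self, direction: str, port: int) -> Optional[str]:
        """Owner test on the firewall: the application a packet belongs to, or None (drop)."""
        return self.rules.get((direction, port))


def keepalive_interval(state_timeout: int) -> int:
    """CL side: refresh the state at half the flush interval so it never goes stale."""
    return max(1, state_timeout // 2)
```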