NEXT GENERATION FIREWALLS AND

INTELLIGENT NETWORKING

MSCS Research Proposal

Student Name : XYZ

Roll Number : Abc
Session of Admission : Fall2016-Spring2018
Faculty : Computing
Study Program : Master of Science in Computer Science (MSCS)

Main Supervisor : ABC

Co-Supervisor : XYZ

Riphah College of Computing, Riphah International University

Faisalabad Campus, Pakistan

 NEXT GENERATION FIREWALLS AND
INTELLIGENT NETWORKING

Abstract
This research will described about the necessity, deployment considerations, performance evaluation
and the possible outcomes of using the next-generation firewalls (NGFW) in an enterprise
network environment. A firewall is the most important component for any system considering their
information security because it’s the first line of defense against every known and unknown security
attacks. Security threats come with a big deal to any enterprise network, these threats always try to
penetrate into system’s confidentiality, integrity, and availability. Firewalls are designed to provide
security against these threats, however, it will be more effective by timely implementation and fine-
tuning of the configurations according to the network requirement. In this thesis, we will describe,
how the security threats are vulnerable to systems with their possible impacts. We also differentiated
between different types of firewalls based on their features and capacities which could help anyone to
choose the optimal one for any network environment. And, finally we have also showed how to better
handle these firewalls to mitigate the impact of latest security attacks without considering network
performance using Next- Generation firewall technologies. Our proposed network model using
NGFW improved a lot of segments of an existing network which was previously running without a
firewall. Our experimental results will give a clear idea about how much improvement would be
gained in network performance and security by using our recommended Next-generation firewalls.

1. Overview
In this modern era of technology, the use of computer systems in personal and commercial
sectors makes it possible together and share information with each other using the internet.
Thoughts are not hidden inside now, it’s global on the internet world. Now, we can do many
banking operations, academic activities or shopping via the internet. Many companies are
presenting themselves on the internet where their data should keep safe from any type of
attack. Here comes the concept of network security.

TCP/IP was primarily developed to ensure reliable communications between different networks. At
that time, security was not a concern at all. The internet was not so vast covering very specific small
networks. In that sense, the base technologies behind this network contained many insecurities, most
of which continue to exist today. A decent number of well-reputed attacks already take place on
sensitive private networks originated from the internet. Finally, security is the biggest concern
nowadays. Organizations need to conduct their business in such a secure manner to protect their data
and resources from internal, or external attacks.

To secure a private network the organization first needs to deploy some security policies based on a
business strategy and their privacy requirements. For example, any financial organization like a bank
cannot consider their security policies as a publicly accessible network like social sites. A network
security policy defines which connections are allowed between the privates and external networks
and the actions to take in the event of any security breach. A firewall has a great role to perform
this task here. A firewall placed between the private network and the Internet enforces the security
policy by controlling what connections can be established between the two networks in a secure
manner. All network traffic must pass through the firewall, which ensures that only permitted traffic
passes based on applied policies. The primary objective of using a firewall is to protect unwanted
access to or from any private network.

2. Problem Background
Connectionless trustworthiness, information beginning confirmation, guarantee against
replays, and confidentiality are the protection administrations offered by IPsec. IPsec,
discretionary in IPv4, is mandatory for any IPv6 use. When IPv6 is widely distributed, it will
be possible for IPsec to be used by any client wanting to use protection capabilities. The basic
framework of IPsec is defined by RFC2401, and all execution strategies are based on the
premise. It gave the sense of IPsec security administrations, how to use them and where to
use them, how datagrams are generated and processed, and how similar approaches are
organized, etc... Several RFCs have been characterized by IPsec working gathering of the
IETF, these RFC characterized IPsec from all angles: the structure, security key
administration, the necessary convention and compulsory transformation code in order to
achieve the basic convention. The security benefits IPsec can provide include power,
connectionless trustworthiness, and confirmation of the source of information, dismissal of
replayed packages, safety, and classification of restricted traffic streams. Since these
administrations are provided at the IP layer, any higher layer convention, such as UDP, TCP,
BGP, ICMP, and many others, can be used. (Rituet al.,2010).

VPNs can use various forms of encryption. Asymmetric Cryptography and Symmetric
Cryptography are two of the key encryption techniques. With symmetric cryptography, the
use of both scrambling and unscrambling messages is equivalent to a key. Then again, two
keys for decoding and encryption are implemented with deviated cryptography. In the
majority of instances, deviated encryption is used to validate one another, whereas symmetric
encryption is linked to provide information classification. Some well-known calculations of
symmetric encryption contain DES, AES, 3DES, etc. Some famous calculations of deviations
include, for example, RSA, DSA, etc. In order to provide a sheltered data trade over the
system layer, IPsec is a set of some exceptional web shows No protection mechanism is
provided by the standard IP (Internet Protocol) when it is instantly doled out. Some new
shows were produced for the framework layer, for example, AH, ESP, and so on, with the
expanding requests for web security. IPsec is the name of the social gathering for both of
these series. IPsec can be used along these lines for security purposes in different
applications. For instance, it is possible to ensure the mystery and reliability of data traded
over the system, to understand the approval of data senders, and to maintain a strategic
distance from the hand-off and analysis of data traded over the open web. (Twanet al., 2005).

Year Paper Algorithm Parameters Dataset Results

Used
2021 A suggested test- An Efficient test-bed is An Efficient test-bed is Suggested test-bed is NGFWs can be used as
bed to evaluate suggested to test and suggested to test and practically used on both rendezvous points in Layer 3
multicast network benchmark NGFW benchmark NGFW five different most and bridge mode in Layer 2 in
and threat multicast network common NGFWs.
threat prevention multicast networks successfully.
prevention performance for
performance of functions. different network Moreover, proposed testbed
Next Generation design scenarios. allows testing the security
Firewalls functions of NGFWs and
benchmark them in terms of threat
prevention performance.
2020 Applications and It focuses on analyzing Applied various levels Tested on three It groups the classification
use Cases of the entire network of classification different network granularity into a systematic
Multilevel traffic classification granularity and their environments. multilevel taxonomy to assist in
Granularity for use cases which allow
process with emphasis attaining a deeper understanding
Network Traffic for more optimized
Classification. on the classification traffic classification. of their applications.
IEEE techniques.

2020 Bio-Inspired, Applied on the By applying cellular Build both It was working host-based,
Host-based viability of using a membrane concepts supervised and supervised machine learning
Firewall biologically-inspired such as endocytosis unsupervised driven, next generation firewall
IEEE and ligandreceptor prototype that demonstrated very
design to develop a machine learning
interactions along with promising results, nearly 100% of
host-based next machine learning, we models, optimized normal connections were passed
generation firewall. created a feasible next their results, then and 77% of zero-day malicious
generation firewall exported the models, connections were blocked.
prototype capable of and tested the
defending against exported models on
zero-day threats even zero-day malicious
within encrypted
network traffic.
traffic.

Base Paper:
Göksel Uçtu, Mustafa Alkan, İbrahim Alper Doğru, Murat Dörterler, A suggested testbed to
evaluate multicast network and threat prevention performance of Next Generation Firewalls,
Future Generation Computer Systems, Volume 124, 2021, Pages 56-67.

3. Problem Statement
Theoretical analysis of current threats and attacks gives an answer to define the requirement behind
the firewall into a network system. Understanding of network requirements to ensure the best
possible information security can take place during the selection of firewalls from available
suppliers. Firewall’s features and a detail comparison chart always helps to select the best- desired
device for any network. Need a physical or VM based Fortinet device to experiment with the
outputs by varying different configuration parameters.

4. Research Question(s)
1. What is the significance of performance and security features that can be delivered by
firewalls in any enterprise network?

5. Research Objective(s)
i. To examine the pattern and impact of different network security threats and attacks

ii. To acquire sound knowledge for designing an better handling of enterprise level
networks

iii. To explore firewall technology and their advanced security features

6. Research Methodology
The First, we put firewall concepts into a network system, the necessity of firewalls,
describes how they work and how to classify their types. Looking closer to a typical
firewall configuration gives us more ideas on how the components work together
simultaneously to provide the desired level of data security.

To choose from several vendors, a comparison table gives us an overview which gets best
matched with our requirements. Feedback from the managers of enterprise systems and
international security forums gives us confirmation on our selection.

In the second part, we will describe the deployment considerations along with network
configurations. Fine-tuning of network configurations resulting best possible performance
which enhanced overall network security.

Figure: Proposed Network Traffic Diagram inspected by NGF

7. Research Aim
Our main target is to implement secured enterprise level network to ensure data security
without considering network performance. To defend against latest network threats &
attacks and to mitigate the existing solution vulnerabilities, we are introducing Next-
Generation firewall technologies to be incorporated with the existing system.

8. Research Significance
Enterprise network Includes different kind of service and server. In this service there
are both public and private access. For example, web-based services could be accessed
by different clients from various networks, they can also get into other services like
database services. Users from Internet, internal network, and branches networks can
access their e-mail and FTP accounts. For security purpose, access to database servers
is restricted from internal network, it should not be obtain from public network. EN
contains various networks, each network has its function, users, devices, and
technology.
 References

[1] Göksel Uçtu, Mustafa Alkan, İbrahim Alper Doğru, Murat Dörterler, A suggested
testbed to evaluate multicast network and threat prevention performance of Next
Generation Firewalls, Future Generation Computer Systems, Volume 124, 2021,
Pages 56-67.

[2] F. Zaki, A. Gani and N. B. Anuar, "Applications and use Cases of Multilevel
Granularity for Network Traffic Classification," 2020 16th IEEE International
Colloquium on Signal Processing & Its Applications (CSPA), 2020, pp. 75-79, doi:
10.1109/CSPA48992.2020.9068697.

[3] L. Watkins, J. Ballard, K. Hamilton, J. Chow, A. Rubin, W. H. Robinson and C. Davis

"Bio-Inspired, Host-based Firewall," 2020 IEEE 23rd International Conference on
Computational Science and Engineering (CSE), 2020, pp. 86-91, doi:
10.1109/CSE50738.2020.00022.

[4] Wang G, Zhao Y, Huang J, Wu Y. An effective approach to controller placement in
software defined wide area networks. IEEE Trans Netw Serv
Manag. 2018; 15(1): 344- 355.

[5] Sukhveer Kaur, Krishan Kumar, Naveen Aggarwal, DDoS Defense Mechanisms for

SDN Control Plane, Computer Networks and Inventive Communication
Technologies, 10.1007/978-981-15-9647-6_83, (1045-1058), (2021)..

[6] Tasnuva Mahjabin, Yang Xiao, Guang Sun “A survey of distributed denial-of-
service attack, prevention, and mitigation techniques” Available:
https://journals.sagepub.com/doi/full/10.1177/1550147717741463

[7] Jesús Galeano-Brajones, Javier Carmona-Murillo, Juan F. Valenzuela-

Valdés, Francisco Luna-Valero, Detection and Mitigation of DoS and DDoS
Attacks in IoT-Based Stateful SDN: An Experimental
Approach, Sensors, 10.3390/s20030816, 20, 3, (816), (2020).
[8] Yulei Wu, Zheng Yan, Zhiwei Zhao, Ahmed Al, Dubai, Editorial: Special issue on
SDN based wireless network virtualization, Concurrency and Computation:
Practice and Experience, 10.1002/cpe.5444, 32, 16, (2019).

[9] Suchismita Rout, Kshira Sagar Sahoo, Sudhansu Sekhar Patra, Bibhudatta

Sahoo, Deepak Puthal, Energy Efficiency in Software Defined Networking: A
Survey, SN Computer Science, 10.1007/s42979-021-00659-9, 2, 4, (2021).

[10] Monali S. Gaigole,Prof. M. A. Kalyankar"The Study of Network Security with Its

Penetrating Attacks and Possible Security Mechanisms"IJCSMC, Vol. 4, Issue. 5,
May 2019, pg.728 – 735.

[11] Jan MA, Usman M, He X, Rehman AU. SAMS: a seamless and authorized

multimedia streaming framework for WMSN-based IoMT. IEEE Internet Things
J. 2018