Roedig, Utz (2002) Firewall-Architekturen für Multimedia-Applikationen. PhD thesis, UNSPECIFIED.
Full text not available from this repository.

Abstract
In this thesis on Firewall Architectures for Multimedia Applications, solutions are developed and discussed that enable the use of multimedia applications in network environments where firewalls are employed. The solutions cover optimizations of existing firewall architectures as well as new mechanisms for implementing firewall architectures. In a globally networked environment, security aspects become more and more important, and access control at network borders is considered essential. For this purpose, firewalls are used that provide access control and auditing at the border between open and private networks or between administrative domains. As an integral part of the network infrastructure, they are strongly affected by the development and deployment of new communication paradigms and applications. Currently we experience a very fast rise in the use of multimedia applications, which differ in many aspects from "traditional" applications. Existing firewalls are not able to support these new types of applications in an efficient and secure manner. This thesis identifies and classifies the existing problem areas. It can be deduced from this classification that modifying and extending existing firewall architectures are suitable methods to solve these problems. The thesis shows that an appropriate firewall architecture has to apply the design pattern "Separation of Signalling and Media Flows". A new architectural model is introduced which can be used to structure firewall architectures according to the criteria necessary to support multimedia applications. This makes it possible to investigate different categories of architectures, and it is shown that the category of distributed firewalls is best suited to support multimedia applications. The model also makes it possible to identify which elements are missing or have to be optimized in order to build distributed firewalls.
An important element of a distributed firewall is the communication between the different firewall components. Instead of developing a new protocol - as currently proposed in the standardization bodies - it is shown that the existing and approved Resource Reservation Protocol (RSVP) can be used for this purpose. An implementation shows that RSVP can be used in practice. Another important element of firewall architectures is the signalling element. State-of-the-art methods for integrating the signalling element into a scenario cannot be used in multimedia scenarios. The thesis shows that the necessary integration mechanisms have to be derived from the integration mechanisms used for multimedia infrastructure components. On the basis of an implementation it is shown that this approach is also feasible in practice. The thesis also investigates the performance of firewall architectures. The parameters that limit the performance of a multimedia firewall are identified, and it is shown how these parameters have to be taken into account to optimize a firewall for specific performance requirements. Measurements show that the proposed changes to firewall architectures are optimal with respect to performance. Distributed firewalls that use the design pattern "Separation of Signalling and Media Flows" have to be used to optimize the performance of a multimedia firewall. Several tools have been developed within the thesis to show the feasibility of the given statements; they can also be used for other purposes not considered in this thesis. The tool KOMtraffgen can be used for performance measurements as well as to determine performance values of components in the communication path of multimedia applications. The tool KOMproxyd can be used to build firewall architectures for multimedia applications. It is currently used within the video conference service of the Deutsches Forschungsnetz (DFN).