Open in app

Sign in

Write

Sign in

Firewall Rules automation with Smart Contracts

Introduction

In this article I will introduce you a new and innovative way to address some of the security issues that appear in blockchain networks. Please do not get me wrong, blockchain offers security, no one can manipulate the data; but the issues I mention are referred to security holes that appear when nodes are exposed without security considerations. To achieve that purpose it is possible to write smart contracts that maintain an updated state of allowed nodes to connect and utilize that information to automatically update our firewall rules almost in real time.

The approach to guide you in this path will go from particular to general. First I will show you the most basic implementation to automate firewall rules through smart contracts in a simple node. Finally you will have a general approach of how to raise security at an administration level (cloud providers/on premise). This approach does not pretend to replace current schemes utilized by organizations to secure their environments but it is a contribution to improve the safety by taking advantage of reliance that blockchain networks offer.

Although all what is mentioned up to this point is an almost general concept I will exemplify the automation of firewall rules through smart contracts written in Ethereum; I will also explain an intermediate component between the ethereum network and the firewall rules.

Permissioned networks in Ethereum

Lets delimit our journey by focusing on Ethereum networks. Permissioned networks add a security layer at an application level. It allows control over who can join the network.

Ethereum client implementations like Parity and Hyperledger Besu have two ways how a permissioned network can be created:

  • Using files on each node to specify which other nodes are able to communicate with that node.
  • Another interesting approach to accomplish the same purpose is the use of smart contracts. This implementation is known as onchain permissioning. Basically in this approach all nodes which obey the permissioning smart contract form a permissioned network. The contract decides to which nodes to connect. It is worth to say that this approach is more dynamic; as soon as the list of nodes are updated in the smart contract, the nodes start accepting the new permissioned node.

Pain Points

Analyzing current permissioned networks shows that nodes are reachable at an application level so any other node, even when it is not in the smart contract, can reach the P2P node ports and try to attack the node. Even when the node does not accept connections other than the registered in the smart contract, bad actors can still deliver spam attacks on the P2P exposed ports.

exposed node at an application level

In order to protect the access to our nodes people could opt for using firewall rules. This approach adds a security layer so only authorized nodes can reach our ethereum nodes.

Firewall rules can be applied in:

  • The hosting machine where the node lives
Protected node by Firewall Rules applied at the hosting machine level
  • Cloud/on premise infrastructure
Stronger, protected node by Firewall Rules applied at cloud/on-premise level

Firewall rules adds more security but also more complexity to our configuration because those have to be manually updated.

Controlling the firewall rules manually can lead to lose synchronization under some consensus protocols, for example IBFT2.0 requires a minimum number of active validators (>=2/3 of listed validators) in order to continue adding blocks​. The communication between those validators must be guaranteed. In this scenario if new validators are added to the network and the firewall rules of other validators have not been updated in order to allow connection with the new validators, then the network could halt because of communication failure between between validators.

Analysis

From my view, having permissioned networks is not enough in terms of security. On the other hand using firewall rules manually have its own troubles.

Nodes should have a way to protect themselves from a variety of attacks​ that could be performed when malicious actors reach our nodes through security holes. It could be useful to have a dynamic way to handle the firewall rules.

Onchain Firewall rules

So far we have analyzed permissioned networks and firewall rules. In this section I am going to show you how to utilize permissioning smart contracts to increase the security at a system admin level to guarantee alleviation of the ethereum service and increase the protection to our node. To achieve that purpose it is possible to automate firewall rules through smart contracts, in this scenario nodes can use the smart contract as a source of trust when modifying the rules.​ In the next section I am going to apply smart contracts (by way of emitted events) to automatically update firewall rules.

Implementation

The following diagram shows how the administrators of a permissioned network can update the allowed nodes to join a network.

seq-1
Sequence 1
  • The Node.x can be your node which is used to interact with the network.
  • In the following diagram you can see a daemon service which is listening to the permissioning smart contract through your Node.x. Once the daemon realizes a new event has been emitted it updates the firewall rules. Lets take a look at the following diagram:
Sequence 2

Up to this point we have seen general diagrams, lets now check a particular implementation. In this diagram the daemon service gets notified by way of events emitted by the permissioning smart contract. As soon as those events arrive the daemon service updates the firewall rules on the hosting machine where the Node.x lives. If you are curious about how this particular implementation has been implemented please find the code here

Onchain Firewall rules applied to a hosting machine

The previous diagram can be extended. For example instead of only updating local hosting machine firewall rules, the daemon service can update directly the cloud/on-premise firewall rules. In this way you make sure your node is connected to trusted nodes in the network. Any malicious actor wont be able to reach your ethereum nodes because the nodes are protected at a higher levels.

Onchain Firewall rules applied to a cloud/on-premise level

Conclusion

One of the main features of blockchain technologies is trust, in this article I have shown you how it is possible to automate firewall rules by taking advantage of the blockchain technologies and smart contracts as a source of trust for security purposes.

You have also seen how we can have secured nodes and still being able to interact with other trusted nodes(other organizations).

Finally you do not need to worry anymore about firewall rules because those can be automatically updated by the blockchain network.

Author: Erick Pacheco — Researcher at Innovation & Labs Blockchain/DLT Peru in everis

Security
Firewall Rule
Blockchain
Smart Contracts

--

--

Erick PACHECO PEDRAZA
NTT DATA Blockchain & DLT & Web3 & Quantum Computing

Written by Erick PACHECO PEDRAZA

10 Followers
Editor for

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams