Evaluation of Data Center Network Security Based on Next-Generation Firewall

This study aims to create a network security system that can mitigate attacks carried out by internal users and reduce attacks from internal networks. Further, a network security system is expected to overcome the difficulty of mitigating attacks carried out by internal users. The goal of this research is to analyze the effectiveness of the Next-Generation Firewall implemented to improve network security. The method used in this research is the comparison method with a test of TCP SYN attack, UDP flood attack, ICMP smurf attack, and DHCP starvation attack on a company network. From the experiment results, it can be concluded that the Next-Generation Firewall has significantly better performance for protecting mitigating attacks carried out by internal users on a company network. It can increase the security of data communication networks against threats from the internal networks. Keywords—Network security; next-generation firewall; TCP SYN attack; UDP flood attack; ICMP smurf attack

In the existing network topology, coal companies currently still use traditional firewall devices to provide network security for the company's data center network infrastructure. Traditional firewalls that are currently implemented in the company have not been able to prevent attacks from attackers originating from the local area network, such as DHCP Starvation attacks, TCP Syn Attacks, UDP Flood Attacks and, ICMP Smurf Attacks, to the coal company's core network firewall because traditional firewalls are currently only able to block data/traffic that passes in the form of ip addresses, ports, and protocols and cannot block specific data or detect the contents of data packets that pass through the network [18] [19]. Traditional Firewall rules and policies are not able to block these attacks due to the limitations of features in general in traditional enterprise firewall devices or other traditional firewall devices. The design of the Next Generation Firewall implementation on the pfSense firewall device is expected to be able to prevent attacks originating from the local area network to the core network firewall. The advantage of Next Generation Firewall compared to traditional firewalls is that it is able to provide network security functions by implementing packet blocking and a deep packet inspection feature against a number of malicious packets passing through the network. The Next Generation Firewall will periodically protect against new types of attacks that have not been identified by traditional firewalls. In this study, the Next Generation Firewall was integrated with an existing firewall that functions only as a router that currently exists in the company's network infrastructure.
Based on previous research papers that have been reviewed, previous research only used firewall, Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) devices to prevent SQL Injection attacks, OS Bash Injection Attacks, HTTP Traffic, DDoS attacks, Port Scanners, and Password Brute Force. There has been no research that focuses on preventing attacks from attackers on traditional firewalls, IPS and IDS such as DHCP Starvation attacks, TCP Syn Attacks, UDP Flood Attacks, and ICMP Smurf Attacks. So, our motivation in this research is to contribute by adding new methods of preventing or mitigating types of attacks, namely, DHCP Starvation attack, TCP Syn Attack, UDP Flood Attack, and ICMP Smurf Attack, from local area networks to firewall devices from the internal network.
In this study, a solution for preventing attacks from local area networks to the core network firewall infrastructure is the use of the Next Generation Firewall pfSense which is integrated with the existing firewall that functions as a router. In this study, it will be tested using Kali Linux (Nmap, Hping3) and Yersinia Tool as attackers and Next Generation Firewall pfSense along with its configuration as a prevention of these attacks. Erlacher and Dressler researched the implementation of Signature-based Network Intrusion Detection Systems using the Snort tool and in the research, they used Novel Flow-based Network Intrusion Detection Systems-Flow Information Export-based Signature-based Intrusion Detection System (NIDS FIXIDS). In the study, Tool Vermont (Versatile Monitoring Toolkit) served as a network monitoring toolkit and was combined with snort to prevent and detect attacks of massive HTTP traffic or high-speed traffic. The attack was tested using the Cisco Trex Traffic generator tool by sending high-speed HTTP traffic on a network that has been running NIDPS and FIXIDS. The test results improved methods for preventing and detecting a massive traffic attack on the network [5].

II. LITERATURE
Other research by Bul'ajoul, James, and Shaikh researched the implementation of a Network Intrusion detection prevention system (NIDPS) using the Snort tool as NIDPS with a new Novel NIDPS architecture method. In the study, the snort tool that functioned as NIDPS could not prevent and detect attacks optimally when it received a huge traffic attack or high-speed traffic. Testing was done from Wincap, Flooder Packet, and Transmission Control Protocol (TCP) replay tools as attackers transmit TCP and User Datagram Protocol (UDP) traffic attacks. Testing with Novel NIDPS method architecture and integrating with Cisco Layer 3 switch resulted in better attack prevention and detection methods despite massive traffic attacks or high-speed traffic to internal networks [6].
Other research, which was conducted by Kaur and Singh, examined Web-Based attacks or attacks on a website on a network using deep learning-based system methods as hybrid intrusion detection and signature generation to prevent and detect attacks on the web. The prevention and detection of such attacks using D-Sign Architecture consist of Misuse Detection Engine, Anomaly Detection Engine, and Signature Generation Engine. In the study, the attack was tested by experimenting with attacks to a web with various HTTP traffic attacks. The results of D-Sign Architecture Implementation combined with Deep Recurrent Neural Network-based anomaly detection can produce better prevention and detection in the event of a known attack or a new attack on HTTP [7].
Duppa and Surantha did review and comparison testing traditional Intrusion Prevention System and Next-Generation Intrusion Prevention System. In the study, testing Next-Generation IPS to protect the network from attacks that take advantage of traditional IPS weaknesses, namely exploitation to HTTP Port or layer 7. Testing was done using Kali Linux as an attacker from inline or internal network mode with SQL Injection attack and malicious site exploit. The device used as NGIPS is Cisco Fire Power. From the penetration testing results, it can be concluded that Next-Generation IPS using the Cisco Firepower device can prevent SQL Injection attacks and malicious site exploit better than traditional IPS [8].
Ring and Landes researched the implementation using two methods, namely Unsupervised Port Scan Detection (UPDS) and Supervised Port Scan Detection (SPDS) in the research, to prevention of port scanning TCP and UDP protocols in a traffic network, such as scanning ports that open on Switch, Router, and Firewall devices. The scanning port was done in the research with the Nmap tool combined with Open Stack and NetFlow. The research compared the port scanning test algorithm with several TFDS, TRQ-SYN, UPDS, SPDS, and Webster. The test results obtained the results that UPDS and SPDS algorithms on the network can reduce or prevent an attacker from being able to scan open ports on the network or the user client [9].
Three-Tier Novel Architecture for Intrusion Detection and Prevention System in Software Defined Network was for prevention of DDoS attacks on a network. The research compared and tested Novel Three-Tier architecture with Intrusion Detection and Prevention SDN-IoT method to prevent replay attack, Mima attack, forgery attack, DDoS attack, on SDN network. From the test results, from the test results, it can be concluded that using Novel Three-Tier architecture for Intrusion Detection Prevention System (IDPS) can be guided from attacks on the system rather than the old Intrusion Detection and Prevention SDN-IoT [2].

Research conducted by Rengaraju and Ramanan researched the implementation of Intrusion Prevention System on
Software Defined Networking network to secure Software-Defined Clouds (SDC) network as a controller for Denial-of-Service (DoS) and ICMP Flooding attack prevention. Attack testing was carried out with the hping3 tool. From the test results obtained, SDC Controller that serves as Access List (ACL) and IPS can prevent Denial-of-Service (DoS) and ICMP Flooding attacks with Signature-based method [10].
Research conducted by Karim and Handa researched Intrusion Detection System, which is increasingly a key element of system security that is used to identify the malicious activities in a computer network or system. Hybrid computing is one of the latest and an emerging area in the Information and Technology (IT) sector, which has given a different dimension to the organizations. Performance and security aspects and the major issues have to be addressed in Hybrid Computing. This research will attempt to give an overall idea about Hybrid computing, Intrusion, types of Intrusion Detection Systems, and earlier works done on Intrusion Detection System [11].
A global intrusion detection system composed by autonomous Internet-distributed detection systems was proposed. In our approach, distributed detection elements cooperate by sending information about a potential threatening flow that traverses its Autonomous System (AS). Distributed Intrusion Detection Systems (DIDS) use Border Gateway Protocol (BGP) updating capabilities in order to spread intrusion warning messages across Internet routing domain so as to notify the SIEM of the attack target. When an anomalous in-transit traffic is detected, the AS integrated IDS gathers all attributes of the anomalous flow in the extended BGP Network Layer Reachability Information (NLRI) field and advertises it www.ijacsa.thesai.org towards the AS target of the intrusion. Then, the SIEM of the target AS can use such information set to manage related protection countermeasures [12] [13].
Other research by Choi and Allison is in the form of a review paper related to the methods used Intrusion Prevention System and Intrusion Detection System. IPDS performs attack prevention and detection using 2 algorithms, namely signaturebased detection and anomaly detection. In the study, the authors emphasized the use of IDPS implementation in a small to Medium-size Enterprise in preventing and detecting attacks within computer networks [14].
This research was to analyze the effectiveness of the Next Generation Firewall that was implemented to secure IoT in smart house and company network. The method used in this research was the method of comparison with a test of DDoS attacks, phishing, and SQL Injection on both network, smart house network, and company network. From the results of experiment, it can be concluded that the Next Generation Firewall has significantly better performance for protecting smart house and company network and it can increase security of data communication networks against threats from the Internet [15].
Sri Lanka Institute of Information Technology Computing (Pvt) Ltd representatives presented research in 2016 on how to create a more secure network by integrating firewall capability and firewall technologies. The findings of the experiment prove that the suggested concept is capable of constructing a stable network. This study discussed how firewalls are used to shield infrastructure from outside intruders and how Virtual Private Networks (VPN) allow encrypted access to the corporate network over non secure public networks [16].
Other research by Kishan, Rami, and Lei researched the Traditional firewalls are incapable of coping with emerging threats such as targeted and data-focused attacks. This paper discusses a survey of the different types of current and nextgeneration firewalls, highlighting their potential functionalities. The different technologies implemented in Next-Generation Firewall (NGFW) for network security were highlighted. Additionally, the advantages of the next-generation firewalls were compared against the traditional firewalls. Also, in this paper, the primary network security goals, their recent emerging security threats, and their potential solutions to protect the network are discussed [17].
Most data centers still use traditional firewalls, Intrusion Prevention System (IPS), and Intrusion Detection System (IDS) to provide network security in data centers. Traditional firewalls, IPS, and IDS applied in this data center cannot detect attacks with different variants, such as TCP SYN attacks, UDP flood attacks, ICMP smurf attacks, and DHCP starvation attacks. By utilizing anomaly-based because traditional firewall, IPS, and IDS weaknesses only understand the identity of data passed based (IP address and port used) and unable to recognize deep packet inspection, unable to know what is in the data package of these attacks. No research focused on preventing attacks such as TCP SYN, UDP flood, ICMP smurf, and DHCP starvation attacks on firewall or router devices. Thus, the motivation of this research is to later contribute by adding prevention or mitigation with different variants types of attacks that currently often occur in network infrastructure in data centers that come from internal networks.
In this research, a solution was proposed to improve network security to prevent attacks on the company's infrastructure network and prevent attacks from internal networks to the company's core network infrastructure by using Next-Generation Firewall pfSense and Suricata tool.

A. System Design
As summarized in Table II, the Next-Generation firewall used in this research was open source tool security software, namely pfSense with OS 2.5.1 series. Next-Generation firewall has been connected between the traditional firewall and core switches. The Next-Generation firewall pfSense was integrated with the traditional firewall with all segments in the network infrastructure. Pfsense was able to communicate with a traditional firewall as a router to perform the expected integration according to the objectives in this study. Switch access connected directly to the user's pc using layer 2 switch. Computers used as attackers were Asus type with Kali Linux OS. Fig. 1 proposes a new topology using Next-Generation firewall pfSense connected to the network in inline mode. In this study, the device was integrated with the existing infrastructure. The integration done in this study was a physical and logical connection in which the traditional firewall as a router internet gateway and the Next-Generation firewall pfSense should be able to connect with existing infrastructure devices and then configure to integrate existing devices. Policy implementation and configuration will be carried out on the Next-Generation firewall pfSense to prevent TCP SYN attack, UDP flood attack, ICMP Smurf attack and DHCP Starvation Attack. To achieve the objectives in this study, a network security system that can reduce internal users who carry out attacks and reduce attacks from internal networks was created by using Next-Generation firewall pfSense.
In the existing network topology, the traditional firewall core network implemented as a router internet gateway, which runs Network Address Translation (NAT) service, Routing Default route, Domain Name System (DNS) Service, and service Dynamic Host Configuration Protocol (DHCP), aims to connect internal network clients to connect the internet safely and reliably. On the proposed added devices topology above, Next-Generation firewall devices implemented the Intrusion Prevention System (IPS) feature in inline mode to prevent attacks to the traditional firewall core network. On the access switch, VLAN and Port Security division are implemented to ensure that only clients' registered Media Access Control (MAC) address and VLAN in the switch can be connected to the network or the internet.

B. Implementation and Testing
In this research, implementation and testing were carried out to prove the solution given to overcome the existing problems. This implementation and testing were carried out using system design and infrastructure that has been integrated with the traditional firewall like a router internet gateway and Next-Generation firewall pfSense and Suricata as an Intrusion Prevention Systems. By configuring the traditional firewall and Next-Generation firewall pfSense, both systems can communicate and integrate to achieve the objectives of this research. Then, this test took place by trying to simulate an attack by connecting the user's laptop to the internal network. The attack operating system used the Kali Linux tool hping3 and additional tool Yersinia that acted as an attacker. In this study, the traditional firewall Mikrotik targeted the attack connected to the Next-Generation firewall pfSense. Then, the attacker would perform a TCP SYN attack, UDP flood attack, ICMP smurf attack, and DHCP starvation attack on the traditional firewall. Table V presents system specifications used for attack testing simulation and Fig. 3 is the attack testing topology used in this study.
In this test, the Next-Generation firewall pfsense was located in the middle of an inline configured network so that the traditional firewall could immediately decide on the package that has been checked. The package was analyzed by the Next-Generation firewall pfSense based on signatures or anomalies. If the package contains a crime or vulnerability, the Next-Generation firewall pfSense will immediately prevent it by blocking malicious packages. Then, the Next-Generation firewall pfSense can immediately prevent and quarantine the computer that is the source of the attack so that it no longer launched prolonged attacks on the network. In this test, a compliant user was an official network access condition with specific requirements. Attack testing employed several sample attacks, namely TCP SYN attack, UDP flood attack, ICMP smurf attack, and DHCP starvation attack, using tool Hping3 and Yersinia on Kali Linux OS.

IV. EVALUATION RESULT AND DISCUSSION
The Next-Generation firewall that was used in this study as Intrusion Prevention System was open-source pfSense and Suricata. Next-Generation firewall pfSense will connect traditional firewall Mikrotik device and cisco distribution switch. Integrating traditional firewall Mikrotik and Next-Generation firewall pfSense and Suricata as Intrusion Prevention System is expected to prevent an attack from an internal network to a traditional firewall core network.
Next-Generation firewall pfSense and Suricata will prevent attacks from internal networks to a traditional firewall core network as the purpose of this study expects. The following are the results of attack tests that have been done with the Next-Generation firewall pfSense and Suricata.

A. TCP Syn Attack
Based on the tests that have been done, users tried TCP SYN attacks using Kali Linux with the hping3 tool on the target traditional firewall Mikrotik. The first attacker performed a port scan that was available on target. The commonly used target is the 80/HTTP service, as shown in Fig. 4. Then, the attack used the command hping3 -c 20000 -d 120 -S -w 64 -p 80 --flood --rand-source 192.168.10.1, as shown in Fig. 5, which aims to send the targeted attackers a large number of TCP SYN packets. Using only the traditional firewall Mikrotik, these attack attempts succeeded by exhausting traditional firewall resources and impacting performance. As shown in Fig. 6, these attacks can be performed because the traditional firewall Mikrotik cannot detect the TCP SYN attack pattern. However, using the enhancements of the Next-Generation firewall pfSense in this study, TCP SYN attack attempts were detected and blocked by pfSense. PfSense detects attack patterns and then blocks or prevents them before getting to the traditional firewall Mikrotik so that network performance becomes regular and smooth. As shown in Fig. 7, TCP SYN attacks can be mitigated by pfSense.

B. UDP Flood Attack
Based on the results of the second test, the UDP flood attack was carried out on a traditional firewall Mikrotik as a target by still using the hping3 tool, starting to attack the UDP 53 (DNS) protocol port with hping3, as seen in Fig. 8 using the CLI --flood --rand-source --UDP -p 53 192.168.10.1 command. This attack aimed to create and send many UDP datagrams from the pampered IP to the targeted traditional firewall Mikrotik. When the firewall receives this type of traffic, it cannot process each request and consume its bandwidth by sending ICMP "unreachable destination" packets. Using only a traditional firewall Mikrotik, these attack attempts succeeded by exhausting firewall resources and impacting performance. As shown in Fig. 9, using an additional device that was the Next-Generation firewall Pfsense in this study, UDP flood attack attempts were detected and blocked by pfSense. PfSense can detect attack patterns and then block or prevent them from getting to the traditional firewall Mikrotik so that network performance becomes regular and smooth. As shown in Fig. 10, the TCP SYN attack can be mitigated by pfSense. www.ijacsa.thesai.org

C. ICMP Smurf Attack
The third test was an ICMP smurf attack. This type of attack uses a large number of Internet Control Message Protocol (ICMP) ping firewall that targeted internet broadcast addresses, e.g., 192.168.1.255, using the command hping3 --Icmp --flood --rand-source -c 20000 --spoof 192.168.10.1 192.168.10.255. as seen in Fig. 11. This attack is aimed at all replies sent to the victim instead of the IP used for pinging. Using only a traditional firewall Mikrotik, this attack exhausts firewall resources and impacts performance, as shown in Fig. 12, because the traditional firewall cannot detect the pattern of ICMP smurf attack. However, using an enhancement that is the Next-Generation firewall Pfsense in this test, ICMP smurf attack attempt was detected and blocked by pfSense. PfSense can detect attack patterns and then block or prevent them from entering traditional firewalls so that network performance becomes regular and smooth. As shown in Fig. 13, the ICMP smurf attack can be mitigated by pfSense.

D. DHCP Starvation Attack
The last attack test was a DHCP hunger attack performed on a traditional firewall Mikrotik as a target using the Yersinia tool. As seen in Fig. 14, using a Mikrotik firewall, this attack can be detected and recognized so that DHCP hunger attacks do not make the traditional firewall Mikrotik down. Similarly, by using the additional Next-Generation firewall in this test, DHCP hunger strike attempts were detected and blocked by pfSense. PfSense can detect attack patterns and then block or prevent them from getting to the traditional firewall Mikrotik. As seen in Fig. 15, starvation attacks can be mitigated by traditional firewall Mikrotik and pfSense. (IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 12, No. 9, 2021 525 | P a g e www.ijacsa.thesai.org  Table VI summarizes the results based on the completed tests in this study. It shows significantly different results from using a traditional firewall only or integrating a traditional firewall with a Next-Generation firewall pfSense. The expected test results in this study can be achieved using the proposed solution. The proposed solution demonstrated that the Next-Generation firewall pfSense can prevent attacks from internal users and can reduce attacks from internal networks based on the test scenarios that have been done. With additional devices, Next-Generation firewall pfSense can improve network security compared to traditional firewall Mikrotik only. With the results of the tests that have been done in this research, the proposed solution is to integrate traditional firewall Mikrotik as a router with Next-Generation firewall pfSense that can mitigate against internal users who perform attacks from internal networks. Thus, network security with firewall system integration with a Next-Generation firewall can be increased compared to traditional firewall Mikrotik only.

V. CONCLUSION
Based on the test results conducted in this study, the proposed solution demonstrates that the Next-Generation firewall pfSense can prevent attacks from internal users and can reduce attacks from internal networks based on the test scenarios that have been done. With additional devices, the Next-Generation firewall pfSense can improve network security compared to traditional firewalls only. However, this study still has many limitations, especially on the type of attack tested. In this study, attack testing only targeted network devices with traditional firewall from internal networks only. It is recommended for further research to conduct attack testing from the public internet to the internal network in order to improve network security better.

ACKNOWLEDGMENT
The publication of this research is fully supported by Bina Nusantara University.