Academia.eduAcademia.edu

Outline

Title
Abstract
Figures
Introduction
Firewall Packet Filtering Background
Statistical Computation of Rule Recency
Related Work
Conclusion
References
All Topics
Computer Science
Cybersecurity

On autonomic optimization of firewall policy organization

Profile image of Ehab Al-ShaerEhab Al-Shaer

2006, Journal of High Speed Networks

Abstract

Security policies play a critical role in many of the current network security technologies such as firewalls, IPSec and IDS devices. The configuration of these policies not only determines the functionality of such devices, but also substantially affects their performance. The optimization of filtering policy configuration is critically important to provide high performance packet filtering particularly for high speed network security.

Figures (13)
Fig. 1. An example of a typical firewall packet filtering policy showing relation between rules 2, 3 and 4, and between rules 5 and 6. H. Hamed and E. Al-Shaer / On autonomic optimization of firewall policy organizatior
Fig. 1. An example of a typical firewall packet filtering policy showing relation between rules 2, 3 and 4, and between rules 5 and 6. H. Hamed and E. Al-Shaer / On autonomic optimization of firewall policy organizatior
Fig. 2. CCDF distribution of (a) flow size, and (b) flow duration for Internet traces at the University of Auckland. H. Hamed and E. Al-Shaer / On autonomic optimization of firewall policy organization Since all packets of a flow generally match the same filtering rule, our observations clearly indicate that few of the firewall policy rules are actually used for matching a significant portion of the traffic throughout considerable intervals of time. We call this property the locality of matching in firewall filtering. Previous studies [4] also support our conclusion as they show that about 90% of the packets match as little as 25% of the filtering rules in a large number of ingress routers/firewalls. This emphasizes that the idea of considering the contribution of rule matching in filtering policy optimization is useful and practical for improving the overall matching performance in firewalls.
Fig. 2. CCDF distribution of (a) flow size, and (b) flow duration for Internet traces at the University of Auckland. H. Hamed and E. Al-Shaer / On autonomic optimization of firewall policy organization Since all packets of a flow generally match the same filtering rule, our observations clearly indicate that few of the firewall policy rules are actually used for matching a significant portion of the traffic throughout considerable intervals of time. We call this property the locality of matching in firewall filtering. Previous studies [4] also support our conclusion as they show that about 90% of the packets match as little as 25% of the filtering rules in a large number of ingress routers/firewalls. This emphasizes that the idea of considering the contribution of rule matching in filtering policy optimization is useful and practical for improving the overall matching performance in firewalls.
where x; is a binary variable such that x; = 1 if rule R; is positioned at location / in the policy, and x;, = 0 otherwise. The minimization objective function (2) resembles the optimization problem described in | where the depth d; of rule R; is given by the expression )7/_, kaj, and w; is the rule weight. The computation of rule weights is described later is Section 5.1. Constraint (3) guarantees that every rule is positioned at exactly one location, while Constraint (4) ensures that any specific location is occupied by exactly one rule. Constraint (5) preserves the ordering precedence between dependent rules by ensuring that if rule R; has higher precedence over rule R; (R; — R;), then the order of R; in the policy should come before that of R,;.
where x; is a binary variable such that x; = 1 if rule R; is positioned at location / in the policy, and x;, = 0 otherwise. The minimization objective function (2) resembles the optimization problem described in | where the depth d; of rule R; is given by the expression )7/_, kaj, and w; is the rule weight. The computation of rule weights is described later is Section 5.1. Constraint (3) guarantees that every rule is positioned at exactly one location, while Constraint (4) ensures that any specific location is occupied by exactly one rule. Constraint (5) preserves the ordering precedence between dependent rules by ensuring that if rule R; has higher precedence over rule R; (R; — R;), then the order of R; in the policy should come before that of R,;.
Algorithm | describes the details of our heuristic. The algorithm takes as an input the rule list to be optimized and an optimization limit that represents an upper bound on the total weight of the selected rules in the optimization process, these are called the active rules. It first creates a Max-Heap [12] of filtering rules based on their weights (Line 2). The Max-Heap data structure stores the item with the maximum weight on the top, such that it can be retrieved in constant time. Rules (also called base rules) are sequentially picked from the heap in descending order
Algorithm | describes the details of our heuristic. The algorithm takes as an input the rule list to be optimized and an optimization limit that represents an upper bound on the total weight of the selected rules in the optimization process, these are called the active rules. It first creates a Max-Heap [12] of filtering rules based on their weights (Line 2). The Max-Heap data structure stores the item with the maximum weight on the top, such that it can be retrieved in constant time. Rules (also called base rules) are sequentially picked from the heap in descending order
Packet matching algorithm. Algorithm 2 describes the integration of the adaptive rule order optimization in a typical firewall packet matching module. The algorithm performs the standard packet matching procedure by matching the packet header against the rule list and performing the corresponding filtering action (Lines 2-15). As packets are received, the global packet counter is incremented, the local packet counter and virtual time register of the triggered rule are updated (Lines 1, 6, 7), and the current average number of matches and the performance deviation are computed using Eqs (17) and (18) (Line 17). If the current deviation exceeds the allowable threshold or the last periodic update interval expires, the rule order optimization algorithm in invoked after calculating the new rule weights (Lines 19, 21). Then, the global packet counter as well as the counter/register of every rule are reset to zero (Lines 22-26). H. Hamed and E. Al-Shaer / On autonomic optimization of firewall policy organization
Packet matching algorithm. Algorithm 2 describes the integration of the adaptive rule order optimization in a typical firewall packet matching module. The algorithm performs the standard packet matching procedure by matching the packet header against the rule list and performing the corresponding filtering action (Lines 2-15). As packets are received, the global packet counter is incremented, the local packet counter and virtual time register of the triggered rule are updated (Lines 1, 6, 7), and the current average number of matches and the performance deviation are computed using Eqs (17) and (18) (Line 17). If the current deviation exceeds the allowable threshold or the last periodic update interval expires, the rule order optimization algorithm in invoked after calculating the new rule weights (Lines 19, 21). Then, the global packet counter as well as the counter/register of every rule are reset to zero (Lines 22-26). H. Hamed and E. Al-Shaer / On autonomic optimization of firewall policy organization
Fig. 3. The effect of the total number of rules in the policy on rule order optimization: (a) average packet matching reduction, (b) deviatior from optimal solution. The second set of experiments study the impact of the number of active rules included in the optimization on the accuracy of our solution. The set of active rules is chosen from a policy composed of 200 filtering rules with 20% dependency ratio and 3 average dependency depth. The experiment is repeated for different values of the skewness factor s used to calculate the rule weights based on Zipf distribution. Figure 4(a) shows that for all values of s, the reduction in matching increases rapidly as the number of active rules increases up to 25% of the total number of rules. The experiment results also indicate that increasing the number of active rules beyond this point produces much less improvement, and the rate of improvement is significantly impacted by the skewness of the Zipf distribution. For example, for high skewness values (1.0—1.5), the matching reduction improves only by 10% when all the rules are included in the optimization. This indicates that even for a large number of firewall rules,
Fig. 3. The effect of the total number of rules in the policy on rule order optimization: (a) average packet matching reduction, (b) deviatior from optimal solution. The second set of experiments study the impact of the number of active rules included in the optimization on the accuracy of our solution. The set of active rules is chosen from a policy composed of 200 filtering rules with 20% dependency ratio and 3 average dependency depth. The experiment is repeated for different values of the skewness factor s used to calculate the rule weights based on Zipf distribution. Figure 4(a) shows that for all values of s, the reduction in matching increases rapidly as the number of active rules increases up to 25% of the total number of rules. The experiment results also indicate that increasing the number of active rules beyond this point produces much less improvement, and the rate of improvement is significantly impacted by the skewness of the Zipf distribution. For example, for high skewness values (1.0—1.5), the matching reduction improves only by 10% when all the rules are included in the optimization. This indicates that even for a large number of firewall rules,
Fig. 4. The effect of the number of active rules in the policy on rule order optimization: (a) average packet matching reduction, (b) deviation from optimal solution. H. Hamed and E. Al-Shaer / On autonomic optimization of firewall policy organization
Fig. 4. The effect of the number of active rules in the policy on rule order optimization: (a) average packet matching reduction, (b) deviation from optimal solution. H. Hamed and E. Al-Shaer / On autonomic optimization of firewall policy organization
Fig. 5. The effect of the average number of dependent rules on rule order optimization: (a) average packet matching reduction, (b) deviation from optimal solution.
Fig. 5. The effect of the average number of dependent rules on rule order optimization: (a) average packet matching reduction, (b) deviation from optimal solution.
Fig. 6. The effect of the average ratio of dependent rules on rule order optimization: (a) average packet matching reduction, (b) deviation from optimal solution. H. Hamed and E. Al-Shaer / On autonomic optimization of firewall policy organization
Fig. 6. The effect of the average ratio of dependent rules on rule order optimization: (a) average packet matching reduction, (b) deviation from optimal solution. H. Hamed and E. Al-Shaer / On autonomic optimization of firewall policy organization
Fig. 8. The effect of the recency decay factor on average matching reduction when packet filtering is applied to (a) simulated traffic, (b) real Internet traffic. Fig. 7. The effect of rule recency factor on average matching reduction when packet filtering is applied to (a) simulated traffic, (b) real Internet traffic.
Fig. 8. The effect of the recency decay factor on average matching reduction when packet filtering is applied to (a) simulated traffic, (b) real Internet traffic. Fig. 7. The effect of rule recency factor on average matching reduction when packet filtering is applied to (a) simulated traffic, (b) real Internet traffic.
H. Hamed and E. Al-Shaer / On autonomic optimization of firewall policy organization
H. Hamed and E. Al-Shaer / On autonomic optimization of firewall policy organization
Fig. 9. The effect of optimization weight limit on average matching reduction when packet filtering is applied to (a) simulated traffic, (b) real Internet traffic. H. Hamed and E. Al-Shaer / On autonomic optimization of firewall policy organization
Fig. 9. The effect of optimization weight limit on average matching reduction when packet filtering is applied to (a) simulated traffic, (b) real Internet traffic. H. Hamed and E. Al-Shaer / On autonomic optimization of firewall policy organization
Fig. 10. Dynamics of rule order optimization: (a) deviation from optimal performance during a rush hour, (b) hourly-average matching reduction throughout a weekday.
Fig. 10. Dynamics of rule order optimization: (a) deviation from optimal performance during a rush hour, (b) hourly-average matching reduction throughout a weekday.

Related papers

Design and implementation of firewall policy advisor tools
Ehab Al-Shaer

DePaul University, CTI, Tech. Rep, 2002

Firewalls are core elements in network security. However, managing firewall rules, especially for enterprise networks, has become complex and error-prone. Firewall filtering rules have to be carefully written and organized in order to correctly implement the security policy. In ...

View PDFchevron_right
Dynamic rule and rule-field optimisation for improving firewall performance and security
Zouheir Trabelsi

This paper presents a novel approach to improve firewall packet filtering through optimizing the order of firewall rules for early packet acceptance as well as the order of rule-fields for early packet rejection. The proposed approach is based on the calculation of the histograms of packet matching rules and of packet not matching rule-fields. These histograms are able to effectively monitor firewall performance in real-time and to predict the patterns of packet filtering in terms of rules order and rule-fields order. Furthermore, the proposed approach becomes even more significant when firewall is heavily loaded with burst traffic. A comparison of the proposed approach and the other conventional approaches, including static rule order approach and dynamic rule order approach is presented. The numerical results obtained by simulations demonstrate that the proposed approach is able to significantly improve the firewall efficiency in terms of cumulative processing time compared to other conventional approaches. Furthermore, the proposed scheme also has capability to significantly reduce the effect of many common network attacks on firewall performance.

View PDFchevron_right
An Automated Framework for Validating Firewall Policy Enforcement
Ehab Al-Shaer

2007

The implementation of network security devices such as firewalls and IDSs are constantly being improved to accommodate higher security and performance standards. Using reliable and yet practical techniques for testing the functionality of firewall devices particularly after new filtering implementation or optimization becomes necessary to assure proven security. Generating random traffic to test the functionality of firewall matching is inefficient and inaccurate as it requires an exponential number of test cases for a reasonable coverage. In addition, in most cases the policies used during testing are limited and manually generated representing fixed policy profiles.

View PDFchevron_right
A History and Survey of Network Firewalls
jeffrey pardillo

Firewalls are network devices which enforce an organization's security policy. Since their development, various methods have been used to implement firewalls. These methods filter network traffic at one or more of the seven layers of the ISO network model, most commonly at the application, transport, and network, and data-link levels. In addition, researchers have developed some newer methods, such as protocol normalization and distributed firewalls, which have not yet been widely adopted. Firewalls involve more than the technology to implement them. Specifying a set of filtering rules, known as a policy, is typically complicated and error-prone. High-level languages have been developed to simplify the task of correctly defining a firewall's policy. Once a policy has been specified, the firewall needs to be tested to determine if it actually implements the policy correctly. Little work exists in the area of firewall theory; however, this article summarizes what exists. Because some data must be able to pass in and out of a firewall, in order for the protected network to be useful, not all attacks can be stopped by firewalls. Some emerging technologies, such as Virtual Private Networks (VPN) and peer-to-peer networking pose new challenges for firewalls.

View PDFchevron_right
On the Security of Firewall Policy Deployment
A. Kartit

Due to the sensitive nature of information transmitted during a policy deployment, the communication between management tool and firewall should be confidential. Confidentiality can be achieved by using encrypted communication protocols such as SSH, SSL and IPSec. Much research has already addressed the specification of policies, conflict detection and optimization, but very little research is devoted to the security of policy deployment. In the previous article [1], we proposed an exact algorithm for the deployment of security policies but in this paper, we will propose an effective solution that will allow us to secure the deployment process of a political target. This solution has the objective to create secure tunnels between the different entities (firewalls).

View PDFchevron_right
Optimization of Firewall Rules
Predrag Pale

2007 29th International Conference on Information Technology Interfaces, 2007

Network performance highly depends on efficiency of the firewall because for each network packet which enters or leaves the network a decision has to be made whether to accept it or reject it. This paper presents one approach to rule optimization solutions for improving firewall performance. The new software solution has been developed based on relations between rules. Its main purpose is to remove anomalies in ordering of Linux firewall rules and to merge similar rules.

View PDFchevron_right
Development framework for firewall processors
Yusuf William

2002

ci-easing size, speed aitdjle.ribiliry of advanced reconfrgirrnble hardware. Howevez direcr rranslation of convem tionalfirewall rides in a rotaer-based rule set ofen leads to iireflciem liardware iiiipleiiie,itario,i. Moreovez such lowlevel desci-iprioii of firewall rides teiids to be difficult f o ,nariage mid to exrerid. We describe a frariiework, based on rhr high-level policy speclfcation language Pondec for crii~tiii-iitSfirei,,nll rides as aurkorizatioii policies with userdefiiloble coiistraiias. Oiir framework supports opriinisarioits to achieve efficient u~ilisation ofhardware resources. A pipeliiied firewall impleineittarion developed using this approach riritiiiiig af IOMHz is capable ofprocessing 2.5 niillioii packers per secoiid, which provides similar perforiiiniice ro a versioii withotit optimisarion and is about 50 rimes fuster than n mufmure implemerzmrion running on a 7OOMHz PI11 processor:

View PDFchevron_right
Conflict classification and analysis of distributed firewall policies
Ehab Al-Shaer

IEEE Journal on Selected Areas in Communications, 2005

Firewalls are core elements in network security. However, managing firewall rules, particularly, in multifirewall enterprise networks, has become a complex and error-prone task. Firewall filtering rules have to be written, ordered, and distributed carefully in order to avoid firewall policy anomalies that might cause network vulnerability. Therefore, inserting or modifying filtering rules in any firewall requires thorough intrafirewall and interfirewall analysis to determine the proper rule placement and ordering in the firewalls. In this paper, we identify all anomalies that could exist in a single-or multifirewall environment. We also present a set of techniques and algorithms to automatically discover policy anomalies in centralized and distributed firewalls. These techniques are implemented in a software tool called the "Firewall Policy Advisor" that simplifies the management of filtering rules and maintains the security of next-generation firewalls.

View PDFchevron_right
On the Correctness of Firewall Policy Deployment
A. Kartit

Firewall policies can contain several thousand rules due to the large size and complex structure of modern networks. The size and complexity of these policies require automated tools providing a user-friendly environment to specify, configure and safely deploy a target policy. In this paper, we show that naïve deployment approaches can easily create a temporary security hole by permitting illegal traffic or interrupt service by rejecting legal traffic during the deployment. We make some contributions to the correctness of firewall policy deployments and we show that the category of type I policy editing is wrong and could lead to security vulnerabilities. We then provide a correct algorithm for publishing political class type I. Our algorithm can be used even for the deployment of policies whose size is very important.

View PDFchevron_right
Firewall design: Consistency, completeness, and compactness
Yonara Da Costa

Distributed Computing Systems, 2004. …, 2004

A firewall is often placed at the entrance of each private network in the Internet. The function of a firewall is to examine each packet that passes through the entrance and decide whether to accept the packet and allow it to proceed or to discard the packet. A firewall is usually designed as a sequence of rules. To make a decision concerning some packets, the firewall rules are compared, one by one, with the packet until one rule is found to be satisfied by the packet: this rule determines the fate of the packet. In this paper, we present the first ever method for designing the sequence of rules in a firewall to be consistent, complete, and compact. Consistency means that the rules are ordered correctly, completeness means that every packet satisfies at least one rule in the firewall, and compactness means that the firewall has no redundant rules. Our method starts by designing a firewall decision diagram (FDD, for short) whose consistency and completeness can be checked systematically (by an algorithm). We then apply a sequence of five algorithms to this FDD to generate, reduce and simplify the target firewall rules while maintaining the consistency and completeness of the original FDD.

View PDFchevron_right

References (30)

  1. E. Al-Shaer and H. Hamed, Modeling and management of firewall policies. IEEE Transactions on Network and Service Management 1(1) (2004), 2-10.
  2. D. Bertsimas and J. Tsitsiklis, Introduction to Linear Optimization, Athena Scientific, 1997.
  3. D. Chapman and E. Zwicky, Building Internet Firewalls, 2nd edn, Orielly & Associates Inc., 2000.
  4. E. Cohen and C. Lund, Packet classification in large ISPs: Design and evaluation of decision tree classifiers, ACM SIGMETRICS Perfor- mance Evaluation Review 33(1) (2005), 73-84.
  5. A. Feldmann and S. Muthukrishnan, Tradeoffs for packet classification, in: IEEE INFOCOM'00, 2000, pp. 1193-1202.
  6. R. Graham, E. Lawler, J. Lenstra and A. Kan, Optimization and approximation in deterministic sequencing and scheduling: A surevey, Annals of Discrete Mathematics 5 (1979), 287-326.
  7. P. Gupta and N. McKeown, Algorithms for packet classification, IEEE Network 15(2) (2001), 24-32.
  8. P. Gupta and N. McKeown, Packet classification using hierarchical intelligent cuttings, in: ACM SIGCOMM, 1999, pp. 147-160.
  9. P. Gupta, B. Prabhakar and S. Boyd, Near optimal routing lookups with bounded worst case performance, in: IEEE INFOCOM'00, 2000, pp. 1184-1192.
  10. H. Hamed and E. Al-Shaer, Dynamic rule-ordering optimization for high-speed firewall filtering, in: ACM AsiaCCS'06, 2006.
  11. H. Hamed, A. El-Atawy and E. Al-Shaer, Adaptive statistical optimization techniques for firewall packet filtering, Technical Report CTI-TR-05-012, DePaul University, 2005.
  12. D. Knuth, Fundamental Algorithms, Volume 1 of The Art of Computer Programming, 3rd edn, Addison-Wesley, Reading, MA, 1997.
  13. K. Lan and J. Heidemann, On the correlation of Internet flow characteristics, Technical Report ISI-TR-574, USC/ISI, 2003.
  14. E. Lawler, Sequencing jobs to minimize total weighted completion time subject to precedence constraints, Annals of Discrete Mathematics 2 (1978), 75-90.
  15. J. Lenstra and A. Kan, Complexity of scheduling under precendence constraints, Operations Research 26(1) (1978).
  16. D. MacKay, Information Theory, Inference, and Learning Algorithms, 2nd edn, University of Cambridge, 2003.
  17. A.J. McAulay and P. Francis, Fast routing table lookup using CAMs, in: IEEE INFOCOM'93, 1993, pp. 1382-1391.
  18. J. Qian, S. Hinrichs and K. Nahrstedt, ACLA: A framework for access control list (ACL) analysis and optimization, in: IFIP Communi- cations and Multimedia Security, 2001, p. 4.
  19. R. Rivest, On self-organizing sequential search heuristics, Communications of the ACM 19(2) (1976), 63-67.
  20. A. Schulz, Scheduling to minimize total weighted completion time: Performance guarantees of LP-based heuristics and lower bounds, in: The 5th International IPCO Conference, 1996, pp. 301-315.
  21. V. Srinivasan, S. Suri and G. Varghese, Packet classification using tuple space search, in: ACM SIGCOMM Communication Review, 1999, pp. 135-146.
  22. Cisco Systems, Optimizing ACLs. User Guide for ACL Manager 1.4, CiscoWorks2000, 2002.
  23. Cisco Systems, Netflow services solutions guide, October 2004.
  24. D. Taylor and J. Turner, Scalable packet classification using distributed crossproducting of field labels, in: IEEE INFOCOM, 2005, pp. 1-12.
  25. SimJava v2.0, Process based discrete event simulation package for java, http://www.dcs.ed.ac.uk/home/hase/simjava/, 2002.
  26. J. Wallerich, H. Dreger, A. Feldmann, B. Krishnamurthy and W. Willinger, A methodology for studying persistency aspects of Internet flows, ACM SIGCOMM Computer Communication Review 35 (2005), 23-36.
  27. T.Y.C. Woo, A modular approach to packet classification: Algorithms and results, in: IEEE INFOCOM'00, 2000, pp. 1213-1222.
  28. A. Wool, A quantitative study of firewall configuration errors, IEEE Computer 37(6) (2004), 62-67.
  29. L. Zhang, Virtual clock: A new traffic control algorithm for packet switching networks, in: The ACM symposium on Communications Architectures and Protocols, 1990, pp. 101-124.
  30. G. Zipf, Human Behaviour and the Principle of Least-Effort, Addison-Wesley, 1949.

Related papers

A heuristic approach for firewall policy optimization
el-sayed el-alfy

2007

⎯ A primary goal of this paper is to develop a heuristic approach based on genetic algorithms to enhance the firewall performance. Typical firewall policies may have thousands of rules and determining an optimal rule order that minimizes the average number of rule comparisons while maintaining the policy integrity is proven to be NP-hard. This problem is formulated as a binary integer program for which an optimal solution is obtained using the branch-and-bound technique. Then an alternative solution approach is devised based on genetic algorithms. Several experiments are conducted to evaluate the effectiveness of the proposed approach as compared to other rule-ordering techniques. Empirical results show the potential and flexibility of the proposed approach.

View PDFchevron_right
Modeling and Management of Firewall Policies
Ehab Al-Shaer

IEEE Transactions on Network and Service Management, 2004

Firewalls are core elements in network security. However, managing firewall rules, especially for enterprize networks, has become complex and error-prone. Firewall filtering rules have to be carefully written and organized in order to correctly implement the security policy. In addition, inserting or modifying a filtering rule requires thorough analysis of the relationship between this rule and other rules in order to determine the proper order of this rule and commit the updates. In this paper, we present a set of techniques and algorithms that provide (1) automatic discovery of firewall policy anomalies to reveal rule conflicts and potential problems in legacy firewalls, and (2) anomaly-free policy editing for rule insertion, removal and modification. This is implemented in a user-friendly tool called "Firewall Policy Advisor." The Firewall Policy Advisor significantly simplifies the management of any generic firewall policy written as filtering rules, while minimizing network vulnerability due to firewall rule misconfiguration.

View PDFchevron_right
A policy-based approach to firewall management
Edmundo Monteiro

2002

Abstract: This paper describes a policy-based approach to firewall management. The Policy-Based Networking (PBN) architecture proposed by the Policy Framework Group of IETF is analysed, together with the communication protocols, policy specification languages, and the necessary information models. The paper continues with a description of an application of the PBN architecture to firewall management. The proposed architecture is presented and its implementation issues are analysed with some usage examples.

View PDFchevron_right
Towards a New Algorithm More Efficient for Updating Firewall Policies 1
A. Kartit

2014

Firewall is one of the most widely utilized compone nt on any network architecture, since that a deploy ment is a very important step to turn the initial policy to a target policy. This policy requires automated tools in order to create a suitable environment for configur ing or deploying safely a policy target. Most resea rchers are interested in detection of conflicts or the pro blem of optimization of policies firewall while few of them have proposed deployment strategies for two importa nt types of edition policies. We have already propo sed a correct algorithm for the deployment type I [0]. In this work we study one of these strategies that falls within the type II edition policies. We show that t he proposed solution of type II edition [1] is not fully correct and lead to security vulnerabilities, and t hen we offer a few corrections and improvements for this type of editing.

View PDFchevron_right
Adaptive optimization of packet filtering devices performance ensuring a conflict-free network configuration
G. Maiolini, Andrea Baiocchi

IEEE INFOCOM 2008 - IEEE Conference on Computer Communications Workshops, 2008

Security rules management in firewall and security gateway is a hard and error prone task as administrators must correctly implement and update a large amount of policies especially when rapid changing occurs due to new security needs. The challenge to address in multi-firewall and security gateway environment is to implement conflict-free policies, necessary to avoid security inconsistency, and to optimize, at the same time, performances in term of average filtering time, in order to make firewalls stronger against DoS and DDoS attacks. Additionally the approach should be real time, based on the characteristics of network traffic. There is a vast amount of literature on security policy conflict detection and resolution and on device rule set shaping to improve policy implementation performance. Our work defines an algorithm to find conflict free optimized device rule sets in real time, by relying on information gathered from traffic analysis. We show results obtained from our test environment confirming that operational costs of devices could be improved based on traffic analysis via log files of the security device. We demonstrate computational power savings up to 24% with fully conflict free device policies.

View PDFchevron_right

Related topics

  • Dynamic Optimization
  • Security Requirements
  • High speed networks
  • Packet filtering
  • Electrical and Electronic Engine...
    • 580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved