Towards a Packet Classification Benchmark
Packet classification is the enabling technology for next generation network services and often the primary bottleneck in high-performance routers. Due to the importance and complexity of the problem, a myriad of algorithms and resulting implementations exist. The performance and capacity of many algorithms and classification devices, including TCAMs, depend upon properties of the filter set and query patterns. Unlike microprocessors in the field of computer architecture, there are no standard performance evaluation tools or techniques available to evaluate packet classification algorithms and products. Network service providers are reluctant to distribute copies of real filter databases for security and confidentiality reasons, hence realistic test vectors are a scarce commodity. The small subset of the research community who obtain real databases either limit performance evaluation to the small sample space or employ ad hoc methods of modifying those databases. We present a tool for creating synthetic filter databases that retain characteristics of a seed database and provide systematic mechanisms for varying the number and composition of the filters. We propose a benchmarking methodology based on this tool that provides a mechanism for evaluating packet classification performance on a uniform scale. We seek to initiate a broader discussion within the community that will result in a standard packet classification benchmark.
ClassBench: A Packet Classification Benchmark
Due to the importance and complexity of the packet classification problem, a myriad of algorithms and resulting implementations exist. The performance and capacity of many algorithms and classification devices, including TCAMs, depend upon properties of the filter set and query patterns. Unlike microprocessors in the field of computer architecture, there are no standard performance evaluation tools or techniques available to evaluate packet classification algorithms and products. Network service providers are reluctant to distribute copies of real filter sets for security and confidentiality reasons, hence realistic test vectors are a scarce commodity. The small subset of the research community who obtain real filter sets either limit performance evaluation to the small sample space or employ ad hoc methods of modifying those filter sets. In response to this problem, we present ClassBench, a suite of tools for benchmarking packet classification algorithms and devices. ClassBench includes a Filter Set Generator that produces synthetic filter sets that accurately model the characteristics of real filter sets. Along with varying the size of the filter sets, we provide high-level control over the composition of the filters in the resulting filter set. The tool suite also includes a Trace Generator that produces a sequence of packet headers to exercise the synthetic filter set. Along with specifying the relative size of the trace, we provide a simple mechanism for controlling locality of reference in the trace. While we have already found ClassBench to be very useful in our own research, we seek to initiate a broader discussion and solicit input from the community to guide the refinement of the tools and codification of a formal benchmarking methodology.
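The two abstracts above describe the same idea: profile a seed filter set that cannot be shared, then emit synthetic filters that reproduce its statistics while letting the user scale the size and change the composition. The following is an added example written for this page, not ClassBench's own generator or file format. It assumes a 5-tuple filter model (source prefix, destination prefix, protocol, destination-port range, action); the seed set, the retained characteristics and the `proto_mix` knob are all constructed for illustration.

```python
# Added example: seed-driven synthetic filter-set generation (not ClassBench code).
import random
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Counter as CounterT, List, Optional, Tuple


@dataclass(frozen=True)
class Filter:
    src: IPv4Network
    dst: IPv4Network
    proto: str                # "tcp", "udp", "icmp" or "any"
    dport: Tuple[int, int]    # inclusive destination-port range
    action: str


def port_class(rng: Tuple[int, int]) -> str:
    """Bucket a port range as a seed profile would: wildcard, exact port, or range."""
    lo, hi = rng
    if (lo, hi) == (0, 65535):
        return "any"
    return "exact" if lo == hi else "range"


# Constructed seed set standing in for a real (confidential) filter database.
SEED: List[Filter] = [
    Filter(IPv4Network("10.0.0.0/8"), IPv4Network("0.0.0.0/0"), "tcp", (22, 22), "drop"),
    Filter(IPv4Network("0.0.0.0/0"), IPv4Network("192.0.2.0/24"), "tcp", (443, 443), "accept"),
    Filter(IPv4Network("10.1.0.0/16"), IPv4Network("192.0.2.10/32"), "tcp", (1024, 65535), "accept"),
    Filter(IPv4Network("0.0.0.0/0"), IPv4Network("0.0.0.0/0"), "udp", (53, 53), "accept"),
    Filter(IPv4Network("198.51.100.0/24"), IPv4Network("0.0.0.0/0"), "any", (0, 65535), "drop"),
    Filter(IPv4Network("0.0.0.0/0"), IPv4Network("203.0.113.0/24"), "icmp", (0, 65535), "accept"),
]


def profile(filters: List[Filter]) -> dict:
    """Characteristics retained from the seed: the joint src/dst prefix-length
    distribution, the protocol mix, the port-specification kind per protocol,
    and the action mix. These are the properties that drive TCAM/algorithm cost."""
    return {
        "prefix_pairs": Counter((f.src.prefixlen, f.dst.prefixlen) for f in filters),
        "protos": Counter(f.proto for f in filters),
        "ports": Counter((f.proto, port_class(f.dport)) for f in filters),
        "actions": Counter(f.action for f in filters),
    }


def _draw(counter: CounterT, rng: random.Random):
    keys, weights = zip(*counter.items())
    return rng.choices(keys, weights=weights, k=1)[0]


def _random_prefix(length: int, rng: random.Random) -> IPv4Network:
    # A random network of the requested length; strict=False masks host bits.
    bits = rng.getrandbits(32) if length else 0
    return IPv4Network((bits, length), strict=False)


def _random_ports(kind: str, rng: random.Random) -> Tuple[int, int]:
    if kind == "any":
        return (0, 65535)
    if kind == "exact":
        p = rng.randint(1, 65535)
        return (p, p)
    lo = rng.randint(1, 65534)
    return (lo, rng.randint(lo + 1, 65535))


def generate(seed: List[Filter], n: int, rng: random.Random,
             proto_mix: Optional[CounterT] = None) -> List[Filter]:
    """Produce n synthetic filters drawn from the seed's profile. `proto_mix`
    (protocol -> weight) overrides the seed's protocol distribution so the
    composition can be varied independently of the size."""
    prof = profile(seed)
    protos = proto_mix if proto_mix is not None else prof["protos"]
    out = []
    for _ in range(n):
        proto = _draw(protos, rng)
        slen, dlen = _draw(prof["prefix_pairs"], rng)
        # Port kinds are conditioned on protocol; unseen protocols get a wildcard.
        kinds = Counter({k[1]: v for k, v in prof["ports"].items() if k[0] == proto})
        kind = _draw(kinds, rng) if kinds else "any"
        out.append(Filter(_random_prefix(slen, rng), _random_prefix(dlen, rng),
                          proto, _random_ports(kind, rng), _draw(prof["actions"], rng)))
    return out


if __name__ == "__main__":
    synth = generate(SEED, 1000, random.Random(1))
    print("seed  :", profile(SEED)["prefix_pairs"])
    print("synth :", profile(synth)["prefix_pairs"])
```

Scaling is just `n`; composition is changed by passing a different `proto_mix` (or, by the same pattern, a different prefix-length or port-kind distribution). Because every sampled characteristic comes from the seed's own histogram, a larger synthetic set converges to the seed's distribution rather than to a uniform one, which is the property a benchmark needs if it is to predict performance on the real database.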
An SDN-based firewall shunt for data-intensive science applications
A dissertation submitted to the Faculty of Engineering and the Built Environment, University of the Witwatersrand, Johannesburg, in fulfilment of the requirements for the degree of Master of Science in Engineering, 2016
Data-intensive research computing requires the capability to transfer files over long distances at high throughput. Stateful firewalls introduce sufficient packet loss to prevent researchers from fully exploiting high bandwidth-delay network links [25]. To work around this challenge, the science DMZ design [19] trades off stateful packet filtering capability for loss-free forwarding via an ordinary Ethernet switch. We propose a novel extension to the science DMZ design, which uses an SDN-based firewall. This report introduces NFShunt, a firewall based on Linux's Netfilter combined with OpenFlow switching. Implemented as an OpenFlow 1.0 controller coupled to Netfilter's connection tracking, NFShunt allows the bypass-switching policy to be expressed as part of an iptables firewall rule-set. Our implementation is described in detail, and latency of the control-plane mechanism is reported. TCP throughput and packet loss are shown at various round-trip latencies, with comparisons to pure switching, as well as to a high-end Cisco firewall. Cost, as well as operations and maintenance aspects, are compared and analysed. The results support reported observations regarding firewall-introduced packet loss, and indicate that the SDN design of NFShunt is a technically viable and cost-effective approach to enhancing a traditional firewall to meet the performance needs of data-intensive researchers.
Adaptive conflict-free optimization of rule sets for network security packet filtering devices
Packet filtering and processing rules management in firewalls and security gateways has become commonplace in increasingly complex networks. On one side there is a need to maintain the logic of high level policies, which requires administrators to implement and update a large number of filtering rules while keeping them conflict-free, that is, avoiding security inconsistencies. On the other side, traffic-adaptive optimization of large rule lists is useful for general purpose computers used as filtering devices, without specifically designed hardware, to face growing link speeds and to harden filtering devices against DoS and DDoS attacks. Our work joins the two issues in an innovative way and defines a traffic-adaptive algorithm to find conflict-free optimized rule sets, relying on information gathered from traffic logs. The proposed approach suits current technology architectures and exploits available features, like traffic log databases, to minimize the impact of ACO development on the packet filtering devices. We demonstrate the benefit entailed by the proposed algorithm through measurements on a test bed made up of real-life, commercial packet filtering devices.
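The abstract's two constraints, use log-derived hit counts to move popular rules forward while never reordering rules whose swap would change the policy, can be made concrete. The following is an added example written for this page, not the paper's algorithm or a vendor implementation: it assumes first-match semantics, treats two rules as conflicting only when their match spaces overlap and their actions differ, and uses a greedy weighted topological sort. Rule names, hit counts and test packets are constructed.

```python
# Added example: traffic-adaptive, conflict-free reordering of a first-match
# rule list (illustrative code, not the paper's implementation).
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str               # "tcp", "udp" or "any"
    dport: Tuple[int, int]   # inclusive destination-port range
    action: str              # "accept" or "drop"


def R(name, src, dst, proto, lo, hi, action) -> Rule:
    return Rule(name, ip_network(src), ip_network(dst), proto, (lo, hi), action)


# Original administrator-written order (first match wins). Constructed sample.
RULES: List[Rule] = [
    R("R1", "10.0.0.0/8", "0.0.0.0/0", "tcp", 22, 22, "drop"),
    R("R2", "0.0.0.0/0", "192.0.2.0/24", "tcp", 443, 443, "accept"),
    R("R3", "10.0.0.0/8", "0.0.0.0/0", "any", 0, 65535, "accept"),
    R("R4", "0.0.0.0/0", "0.0.0.0/0", "udp", 53, 53, "accept"),
    R("R5", "198.51.100.0/24", "0.0.0.0/0", "any", 0, 65535, "drop"),
]
# First-match hit counts as aggregated from traffic logs (constructed values).
HITS: Dict[str, int] = {"R1": 50, "R2": 9000, "R3": 3000, "R4": 4000, "R5": 20}


def overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet could match both rules."""
    if not (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)):
        return False
    if "any" not in (a.proto, b.proto) and a.proto != b.proto:
        return False
    return a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1]


def conflicts(a: Rule, b: Rule) -> bool:
    """Overlapping rules with different actions must keep their relative order;
    swapping them changes which action a shared packet receives."""
    return a.action != b.action and overlaps(a, b)


def optimize(rules: List[Rule], hits: Dict[str, int]) -> List[Rule]:
    """Greedy weighted topological sort over the conflict precedence graph:
    repeatedly emit the most-hit rule whose conflicting predecessors (rules
    that precede it in the original order) are already emitted. Greedy is a
    heuristic, not optimal, but every output order is conflict-free."""
    n = len(rules)
    preds = {i: {j for j in range(i) if conflicts(rules[j], rules[i])} for i in range(n)}
    done, order = set(), []
    while len(order) < n:
        ready = [i for i in range(n) if i not in done and preds[i] <= done]
        best = max(ready, key=lambda i: (hits.get(rules[i].name, 0), -i))
        done.add(best)
        order.append(rules[best])
    return order


def decide(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> Optional[str]:
    """First-match evaluation; None means no rule matched (device default policy)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst and r.proto in ("any", proto)
                and r.dport[0] <= dport <= r.dport[1]):
            return r.action
    return None


def avg_rules_inspected(rules: List[Rule], hits: Dict[str, int]) -> float:
    """Expected number of rules evaluated per logged packet under this order."""
    total = sum(hits.get(r.name, 0) for r in rules)
    return sum((k + 1) * hits.get(r.name, 0) for k, r in enumerate(rules)) / total


if __name__ == "__main__":
    new = optimize(RULES, HITS)
    print([r.name for r in new])
    print(round(avg_rules_inspected(RULES, HITS), 2), "->",
          round(avg_rules_inspected(new, HITS), 2))
```

Two caveats a practitioner should keep in mind. The precedence constraint is only between overlapping rules with different actions, so overlapping same-action rules may swap; after such a swap the logs attribute those packets to a different rule, which is why the profile has to be rebuilt from fresh logs periodically rather than computed once (the adaptive part of the abstract). And the greedy choice can leave a low-hit rule (R1 above) in front of a high-hit one it guards (R3); a better heuristic weighs a rule by the hits of everything it blocks, at the cost of more computation on the filtering device.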
Evaluation of Embedded Firewall System
The performance aspect and security capabilities of the Embedded Firewall (EFW) system are studied in this thesis. EFW is a host-based, centrally controlled firewall system consisting of network interface cards and the "Policy Server" software. A network consisting of EFW clients and a Policy Server is set up in the Advanced Network Laboratory at the Naval Postgraduate School. The Smartbits packet generator is used to simulate a realistic data transfer environment. The evaluation is centered on two main categories: performance analysis and security capability tests. The TTCP program and a script written in TCL are used to perform throughput and packet loss tests respectively. Penetration and vulnerability tests are conducted in order to analyze the security capabilities of EFW. Symantec Personal Firewall is used as a representative application firewall for comparing test results. Our study shows that EFW performs better, especially on connections carrying large amounts of encrypted traffic, and is more effective at preventing insider attacks. However, the current implementation of EFW has some weaknesses, such as not supporting the sophisticated rules that application firewalls usually allow. We recommend that EFW be used as one of the protection mechanisms in a system based on the defense-in-depth concept that consists of application firewalls, intrusion detection systems and gateway protocols.
http://archive.org/details/evaluationofembe109452241
Approved for public release; distribution is unlimited
Generating citizen trust in e-government using a trust verification agent: A research note
Generating Citizen Trust in e-Government using a Trust Verification Agent
This is an eGISE network paper. It is motivated by a concern about the extent to which trust issues inhibit a citizen's take-up of online public sector services or engagement with public decision and policy making. A citizen's decision to use online systems is influenced by their willingness to trust the environment and agency involved. This project addresses one aspect of individual 'trust' decisions by providing support for citizens trying to evaluate the implications of the security infrastructure provided by the agency. Based on studies of the way both groups (citizens and agencies) express their concerns and concepts in the security area, the project will develop a software tool, a trust verification agent (TVA), that can take an agency's security statements (or security audit) and infer how effectively this meets the security concerns of a particular citizen. This will enable citizens to state their concerns and obtain an evaluation of the agency's provision in appropriate 'citizen friendly' language. Further, by employing rule-based expert systems techniques the TVA will also be able to explain its evaluation.
Engineering and Physical Sciences Research Council, UK (grant GR/T27020/01)