Extending Firewall Session Table to Accelerate NAT, QoS Classification and Routing
Security and QoS are the two most precious objectives for network systems to
attain. Unfortunately, they are in conflict: while QoS tries to minimize
processing delay, strong security protection requires more processing time and
causes packet delay. This article is a step towards resolving this conflict by
extending the firewall session table to accelerate NAT, QoS classification, and
routing processing time while providing the same level of security protection.
Index Terms: stateful packet filtering; firewall; session/state table; QoS;
NAT; Routing
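The idea the abstract describes, a session table that caches not only the filtering verdict but also the NAT, QoS and routing decisions taken for a flow, can be sketched in a few dozen lines. The example below is added here and is not the paper's own code or design: the policy tables (the ACL, the SNAT address 203.0.113.1, the QoS map and the routes), the `Packet` tuple and the `Firewall` class are all constructed for illustration. The first packet of a flow takes the slow path once; every later packet of the flow, in either direction, is served from the cached entry.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")

# Constructed policy (example data): tiny ACL, one SNAT address, QoS map and routes
INSIDE = ipaddress.ip_network("10.0.0.0/8")
PUBLIC_IP = "203.0.113.1"
ROUTES = [(ipaddress.ip_network("198.51.100.0/24"), "eth1"),
          (ipaddress.ip_network("10.0.0.0/8"), "eth0"),
          (ipaddress.ip_network("0.0.0.0/0"), "eth2")]


def acl_allows(pkt):
    # allow only TCP from the inside network to web ports; everything else is denied
    return (pkt.proto == "tcp" and ipaddress.ip_address(pkt.src) in INSIDE
            and pkt.dport in (80, 443))


def qos_class(pkt):
    return "ef" if pkt.dport == 443 else "be"


def next_hop(ip):
    addr = ipaddress.ip_address(ip)
    # ROUTES is ordered most specific first, so the first hit is the longest match
    return next(iface for net, iface in ROUTES if addr in net)


class Firewall:
    def __init__(self):
        self.sessions = {}        # 5-tuple -> cached decisions for that direction
        self.next_nat_port = 50000
        self.slow_path_calls = 0  # how often the full ACL/NAT/QoS/route evaluation ran

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def _slow_path(self, pkt):
        """First packet of a flow: evaluate everything once, then populate both directions."""
        self.slow_path_calls += 1
        if not acl_allows(pkt):
            entry = {"action": "deny"}
            self.sessions[self._key(pkt)] = entry
            return entry
        nat_port = self.next_nat_port
        self.next_nat_port += 1
        forward = {"action": "allow", "rewrite": ("src", PUBLIC_IP, nat_port),
                   "qos": qos_class(pkt), "nexthop": next_hop(pkt.dst)}
        # reverse entry: replies arrive at the NAT address and must be un-translated
        reverse_key = (pkt.proto, pkt.dst, pkt.dport, PUBLIC_IP, nat_port)
        self.sessions[reverse_key] = {"action": "allow",
                                      "rewrite": ("dst", pkt.src, pkt.sport),
                                      "qos": qos_class(pkt), "nexthop": next_hop(pkt.src)}
        self.sessions[self._key(pkt)] = forward
        return forward

    def process(self, pkt):
        """Returns (action, possibly rewritten packet, qos class, egress interface)."""
        entry = self.sessions.get(self._key(pkt))
        if entry is None:
            entry = self._slow_path(pkt)
        if entry["action"] == "deny":
            return ("deny", None, None, None)
        which, ip, port = entry["rewrite"]
        if which == "src":
            out = pkt._replace(src=ip, sport=port)
        else:
            out = pkt._replace(dst=ip, dport=port)
        return ("allow", out, entry["qos"], entry["nexthop"])

    def flush(self):
        """Policy changed: cached decisions are now suspect and must be dropped."""
        self.sessions.clear()
```

The caveat a practitioner should keep in mind is the one `flush` exists for: once verdicts are cached per flow, a rule change does not take effect for existing sessions until their entries are invalidated, so a cached allow can outlive the rule that granted it.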
Efficient data structures for local inconsistency detection in firewall ACL updates
Filtering is a very important issue in next generation networks. These networks consist of a relatively high
number of resource-constrained devices and have special features, such as management of frequent topology
changes. At each topology change, the access control policy of all nodes of the network must be
automatically modified. In order to manage these access control requirements, firewalls have been proposed
by several researchers. However, many of the problems of traditional firewalls are aggravated by the
particularities of these networks, as is the case of ACL consistency. A firewall ACL with inconsistencies
generally implies design errors, and indicates that the firewall is accepting traffic that should be denied or
vice versa. This can result in severe problems such as unwanted access to services, denial of service,
overflows, etc. Detecting inconsistencies is of extreme importance in the context of highly sensitive
applications (e.g. health care). We propose a local inconsistency detection algorithm and data structures to
prevent automatic rule updates that can cause inconsistencies. The proposal has very low computational
complexity, as both theoretical and experimental results show, and thus can be used in real-time environments.
Ministerio de Educación y Ciencia DPI2006-15476-C02-0
Real Time Packet Classification and Analysis based on Bloom Filter for Longest Prefix Matching
Packet classification is an enabling function in network and security systems; hence, hardware-based solutions such as TCAM (Ternary Content Addressable Memory) have been extensively adopted for high-performance systems. With the rapid improvement of hardware architectures and the growing popularity of multi-core, multi-threaded processors, decision-tree based packet classification algorithms such as HiCuts and HyperCuts are attracting considerable attention, owing to their flexibility in satisfying varied industrial requirements for network and security systems. For high classification speed, these algorithms internally use decision trees whose size increases exponentially with the ruleset size; consequently, they cannot be used with large rulesets. Moreover, these decision tree algorithms involve complicated heuristics for choosing the number of cuts and the fields to cut on, and fixed interval-based cutting, which does not reflect the actual space that each rule covers, leads to a huge storage requirement. We propose a new packet classification scheme that simultaneously supports high scalability and fast classification by using Bloom filters. A Bloom filter is an efficient data structure for membership queries; it is used to avoid lookups in subsets that contain no matching rules and to sustain high throughput in combination with a Longest Prefix Matching (LPM) algorithm. The underlying hash table structure improves performance by providing better bounds on hash collisions and memory accesses per search. The proposed classification algorithm also shows good scalability and high classification speed irrespective of the number of rules. Performance analysis results show that the proposed algorithm enables network and security systems to support heavy traffic effectively.
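To see how a Bloom filter keeps a longest-prefix lookup out of hash tables that cannot contain a match, here is the classic one-filter-per-prefix-length construction for a single IPv4 field. This is an added example, not the paper's algorithm and not its code: the filter sizes, the BLAKE2b-derived hash positions and the small routing table are all constructed for the demonstration. A lookup walks the prefix lengths from longest to shortest, asks the filter for that length first, and only probes the hash table when the filter cannot rule the prefix out; because Bloom filters have no false negatives, the answer is always the true longest match.

```python
import hashlib
import ipaddress


class BloomFilter:
    """Minimal Bloom filter: k hash positions in an m-bit array, no false negatives."""

    def __init__(self, m_bits=1024, k=3):
        self.m = m_bits
        self.k = k
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, key: bytes):
        # k positions derived from BLAKE2b over the key plus a one-byte index
        for i in range(self.k):
            digest = hashlib.blake2b(key + bytes([i]), digest_size=8).digest()
            yield int.from_bytes(digest, "big") % self.m

    def add(self, key: bytes):
        for pos in self._positions(key):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, key: bytes) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(key))


class BloomLPM:
    """Longest prefix match with one Bloom filter guarding each prefix-length table."""

    def __init__(self):
        self.tables = {}   # prefix length -> {prefix as int: next hop}
        self.filters = {}  # prefix length -> BloomFilter over that table's prefixes
        self.probes = 0    # hash-table probes actually performed

    @staticmethod
    def _key(plen, prefix):
        return bytes([plen]) + prefix.to_bytes(4, "big")

    @staticmethod
    def _mask(addr, plen):
        return addr & ((0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF)

    def add_route(self, cidr, next_hop):
        net = ipaddress.IPv4Network(cidr)
        prefix = int(net.network_address)
        self.tables.setdefault(net.prefixlen, {})[prefix] = next_hop
        self.filters.setdefault(net.prefixlen, BloomFilter()).add(self._key(net.prefixlen, prefix))

    def lookup(self, ip):
        addr = int(ipaddress.IPv4Address(ip))
        for plen in sorted(self.tables, reverse=True):
            prefix = self._mask(addr, plen)
            if not self.filters[plen].might_contain(self._key(plen, prefix)):
                continue  # definitely absent: this table is never touched
            self.probes += 1
            hop = self.tables[plen].get(prefix)
            if hop is not None:
                return plen, hop
        return None

    def lookup_bruteforce(self, ip):
        """Reference lookup that probes every table; used to check the filters never mislead."""
        addr = int(ipaddress.IPv4Address(ip))
        for plen in sorted(self.tables, reverse=True):
            hop = self.tables[plen].get(self._mask(addr, plen))
            if hop is not None:
                return plen, hop
        return None


def build_demo_table():
    # Constructed routing table (example data, not from the paper)
    lpm = BloomLPM()
    for cidr, hop in [("0.0.0.0/0", "default"), ("10.0.0.0/8", "hop-a"),
                      ("10.1.0.0/16", "hop-b"), ("10.1.2.0/24", "hop-c")]:
        lpm.add_route(cidr, hop)
    return lpm
```

The `probes` counter is what the abstract's throughput argument rests on: with a brute-force walk every lookup costs one probe per distinct prefix length, whereas with the filters a lookup pays only for lengths the filter admits, which, barring false positives, is just the matching one.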
Fast algorithms for consistency-based diagnosis of firewall rule sets
Firewalls provide the first line of defence of nearly
all networked institutions today. However, firewall
ACL management suffers from some problems that need to be
addressed in order to be effective. The most studied
one is rule set consistency. There is an inconsistency if
different actions can be taken on the same traffic,
depending on the ordering of the rules. In this paper a
new algorithm to diagnose inconsistencies in firewall
rule sets is presented. Although many algorithms have
been proposed to address this problem, the presented
one is a big improvement over them, due to its low
algorithmic and memory complexity, even in the worst
case. In addition, there is no need to pre-process the
rule set in any way prior to applying the
algorithms. We also present experimental results with
real rule sets that validate our proposal.
Ministerio de Educación y Ciencia DPI2006-15476-C02-0
Range-enhanced packet classification to improve computational performance on field programmable gate array
Multi-field packet classification is a powerful classification engine that classifies input packets according to predefined rules over several header fields. As demand for the Internet increases, efficient network routers must support many network features such as quality of service (QoS), firewalls, security, multimedia communications, and virtual private networks. However, traditional packet classification methods do not fulfil today's network functionality and requirements efficiently. In this article, an efficient range-enhanced packet classification (REPC) module is designed using a range bit-vector encoding method, which provides a unique design to store the precomputed values in memory. In addition, REPC supports range-to-prefix conversion to match packets against the corresponding header fields. The synthesis and implementation results of REPC are analyzed and tabulated in detail. The REPC module utilizes 3% of the slices on an Artix-7 field programmable gate array (FPGA) and works at 99.87 Gbps throughput with a latency of 3 clock cycles. The proposed REPC is compared with existing packet classification approaches and shows better hardware resource utilization.
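Range-to-prefix conversion is the step that lets a port range such as 1024-65535 be matched by prefix- or TCAM-style hardware, which can only compare against bit patterns with wildcards. The example below is added here and is not the REPC design or its code; it implements the standard greedy split of an inclusive integer range into the minimal set of aligned prefixes, renders them as ternary strings, and includes a reference expansion so the cover can be checked exhaustively for small fields. The 16-bit default width and the sample ranges are assumptions for the demonstration.

```python
def range_to_prefixes(lo, hi, width=16):
    """Split the inclusive range [lo, hi] of a width-bit field into the minimal
    list of aligned prefixes, each given as (value, prefix_length)."""
    if not 0 <= lo <= hi < (1 << width):
        raise ValueError("range outside the field width")
    prefixes = []
    cur = lo
    while cur <= hi:
        size = 1
        # grow the block while it stays aligned at cur and inside [lo, hi]
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= hi:
            size *= 2
        prefixes.append((cur, width - (size.bit_length() - 1)))
        cur += size
    return prefixes


def to_ternary(value, plen, width=16):
    """Render a prefix as the TCAM-style ternary pattern, e.g. '000001**********'."""
    bits = format(value, f"0{width}b")
    return bits[:plen] + "*" * (width - plen)


def prefix_matches(value, prefix, plen, width=16):
    """Does a field value fall under the prefix? Compare only the fixed high bits."""
    shift = width - plen
    return (value >> shift) == (prefix >> shift)


def expand(prefixes, width=16):
    """Reference expansion of a prefix list to the set of integers it covers."""
    covered = set()
    for value, plen in prefixes:
        covered.update(range(value, value + (1 << (width - plen))))
    return covered
```

The worst case of this expansion is the reason range-to-prefix support matters for hardware budgets: a single unlucky range over a w-bit field can need up to 2w-2 prefixes, so one rule with ranges on both port fields can multiply into many TCAM or bit-vector entries.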
AFPL2, An Abstract Language for Firewall ACLs with NAT support
The design and management of firewall ACLs is a
very hard and error-prone task. Part of this complexity comes
from the fact that each firewall platform has its own low-level
language with a different functionality, syntax, and development
environment. Although high-level languages have been proposed
to model firewall ACLs, none of them has been widely adopted by
the industry due to a combination of factors: high complexity, no
support for important features of firewalls, etc. In this paper the
most important access control policy languages are reviewed,
with special focus on the development of firewall ACLs. Based on
this analysis, a new domain specific language for firewall ACLs
(AFPL2) is proposed, supporting features that other
languages do not cover (e.g. NAT). As the result of our design
methodology, AFPL2 is very lightweight and easy to use. AFPL2
can be translated to existing low-level firewall languages, or be
directly interpreted by firewall platforms, and is an extension to a
previously developed language.
Ministerio de Educación y Ciencia DPI2006-15476-C02-0
Polynomial Heuristic Algorithms for Inconsistency Characterization in Firewall Rule Sets
Firewalls provide the first line of defence of nearly
all networked institutions today. However, firewall
ACLs could have inconsistencies, allowing traffic that
should be denied or vice versa. In this paper, we
analyze the inconsistency characterization problem as
a separate problem from the diagnosis one, and propose
formal definitions in order to characterize one-to-many
inconsistencies. We identify the combinatorial part of
the problem that generates exponential complexities in
the combined diagnosis and characterization algorithms
proposed by other authors. Then we propose a
decomposition of the combinatorial problem into several
smaller combinatorial ones, which can effectively
reduce the complexity of the problem. Finally, we
propose an approximate heuristic and algorithms to
solve the problem in worst-case polynomial time.
Although many algorithms have been proposed to
address this problem, all of them are combinatorial.
The presented algorithms are a heuristic way to solve
the problem with polynomial complexity. There are no
constraints on how rule field ranges are expressed.
Ministerio de Educación y Ciencia DPI2006-15476-C02-0
Packet Filtering in Computer Networks
This bachelor's thesis deals with packet classification in computer networks. It describes the classification algorithms implemented in the experimental Netbench framework; for some of them, examples of their data structures and of searching in them are given. Part of this thesis is the implementation of a modular packet classification algorithm. The thesis further describes experiments performed on this algorithm to find suitable parameters, and experiments on the algorithms of the Netbench library to compare their memory and computational complexity.