Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presented by Group 2: Presented by Group 2: Shan Gao (3412192) Shan Gao (3412192) Dayang Yu (3441202) Dayang Yu (3441202) Jiayu Zhou (3405232) Jiayu Zhou.

Published byEustacia Goodwin Modified over 9 years ago

Similar presentations

Presentation on theme: "Presented by Group 2: Presented by Group 2: Shan Gao (3412192) Shan Gao (3412192) Dayang Yu (3441202) Dayang Yu (3441202) Jiayu Zhou (3405232) Jiayu Zhou."— Presentation transcript:

1 Presented by Group 2: Presented by Group 2: Shan Gao (3412192) Shan Gao (3412192) Dayang Yu (3441202) Dayang Yu (3441202) Jiayu Zhou (3405232) Jiayu Zhou (3405232) 1

2 Introduction Main Techniques  Matching Optimization Techniques  Early Rejection Optimization Techniques Comparative Study Conclusion References (23 slides in total) Outline 2

3 Firewall: permit or deny network traffic based on a firewall policy Firewall policy: a list of ordered rules  specifies what types of packets should be allowed from/into the protected network Rule: filtering fields & an action field. The packet is accepted or denied by a specific rule if the packet header information matches all the network fields of this rule Firewall policy rule management: 1. To reduce the filtering overhead (FCAPS) 2. Security (FCAPS) Introduction 3

4 Figure 1 Classification of traffic-aware firewall policy techniques Main Techniques 4

5 Objectives: try to minimize the matching time of normal network traffic: Static techniques (not traffic-aware)  Algorithmic techniques: 1) hardware-based solutions; 2) specialized data structures; 3) heuristics  improve the search time Adaptive techniques (traffic-aware)  Rule-based optimization: 1) common branch tree; 2) offline statistical-based rule generation; 3) dynamic rule ordering;  Field-based optimization: 1) multifield alphabetic tree; 2) huffman-tree-based filtering; 3) segment-list-based filtering Matching Optimization 5

6 1) Common Branch Tree  Number of rules & number of fields  build common branch decision trees  good average case performance:  Less memory than binary decision trees  Limitation: decision tree needs to be rebuilt every time the traffic pattern changes Adaptive traffic-aware —— Rule-based optimization 6

7 2) Offline Statistical-Based Rule Generation  Traffic-aware firewall optimizer (TFO):  Step 1: pre-optimization (removes redundancies)  Step 2: a rule-set-based optimizer & a traffic-based optimizer  The rule-set-based optimizer: Disjoint Set Creator (DSC) & Disjoint Set Merger (DSM) algorithms  The traffic-based optimizer: hot caching, default proxy, total re-ordering, online adaptation Adaptive traffic-aware —— Rule-based optimization 7

8 3) Dynamic Rule Ordering  The optimal rule ordering (ORO) problem is NP-hard  a heuristic approximation algorithm  achieves near- optimal results  Compute filtering rule weights based on: matching frequency & matching recency  Limitation: it is not good for policies with a large number of overlapping rules. Adaptive traffic-aware —— Rule-based optimization 8

9 1) Multifield Alphabetic Tree  Calculates the field value frequency  build the alphabetic search tree  adaptive packet searching  The alphabetic search tree: improve the overall average filtering  Limitation: the overhead of updating the tree can be significant Adaptive traffic-aware —— Field-based optimization 9

10 2) Huffman-Tree-Based Filtering  The Huffman tree: represent the segmentation of traffic address space in the firewall policy  Number of rules & number of segments  build a Huffman tree  enhance the performance of searching & good for policies with a large number of rules  Limitation: the Huffman tree needs to be rebuilt periodically to reflect changes in network flows. Adaptive traffic-aware —— Field-based optimization 10

11 3) Segment-List-Based Filtering  Number of rules & number of segments  build a policy- segment-based search list  get rid of the maintenance cost of the Huffman tree  A heuristic algorithm  minimize the average search time  Limitation: it has transient behavior until a good order of segments is obtained Adaptive traffic-aware —— Field-based optimization 11

12 Early Rejection Optimization  Importance Protect firewalls from DoS attacks that target the default deny rule. Minimize the filtering overhead.  Classification Online early rejection Field value cover-based early rejection BDD-based relaxed policy Blacklist blocking Longest common prefix(LCP)-based blacklist blocking 12

13 Online Early Rejection—— Field value cover-based early rejection  Objective Filter out as many discarded packets as possible with the lowest overhead.  Basic idea The early rejection rules can be formed as a combination of the common field values that cover all rules in the policy. A typical early rejection rule(RR) The limitation of the technique is that it is not suitable for large number of rules. 13

14 Online Early Rejection —— BDD-Based Relaxed Policy  Basic idea Approximate the current policy with another new policy. Provided a packet, the technique evaluates it against the policy, and reaches one of three options: accepted, rejected or more filtering is needed by the original policy. Efficient Boolean expression can be used to represent and approximate the policy Each Boolean expression represents the different packets that match a specific rule, and the variables used for this expression correspond to the bits of individual packet header fields 14

15 Online Early Rejection —— BDD-Based Relaxed Policy The limitation of the technique is that the overhead to build the BDD is usually significant. 15

16 Longest Common Prefix (LCP)-Based Blacklist Blocking  Objective Minimize the impact of malicious sources in the network using the available network resources.  Basic idea Addresses with certain prefixes should be blocked.  Data structure LCP tree ----a kind of binary tree. 16

17 Example of LCP tree The limitation of this technique is that all the malicious IP addresses must be known before the computation of the optimal solution. The limitation of this technique is that all the malicious IP addresses must be known before the computation of the optimal solution. Longest Common Prefix (LCP)-Based Blacklist Blocking 17 Leaves of the tree represent the malicious IP addresses. All the other nodes represent the longest common prefixes between any pair of IPs in the tree.

18 Comparative Study Table 1. Comparison of the algorithms, data structures, and complexity of traffic-aware dynamic firewall policy techniques. 18

19 Introduction to Related Terms  Skewedness: The measure of asymmetry in the probability distribution of traffic.   Dynamic: An index to measure whether the traffic pattern has frequent changes or not. Comparative Study Higher skewedness Traffic “leans” to one side of the mean Smaller number of rules required to match Higher dynamic Adapt firewalls more dynamically Minimize the packets’ matching time 19

20 Table 2. Comparison of limitations and application suitability of traffic–aware dynamic firewall policy techniques. Comparative Study 20 (+ denotes corresponding technique suits this property ) (- denotes corresponding technique doesn’t suit this property) (N/A denotes this technique is not applicable for this property)

21 F C A P S Fault management Configuration management Accounting management Performance management: The decrease of matching time by using different techniques can provide high performance packet filtering. Security management: Border device only passes packets that satisfy rules, block the malicious sources in the network occupy the available network resources. 21 Conclusion

22 References [1] Duan Qi and Ehab Al-Shaer, “Traffic-aware dynamic firewall policy management: techniques and applications”, Communications Magazine, IEEE, 2013, vol. 51, no. 7. [2] S. Acharya et al., “Traffic-Aware Firewall Optimization Strategies,” IEEE ICC, 2006. [3] A. Attar, “Performance Characteristics of BDD-Based Packet Filters”, University of the Witwatersrand, 2001. [4] H. Hamed and E. Al-Shaer, “Dynamic Rule Ordering Optimization for High-Speed Firewall Filtering,” ASIACCS’06, 2006. [5] H. Hamed, A. El-Atawy, and E. Al-Shaer, “Adaptive Statistical Optimization Techniques for Firewall Packet Filtering,” IEEE INFOCOM ’06, Apr. 2006. [6] F. Soldo, A. Markopoulou, and K. J. Argyraki, “Optimal Filtering of Source Address Prefixes: Models and Algorithms,” IEEE INFOCOM ’09, 2009, pp. 2446–54. [7] M. Tim, Tele9752 Network Operations and Control, Lecture notes, 2013 22

23 THANK YOU ! 23

Download ppt "Presented by Group 2: Presented by Group 2: Shan Gao (3412192) Shan Gao (3412192) Dayang Yu (3441202) Dayang Yu (3441202) Jiayu Zhou (3405232) Jiayu Zhou."

Similar presentations

Access Control List (ACL)

Access Control List (ACL)
Introduction to Computer Science 2 Lecture 7: Extended binary trees

Introduction to Computer Science 2 Lecture 7: Extended binary trees
1 IP-Lookup and Packet Classification Advanced Algorithms & Data Structures Lecture Theme 08 – Part I Prof. Dr. Th. Ottmann Summer Semester 2006.

1 IP-Lookup and Packet Classification Advanced Algorithms & Data Structures Lecture Theme 08 – Part I Prof. Dr. Th. Ottmann Summer Semester 2006.
VCRIB: Virtual Cloud Rule Information Base Masoud Moshref, Minlan Yu, Abhishek Sharma, Ramesh Govindan HotCloud 2012.

VCRIB: Virtual Cloud Rule Information Base Masoud Moshref, Minlan Yu, Abhishek Sharma, Ramesh Govindan HotCloud 2012.
Resource Management §A resource can be a logical, such as a shared file, or physical, such as a CPU (a node of the distributed system). One of the functions.

Resource Management §A resource can be a logical, such as a shared file, or physical, such as a CPU (a node of the distributed system). One of the functions.
Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International.

Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International.
A Ternary Unification Framework for Optimizing TCAM-Based Packet Classification Systems Author: Eric Norige, Alex X. Liu, and Eric Torng Publisher: ANCS.

A Ternary Unification Framework for Optimizing TCAM-Based Packet Classification Systems Author: Eric Norige, Alex X. Liu, and Eric Torng Publisher: ANCS.
First Step Towards Automatic Correction of Firewall Policy Faults Fei Chen Alex X. Liu Computer Science and Engineering Michigan State University JeeHyun.

First Step Towards Automatic Correction of Firewall Policy Faults Fei Chen Alex X. Liu Computer Science and Engineering Michigan State University JeeHyun.
ClassBench: A Packet Classification Benchmark

ClassBench: A Packet Classification Benchmark
Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.

Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.
UNIVERSITY OF JYVÄSKYLÄ Yevgeniy Ivanchenko Yevgeniy Ivanchenko University of Jyväskylä

UNIVERSITY OF JYVÄSKYLÄ Yevgeniy Ivanchenko Yevgeniy Ivanchenko University of Jyväskylä
Firewall Policy Queries Author: Alex X. Liu, Mohamed G. Gouda Publisher: IEEE Transaction on Parallel and Distributed Systems 2009 Presenter: Chen-Yu Chang.

Firewall Policy Queries Author: Alex X. Liu, Mohamed G. Gouda Publisher: IEEE Transaction on Parallel and Distributed Systems 2009 Presenter: Chen-Yu Chang.
1 On Constructing Efficient Shared Decision Trees for Multiple Packet Filters Author: Bo Zhang T. S. Eugene Ng Publisher: IEEE INFOCOM 2010 Presenter:

1 On Constructing Efficient Shared Decision Trees for Multiple Packet Filters Author: Bo Zhang T. S. Eugene Ng Publisher: IEEE INFOCOM 2010 Presenter:
Privacy-Preserving Cross-Domain Network Reachability Quantification

Privacy-Preserving Cross-Domain Network Reachability Quantification
Efficient Multidimensional Packet Classification with Fast Updates Author: Yeim-Kuan Chang Publisher: IEEE TRANSACTIONS ON COMPUTERS, VOL. 58, NO. 4, APRIL.

Efficient Multidimensional Packet Classification with Fast Updates Author: Yeim-Kuan Chang Publisher: IEEE TRANSACTIONS ON COMPUTERS, VOL. 58, NO. 4, APRIL.
Shuchi Chawla, Carnegie Mellon University Static Optimality and Dynamic Search Optimality in Lists and Trees Avrim Blum Shuchi Chawla Adam Kalai 1/6/2002.

Shuchi Chawla, Carnegie Mellon University Static Optimality and Dynamic Search Optimality in Lists and Trees Avrim Blum Shuchi Chawla Adam Kalai 1/6/2002.
Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.

Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.
Fast binary and multiway prefix searches for pachet forwarding Author: Yeim-Kuan Chang Publisher: COMPUTER NETWORKS, Volume 51, Issue 3, pp. 588-605, February.

Fast binary and multiway prefix searches for pachet forwarding Author: Yeim-Kuan Chang Publisher: COMPUTER NETWORKS, Volume 51, Issue 3, pp , February.
Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.

Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Similar presentations

Ads by Google