Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting September 28, 2005.

Published bySusan Charlene Stevens Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting September 28, 2005."— Presentation transcript:

1 1 Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting September 28, 2005

2 Computer Science Wake Forest nsg.cs.wfu.edu E. W. FulpDOE Network Research PI Meeting, 2005 2 Project Objectives Methods that improve network firewall performance 1.Develop policy optimization techniques –Formal models for rules and security policies –Reduce processing requirement per packet –Low impact solutions for current and future firewalls –Models used to distribute rules in parallel firewalls 2.High-speed firewall designs –One policy, distributed firewalls, parallel processing –Maintain QoS requirements and differentiation –Scalable with increasing speeds and volumes –Robust (highly available), able to survive DoS attacks

3 Computer Science Wake Forest nsg.cs.wfu.edu E. W. FulpDOE Network Research PI Meeting, 2005 3 Research Progress Three year DOE ECPI project –First year: firewall policies and analytical models –Second year: firewall designs and rule distribution –Third year: hybrid and dynamic firewall designs Network Security Group at Wake Forest University –Errin Fulp, Ryan Farley, and Steve Tarsa

4 Computer Science Wake Forest nsg.cs.wfu.edu E. W. FulpDOE Network Research PI Meeting, 2005 4 Policy Optimization Reduce comparisons while maintaining integrity 1.Optimize the policy, best arrangement (NP-hard) –Optimized list reduces number of compares (upto 80%) –Rule compression and expansion 2.New non-linear representation –Policy trie requires 1/k compares –Policy trie optimization Firewall policy Policy DAGLinear arrangement

5 Computer Science Wake Forest nsg.cs.wfu.edu E. W. FulpDOE Network Research PI Meeting, 2005 5 Distributed Firewall Designs Three distributed designs –Data parallel, distribute packets –Function parallel, distribute rules –Hierarchical, distribute packets and rules scalable, redundant, stateful inspection difficult, no differentiation faster than data, scalable stateful, redundant?, no differentiation potentially fastest, stateful, differentiation possible, rule distribution difficult

6 Computer Science Wake Forest nsg.cs.wfu.edu E. W. FulpDOE Network Research PI Meeting, 2005 6 Function Parallel Each node has a portion of the policy –Every packet processed by each node, and informs gate –Gate make final decision based on the policy DAG Results for 4-node parallel firewall –Function parallel 3 to 3.5 times better than data-parallel Gate is an additional delay, prefer to eliminate

7 Computer Science Wake Forest nsg.cs.wfu.edu E. W. FulpDOE Network Research PI Meeting, 2005 7 Eliminating the Gate Possible to remove the gate machine –Must distribute rules so only one node accepts –Use policy DAG and trie to guide decisions (integrity) Consider a policy and two node function-parallel Function parallel design is becoming hierarchical –Nodes are designed to handle certain types of traffic –Maintains QoS, isolate DoS attacks

8 Computer Science Wake Forest nsg.cs.wfu.edu E. W. FulpDOE Network Research PI Meeting, 2005 8 Continuing Research Finalize proofs for rule distribution –Eliminate gate and maintaining integrity –Use policy profile to optimize performance Create a redundant gate-less design –Use policy DAG and trie to distribute rules –Gateless performance with redundant attributes Dynamic array of firewall nodes –Function parallel is not always better… –Use queueing theory to determine optimal design –Data and/or function parallel distribution

9 Computer Science Wake Forest nsg.cs.wfu.edu E. W. FulpDOE Network Research PI Meeting, 2005 9 Synergistic Activities Cyber Security Group at PNNL, Summer 2005 –Deborah Frincke, John McCoy, Tom McKenna, and Patrick Wheeler (UC Davis) –High-speed firewall and IPS designs –Developed policy optimization techniques New Start-up Company, Spring 2005 –High-speed firewall and IDS/IPS solutions –Two patents pending (firewall optimization, rule distribution, and distributed architectures) –Business plan developed –Initial implementation at WFU and testing at NC State –Seeking funding/initial investors, possible SBIR

Download ppt "1 Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting September 28, 2005."

Similar presentations

Motorola General Business Use MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are.

Motorola General Business Use MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are.
Current methods for negotiating firewalls for the Condor ® system Bruce Beckles (University of Cambridge Computing Service) Se-Chang Son (University of.

Current methods for negotiating firewalls for the Condor ® system Bruce Beckles (University of Cambridge Computing Service) Se-Chang Son (University of.
Mobile IPv6. Why study Mobility in IPv6? What is so different about Mobile IPv6 ?

Mobile IPv6. Why study Mobility in IPv6? What is so different about Mobile IPv6 ?
1 © 2005 Cisco Systems, Inc. All rights reserved. CONFIDENTIAL AND PROPRIETARY INFORMATION Cisco Wireless Strategy Extending and Securing the Network Bill.

1 © 2005 Cisco Systems, Inc. All rights reserved. CONFIDENTIAL AND PROPRIETARY INFORMATION Cisco Wireless Strategy Extending and Securing the Network Bill.
DARPA OASIS PI Meeting – Santa Fe – July 24-27, 2001Slide 1 Aegis Research Corporation Not for Public Release Survivability Validation Framework for Intrusion.

DARPA OASIS PI Meeting – Santa Fe – July 24-27, 2001Slide 1 Aegis Research Corporation Not for Public Release Survivability Validation Framework for Intrusion.
Sponsored by the National Science Foundation The Hive Mind: Applying a Security Sensor Network to GENI Spiral 2 Year-end Project Review University of California,

Sponsored by the National Science Foundation The Hive Mind: Applying a Security Sensor Network to GENI Spiral 2 Year-end Project Review University of California,
Secrecy Preserving Signatures Filtering Packets without Learning the Filtering Rules.

Secrecy Preserving Signatures Filtering Packets without Learning the Filtering Rules.
Firewall Query Engine and Firewall Comparison Engine Mohamed Gouda Alex X. Liu Computer Science Department The University of Texas at Austin.

Firewall Query Engine and Firewall Comparison Engine Mohamed Gouda Alex X. Liu Computer Science Department The University of Texas at Austin.
1 TCAM Razor: A Systematic Approach Towards Minimizing Packet Classifiers in TCAMs Department of Computer Science and Information Engineering National.

1 TCAM Razor: A Systematic Approach Towards Minimizing Packet Classifiers in TCAMs Department of Computer Science and Information Engineering National.
Network Topologies CS 1202.

Network Topologies CS 1202.
Network Topologies CSC1202-2013 (c) Nouf AlJaffan.

Network Topologies CSC (c) Nouf AlJaffan.
© 2008 Bivio Networks, Inc. All rights reserved. Specifications subject to change without notice. Evolution & Requirements for DPI in Network Security.

© 2008 Bivio Networks, Inc. All rights reserved. Specifications subject to change without notice. Evolution & Requirements for DPI in Network Security.
Chapter 4 DECISION SUPPORT AND ARTIFICIAL INTELLIGENCE

Chapter 4 DECISION SUPPORT AND ARTIFICIAL INTELLIGENCE
Web Caching Schemes1 A Survey of Web Caching Schemes for the Internet Jia Wang.

Web Caching Schemes1 A Survey of Web Caching Schemes for the Internet Jia Wang.
Network Security Testing Techniques Presented By:- Sachin Vador.

Network Security Testing Techniques Presented By:- Sachin Vador.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Internet Research Needs a Critical Perspective Towards Models –Sally Floyd –IMA Workshop, January 2004.

Internet Research Needs a Critical Perspective Towards Models –Sally Floyd –IMA Workshop, January 2004.
1IMIC, 8/30/99 Constraint-Based Unicast and Multicast: Practical Issues Bala Rajagopalan NEC C&C Research Labs Princeton, NJ

1IMIC, 8/30/99 Constraint-Based Unicast and Multicast: Practical Issues Bala Rajagopalan NEC C&C Research Labs Princeton, NJ
Secure Overlay Services Adam Hathcock Information Assurance Lab Auburn University.

Secure Overlay Services Adam Hathcock Information Assurance Lab Auburn University.
1© Copyright 2015 EMC Corporation. All rights reserved. SDN INTELLIGENT NETWORKING IMPLICATIONS FOR END-TO-END INTERNETWORKING Simone Mangiante Senior.

1© Copyright 2015 EMC Corporation. All rights reserved. SDN INTELLIGENT NETWORKING IMPLICATIONS FOR END-TO-END INTERNETWORKING Simone Mangiante Senior.

Similar presentations

Ads by Google