Adaptive optimization of packet filtering devices performance ensuring a conflict-free network configuration

Security rule management in firewalls and security gateways is a hard and error-prone task, as administrators must correctly implement and update a large number of policies, especially when rapid changes occur due to new security needs. The challenge to address in a multi-firewall and security gateway environment is to implement conflict-free policies, necessary to avoid security inconsistencies, and at the same time to optimize performance in terms of average filtering time, in order to make firewalls more robust against DoS and DDoS attacks. Additionally, the approach should be real-time, based on the characteristics of network traffic. There is a vast amount of literature on security policy conflict detection and resolution and on device rule set shaping to improve policy implementation performance. Our work defines an algorithm to find conflict-free optimized device rule sets in real time, relying on information gathered from traffic analysis. We show results obtained from our test environment confirming that the operational costs of devices can be reduced based on traffic analysis via the log files of the security device. We demonstrate computational power savings of up to 24% with fully conflict-free device policies.
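The abstract describes reordering a device rule set from log-derived traffic statistics without breaking its semantics. The following is an added illustration, not the paper's own algorithm: it counts rule hits from constructed syslog-style lines, keeps the relative order of any two overlapping rules with different actions (so first-match results are unchanged), greedily moves the most-hit rules forward, and compares the average number of rules inspected per packet before and after. The rule set, log lines and field format are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed rule set: each field is an exact value or "*" (any); first match wins.
RULES = [
    {"id": "R1", "src": "10.0.0.5", "dst": "*", "dport": "22", "action": "DROP"},
    {"id": "R2", "src": "*", "dst": "*", "dport": "22", "action": "ACCEPT"},
    {"id": "R3", "src": "*", "dst": "192.168.1.10", "dport": "443", "action": "ACCEPT"},
    {"id": "R4", "src": "*", "dst": "*", "dport": "53", "action": "ACCEPT"},
    {"id": "R5", "src": "*", "dst": "*", "dport": "*", "action": "DROP"},
]
# Constructed syslog-style hit records (not real device output); only the rule= token is used.
LOG = """Jan 10 12:00:01 fw1 filter: rule=R4 action=ACCEPT dport=53
Jan 10 12:00:01 fw1 filter: rule=R4 action=ACCEPT dport=53
Jan 10 12:00:02 fw1 filter: rule=R3 action=ACCEPT dport=443
Jan 10 12:00:02 fw1 filter: rule=R4 action=ACCEPT dport=53
Jan 10 12:00:03 fw1 filter: rule=R1 action=DROP dport=22
Jan 10 12:00:03 fw1 filter: rule=R3 action=ACCEPT dport=443
Jan 10 12:00:04 fw1 filter: rule=R2 action=ACCEPT dport=22
Jan 10 12:00:05 fw1 filter: rule=R5 action=DROP dport=8080""".splitlines()
RULE_RE = re.compile(r"\brule=(\w+)")

def hit_counts(lines):
    """Count how often each rule fired, from the rule= token of each log line."""
    return Counter(m.group(1) for m in map(RULE_RE.search, lines) if m)

def overlap(a, b):
    """Two rules can match the same packet if every field is equal or wildcarded."""
    return all(a[f] == b[f] or "*" in (a[f], b[f]) for f in ("src", "dst", "dport"))

def must_precede(a, b):
    """Relative order matters only for overlapping rules with different actions."""
    return overlap(a, b) and a["action"] != b["action"]

def reorder(rules, hits):
    """Greedy: place the most-hit rule whose earlier conflicting rules are already placed."""
    pending, ordered = list(rules), []
    while pending:
        ready = [r for r in pending
                 if not any(must_precede(p, r) for p in pending
                            if rules.index(p) < rules.index(r))]
        best = max(ready, key=lambda r: hits[r["id"]])  # ready is never empty
        pending.remove(best)
        ordered.append(best)
    return ordered

def avg_cost(rules, hits):
    """Average number of rules inspected per logged packet under first-match linear search."""
    total = sum(hits.values())
    return sum(hits[r["id"]] * (i + 1) for i, r in enumerate(rules)) / total
```

On the constructed data the order becomes R4, R3, R1, R2, R5: R1 stays ahead of R2 and the catch-all R5 stays last, while the average inspection depth drops from 3.25 to 2.375 rules per packet.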
