Increasing SIP firewall performance by ruleset size limitation

To protect SIP communication networks from attacks, especially flooding attacks such as denial-of-service or message spam, intrusion detection systems (IDS) are deployed at the ingress point of the network to filter potentially malicious traffic. A key factor in IDS performance is the operation of its firewall, which blocks malicious user requests. Depending on the complexity of the firewall ruleset, the filtering performance of the IDS can degrade considerably under high-load flooding. In this paper we propose a scheme that increases IDS firewall performance by limiting the number of firewall rules: several similar rules are merged into more general ones, and less relevant rules are ignored. We formalise a mathematical model for computing the new firewall rules and show by example, using traffic from SIP VoIP communication networks, how the calculation is performed. Applied to a VoIP IDS, the scheme can increase firewall throughput considerably while retaining most of its effectiveness.
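The two operations the abstract describes, merging similar rules into a more general one and discarding less relevant rules, can be illustrated on a constructed block list. The following is an added example written for this page; it is not the paper's mathematical model or code. It assumes that a rule's relevance is the number of flood messages it has matched, that two rules are "similar" when their source networks share a long common IPv4 prefix, and that a merge is only acceptable while the merged network stays at least as specific as `min_prefix` (default /24). The rule names, sample addresses (from RFC 5737 test ranges) and hit counts are all constructed; the example also measures what a reduced rule set still blocks and which legitimate clients it blocks as collateral, which is the trade-off the abstract refers to as "retaining most of its effectiveness".

```python
"""Toy rule-set limitation for a SIP firewall block list (added example).

Not the paper's model: relevance = hits matched, similarity = shared IPv4
prefix, and the /24 merge floor are all assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network


@dataclass
class Rule:
    net: IPv4Network  # source network this block rule matches
    hits: int         # flood messages matched so far (assumed relevance measure)


def covering_net(a: IPv4Network, b: IPv4Network) -> IPv4Network:
    """Smallest single network that contains both a and b."""
    for p in range(min(a.prefixlen, b.prefixlen), -1, -1):
        cover = a.supernet(new_prefix=p)
        if b.subnet_of(cover):
            return cover
    return IPv4Network("0.0.0.0/0")


def limit_ruleset(rules: List[Rule], max_rules: int, min_prefix: int = 24) -> List[Rule]:
    """Shrink the rule set to at most max_rules entries.

    Each step either merges the two most similar rules (the pair whose
    covering network has the longest prefix) into one more general rule,
    absorbing any other rule inside that network, or, when no merge would
    stay at least as specific as /min_prefix, drops the rule with the
    fewest hits. Both policies are assumptions of this example.
    """
    rules = list(rules)
    while len(rules) > max_rules:
        best: Optional[Tuple[IPv4Network, int, int]] = None
        for i in range(len(rules)):
            for j in range(i + 1, len(rules)):
                cover = covering_net(rules[i].net, rules[j].net)
                if best is None or cover.prefixlen > best[0].prefixlen:
                    best = (cover, i, j)
        cover, _, _ = best
        if cover.prefixlen >= min_prefix:
            inside = [r for r in rules if r.net.subnet_of(cover)]
            outside = [r for r in rules if not r.net.subnet_of(cover)]
            rules = outside + [Rule(cover, sum(r.hits for r in inside))]
        else:
            victim = min(rules, key=lambda r: r.hits)
            rules = [r for r in rules if r is not victim]
    return rules


def is_blocked(ip: str, rules: List[Rule]) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return any(addr in r.net for r in rules)


def blocked_fraction(rules: List[Rule], attack_traffic: Dict[str, int]) -> float:
    """Share of flood messages the reduced rule set still blocks."""
    total = sum(attack_traffic.values())
    blocked = sum(n for ip, n in attack_traffic.items() if is_blocked(ip, rules))
    return blocked / total


def collateral(rules: List[Rule], legit_ips: List[str]) -> List[str]:
    """Legitimate clients that a generalised rule now blocks as well."""
    return [ip for ip in legit_ips if is_blocked(ip, rules)]


def rules_from_traffic(traffic: Dict[str, int]) -> List[Rule]:
    """One /32 block rule per observed flood source, as an IDS would emit."""
    return [Rule(IPv4Network(ip + "/32"), n) for ip, n in traffic.items()]


# Constructed sample: flood sources seen by the IDS and messages sent by each.
ATTACK_TRAFFIC = {
    "203.0.113.10": 400, "203.0.113.11": 350, "203.0.113.12": 300,
    "203.0.113.13": 250, "203.0.113.200": 120, "198.51.100.7": 60,
    "192.0.2.9": 5,
}
# Constructed sample: legitimate SIP clients that must keep working.
LEGIT_CLIENTS = ["203.0.113.14", "203.0.113.50", "192.0.2.77"]


if __name__ == "__main__":
    for limit in (7, 4, 2):
        reduced = limit_ruleset(rules_from_traffic(ATTACK_TRAFFIC), limit)
        print(f"limit={limit}: {[str(r.net) for r in reduced]}")
        print(f"  attack blocked: {blocked_fraction(reduced, ATTACK_TRAFFIC):.3f}",
              f"collateral: {collateral(reduced, LEGIT_CLIENTS)}")
```

With the limit set to 4, the four /32 rules for 203.0.113.10 to .13 collapse into 203.0.113.8/29, which still blocks every flood message but now also blocks the legitimate client at 203.0.113.14; with the limit set to 2, the whole 203.0.113.0/24 becomes one rule and the least relevant source (192.0.2.9, five messages) is dropped, so a small share of the flood gets through. That is the cost side of the trade-off the scheme makes for a smaller, faster rule set.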
