
OPTWALL

OPTWALL: A Hierarchical Traffic-Aware Firewall. Mehmud Abliz, Subrata Acharya, Bryan Mills, Taieb Znati (University of Pittsburgh, PA); Albert Greenberg (Microsoft Research, WA); Jia Wang, Zihui Ge (AT&T Research, NJ).


Presentation Transcript


  OPTWALL: A Hierarchical Traffic-Aware Firewall
  Mehmud Abliz, Subrata Acharya, Bryan Mills, Taieb Znati (University of Pittsburgh, PA); Albert Greenberg (Microsoft Research, WA); Jia Wang, Zihui Ge (AT&T Research, NJ)

  Introduction
  • The overall efficiency, reliability, and availability of a firewall are crucial to enforcing and administering security.
  • The continuous growth of the Internet, coupled with the increasing sophistication of attacks, places stringent performance demands on firewalls.
  • The main approach to improving firewalls is rule optimization. Yet optimizing firewalls is hard, because
  • it is an NP-hard problem, hence not tractable for a large number of rules, and
  • policy integrity must be maintained: the optimized rule set has to make exactly the same decision as the original for every packet.

  How does a typical firewall work
  A typical present-day firewall enforces its security policies via a set of multi-dimensional packet filters (usually a list of rules). Traffic is filtered by this list following the "first hit" principle: a packet is compared against the rules in order, and the first rule it matches decides its fate, so the position of a frequently hit rule determines how many comparisons its packets cost.

  Our Goal
  Improve the performance of firewalls via
  • reducing the average time the firewall spends on matching a packet to a rule in its rule set,
  • preserving the semantics of the original rule set, and
  • efficiently preventing attacks, especially denial-of-service attacks, by maintaining the optimality of the rule set as traffic patterns and rule sets change.

  OPTWALL
  • Splits the rule set hierarchically into multiple rule sets to reduce the average time for matching a packet to a rule.
  • Provides an adaptation scheme which can dynamically change the priority of a rule based on the traffic.

  OPTWALL Splitting Approaches
  • Optimal approach (A*)
  • Heuristic solution (greedy)
  • Initial filter determination (how the top-level filter and the sub-set filters are chosen):
  • Hit count – Hit count
  • Hit count – Maximum distance
  • Random – Random
  • Maximum distance – Maximum distance

  Evaluation Metric
  • Cost of a rule_i: cost(rule_i) = hit-count(rule_i) * sum(size(rule_i) ... size(rule_{i-1}))

  Results
  (result figures are not reproduced in the transcript)

  Conclusion
  • Study the problem of decentralized multi-dimensional firewall optimization.
  • Present OPTWALL, a hierarchical traffic-aware framework for firewall optimization.
  • Adaptive anomaly detection/counteraction mechanism.
  • Nearly 35% improvement in the operational cost of firewalls in the worst case for a heavily loaded firewall operation.

  This work has been accepted to NDSS 2007. Poster designed by Mehmud Abliz.
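The three goals listed on the poster (fewer comparisons per packet, unchanged semantics, adaptation to observed traffic) and the hierarchical split are easier to see in working code. The block below is an added example, not the OPTWALL authors' code: a toy first-hit firewall in Python. The rule names r1..r5, the addresses, the traffic sample and the hit counts derived from it are constructed; the greedy hoisting pass, the one-level split by protocol, and the cost model (every rule of size 1, the protocol dispatch not counted as a comparison) are simplifications chosen for this example and are not OPTWALL's A* or greedy splitting algorithms.

```python
"""Added example, not the OPTWALL authors' code: a toy first-hit firewall that hoists hot
rules without changing which rule fires, splits per protocol, and counts comparisons."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str]              # None = any protocol
    dport: Optional[Tuple[int, int]]  # inclusive port range, None = any port
    action: str                       # "ACCEPT" or "DROP"

    def matches(self, pkt):           # pkt = (src, dst, proto, dport)
        src, dst, proto, dport = pkt
        return (IPv4Address(src) in self.src and IPv4Address(dst) in self.dst
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport[0] <= dport <= self.dport[1]))

    def overlaps(self, other):
        """Conservative check: True if some packet could match both rules."""
        proto_ok = None in (self.proto, other.proto) or self.proto == other.proto
        port_ok = (None in (self.dport, other.dport)
                   or (self.dport[0] <= other.dport[1] and other.dport[0] <= self.dport[1]))
        return self.src.overlaps(other.src) and self.dst.overlaps(other.dst) and proto_ok and port_ok

def first_hit(rules, pkt, default="DROP"):
    """(action, number of rules compared) under the first-hit principle."""
    for i, r in enumerate(rules, 1):
        if r.matches(pkt):
            return r.action, i
    return default, len(rules)

def count_hits(rules, sample):
    """Per-rule hit counts from a weighted traffic sample (the input to adaptation)."""
    hits = {r.name: 0 for r in rules}
    for pkt, count in sample:
        hit = next((r for r in rules if r.matches(pkt)), None)
        if hit is not None:
            hits[hit.name] += count
    return hits

def reorder_by_hits(rules, hits):
    """Greedy adaptation: bubble hotter rules upward, but never past a rule they overlap
    with; rules that can match the same packet keep their order, so the first hit is unchanged."""
    order, changed = list(rules), True
    while changed:
        changed = False
        for i in range(len(order) - 1):
            a, b = order[i], order[i + 1]
            if hits.get(b.name, 0) > hits.get(a.name, 0) and not a.overlaps(b):
                order[i], order[i + 1], changed = b, a, True
    return order

def split_by_proto(rules):
    """One-level hierarchical split: one sub-rule-set per protocol, with protocol-agnostic
    rules copied into each in original relative order (key None: generic rules only)."""
    protos = {r.proto for r in rules if r.proto is not None}
    return {p: [r for r in rules if r.proto in (p, None)] for p in protos | {None}}

def first_hit_split(split, pkt):
    """Protocol dispatch (assumed a single lookup, not counted as a comparison), then first-hit."""
    return first_hit(split.get(pkt[2], split[None]), pkt)

def total_cost(match, sample):
    """Rule comparisons over the sample: sum of hit-count(rule_i) * position, each rule of size 1."""
    return sum(count * match(pkt)[1] for pkt, count in sample)

ANY = IPv4Network("0.0.0.0/0")
RULES = [  # constructed first-hit rule set; r5 overlaps every other rule
    Rule("r1", ANY, ANY, "tcp", (23, 23), "DROP"),
    Rule("r2", ANY, IPv4Network("192.0.2.25/32"), "tcp", (25, 25), "ACCEPT"),
    Rule("r3", ANY, IPv4Network("192.0.2.53/32"), "udp", (53, 53), "ACCEPT"),
    Rule("r4", ANY, IPv4Network("192.0.2.0/24"), "tcp", (80, 443), "ACCEPT"),
    Rule("r5", IPv4Network("198.51.100.0/24"), ANY, None, None, "DROP"),
]
SAMPLE = [  # constructed traffic sample: (packet, observed count)
    (("203.0.113.5", "192.0.2.10", "tcp", 443), 900),
    (("203.0.113.7", "192.0.2.53", "udp", 53), 300),
    (("203.0.113.9", "192.0.2.25", "tcp", 25), 20),
    (("198.51.100.3", "192.0.2.1", "icmp", 0), 50),
    (("203.0.113.5", "192.0.2.20", "tcp", 23), 5),
]

def demo():
    """Comparisons for original / hoisted / hoisted+split, hoisted order, policy preserved?"""
    hot = reorder_by_hits(RULES, count_hits(RULES, SAMPLE))
    split = split_by_proto(hot)
    matchers = [lambda p: first_hit(RULES, p), lambda p: first_hit(hot, p),
                lambda p: first_hit_split(split, p)]
    costs = tuple(total_cost(m, SAMPLE) for m in matchers)
    same = all(len({m(p)[0] for m in matchers}) == 1 for p, _ in SAMPLE)
    return costs, [r.name for r in hot], same

if __name__ == "__main__":
    print(demo())  # ((4795, 1830, 1305), ['r4', 'r3', 'r2', 'r1', 'r5'], True)
```

Two things worth noticing when running it. The hoisting pass is only allowed to swap adjacent rules that cannot match the same packet, which is exactly what keeps the policy intact: r5 (a source-based drop with no protocol or port constraint) overlaps every other rule, so it stays last even though it is hotter than r1, and the check at the end confirms all three variants decide every sample packet identically. The split then helps precisely where hoisting could not: r5 ends up in a four-rule TCP chain and a one-rule chain for everything else, so the ICMP traffic it drops is handled in one comparison instead of five. On this sample the comparison count falls from 4795 to 1830 after hoisting and to 1305 after splitting; the real OPTWALL uses a cost metric with rule sizes and an A* or greedy search over split points, so these numbers illustrate the mechanism, not the poster's 35% result.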
