• Corpus ID: 16167667

Network Firewall Policy Tries

@inproceedings{Fulp2005NetworkFP,
  title={Network Firewall Policy Tries},
  author={Errin W. Fulp and Stephen J. Tarsa},
  year={2005}
}
Network firewalls remain the forefront defense for most computer systems. These critical devices filter traffic by comparing arriving packets to a list of rules, or security policy, in a sequential manner. Unfortunately, packet filtering in this fashion can result in significant traffic delays, which is problematic for applications that require strict Quality of Service (QoS) guarantees. Furthermore, as network speeds and capacities continue to increase, the processing time associated with… 
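The abstract contrasts the sequential rule walk with a trie-based representation of the same policy. The Python below is an added illustration, not the paper's construction or code: it puts a first-match list walk next to a simple n-ary trie over the same rule fields and checks the property the paper calls policy integrity, namely that when a packet's walk through the trie reaches more than one leaf (because a specific prefix and a wildcard both match) the trie must return the earliest rule, exactly as the list would. The rule tuple layout, the sample policy and the packets are constructed for this example; the paper's own trie construction and its integrity proof are not reproduced here.

```python
"""Sequential first-match filtering next to a policy trie that must agree with it.
Constructed sample rules and packets; not code from the paper."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

FIELDS = ("proto", "src", "dst", "dport")
ACTION = len(FIELDS)  # index of the action inside a rule tuple

# Constructed sample policy (assumed layout: proto, src, dst, dport, action).
# Order matters: rule 0 is an exception carved out of rule 1, so a packet that
# matches both must receive rule 0's action.
POLICY = [
    ("tcp", "10.1.1.0/24", "0.0.0.0/0",     "22",  "accept"),
    ("tcp", "10.0.0.0/8",  "0.0.0.0/0",     "22",  "deny"),
    ("tcp", "0.0.0.0/0",   "192.0.2.10/32", "443", "accept"),
    ("udp", "0.0.0.0/0",   "192.0.2.53/32", "53",  "accept"),
    ("*",   "0.0.0.0/0",   "0.0.0.0/0",     "*",   "deny"),
]

def field_matches(name, rule_value, packet_value):
    """True if one rule field covers the packet's value for that field."""
    if rule_value == "*":
        return True
    if name in ("src", "dst"):
        return ip_address(packet_value) in ip_network(rule_value)
    return rule_value == packet_value

def sequential_match(policy, packet):
    """The list walk the abstract describes: test rules in order, first hit wins."""
    for index, rule in enumerate(policy):
        if all(field_matches(n, rule[i], packet[n]) for i, n in enumerate(FIELDS)):
            return index, rule[ACTION]
    return None, "deny"  # implicit default when nothing matches

@dataclass
class Node:
    children: dict = field(default_factory=dict)  # field value -> child Node
    rules: list = field(default_factory=list)     # (index, action) kept at a leaf

def build_trie(policy):
    """One trie level per field; a rule's path is its field values in FIELDS order."""
    root = Node()
    for index, rule in enumerate(policy):
        node = root
        for depth in range(len(FIELDS)):
            node = node.children.setdefault(rule[depth], Node())
        node.rules.append((index, rule[ACTION]))
    return root

def trie_match(root, packet):
    """Descend every branch whose key covers the packet (a specific prefix and a
    wildcard can both match) and keep the lowest rule index among the leaves
    reached.  Returning the first leaf found instead would break policy integrity."""
    best = None
    stack = [(root, 0)]
    while stack:
        node, depth = stack.pop()
        if depth == len(FIELDS):
            for index, action in node.rules:
                if best is None or index < best[0]:
                    best = (index, action)
            continue
        name = FIELDS[depth]
        for key, child in node.children.items():
            if field_matches(name, key, packet[name]):
                stack.append((child, depth + 1))
    return best if best is not None else (None, "deny")

def same_decisions(policy, packets):
    """Policy-integrity check: the trie must agree with the list on every packet."""
    root = build_trie(policy)
    return all(trie_match(root, p) == sequential_match(policy, p) for p in packets)

# Constructed test packets; the first one matches rules 0 and 1.
PACKETS = [
    {"proto": "tcp",  "src": "10.1.1.50",    "dst": "203.0.113.5", "dport": "22"},
    {"proto": "tcp",  "src": "10.2.0.1",     "dst": "203.0.113.5", "dport": "22"},
    {"proto": "tcp",  "src": "10.2.0.1",     "dst": "192.0.2.10",  "dport": "443"},
    {"proto": "udp",  "src": "198.51.100.7", "dst": "192.0.2.53",  "dport": "53"},
    {"proto": "icmp", "src": "198.51.100.7", "dst": "192.0.2.53",  "dport": "*"},
]

if __name__ == "__main__":
    root = build_trie(POLICY)
    for p in PACKETS:
        print(p["proto"], p["src"], "->", p["dst"], p["dport"],
              sequential_match(POLICY, p), trie_match(root, p))
    print("policy integrity:", same_decisions(POLICY, PACKETS))
```

The point to notice is the first packet: it reaches two leaves, rule 0 (accept) and rule 1 (deny), and only the lowest index is the correct answer. A trie that simply returns whichever leaf its traversal happens to hit first would turn the exception into a silent policy change.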


Parallel Firewall Designs for High-Speed Networks

  • E. Fulp
  • Computer Science
    Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications
  • 2006
Different parallel firewall architectures that can process packets at high speeds are reviewed; each uses an array of firewalls to enforce a security policy, but they differ in how the array is used.

Firewall Architectures for High-Speed Networks

Simulation and analytical results show these new architectures out-perform any current firewall system, providing higher throughput, lower delays, and predictable traffic differentiation.

Firewall Best Practices for Securing Smart Healthcare Environment: A Review

The paper provides a comprehensive review and best practices of firewall types, with offered benefits and drawbacks, which may help to define a comprehensive set of policies for smart healthcare devices and environments.

Trie-based policy representations for network firewalls

A new technique for representing a security policy that maintains policy integrity and provides more efficient processing is introduced, and the n-ary trie developed in this paper can be proven to maintain policy integrity.

PARALLEL FIREWALL DESIGNS FOR HIGH-SPEED NETWORKS

This thesis introduces a novel parallel firewall design, where firewall nodes collectively enforce a security policy, and the new function parallel design allows stateful inspection of packets, a critical component in preventing certain types of network attacks.

References

Showing 1-10 of 22 references

Firewall Architectures for High-Speed Networks: Final Report

Simulation and analytical results show these new architectures out-perform any current firewall system, providing higher throughput, lower delays, and predictable traffic differentiation.

Using IDDs for Packet Filtering

This paper proposes a complete framework for packet classification, and introduces an extension of IDDs called Multi-Terminal Interval Decision Diagrams in order to deal with any number of policies.

Network firewalls

The authors classify firewalls into three main categories: packet filtering, circuit gateways, and application gateways; their focus is on the TCP/IP protocol suite, especially as used on the Internet.

Modeling and Management of Firewall Policies

A set of techniques and algorithms are presented that provide automatic discovery of firewall policy anomalies to reveal rule conflicts and potential problems in legacy firewalls, and anomaly-free policy editing for rule insertion, removal, and modification.
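The anomalies that work classifies can be checked pairwise over an ordered first-match policy. The Python below is an added example, not the cited paper's algorithm or code: it uses the four usual anomaly categories (shadowing, redundancy, generalization, correlation), and the rule tuple layout, the sample policy and the tuple shape of the findings are constructed here. The finding that matters most for security is shadowing: a later, more specific rule that an earlier rule fully covers with the opposite action never fires, so an exception the administrator believes is in place is not.

```python
"""Pairwise anomaly check for an ordered first-match firewall policy.
Constructed sample policy; not code from the cited paper."""
from ipaddress import ip_network

FIELDS = ("proto", "src", "dst", "dport")
ACTION = len(FIELDS)  # index of the action inside a rule tuple

def covers(name, outer, inner):
    """True if rule field `outer` matches every value that `inner` matches."""
    if outer == "*":
        return True
    if inner == "*":
        return False
    if name in ("src", "dst"):
        return ip_network(outer).supernet_of(ip_network(inner))
    return outer == inner

def overlaps(name, a, b):
    """True if some packet value satisfies both rule fields."""
    if a == "*" or b == "*":
        return True
    if name in ("src", "dst"):
        return ip_network(a).overlaps(ip_network(b))
    return a == b

def rule_covers(outer, inner):
    return all(covers(n, outer[i], inner[i]) for i, n in enumerate(FIELDS))

def rule_overlaps(a, b):
    return all(overlaps(n, a[i], b[i]) for i, n in enumerate(FIELDS))

def find_anomalies(policy):
    """Return (kind, subject, other) tuples:
    shadowed       subject can never fire; earlier rule `other` takes all its packets
    redundant      subject can be removed without changing any decision
    generalization subject is a superset of earlier rule `other` with a different
                   action (usually intended: the exception sits first)
    correlation    the two rules overlap without containment and disagree, so
                   swapping their order would change decisions"""
    findings = []
    for j, later in enumerate(policy):
        for i in range(j):
            earlier = policy[i]
            if rule_covers(earlier, later):
                kind = "shadowed" if earlier[ACTION] != later[ACTION] else "redundant"
                findings.append((kind, j, i))
                break  # no rule after `earlier` ever sees these packets
            if rule_covers(later, earlier):
                if earlier[ACTION] != later[ACTION]:
                    findings.append(("generalization", j, i))
                elif not any(rule_overlaps(policy[k], earlier)
                             and policy[k][ACTION] != earlier[ACTION]
                             for k in range(i + 1, j)):
                    # Same action and no rule in between diverts any of
                    # `earlier`'s packets, so `earlier` adds nothing.  This is
                    # conservative: an intervening rule that is itself shadowed
                    # still suppresses the finding.
                    findings.append(("redundant", i, j))
            elif rule_overlaps(earlier, later) and earlier[ACTION] != later[ACTION]:
                findings.append(("correlation", i, j))
    return findings

# Constructed sample policy (assumed layout: proto, src, dst, dport, action).
POLICY = [
    ("tcp", "10.0.0.0/8",       "0.0.0.0/0",     "22",  "deny"),    # 0
    ("tcp", "10.1.1.0/24",      "0.0.0.0/0",     "22",  "accept"),  # 1 shadowed by 0
    ("udp", "0.0.0.0/0",        "192.0.2.53/32", "53",  "accept"),  # 2
    ("udp", "198.51.100.0/24",  "192.0.2.53/32", "53",  "accept"),  # 3 redundant with 2
    ("tcp", "10.1.0.0/16",      "0.0.0.0/0",     "80",  "accept"),  # 4 correlated with 5
    ("tcp", "0.0.0.0/0",        "192.0.2.0/24",  "80",  "deny"),    # 5
    ("tcp", "10.1.1.0/24",      "192.0.2.10/32", "443", "accept"),  # 6
    ("tcp", "10.0.0.0/8",       "192.0.2.10/32", "443", "deny"),    # 7 generalizes 6
    ("*",   "0.0.0.0/0",        "0.0.0.0/0",     "*",   "deny"),    # 8 catch-all
]

if __name__ == "__main__":
    for kind, subject, other in find_anomalies(POLICY):
        print(f"rule {subject}: {kind} (with rule {other})")
```

Rule 1 is the case to act on: the administrator wrote an SSH exception for 10.1.1.0/24, but rule 0 already denies the whole /8, so the exception is dead and the policy does not do what its author reads it as doing. The generalization findings against the final catch-all are expected on almost every real policy and are informational; correlation findings (rules 4 and 5 here) are the ones where a later reordering quietly changes behaviour.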

An unavailability analysis of firewall sandwich configurations

  • Steve Goddard, R. Kieckhafer, Y. Zhang
  • Computer Science
    Proceedings Sixth IEEE International Symposium on High Assurance Systems Engineering. Special Topic: Impact of Networking
  • 2001
A model is presented to analyze the steady-state unavailability of firewall sandwiches and compare the unavailability of various load-balancing configurations, showing that redundancy management policies are at least as important as the number of redundant processing nodes.

Linux firewalls

Linux Firewalls discusses the technical details of the iptables firewall and the Netfilter framework that are built into the Linux kernel, and it explains how they provide strong filtering, Network Address Translation (NAT), state tracking, and application layer inspection capabilities that rival many commercial tools.

Fast firewall implementations for software and hardware-based routers

  • L. Qiu, G. Varghese, S. Suri
  • Computer Science
    Proceedings Ninth International Conference on Network Protocols. ICNP 2001
  • 2001
This paper re-examines two basic mechanisms that have been dismissed in the literature as too inefficient, backtracking search and set-pruning tries, and finds using real databases that the time for backtracking search is much better than the worst-case bound.

Fast firewall implementations for software-based and hardware-based routers

This paper re-examines two basic mechanisms that have been dismissed in the literature as too inefficient, backtracking search and set-pruning tries, and finds using real databases that the time for backtracking search is much better than the worst-case bound: instead of Ω((log N)^(k-1)), the search time is only roughly twice the optimal search time.

Detecting and resolving packet filter conflicts

  • H. Adiseshu, S. Suri, G. Parulkar
  • Computer Science
    Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064)
  • 2000
This work proposes a new scheme for conflict resolution based on the idea of adding resolve filters, tries it on three existing firewall databases, and finds conflicts, which are potential security holes, in each of them.

Packet filtering in high speed networks

The commercial viability of the future Internet depends on its ability to provide differentiated service to paying customers, and examples of differentiated service include firewalls for enterprise networks, bandwidth guarantees to applications, and traffic sensitive routing.