Embed Size (px)
Citation preview
Traffic-Aware Dynamic Firewall Policy Management:
Techniques and Applications
Presented by Group 2: Shan Gao (3412192)
Dayang Yu (3441202) Jiayu Zhou (3405232)
1
Introduction Main Techniques
Matching Optimization Techniques Early Rejection Optimization Techniques
Comparative StudyConclusionReferences (23
slides in total)
Outline
2
Firewall: permit or deny network traffic based on a firewall policy
Firewall policy: a list of ordered rules specifies what types of packets should be allowed from/into the protected network
Rule: filtering fields & an action field.
The packet is accepted or denied by a specific rule if the packet header information matches all the network fields of this rule
Firewall policy rule management: 1. To reduce the filtering overhead (FCAPS) 2. Security (FCAPS)
Introduction
3
Figure 1 Classification of traffic-aware firewall policy techniques
Main Techniques
4
Objectives: try to minimize the matching time of normal network traffic:
Static techniques (not traffic-aware) Algorithmic techniques: 1) hardware-based solutions; 2)
specialized data structures; 3) heuristics improve the search time
Adaptive techniques (traffic-aware) Rule-based optimization: 1) common branch tree; 2)
offline statistical-based rule generation; 3) dynamic rule ordering;
Field-based optimization: 1) multifield alphabetic tree; 2) huffman-tree-based filtering; 3) segment-list-based filtering
Matching Optimization
5
1) Common Branch Tree
Number of rules & number of fields build common branch decision trees good average case performance:
Less memory than binary decision trees
Limitation: decision tree needs to be rebuilt every time the traffic pattern changes
Adaptive traffic-aware —— Rule-based optimization
6
2) Offline Statistical-Based Rule Generation Traffic-aware firewall optimizer (TFO): Step 1: pre-optimization (removes redundancies) Step 2: a rule-set-based optimizer & a traffic-
based optimizer
The rule-set-based optimizer: Disjoint Set Creator (DSC) & Disjoint Set Merger (DSM) algorithms
The traffic-based optimizer: hot caching, default proxy, total re-ordering, online adaptation
Adaptive traffic-aware —— Rule-based optimization
7
3) Dynamic Rule Ordering The optimal rule ordering (ORO) problem is
NP-hard a heuristic approximation algorithm achieves near-optimal results
Compute filtering rule weights based on: matching frequency & matching recency
Limitation: it is not good for policies with a large number of overlapping rules.
Adaptive traffic-aware —— Rule-based optimization
8
1) Multifield Alphabetic Tree Calculates the field value frequency build the
alphabetic search tree adaptive packet searching
The alphabetic search tree: improve the overall average filtering
Limitation: the overhead of updating the tree can be significant
Adaptive traffic-aware —— Field-based optimization
9
2) Huffman-Tree-Based Filtering The Huffman tree: represent the segmentation of
traffic address space in the firewall policy
Number of rules & number of segments build a Huffman tree enhance the performance of searching & good for policies with a large number of rules
Limitation: the Huffman tree needs to be rebuilt periodically to reflect changes in network flows.
Adaptive traffic-aware —— Field-based optimization
10
3) Segment-List-Based Filtering Number of rules & number of segments build a
policy-segment-based search list get rid of the maintenance cost of the Huffman tree
A heuristic algorithm minimize the average search time
Limitation: it has transient behavior until a good order of segments is obtained
Adaptive traffic-aware —— Field-based optimization
11
Early Rejection Optimization
Importance• Protect firewalls from DoS attacks that target the
default deny rule.• Minimize the filtering overhead.
ClassificationOnline early rejection• Field value cover-based early rejection• BDD-based relaxed policyBlacklist blocking• Longest common prefix(LCP)-based blacklist
blocking12
Online Early Rejection—— Field value cover-based early rejection
Objective Filter out as many discarded packets as possible
with the lowest overhead.Basic idea
The early rejection rules can be formed as a combination of the common field values that cover all rules in the policy.
A typical early rejection rule(RR)
The limitation of the technique is that it is not suitable for large number of rules.
13
Online Early Rejection —— BDD-Based Relaxed PolicyBasic idea• Approximate the current policy with another new policy. Provided a packet, the technique evaluates it against the
policy, and reaches one of three options: accepted, rejected or more filtering is needed by the original policy.
• Efficient Boolean expression can be used to represent and approximate the policy Each Boolean expression represents the different packets that match a specific rule, and the variables used for this
expression correspond to the bits of individual packet header fields
14
Online Early Rejection —— BDD-Based Relaxed Policy
The limitation of the technique is that the overhead to build the BDD is usually significant.
15
Longest Common Prefix (LCP)-Based Blacklist BlockingObjective Minimize the impact of malicious sources in the
network using the available network resources.
Basic idea Addresses with certain prefixes should be blocked.
Data structure LCP tree ----a kind of binary tree.
16
Example of LCP tree
The limitation of this technique is that all the malicious IP addresses must be known before the computation of the optimal solution.
Longest Common Prefix (LCP)-Based Blacklist Blocking
17
Leaves of the tree
represent the malicious IP
addresses.
All the other nodes
represent the longest
common prefixes between
any pair of IPs in the tree.
Comparative Study
Table 1 . Comparison of the algorithms, data structures, and complexity of traffic-aware dynamic firewall policy techniques.
18
Introduction to Related Terms
Skewedness: The measure of asymmetry in the
probability distribution of traffic.
Dynamic: An index to measure whether the
traffic pattern has frequent changes or not.
Comparative Study
Higherskewedness
Traffic “leans” to one side of
the mean
Smaller number of rules required
to match
Higherdynamic
Adapt firewalls more dynamically
Minimize the packets’
matching time
19
Table 2. Comparison of limitations and application suitability of traffic–aware dynamic firewall policy techniques.
Comparative Study
20
(+ denotes corresponding technique suits this property )(- denotes corresponding technique doesn’t suit this property)(N/A denotes this technique is not applicable for this property)
F C A P SFault managementConfiguration managementAccounting managementPerformance management: The decrease of matching time by
using different techniques can provide high performance packet filtering.
Security management: Border device only passes packets that satisfy rules, block the malicious sources in the network occupy the available network resources.
21
Conclusion
References
[1] Duan Qi and Ehab Al-Shaer, “Traffic-aware dynamic firewall policy management: techniques and applications”, Communications Magazine, IEEE, 2013, vol. 51, no. 7.
[2] S. Acharya et al., “Traffic-Aware Firewall Optimization Strategies,” IEEE ICC, 2006.
[3] A. Attar, “Performance Characteristics of BDD-Based Packet Filters”, University of the Witwatersrand, 2001.
[4] H. Hamed and E. Al-Shaer, “Dynamic Rule Ordering Optimization for High-Speed Firewall Filtering,” ASIACCS’06, 2006.
[5] H. Hamed, A. El-Atawy, and E. Al-Shaer, “Adaptive Statistical Optimization Techniques for Firewall Packet Filtering,” IEEE INFOCOM ’06, Apr. 2006.
[6] F. Soldo, A. Markopoulou, and K. J. Argyraki, “Optimal Filtering of Source Address Prefixes: Models and Algorithms,” IEEE INFOCOM ’09, 2009, pp. 2446–54.
[7] M. Tim, Tele9752 Network Operations and Control, Lecture notes, 2013
22
THANK YOU !
23
