effects of processing delay on function parallel firewalls
play

Effects of Processing Delay on Function-Parallel Firewalls Ryan J. - PowerPoint PPT Presentation

May 09, 2023 •31 likes •211 views

Effects of Processing Delay on Function-Parallel Firewalls Ryan J. Farley and Errin W. Fulp IASTED PDCN February 15, 2006 Abstract Firewalls filter packets between networks. Unfortunately, they introduce significant delay to a system.

  1. Effects of Processing Delay on Function-Parallel Firewalls Ryan J. Farley and Errin W. Fulp IASTED PDCN February 15, 2006

  2. Abstract • Firewalls filter packets between networks. • Unfortunately, they introduce significant delay to a system. • Given issues with current high speed networks, how will firewalls cope with future networks? • This presentation will introduce a parallel firewall system that can: – Maintain integrity of original system. – Mitigate Denial of Service. – Provide High Scalability. – Maintain Quality of Service. IASTED PDCN Feb, 2006 R. J. Farley Wake Forest Computer Science nsg.cs.wfu.edu

  3. Modeling Precedence • A rule is an ordered tuple and an associated action. • A policy is an ordered set of rules. • In a Policy DAG Vertices are rules, edges are precedence relationships . – Rules intersect if their every tuple of their set intersection is non-empty. – Edge exists between r i and r j , if i < j and the rules intersect. • If two rules intersect, then the order is significant. IASTED PDCN Feb, 2006 R. J. Farley 3 Wake Forest Computer Science nsg.cs.wfu.edu

  4. Accept Sets • An accept set A is the set of all possible unique packets which a policy will accept. • A deny set D is the set of all possible unique packets which a policy will deny. • A comprehensive policy R is one where D = A . • R and R’ are equivalent if A = A’ . • If R’ is a modified R then integrity is maintained. IASTED PDCN Feb, 2006 R. J. Farley 4 Wake Forest Computer Science nsg.cs.wfu.edu

  5. Data Parallel • A system is Data parallel (load-balancing) if: – Distributes packets evenly to all firewall nodes. – Duplicates original policy to each firewall node ( R i = R ) • Maintains integrity since A i = A . • Better throughput than traditional designs. • Does not allow for Quality of Service or state. • Benefit is related to load, when enough traffic exists to split. • Does not directly focus on reducing processing delay. IASTED PDCN Feb, 2006 R. J. Farley 5 Wake Forest Computer Science nsg.cs.wfu.edu

  6. Function Parallel with Gate • A system is Function parallel (with gate) if: – Duplicates packets to all firewall nodes. – Distributes local policy R i to each firewall node, where • A gate coordinates local policy results. • Incoming packets are also duplicated to the gate. • Multiple nodes may find an accept match for the same packet if: • A gate node is needed to preserve precedence. IASTED PDCN Feb, 2006 R. J. Farley 6 Wake Forest Computer Science nsg.cs.wfu.edu

  7. Function Parallel with no Gate • If the nodes could be designed to act independently then the gate could be removed. • A system is Function parallel, and does not require a gate if: – Duplicates packets to all firewall nodes. – Distributes a local policy R i to each node, where both • Since no accept sets intersect, only one node will find an accepting match. IASTED PDCN Feb, 2006 R. J. Farley 7 Wake Forest Computer Science nsg.cs.wfu.edu

  8. Simulation Comparison • Assumptions: – Each node could process 6 x 10 7 rules per second. – Inter-arrival rate scheduled on Poisson distribution. – Rule match probability according to Zipf distribution. – No additional delay for Data Parallel packet distribution. – Constant gate delay for Function Parallel with Gate • Cases were ran to determine the performance of: – Increasing arrival rates. – Increasing policy size. – Increasing number of nodes. IASTED PDCN Feb, 2006 R. J. Farley 8 Wake Forest Computer Science nsg.cs.wfu.edu

  9. Delay vs Arrival Rate • Parallel systems consisted of 5 nodes. • Policy size was 1024 rules. • Arrival rate was varied from 300 Mbps up to 6 Gbps. IASTED PDCN Feb, 2006 R. J. Farley 9 Wake Forest Computer Science nsg.cs.wfu.edu

  10. Delay vs Policy Size • Parallel systems consisted of 5 nodes. • Arrival rate was established at 650 Mbps. • Policy size was incremented from 2 to 2048. IASTED PDCN Feb, 2006 R. J. Farley 10 Wake Forest Computer Science nsg.cs.wfu.edu

  11. Delay vs Number of Nodes • Arrival rate was established at 650 Mbps. • Policy size was 1024 rules. • Parallel systems varied number of nodes from 2 to 256. IASTED PDCN Feb, 2006 R. J. Farley 11 Wake Forest Computer Science nsg.cs.wfu.edu

  12. Summary of Simulations • Illustrates advantage of parallelism. • Reducing processing time is more advantageous than reducing arriving traffic load . • Removing the gate delay helps function parallel approach theoretical rates. IASTED PDCN Feb, 2006 R. J. Farley 12 Wake Forest Computer Science nsg.cs.wfu.edu

  13. Conclusions • It is important that a firewall acts transparently to users. • Unfortunately, firewalls quickly become bottlenecks. • Particularly in High Speed Networks . • Improving implementations and hardware is not as scalable as needed. • Enter Parallel firewalls . • Data parallel does not address processing delay. • Function parallel with gate is flexible, but has the added gate delay. • Function parallel with no gate solves scalable processing delay issues. IASTED PDCN Feb, 2006 R. J. Farley 13 Wake Forest Computer Science nsg.cs.wfu.edu

  14. Future Direction of Work • Extend rule distribution and optimization methods for Function parallel with no Gate. • Incorporate Distributed IDS/IPS. • New Start-up company – Great Wall Systems. Winston-Salem, NC, USA. – Basis is two patents created through research from DOE grant. – Dedicated to High Speed Networking Devices for IDS/IPS systems. IASTED PDCN Feb, 2006 R. J. Farley 14 Wake Forest Computer Science nsg.cs.wfu.edu

  15. Candidate for Parallelism • Several solutions for improving firewall performance: – Optimize algorithms. – Optimize rules. – Parallelize system. • Improvements to the single firewall design are temporary. • Can divide load two ways: – Data Parallel - divide data processed. – Function Parallel - divide work of processing. IASTED PDCN Feb, 2006 R. J. Farley 15 Wake Forest Computer Science nsg.cs.wfu.edu

  16. How the Gate Works • Firewall nodes do not execute an action. – Send decision as a vote to the gate. – Vote consists of at least the rule number and action. • No match is a valid response. • Matches in state would have uniformally lower values. • The gate caches the packet until a decision can be made. • First match method is accomplished by executing the action of the vote with the lowest rule number. IASTED PDCN Feb, 2006 R. J. Farley 16 Wake Forest Computer Science nsg.cs.wfu.edu

  17. Other Considerations • Redundancy can be provided as long as accept sets are not violated. • Gate can use knowledge of DAG to remove necessity of some votes. • Processing the traffic asynchronously would increase work efficiency. • Removal of need for the gate would eliminate associated processing delay. IASTED PDCN Feb, 2006 R. J. Farley 17 Wake Forest Computer Science nsg.cs.wfu.edu

  18. Theoretical Comparison • Standard formula for delay of a cascading system is: • Data parallel is: • Function parallel is: • Relationship of delay is: IASTED PDCN Feb, 2006 R. J. Farley 18 Wake Forest Computer Science nsg.cs.wfu.edu

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
Post Processing Effects By Michael Michuki What is Post processing? Post Processing is the

Post Processing Effects By Michael Michuki What is Post processing? Post Processing is the

Post Processing Effects By Michael Michuki What is Post processing? Post Processing is the process of adding additional Effects after production to tweak the overall look and feel of a scene. Examples of elements and effects include Lens

654 views • 47 slides
GCT535- Sound Technology for Multimedia Delay-based Effects Graduate School of Culture Technology

GCT535- Sound Technology for Multimedia Delay-based Effects Graduate School of Culture Technology

GCT535- Sound Technology for Multimedia Delay-based Effects Graduate School of Culture Technology KAIST Juhan Nam 1 Delay-based Audio Effects Types of delay-based audio effect Delay Chorus Flanger Reverberation (this will be

308 views • 13 slides
Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple firewall using Netfilter Iptables firewall in Linux Stateful Firewall Application Firewall Evading Firewalls 2 Firewalls

811 views • 55 slides
CTP431- Music and Audio Computing Audio Signal Processing (Part #2) Graduate School of Culture

CTP431- Music and Audio Computing Audio Signal Processing (Part #2) Graduate School of Culture

CTP431- Music and Audio Computing Audio Signal Processing (Part #2) Graduate School of Culture Technology KAIST Juhan Nam 1 Types of Audio Signal Processing Filter/EQ Compressor Delay-based Effects Delay, reverberation Spatial

609 views • 31 slides
Outline The Sixth International Conference on Parallel Processing and Applied Mathematics

Outline The Sixth International Conference on Parallel Processing and Applied Mathematics

Outline The Sixth International Conference on Parallel Processing and Applied Mathematics Background (PPAM 2005) Matrix computation libraries Traditional programming style based on function calls SILC: a Flexible and Environment

357 views • 3 slides
11 Introduction Introduction M/M/1 Queueing delay (revisited) R=link bandwidth (bps)

11 Introduction Introduction M/M/1 Queueing delay (revisited) R=link bandwidth (bps)

Introduction Introduction Four sources of packet delay Delay in packet-switched networks 3. Transmission delay: 4. Propagation delay: 1. nodal processing: 2. queueing R=link bandwidth (bps) d = length of physical link check

185 views • 3 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (10/29/07) I E S R C E O V

UMBC A B M A L T F O U M B C I M Y O R T 1 (10/29/07) I E S R C E O V

VLSI Design Verification and Test Delay Faults II CMPE 646 Path Counting The number of paths can be an exponential function of the # of gates. Parallel multipliers are notorious for having huge numbers of paths. It is possible to efficiently

290 views • 11 slides
Estimating Delays Gate Delay Model Would be nice to have First, normalize a model of delay

Estimating Delays Gate Delay Model Would be nice to have First, normalize a model of delay

Estimating Delays Gate Delay Model Would be nice to have First, normalize a model of delay to a back of the dimensionless units to isolate fabrication envelope method for effects d abs = d sizing gates for speed is

387 views • 9 slides
Parallel Processing Raul Queiroz Feitosa Parts of these slides are from the support material

Parallel Processing Raul Queiroz Feitosa Parts of these slides are from the support material

Parallel Processing Raul Queiroz Feitosa Parts of these slides are from the support material provided by W. Stallings Objective To present the most prominent approaches to parallel computer organization. 2 Parallel Processing Outline

1.22k views • 84 slides
Architectures for Parallel Processing Current Architectures for Parallel &quot;With the

Architectures for Parallel Processing Current Architectures for Parallel &quot;With the

Architectures for Parallel Processing Current Architectures for Parallel &quot;With the development of new kinds of equipment of Processing greater capacity, and particularly of greater speed, it is almost certain that new methods will have to

227 views • 12 slides
Verifiable Delay Functions: How to Slow Things Down (Verifiably) Dan Boneh Stanford University

Verifiable Delay Functions: How to Slow Things Down (Verifiably) Dan Boneh Stanford University

NutMiC19, June, 2019 Verifiable Delay Functions: How to Slow Things Down (Verifiably) Dan Boneh Stanford University What is a VDF? (verifiable delay function) Intuition: a function X Y that (1) takes time T to evaluate, even with

694 views • 30 slides
FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls (Categories) Implementation Best practices What are Firewalls? Internet Firewall Client/Host Network Network Security

585 views • 39 slides
Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however

Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however

Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however it creates a threat Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled

699 views • 34 slides
Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks

Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks

Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks out of your network while still letting you get your job done. [Limiting] what kinds of connectivity is allowed between different

538 views • 30 slides
9/14/16 1 Graph Processing Graphs &amp; Analytics Parallel Graph Processing on Web Graphs

9/14/16 1 Graph Processing Graphs &amp; Analytics Parallel Graph Processing on Web Graphs

9/14/16 1 Graph Processing Graphs &amp; Analytics Parallel Graph Processing on Web Graphs PageRank Rank websites in search results GPUs, Clusters, and Multicores Belief Propagation Malicious domains &amp; infected hosts Social

599 views • 16 slides
Verifying and Mining Frequent Patterns from Large Windows over Data Streams Barzan Mozafari,

Verifying and Mining Frequent Patterns from Large Windows over Data Streams Barzan Mozafari,

Verifying and Mining Frequent Patterns from Large Windows over Data Streams Barzan Mozafari, Hetal Thakkar, Carlo Zaniolo Computer Science Department University of California Los Angeles, CA, USA { barzan,hthakkar,zaniolo } @cs.ucla.edu such

137 views • 10 slides
EU Collaborative Framework for Patient Registries - Pilot Phase Patients and Consumers

EU Collaborative Framework for Patient Registries - Pilot Phase Patients and Consumers

EU Collaborative Framework for Patient Registries - Pilot Phase Patients and Consumers Organisations (PCWP) and Healthcare Professionals Organisations (HCPWP) joint meeting 16 September 2014 Presented by: Xavier Kurz, Inspections &amp;

337 views • 17 slides
NON-FUMIGANT MEASURES AND ASSESSMENT OF HOST TOLERANCE FOR REPLANT DISEASE CONTROL Mark

NON-FUMIGANT MEASURES AND ASSESSMENT OF HOST TOLERANCE FOR REPLANT DISEASE CONTROL Mark

NON-FUMIGANT MEASURES AND ASSESSMENT OF HOST TOLERANCE FOR REPLANT DISEASE CONTROL Mark Mazzola, USDA-ARS Tree Fruit Research Lab, Wenatchee, WA INTRODUCTION Continuing studies have identified cultural and biologically active methods that

270 views • 3 slides
MAPS SS7 SIGTRAN SIGTRAN Protocol Emulation over IP 818 West Diamond Avenue - Third Floor,

MAPS SS7 SIGTRAN SIGTRAN Protocol Emulation over IP 818 West Diamond Avenue - Third Floor,

MAPS SS7 SIGTRAN SIGTRAN Protocol Emulation over IP 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com Website: http://www.gl.com 1 SS7 Network Architecture 2 Main

1.18k views • 33 slides
PROPERTY OWNERS MEETING SEWER SERVICE RATES Fair Oaks Sewer Maintenance District (District)

PROPERTY OWNERS MEETING SEWER SERVICE RATES Fair Oaks Sewer Maintenance District (District)

PROPERTY OWNERS MEETING SEWER SERVICE RATES Fair Oaks Sewer Maintenance District (District) Garfield School 3600 Middlefield Road North Fair Oaks May 9, 2017 6:30 P.M. Department of Public Works OVERVIEW OF TONIGHTS MEETING District

403 views • 28 slides
Supramolecular Chemistry for Pressure Sensitive Adhesives ? Gordon Seminar 2014 Xavier Callies, 3

Supramolecular Chemistry for Pressure Sensitive Adhesives ? Gordon Seminar 2014 Xavier Callies, 3

Supramolecular Chemistry for Pressure Sensitive Adhesives ? Gordon Seminar 2014 Xavier Callies, 3 nd year Phd Student Guylaine Ducouret, Costantino Creton SIMM, ESPCI ParisTech, Paris, France Olivier Herscher, Ccile Fonteneau Sandrine

589 views • 19 slides
A Copy-Protection Technique with Multi-Level Error Coding Chen-Yin Liao, Jen-Wei Yeh and

A Copy-Protection Technique with Multi-Level Error Coding Chen-Yin Liao, Jen-Wei Yeh and

A Copy-Protection Technique with Multi-Level Error Coding Chen-Yin Liao, Jen-Wei Yeh and Ming-Seng Kao Department of Communication Engineering National Chiao-Tung University Hsinchu, Taiwan 1 Contents Introduction Coding scheme

423 views • 19 slides
4/11/2013 C ONVINCING E VIDENCE V ERSUS P ROOF Key distinction in statistical inference

4/11/2013 C ONVINCING E VIDENCE V ERSUS P ROOF Key distinction in statistical inference

4/11/2013 C ONVINCING E VIDENCE V ERSUS P ROOF Key distinction in statistical inference Makes drawing conclusions in inferential settings tricky. S TATISTICAL R EASONING : C ONVINCING E VIDENCE V ERSUS P ROOF Understanding what

180 views • 3 slides

More recommend