firewall architectures for high speed networks
play

Firewall Architectures for High-Speed Networks Errin W. Fulp DOE - PowerPoint PPT Presentation

Nov 22, 2022 •122 likes •221 views

Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting September 28, 2005 1 Project Objectives Methods that improve network firewall performance 1. Develop policy optim ization techniques Formal

  1. Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting September 28, 2005 1

  2. Project Objectives Methods that improve network firewall performance 1. Develop policy optim ization techniques – Formal models for rules and security policies – Reduce processing requirement per packet – Low impact solutions for current and future firewalls – Models used to distribute rules in parallel firewalls 2. High-speed firew all designs – One policy, distributed firewalls, parallel processing – Maintain QoS requirements and differentiation – Scalable with increasing speeds and volumes – Robust (highly available), able to survive DoS attacks Wake Forest Computer Science DOE Network Research PI Meeting, 2005 E. W. Fulp 2 nsg.cs.wfu.edu

  3. Research Progress • Three year DOE ECPI project – First year : firewall policies and analytical models – Second year : firewall designs and rule distribution – Third year : hybrid and dynamic firewall designs • Network Security Group at Wake Forest University – Errin Fulp, Ryan Farley, and Steve Tarsa Wake Forest Computer Science DOE Network Research PI Meeting, 2005 E. W. Fulp 3 nsg.cs.wfu.edu

  4. Policy Optimization Reduce comparisons while maintaining integrity 1 . Optim ize the policy, best arrangement (NP-hard) Firewall policy Policy DAG Linear arrangement – Optimized list reduces number of compares (upto 80% ) – Rule compression and expansion 2. New non-linear representation – Policy trie requires 1/ k compares – Policy trie optimization Wake Forest Computer Science DOE Network Research PI Meeting, 2005 E. W. Fulp 4 nsg.cs.wfu.edu

  5. Distributed Firewall Designs • Three distributed designs – Data parallel , distribute packets – Function parallel , distribute rules – Hierarchical , distribute packets and rules scalable, redundant, faster than data, scalable potentially fastest, stateful, stateful inspection difficult, stateful, redundant?, no differentiation possible, rule no differentiation differentiation distribution difficult Wake Forest Computer Science DOE Network Research PI Meeting, 2005 E. W. Fulp 5 nsg.cs.wfu.edu

  6. Function Parallel • Each node has a portion of the policy – Every packet processed by each node, and informs gate – Gate make final decision based on the policy DAG • Results for 4-node parallel firewall – Function parallel 3 to 3.5 times better than data-parallel • Gate is an additional delay, prefer to eliminate Wake Forest Computer Science DOE Network Research PI Meeting, 2005 E. W. Fulp 6 nsg.cs.wfu.edu

  7. Eliminating the Gate • Possible to remove the gate machine – Must distribute rules so only one node accepts – Use policy DAG and trie to guide decisions ( integrity ) • Consider a policy and two node function-parallel • Function parallel design is becoming hierarchical – Nodes are designed to handle certain types of traffic – Maintains QoS, isolate DoS attacks Wake Forest Computer Science DOE Network Research PI Meeting, 2005 E. W. Fulp 7 nsg.cs.wfu.edu

  8. Continuing Research • Finalize proofs for rule distribution – Eliminate gate and maintaining integrity – Use policy profile to optimize performance • Create a redundant gate-less design – Use policy DAG and trie to distribute rules – Gateless performance with redundant attributes • Dynamic array of firewall nodes – Function parallel is not always better… – Use queueing theory to determine optimal design – Data and/ or function parallel distribution Wake Forest Computer Science DOE Network Research PI Meeting, 2005 E. W. Fulp 8 nsg.cs.wfu.edu

  9. Synergistic Activities • Cyber Security Group at PNNL , Summer 2005 – Deborah Frincke, John McCoy, Tom McKenna, and Patrick Wheeler (UC Davis) – High-speed firewall and IPS designs – Developed policy optimization techniques • New Start-up Com pany , Spring 2005 – High-speed firewall and IDS/ IPS solutions – Two patents pending ( firewall optimization, rule distribution, and distributed architectures ) – Business plan developed – Initial implementation at WFU and testing at NC State – Seeking funding/ initial investors, possible SBIR Wake Forest Computer Science DOE Network Research PI Meeting, 2005 E. W. Fulp 9 nsg.cs.wfu.edu

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Parallel Firewall Designs for High-Speed Networks Ryan J. Farley WAKE FOREST US Department of

Parallel Firewall Designs for High-Speed Networks Ryan J. Farley WAKE FOREST US Department of

Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 1 Parallel Firewall Designs for High-Speed Networks Ryan J. Farley WAKE FOREST US Department of Energy U N I V E R S I T Y Computer Science Network

1.21k views • 49 slides
Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts and networks connected to other hosts and networks against attacks from the outside and from the inside. a firewall is a network security system

440 views • 30 slides
Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation controlled connection between networks at different security levels = boundary protection ( L1 > L2 ) network at network at security

1.07k views • 67 slides
Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall Overview Todays top firewall problems What IT managers say about their existing firewall Firewall Satisfaction Survey (Spiceworks 2017) Top

548 views • 52 slides
High Speed and Low-Power SerDes Architectures using Chord Signaling Part 1: THEORY Amin

High Speed and Low-Power SerDes Architectures using Chord Signaling Part 1: THEORY Amin

High Speed and Low-Power SerDes Architectures using Chord Signaling Part 1: THEORY Amin Shokrollahi In collaboration with the Engineering Team of Kandou Bus Chip-to-Chip Communication Chip 1 Chip 2 Communication wires Task: reliably

1.32k views • 107 slides
High Speed Networks Need Proactive Congestion Control Using Programmable Forwarding Planes!

High Speed Networks Need Proactive Congestion Control Using Programmable Forwarding Planes!

High Speed Networks Need Proactive Congestion Control Using Programmable Forwarding Planes! Lavanya Jose , Steve Ibanez, Lisa Yan, Nick McKeown, Sachin Katti Stanford University Mohammad Alizadeh George Varghese MIT Microsoft Research

608 views • 28 slides
Cybersecurity Distributed processing and ubiquitous high-speed networks empower a vision for

Cybersecurity Distributed processing and ubiquitous high-speed networks empower a vision for

Cybersecurity Distributed processing and ubiquitous high-speed networks empower a vision for instant access to any information, anywhere, at any time. How will we protect privacy, property and system integrity of digital everything?

509 views • 12 slides
MoonGen A Scriptable High-Speed Packet Generator Sebastian Gallenm uller, Paul Emmerich

MoonGen A Scriptable High-Speed Packet Generator Sebastian Gallenm uller, Paul Emmerich

Chair for Network Architectures and Services Technical University of Munich (TUM) MoonGen A Scriptable High-Speed Packet Generator Sebastian Gallenm uller, Paul Emmerich October 31th, 2015 Chair for Network Architectures and Services

519 views • 7 slides
MoonGen A Scriptable High-Speed Packet Generator Paul Emmerich March 4th, 2015 Chair for

MoonGen A Scriptable High-Speed Packet Generator Paul Emmerich March 4th, 2015 Chair for

Chair for Network Architectures and Services Technische Universit at M unchen MoonGen A Scriptable High-Speed Packet Generator Paul Emmerich March 4th, 2015 Chair for Network Architectures and Services Department of Informatics

477 views • 21 slides
High Speed Networks Carey Williamson Department of Computer Science University of Calgary

High Speed Networks Carey Williamson Department of Computer Science University of Calgary

CPSC 641: Performance Issues in High Speed Networks Carey Williamson Department of Computer Science University of Calgary Agenda Welcome! Course Overview Administrative Details Expectations Q&A Todays Lecture

309 views • 8 slides
Hardware Acceleration: An Essential Part of Cyber Security in High-Speed Networks Ji

Hardware Acceleration: An Essential Part of Cyber Security in High-Speed Networks Ji

Hardware Acceleration: An Essential Part of Cyber Security in High-Speed Networks Ji Novotn Pavel eleda Radek Krej novotny@ics.muni.cz celeda@ics.muni.cz krejci@liberouter.org DeepSec In-Depth Security Conference 2010

652 views • 52 slides
Next Generation Networks Next Generation Networks QoS Control Architectures and QoS Control

Next Generation Networks Next Generation Networks QoS Control Architectures and QoS Control

I nternational Telecom m unication Union ITU-T Next Generation Networks Next Generation Networks QoS Control Architectures and QoS Control Architectures and Protocols Protocols Keith Mainwaring Technical Leader, Cisco S ystems I TU-T W

662 views • 19 slides
Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a

Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a

Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a firewall? Term first used in 1851 Henry Ford used them to protect passengers from engine fires, smoke and heat. Computer networks: a part of a

500 views • 21 slides
Exploiting Opportunistic Scheduling in Cellular Data Networks Radmilo Racic, Denys Ma Hao Chen,

Exploiting Opportunistic Scheduling in Cellular Data Networks Radmilo Racic, Denys Ma Hao Chen,

Exploiting Opportunistic Scheduling in Cellular Data Networks Radmilo Racic, Denys Ma Hao Chen, Xin Liu University of California, Davis 1 3G Cellular Networks Provide high speed downlink data access Examples HSDPA (High Speed

641 views • 23 slides
MoonGen A Scriptable High-Speed Packet Generator Paul Emmerich January 31st, 2016 FOSDEM 2016

MoonGen A Scriptable High-Speed Packet Generator Paul Emmerich January 31st, 2016 FOSDEM 2016

Chair for Network Architectures and Services Technical University of Munich (TUM) MoonGen A Scriptable High-Speed Packet Generator Paul Emmerich January 31st, 2016 FOSDEM 2016 Chair for Network Architectures and Services Department of

1.2k views • 30 slides
Complex network planning methodology and framework Mitcsenkov Attila (BME TMIT, High Speed

Complex network planning methodology and framework Mitcsenkov Attila (BME TMIT, High Speed

Image: Sumitomo Electric Lightwave Computer aided network planning and techno-economic assessment of next generation optical access networks Complex network planning methodology and framework Mitcsenkov Attila (BME TMIT, High Speed Networks

851 views • 51 slides
Emergency Situations System IHN-ESS Authored by: Martin Dendis Kristina Sukhomlina Situation:

Emergency Situations System IHN-ESS Authored by: Martin Dendis Kristina Sukhomlina Situation:

Emergency Situations System IHN-ESS Authored by: Martin Dendis Kristina Sukhomlina Situation: Suggestion: Development: High-Fidelity prototype Hi-Fi prototype: camera view Hi-Fi prototype: alert Thank you for your attention Any

301 views • 8 slides
CORPORATE PRESENTATION 2015 CONFIDENTIAL This report is solely for the use of client personnel.

CORPORATE PRESENTATION 2015 CONFIDENTIAL This report is solely for the use of client personnel.

CORPORATE PRESENTATION 2015 CONFIDENTIAL This report is solely for the use of client personnel. No part of it may be circulated, quoted, or reproduced for distribution outside the client organization without prior written approval from EDPE

565 views • 11 slides
Journalists / Press 2% Professional Musicians* 18% Amateur Musicians

Journalists / Press 2% Professional Musicians* 18% Amateur Musicians

Journalists / Press 2% Professional Musicians* 18% Amateur Musicians 39% Music Professionals 20% Music Lovers 21% Heaven for musicians and

420 views • 4 slides
Hi-fi Prototype II Alwyn, Anna, Basel, and Ethan Our Team Alwyn Tan Anna Carroll Basel Al

Hi-fi Prototype II Alwyn, Anna, Basel, and Ethan Our Team Alwyn Tan Anna Carroll Basel Al

Hi-fi Prototype II Alwyn, Anna, Basel, and Ethan Our Team Alwyn Tan Anna Carroll Basel Al Sharaf Ethan Eirinberg Overview Interface Introduction Task Flows Future Work Discussion Changes Overview Interface Introduction Task Flows

900 views • 28 slides
Financial Presentation for the Six Months Ended September 30, 2011 (held on October 28, 2011)

Financial Presentation for the Six Months Ended September 30, 2011 (held on October 28, 2011)

Financial Presentation for the Six Months Ended September 30, 2011 (held on October 28, 2011) Tetsuo Kuba President and Representative Director <Todays Presentation> I will give a summary of financial results for the six months ended

383 views • 9 slides
Intergovernmental Cooperation Agreement to Develop a Digital Parcel Map Whereas, the City of

Intergovernmental Cooperation Agreement to Develop a Digital Parcel Map Whereas, the City of

Intergovernmental Cooperation Agreement to Develop a Digital Parcel Map Whereas, the City of Galesburg has been actively pursuing the development of a Geographic Information System (GIS) for several years, including the creation of the position

227 views • 5 slides
Modeling and Characterization of High Frequency Effects in ULSI Interconnects Narain Arora and

Modeling and Characterization of High Frequency Effects in ULSI Interconnects Narain Arora and

Modeling and Characterization of High Frequency Effects in ULSI Interconnects Narain Arora and Li Song narain@cadence.com May 11, 2005 1 CADENCE DESIGN SYSTEMS, INC. Outline Interconnect High Frequency Effects Resistance effect

294 views • 25 slides
Status and trends of insecticide resistance in malaria vectors GMP Entomology and Vector Control

Status and trends of insecticide resistance in malaria vectors GMP Entomology and Vector Control

Status and trends of insecticide resistance in malaria vectors GMP Entomology and Vector Control and Imperial College London 19 June 2018 Background Good news: Major progress in malaria prevention & control this century, mainly due to

592 views • 29 slides

More recommend