OPTWALL: A Hierarchical Traffic-Aware Firewall
NDSS(2007)
Abstract
The overall efficiency, reliability, and availability of a firewall is crucial in enforcing and administrating security, especially when the network is under attack. The continuous growth of the Internet, coupled with the increasing sophistication of the attacks, is placing stringent demands on firewall performance. These challenges require new designs, architecture and algorithms to optimize firewalls. In this paper, we propose OPTWALL, an adaptive hierarchical firewall optimization framework aimed at reducing operational cost of firewalls. The main features of the proposed approach are the hierarchical design, splitting techniques, an online traffic adaptation mechanism, and a strong reactive scheme to counter malicious attacks (e.g. Denial-of-Service (DoS) attacks). To the best of our knowledge, this work is the first of its kind to use traffic characteristics in the design of an adaptive hierarchical firewall optimization framework. To study the performance of OPTWALL, a set of experiments are conducted on Linux ipchains. The performance evaluation study uses a large set of firewall policies and traffic traces managed by a Tier-1 ISP and provides security access for the ISP network from/to its business partners. Results show the high potential of OPTWALL to reduce the operational cost of firewalls. In particular, the results show that a performance improvement of nearly 35% can be achieved in a heavily loaded network environment.
Keywords
denial of service,dos attack