OPTWALL: A Hierarchical Traffic-Aware Firewall
Mehmud Abliz, Subrata Acharya, Bryan Mills, Taieb Znati, University of Pittsburgh, PA
Albert Greenberg, Microsoft Research, WA
Jia Wang, Zihui Ge, AT&T Research, NJ
- The overall efficiency, reliability, and availability of a firewall is crucial in enforcing and administrating security.
- The continuous growth of the Internet, coupled with the increasing sophistication of attacks, is placing stringent performance demands on firewalls.
The main approach for improving firewalls is rule optimization. Yet optimizing firewalls is hard, because:
- Finding the optimal rule ordering is an NP-hard problem, so exact solutions do not scale to large numbers of rules
- Policy integrity must be maintained: the reordered rule set has to enforce exactly the same policy as the original
OPTWALL splits the rule set hierarchically into multiple rule sets to reduce the average time for matching a packet to a rule.
It provides an adaptation scheme that can dynamically change the priority of a rule based on the observed traffic.
How does a typical firewall work?
A typical present day firewall enforces its security policies via a set of multi-dimensional packet filters (usually a list of rules). Traffic gets filtered by this list following the “first hit” principle.
- OPTWALL Splitting Approaches
  - Optimal Approach (A*)
  - Heuristic Solution (Greedy)
  - Initial filter determination (first-level criterion – second-level criterion)
    - Hit count – Hit count
    - Hit count – Maximum distance
    - Random – Random
    - Maximum distance – Maximum distance
- Our Goal
- Improve the performance of firewall via
  - Reducing the average time the firewall spends on matching a packet to a rule in its rule set
- Preserve the semantics of the original rule set
  - Efficiently preventing attacks, especially denial-of-service attacks, by maintaining the optimality of the rule set as traffic patterns and rule sets change
- Study the problem of decentralized multi-dimensional firewall optimization
- Present OPTWALL, a hierarchical traffic aware framework for firewall optimization
- Adaptive anomaly detection/counteraction mechanism
- Nearly 35% improvement in operational cost of firewalls in worst case for a heavily loaded firewall operation
- Evaluation Metric
  - Cost of a rule i (hit count of the rule times the size of all rules examined before it):
  - cost(rule_i) = hit-count(rule_i) * sum(size(rule_1) ... size(rule_{i-1}))
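The cost metric above, together with the semantics-preserving reordering the goals describe, as an added example that is not part of the poster or the OPTWALL implementation. It assumes a toy rule format (exact source or wildcard, exact destination port or wildcard) and a rule size of 1, and only lets a rule move ahead of rules it does not conflict with, so first-hit decisions are unchanged.

```python
# Added example (not the OPTWALL authors' code): first-hit cost metric and a
# greedy hit-count reordering that preserves the policy of the original rule set.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str      # "*" or an exact source address (constructed toy format, no prefix math)
    dport: str    # "*" or an exact destination port
    action: str   # "allow" or "deny"

def overlaps(a: Rule, b: Rule) -> bool:
    """Two rules can match the same packet if every field agrees or is a wildcard."""
    return all(x == "*" or y == "*" or x == y
               for x, y in ((a.src, b.src), (a.dport, b.dport)))

def conflict(a: Rule, b: Rule) -> bool:
    """Swapping a and b changes a first-hit decision only if they overlap and disagree."""
    return overlaps(a, b) and a.action != b.action

def decide(rules, src, dport):
    """First-hit evaluation: action of the first matching rule, None if nothing matches."""
    for r in rules:
        if r.src in ("*", src) and r.dport in ("*", dport):
            return r.action
    return None

def cost(rules, hits):
    """sum_i hit-count(rule_i) * sum_{j<i} size(rule_j), with size(rule) = 1 (assumption)."""
    total, examined_before = 0, 0
    for r in rules:
        total += hits[r] * examined_before
        examined_before += 1
    return total

def reorder(rules, hits):
    """Greedy: each rule bubbles up past lower-hit rules, stopping at the first conflict."""
    out = []
    for r in rules:
        pos = len(out)
        while pos > 0 and hits[out[pos - 1]] < hits[r] and not conflict(out[pos - 1], r):
            pos -= 1
        out.insert(pos, r)
    return out

# Constructed sample: a block of SSH, an allow for one host, a hot HTTPS rule, default deny.
R1, R2, R3, R4 = (Rule("*", "22", "deny"), Rule("10.0.0.5", "*", "allow"),
                  Rule("*", "443", "allow"), Rule("*", "*", "deny"))
ORIGINAL = [R1, R2, R3, R4]
HITS = {R1: 5, R2: 50, R3: 100, R4: 20}
```

`reorder` moves the hot HTTPS rule to the front but keeps the host allow behind the SSH deny it conflicts with, cutting the cost from 310 to 165 without changing any decision.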
This work has been accepted to NDSS 2007. Poster designed by Mehmud Abliz.