OPTWALL: A Hierarchical Traffic-Aware Firewall

Subrata Acharya; Mehmud Abliz; Bryan Mills; Taieb F. Znati; Jia Wang; Zihui Ge; Albert Greenberg

OPTWALL: A Hierarchical Traffic-Aware Firewall

Subrata Acharya, Mehmud Abliz, Bryan Mills, Taieb F. Znati, Jia Wang, Zihui Ge, Albert Greenberg

Research output: Contribution to conference › Paper › peer-review

Abstract

The overall efficiency, reliability, and availability of a firewall is crucial in enforcing and administrating security, especially when the network is under attack. The continuous growth of the Internet, coupled with the increasing sophistication of the attacks, is placing stringent demands on firewall performance. These challenges require new designs, architecture and algorithms to optimize firewalls. In this paper, we propose OPTWALL, an adaptive hierarchical firewall optimization framework aimed at reducing operational cost of firewalls. The main features of the proposed approach are the hierarchical design, splitting techniques, an online traffic adaptation mechanism, and a strong reactive scheme to counter malicious attacks (e.g. Denial-of-Service (DoS) attacks). To the best of our knowledge, this work is the first of its kind to use traffic characteristics in the design of an adaptive hierarchical firewall optimization framework. To study the performance of OPTWALL, a set of experiments are conducted on Linux ipchains. The performance evaluation study uses a large set of firewall policies and traffic traces managed by a Tier-1 ISP and provides security access for the ISP network from/to its business partners. Results show the high potential of OPTWALL to reduce the operational cost of firewalls. In particular, the results show that a performance improvement of nearly 35% can been achieved in a heavily loaded network environment.

Original language	English
Publication status	Published - 2007
Externally published	Yes
Event	14th Symposium on Network and Distributed System Security, NDSS 2007 - San Diego, United States Duration: Feb 28 2007 → Mar 2 2007

Conference

Conference	14th Symposium on Network and Distributed System Security, NDSS 2007
Country/Territory	United States
City	San Diego
Period	2/28/07 → 3/2/07

ASJC Scopus subject areas

Safety, Risk, Reliability and Quality
Computer Networks and Communications
Control and Systems Engineering

Cite this

@conference{33e46343f17e4d8290d62c4fb6b2e289,

title = "OPTWALL: A Hierarchical Traffic-Aware Firewall",

abstract = "The overall efficiency, reliability, and availability of a firewall is crucial in enforcing and administrating security, especially when the network is under attack. The continuous growth of the Internet, coupled with the increasing sophistication of the attacks, is placing stringent demands on firewall performance. These challenges require new designs, architecture and algorithms to optimize firewalls. In this paper, we propose OPTWALL, an adaptive hierarchical firewall optimization framework aimed at reducing operational cost of firewalls. The main features of the proposed approach are the hierarchical design, splitting techniques, an online traffic adaptation mechanism, and a strong reactive scheme to counter malicious attacks (e.g. Denial-of-Service (DoS) attacks). To the best of our knowledge, this work is the first of its kind to use traffic characteristics in the design of an adaptive hierarchical firewall optimization framework. To study the performance of OPTWALL, a set of experiments are conducted on Linux ipchains. The performance evaluation study uses a large set of firewall policies and traffic traces managed by a Tier-1 ISP and provides security access for the ISP network from/to its business partners. Results show the high potential of OPTWALL to reduce the operational cost of firewalls. In particular, the results show that a performance improvement of nearly 35% can been achieved in a heavily loaded network environment.",

author = "Subrata Acharya and Mehmud Abliz and Bryan Mills and Znati, {Taieb F.} and Jia Wang and Zihui Ge and Albert Greenberg",

note = "Publisher Copyright: {\textcopyright} 2007Proceedings of the Symposium on Network and Distributed System Security, NDSS 2007. All Rights Reserved.; 14th Symposium on Network and Distributed System Security, NDSS 2007 ; Conference date: 28-02-2007 Through 02-03-2007",

year = "2007",

language = "English",

}

TY - CONF

T1 - OPTWALL

T2 - 14th Symposium on Network and Distributed System Security, NDSS 2007

AU - Acharya, Subrata

AU - Abliz, Mehmud

AU - Mills, Bryan

AU - Znati, Taieb F.

AU - Wang, Jia

AU - Ge, Zihui

AU - Greenberg, Albert

PY - 2007

Y1 - 2007

N2 - The overall efficiency, reliability, and availability of a firewall is crucial in enforcing and administrating security, especially when the network is under attack. The continuous growth of the Internet, coupled with the increasing sophistication of the attacks, is placing stringent demands on firewall performance. These challenges require new designs, architecture and algorithms to optimize firewalls. In this paper, we propose OPTWALL, an adaptive hierarchical firewall optimization framework aimed at reducing operational cost of firewalls. The main features of the proposed approach are the hierarchical design, splitting techniques, an online traffic adaptation mechanism, and a strong reactive scheme to counter malicious attacks (e.g. Denial-of-Service (DoS) attacks). To the best of our knowledge, this work is the first of its kind to use traffic characteristics in the design of an adaptive hierarchical firewall optimization framework. To study the performance of OPTWALL, a set of experiments are conducted on Linux ipchains. The performance evaluation study uses a large set of firewall policies and traffic traces managed by a Tier-1 ISP and provides security access for the ISP network from/to its business partners. Results show the high potential of OPTWALL to reduce the operational cost of firewalls. In particular, the results show that a performance improvement of nearly 35% can been achieved in a heavily loaded network environment.

AB - The overall efficiency, reliability, and availability of a firewall is crucial in enforcing and administrating security, especially when the network is under attack. The continuous growth of the Internet, coupled with the increasing sophistication of the attacks, is placing stringent demands on firewall performance. These challenges require new designs, architecture and algorithms to optimize firewalls. In this paper, we propose OPTWALL, an adaptive hierarchical firewall optimization framework aimed at reducing operational cost of firewalls. The main features of the proposed approach are the hierarchical design, splitting techniques, an online traffic adaptation mechanism, and a strong reactive scheme to counter malicious attacks (e.g. Denial-of-Service (DoS) attacks). To the best of our knowledge, this work is the first of its kind to use traffic characteristics in the design of an adaptive hierarchical firewall optimization framework. To study the performance of OPTWALL, a set of experiments are conducted on Linux ipchains. The performance evaluation study uses a large set of firewall policies and traffic traces managed by a Tier-1 ISP and provides security access for the ISP network from/to its business partners. Results show the high potential of OPTWALL to reduce the operational cost of firewalls. In particular, the results show that a performance improvement of nearly 35% can been achieved in a heavily loaded network environment.

UR - http://www.scopus.com/inward/record.url?scp=85180529579&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85180529579&partnerID=8YFLogxK

M3 - Paper

AN - SCOPUS:85180529579

Y2 - 28 February 2007 through 2 March 2007

ER -

OPTWALL: A Hierarchical Traffic-Aware Firewall

Abstract

Conference

ASJC Scopus subject areas

Other files and links

Fingerprint

Cite this