parallel firewall designs for high speed networks
play

Parallel Firewall Designs for High-Speed Networks Ryan J. Farley - PowerPoint PPT Presentation

Feb 12, 2024 •694 likes •1.21k views

Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 1 Parallel Firewall Designs for High-Speed Networks Ryan J. Farley WAKE FOREST US Department of Energy U N I V E R S I T Y Computer Science Network

  1. Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 1 Parallel Firewall Designs for High-Speed Networks Ryan J. Farley WAKE FOREST US Department of Energy U N I V E R S I T Y Computer Science Network Security Group MISC Division nsg.cs.wfu.edu Computer Science MS Defense • Fall 2005 Ryan J. Farley Dec 2005

  2. Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 2 Abstract • Firewalls are vital to security policy enforcement • However, they introduce significant delay to a system • What will happen in the next generation of networks? • This presentation will introduce a novel parallel firewall system • Objects: – Maintain Quality of Service – Mitigate Denial of Service – Provide High Scalability Ryan J. Farley Dec 2005

  3. Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 3 Modern Security Issues • Connections to the Internet can leave a network vulnerable • Conventionally a firewall is utilized like a router, between a group of networks • Not just a routing table, they enforce an ordered set of rules • Called a security policy , or ACL • Knowledge of previous decisions is state Ryan J. Farley Dec 2005

  4. Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 4 Example Policy Representations • Best match vs Last match vs First match • Tree/Graph methods show that input style may vary from actual implementation 1 Deny all traffic 2 Allow traffic from host x with any service 3 Deny traffic from any host with service y Figure 1: Example Psuedo-policy with “all traffic” rule at top Ryan J. Farley Dec 2005

  5. Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 5 Example Policy Representations • Best match vs Last match vs First match • Tree/Graph methods show that input style may vary from actual implementation 1 Deny all traffic 2 Allow traffic from host x with any service 3 Deny traffic from any host with service y Figure 2: Example Psuedo-policy with “all traffic” rule at top Ryan J. Farley Dec 2005

  6. Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 6 Example Policy Representations • Best-match vs Last-match vs First-match • Tree/Graph methods show that input style may vary from actual implementation 1 Allow traffic from host x with any service 2 Deny traffic from any host with service y 3 Deny all traffic Figure 3: Example Psuedo-policy with “all traffic” rule at bottom Ryan J. Farley Dec 2005

  7. Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 7 ESnet and UltraNet • DOE network to support climate analysis and simulation – Facilities are located across the United States • Network consists of leased fiber (OC 192) and Gigabit Ethernet – Maximum data rate is 5 Gbps Europe USN Asia - Pacific 2 nd USN Chicago (CHI) Backbone ESnet Washington, Sunnyvale DC (DC) (SNV) Existing Core Atlanta (ATL) Existing hubs New hubs El Paso (ELP) DOE/OSC sites • Several important security issues are present Ryan J. Farley Dec 2005

  8. Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 8 Allowing for High Speed Networks • Security policy enforcement imposes significantly higher processing loads than routing • This will only increase as networking technology advances • Several solutions for improving firewall performance 1. Optimize algorithms 2. Optimize rules 3. Parallelize system • Rule optimization is an area of future research (Matt Lane) • Improvements for a single firewall can be made, but are a temporary solution Ryan J. Farley Dec 2005

  9. Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 9 A Candidate for Parallelization • Firewalls are a candidate for parallelism • Two types: 1. Data parallel (DP) – divides data processed 2. Function parallel (FP) – divides work of processing data • Data parallel – Scalable to load – Fails to reduce policy processing time • Function parallel – Reduces policy processing time – Allows higher performance capabilities Ryan J. Farley Dec 2005

  10. Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 10 What I Will Cover Today • Background Material (Policy Concepts) • Current Approaches • Function Parallel Design – With Gate – With no Gate • Theoretical Layout • Simulation Results • How to DIY Ryan J. Farley Dec 2005

  11. Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 11 Firewall Modeling Concepts • A rule is an ordered tuple and an associated action r = ( r [1] , r [2] , . . ., r [ k ]) • Any tuple of a rule can be fully specified or contain wildcards ‘*’ • A packet is the same but has neither ranges nor an action d = ( d [1] , d [2] , . . . , d [ k ]) • Definition Packet d matches r i if d ⇒ r i d [ l ] ⊆ r i [ l ] , iff l = 1 , . . . , k Ryan J. Farley Dec 2005

  12. Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 12 Policy Models • A firewall enforces a policy Definition A policy R is an ordered list of n rules { r 1 , r 2 , . . . , r n } • From this point on, assume first match model Source Destination No. Proto. IP Port IP Port Action 1 UDP 1.1.* * * 80 deny 2 TCP 2.* * 1.* 90 accept 3 UDP * * 1.* * accept 4 TCP 2.* * 1.* 20 accept 5 UDP 1.* * * * accept 6 * * * * * deny Ryan J. Farley Dec 2005

  13. Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 13 Accept Sets • A policy default is executed when all other rules fail to match • To reduce the policy size use a default rule: – Default ‘deny’ – Default ‘accept’ • An accept set A is the set of all possible unique packets which a policy will accept • A deny set D is the set of all possible unique packets which a policy will deny Definition A comprehensive policy R is one where ¯ D = A Definition R and R ′ are equivalent if A = A ′ Definition If R ′ is a modified R then integrity is maintained Ryan J. Farley Dec 2005

  14. Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 14 Modeling Precedence • Precedence modeled as a Directed Acyclical Graph (DAG) – Vertices are rules, edges are precedence relationships – Edge exists between r i and r j , if i < j and the rules intersect – Rules intersect if their every tuple of their set intersection is non-empty Definition The intersection of rule r i and r j , ( r i ∩ r j ) r i ∩ r j = ( r i [ l ] ∩ r j [ l ]) , l = 1 , . . . , k r 1 r 2 r 1 r 2 r 1 ∩ r 2 • Intersection describes the set of packets that match both rules • If two rules intersect, then the order is significant Ryan J. Farley Dec 2005

  15. Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 15 Precedence Relationships Source Destination No. Proto. IP Port IP Port Action 1 UDP 1.1.* * * 80 deny 2 TCP 2.* * 1.* 90 accept 3 UDP * * 1.* * accept 4 TCP 2.* * 1.* 20 accept 5 UDP 1.* * * * accept 6 * * * * * deny r 1 r 2 r 3 r 4 r 5 r 6 Ryan J. Farley Dec 2005

  16. Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 16 Discussion on Current Firewall Approaches • Software Firewalls – User space vs Kernel space – NetFilter, SunScreen, IPFilter – Good development platform • Hardware Firewalls – Edgeware Net Appliances – Cisco, Check Point – Closer to line speed – Dedicated logic, most use niche market devices ∗ NPU – Network Processing Unit ∗ ASIC – Application Specific Integrated Circuit ∗ FPGA – Field Programmable Gate Array Ryan J. Farley Dec 2005

  17. Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 17 Discussion on Current Firewall Approaches • Ultimately Software approaches are bound to the limits of the OS: – Resource competitive environment • Both solutions are limited by the hardware used • Common solution is to buy bigger and faster machine – Non-modular – Not economically ideal • Single points of entry can easily become overwhelmed in surges of traffic – Denial of Service • Therefore there is a need for a scalable solution Ryan J. Farley Dec 2005

  18. Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 18 Current Parallel Firewall Architectures • An array of firewalls consists of m firewall nodes • Each firewall node has a local policy to enforce • Definition A system is data parallel (load-balancing) if: – Distributes packets evenly to all firewall nodes – Duplicates original policy to each firewall node ( R i = R ) packet distributor • r 1 r 1 r 1 r 2 r 2 r 2 r 3 r 3 r 3 r 4 r 4 r 4 r 5 r 5 r 5 r 6 r 6 r 6 Ryan J. Farley Dec 2005

  19. Wake Forestp pComputer Science + DOE MICS Parallel Firewall Designs for High-Speed Networks 19 Data Parallel, Overview • Previously done by Benecke, then Jeff Shirley • Packet distribution ensures no duplicates • Maintains integrity since A i = A • Better throughput than traditional designs Ryan J. Farley Dec 2005

Recommend

Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting

Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting

Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting September 28, 2005 1 Project Objectives Methods that improve network firewall performance 1. Develop policy optim ization techniques Formal

221 views • 9 slides
Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts and networks connected to other hosts and networks against attacks from the outside and from the inside. a firewall is a network security system

440 views • 30 slides
Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation controlled connection between networks at different security levels = boundary protection ( L1 &gt; L2 ) network at network at security

1.07k views • 67 slides
High-speed parallel software implementation of the T pairing Diego F. Aranha Institute of

High-speed parallel software implementation of the T pairing Diego F. Aranha Institute of

High-speed parallel software implementation of the T pairing Diego F. Aranha Institute of Computing UNICAMP Joint work with Julio L opez and Darrel Hankerson Diego F. Aranha, Julio L opez, Darrel Hankerson High-speed parallel

623 views • 44 slides
Sophos XG Firewall IP Partners ICT Systems &amp; Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems &amp; Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems &amp; Services www.ippartners.gr XG Firewall Overview Todays top firewall problems What IT managers say about their existing firewall Firewall Satisfaction Survey (Spiceworks 2017) Top

548 views • 52 slides
Speed Serial-Link Transmitter Designs Ikchan Jang 1 , Soyeon Joo 1 , SoYoung Kim 1 , Jintae Kim 2

Speed Serial-Link Transmitter Designs Ikchan Jang 1 , Soyeon Joo 1 , SoYoung Kim 1 , Jintae Kim 2

Model-Based Synthesis of High- Speed Serial-Link Transmitter Designs Ikchan Jang 1 , Soyeon Joo 1 , SoYoung Kim 1 , Jintae Kim 2 , 1 College of Information and Communication Engineering, Sungkyunkwan University, Suwon, Korea 2 Department of

297 views • 25 slides
Parallel Programming and High-Performance Computing Part 2: High-Performance Networks Dr.

Parallel Programming and High-Performance Computing Part 2: High-Performance Networks Dr.

Technische Universitt Mnchen Parallel Programming and High-Performance Computing Part 2: High-Performance Networks Dr. Ralf-Peter Mundani CeSIM / IGSSE Technische Universitt Mnchen 2 High-Performance Networks Overview some

895 views • 74 slides
High Speed Networks Need Proactive Congestion Control Using Programmable Forwarding Planes!

High Speed Networks Need Proactive Congestion Control Using Programmable Forwarding Planes!

High Speed Networks Need Proactive Congestion Control Using Programmable Forwarding Planes! Lavanya Jose , Steve Ibanez, Lisa Yan, Nick McKeown, Sachin Katti Stanford University Mohammad Alizadeh George Varghese MIT Microsoft Research

608 views • 28 slides
Cybersecurity Distributed processing and ubiquitous high-speed networks empower a vision for

Cybersecurity Distributed processing and ubiquitous high-speed networks empower a vision for

Cybersecurity Distributed processing and ubiquitous high-speed networks empower a vision for instant access to any information, anywhere, at any time. How will we protect privacy, property and system integrity of digital everything?

509 views • 12 slides
High Speed Networks Carey Williamson Department of Computer Science University of Calgary

High Speed Networks Carey Williamson Department of Computer Science University of Calgary

CPSC 641: Performance Issues in High Speed Networks Carey Williamson Department of Computer Science University of Calgary Agenda Welcome! Course Overview Administrative Details Expectations Q&amp;A Todays Lecture

309 views • 8 slides
Hardware Acceleration: An Essential Part of Cyber Security in High-Speed Networks Ji

Hardware Acceleration: An Essential Part of Cyber Security in High-Speed Networks Ji

Hardware Acceleration: An Essential Part of Cyber Security in High-Speed Networks Ji Novotn Pavel eleda Radek Krej novotny@ics.muni.cz celeda@ics.muni.cz krejci@liberouter.org DeepSec In-Depth Security Conference 2010

652 views • 52 slides
Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a

Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a

Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a firewall? Term first used in 1851 Henry Ford used them to protect passengers from engine fires, smoke and heat. Computer networks: a part of a

500 views • 21 slides
Exploiting Opportunistic Scheduling in Cellular Data Networks Radmilo Racic, Denys Ma Hao Chen,

Exploiting Opportunistic Scheduling in Cellular Data Networks Radmilo Racic, Denys Ma Hao Chen,

Exploiting Opportunistic Scheduling in Cellular Data Networks Radmilo Racic, Denys Ma Hao Chen, Xin Liu University of California, Davis 1 3G Cellular Networks Provide high speed downlink data access Examples HSDPA (High Speed

641 views • 23 slides
Scalable Interconnection Networks 1 Scalable, High Performance Network At Core of Parallel

Scalable Interconnection Networks 1 Scalable, High Performance Network At Core of Parallel

Scalable Interconnection Networks 1 Scalable, High Performance Network At Core of Parallel Computer Architecture Requirements and trade-offs at many levels Elegant mathematical structure Deep relationships to algorithm structure

691 views • 52 slides
Complex network planning methodology and framework Mitcsenkov Attila (BME TMIT, High Speed

Complex network planning methodology and framework Mitcsenkov Attila (BME TMIT, High Speed

Image: Sumitomo Electric Lightwave Computer aided network planning and techno-economic assessment of next generation optical access networks Complex network planning methodology and framework Mitcsenkov Attila (BME TMIT, High Speed Networks

851 views • 51 slides
Parallel Computers The Demand for Computational Speed Continual demand for greater computational

Parallel Computers The Demand for Computational Speed Continual demand for greater computational

Parallel Computers The Demand for Computational Speed Continual demand for greater computational speed from a computer system than is currently possible. Areas requiring great computational speed include numerical modeling and simulation of

609 views • 46 slides
An Integrated Partnership Between High-Speed Fiber Optic Networks and Renewable Energy Luis A.

An Integrated Partnership Between High-Speed Fiber Optic Networks and Renewable Energy Luis A.

An Integrated Partnership Between High-Speed Fiber Optic Networks and Renewable Energy Luis A. Reyes, Jr. CEO Kit Carson Electric Cooperative, Inc. August 30, 2018 Science, Technology and Telecommunications Committee Kit Carson Electric

360 views • 16 slides
Spinning Relations: High-Speed Networks for Distributed Join Processing Philip Frey, Romulo

Spinning Relations: High-Speed Networks for Distributed Join Processing Philip Frey, Romulo

Spinning Relations: High-Speed Networks for Distributed Join Processing Philip Frey, Romulo Goncalves, Martin Kersten, Jens Teubner Problem Statement We address a core database problem, but for large problem sizes: Process a join R S

443 views • 11 slides
Multicasting Protocols for High-Speed, Wormhole Routing Local Area Networks Mario Gerla, Prasasth

Multicasting Protocols for High-Speed, Wormhole Routing Local Area Networks Mario Gerla, Prasasth

MULTICASTING ON WORMHOLE LANS Multicasting Protocols for High-Speed, Wormhole Routing Local Area Networks Mario Gerla, Prasasth Palnati, Simon Walton, (University of California, Los Angeles) SIGCOMM 96, PALO ALTO THE SUPERCOMPUTER

306 views • 13 slides
MINUTES OF ORAL EVIDENCE taken before the HIGH SPEED RAIL BILL COMMITTEE on the HIGH SPEED RAIL

MINUTES OF ORAL EVIDENCE taken before the HIGH SPEED RAIL BILL COMMITTEE on the HIGH SPEED RAIL

MINUTES OF ORAL EVIDENCE taken before the HIGH SPEED RAIL BILL COMMITTEE on the HIGH SPEED RAIL (WEST MIDLANDS CREWE) BILL Monday 19 March 2018 (Afternoon) In Committee Room 5 PRESENT: James Duddridge (Chair) Sandy Martin Mrs Sheryll

956 views • 57 slides
Using a firewall to control traffic in networks 1 Example Network .35 .12 .36 .11 3.3.3.0/24

Using a firewall to control traffic in networks 1 Example Network .35 .12 .36 .11 3.3.3.0/24

Using a firewall to control traffic in networks 1 Example Network .35 .12 .36 .11 3.3.3.0/24 1.1.1.0/24 Rd .1 Ra .4.1 .4.4 1.1.0.0/16 Rc 2.2.2.0/24 .1 .4.2 .1 .23 Rb .47 Re .15.6 .99 1.1.2.0/24 4.4.4.0/24 .24 2 Firewall

708 views • 13 slides
Introduction of High speed line High speed line Japan International Consultants for

Introduction of High speed line High speed line Japan International Consultants for

Introduction of High speed line High speed line Japan International Consultants for Transportation Co., Ltd. (JIC) Index Trend of the HSR Project HSR Project in The World Superiority of Introducing HSR Transport Needs

1.02k views • 25 slides
in High-Speed Networks Presented at INDIS 2017 Mariam Kiran ESnet, LBNL Anshuman Chabbra (NSIT)

in High-Speed Networks Presented at INDIS 2017 Mariam Kiran ESnet, LBNL Anshuman Chabbra (NSIT)

Classifying Elephant and Mice Flows in High-Speed Networks Presented at INDIS 2017 Mariam Kiran ESnet, LBNL Anshuman Chabbra (NSIT) Anirban Mandal (Renci) Funded under DE-SC0012636 1 Talk Agenda Current challenges in Elephant and Mice

494 views • 18 slides
Is he ever going to quit? 1 High power, high speed and high linearity photodiode for

Is he ever going to quit? 1 High power, high speed and high linearity photodiode for

Is he ever going to quit? 1 High power, high speed and high linearity photodiode for NextGen-VLA antenna project Qinglong Li, Andreas Beling, Joe C. Campbell University of Virginia, Charlottesville, VA 22904 Outline High power photodiode

746 views • 25 slides

More recommend