Abstract

The dynamic redistribution of filtering rules between firewalls located in the same network is a technical solution that can cope with temporary changes in the traffic load processed by the firewalls themselves. This paper presents a novel formal model for networks including multiple cascaded firewalls, which can be leveraged to enable the transfer of a set of rules from a firewall to its downstream neighbors when changes in the input traffic profile suggest doing so. Compared with other solutions that have appeared in the literature, a formal approach, besides providing unambiguous specifications and mathematical proofs of correctness, also enables the computation of theoretical bounds for the expected performance before the proposed scheme is actually deployed in the target network. The underlying mechanism on which our approach is based is the reduction of the average number of rules checked per packet, in order to increase the packet processing rate. Our network model takes into account both the system topology and the firewall characteristics. A suitable transformation algorithm is then introduced, which preserves the security integrity of the network while moving rules between cascaded firewalls and allows tangible performance improvements in terms of packet processing rate for a given traffic profile. The correctness of the proposed solution has been formally proven and validated by means of simulation. Performance figures have also been obtained by running the proposed algorithm in a laboratory experimental test-bed.

Highlights

  • Today, protection and effective management of digital communication networks (DCNs) in all application areas are recognized as key aspects, which are gaining increasing attention even in domains that were not sensitive to security issues until a few years ago

  • The reference scenario considered in [27] for evaluating performance, and the related metric, cannot be put into direct correspondence with our solution; a rough comparison is nevertheless possible by considering their configuration where just one auxiliary FW is instantiated to relieve the overloaded central device. Their metric, called Packet Processing Time (PPT), measures the time spent by a firewall to check packets by assuming that this cost is linearly proportional to the position of the matched rule in the FW sequence

  • The distribution of filtering rules between different firewalls located in the same network is a technical challenge that is key both in the design phase of a new system and during the real-time operation and management of the network itself


Summary

INTRODUCTION

Today, protection and effective management of digital communication networks (DCNs) in all application areas are recognized as key aspects, which are gaining increasing attention even in domains that were not sensitive to security issues until a few years ago. If the FW input load becomes too high, as in temporary traffic peaks or in DoS attacks, the latency experienced in packet processing can become too large and even cause packet losses. To mitigate this problem, different solutions can be adopted, which either operate within a single FW, i.e., intra-firewall techniques, or rely on suitable network-level approaches involving multiple FWs, i.e., inter-firewall approaches. Advanced FWs make use of content-addressable memories (CAMs) or even ternary CAMs (TCAMs) to speed up their operations, but these are rarely found in industrial devices, which are, by contrast, quite simple and equipped with relatively low-power computing resources, as their design focuses on (mechanical) robustness over performance. Under such constraints, a software redistribution of the filtering load enables a better use of the existing hardware without negatively affecting the system's functional requirements.
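The mechanism described in the abstract and the introduction, moving a rule from an overloaded upstream firewall to a downstream neighbor so that fewer rules are checked per packet while the cascade as a whole still accepts and denies exactly the same packets, in a small executable model. This is an added example and not the paper's REDIAL algorithm or code: the two-subnet topology (FW1 in front of edge firewalls A and B), the rule sets, the traffic profile and the cost metric (rules checked up to the first match, in the spirit of the PPT metric quoted in the highlights) are all constructed here, and correctness of a move is checked by brute force over every possible packet rather than proved formally.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    net: str      # destination subnet "A", "B" or "*" (any)
    proto: str    # "tcp", "udp" or "*"
    ports: range  # destination-port range
    action: str   # "accept" or "deny"
    def matches(self, pkt):
        net, proto, port = pkt
        return self.net in ("*", net) and self.proto in ("*", proto) and port in self.ports

def evaluate(rules, default, pkt):
    """First-match lookup; returns (action, number of rules checked)."""
    for i, rule in enumerate(rules, 1):
        if rule.matches(pkt):
            return rule.action, i
    return default, len(rules)

def cascade(fws, pkt):
    """FW1 sits in front of everything; accepted packets then hit FW A or FW B by subnet."""
    action, checks = evaluate(*fws["FW1"], pkt)
    if action == "accept":
        action, more = evaluate(*fws[pkt[0]], pkt)
        checks += more
    return action, checks

# Every packet the model can see: subnet x protocol x destination port.
UNIVERSE = [(n, p, port) for n in "AB" for p in ("tcp", "udp") for port in range(1024)]
def same_policy(fws_a, fws_b):
    return all(cascade(fws_a, p)[0] == cascade(fws_b, p)[0] for p in UNIVERSE)
def avg_checks(fws, profile):  # profile maps packet -> observed count
    return sum(n * cascade(fws, p)[1] for p, n in profile.items()) / sum(profile.values())

def move_downstream(fws, idx, target):
    """Move FW1 rule idx to the head of FW `target`; refuse it if any packet's decision changes."""
    rules1, def1 = fws["FW1"]
    rules_t, def_t = fws[target]
    new = dict(fws, FW1=(rules1[:idx] + rules1[idx + 1:], def1))
    new[target] = ((rules1[idx],) + rules_t, def_t)
    if not same_policy(fws, new):
        raise ValueError(f"moving {rules1[idx]} to FW {target} changes the policy")
    return new

# Constructed configuration, not taken from the paper: FW1 default-accepts, edge FWs default-deny.
FWS = {"FW1": ((Rule("B", "tcp", range(1000, 1024), "deny"),  # concerns subnet B only
                Rule("*", "tcp", range(22, 23), "accept"),
                Rule("*", "tcp", range(80, 81), "accept")), "accept"),
       "A": ((Rule("A", "tcp", range(80, 81), "accept"),), "deny"),
       "B": ((Rule("B", "tcp", range(22, 23), "accept"),
              Rule("B", "tcp", range(80, 81), "accept")), "deny")}
# Constructed traffic profile dominated by web traffic towards subnet A.
PROFILE = {("A", "tcp", 80): 700, ("A", "tcp", 22): 100, ("B", "tcp", 80): 150, ("B", "tcp", 1010): 50}
```

With this profile, `move_downstream(FWS, 0, "B")` lowers the average from 3.9 to 3.2 checks per packet because traffic bound for A no longer pays for a rule that only concerns B, while `move_downstream(FWS, 1, "A")` is rejected: moving an accept rule ahead of FW A's own rules would let port-22 traffic into subnet A that the original cascade denied.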

Streamed Topology
Firewalls
Problem Statement
The REDIAL Algorithm
Performance Bounds
Performance Simulation
Experimental Results
RELATED WORKS
Intra-Firewall Solutions
Inter-Firewalls Solutions
Findings
CONCLUSIONS