Abstract

Packet filters have traditionally been used to shield IP networks from known attack flows, usually within firewall systems connecting trusted and non-trusted network segments. As IP networks grow and tend to connect to more and more neighbor networks with unknown trust status, carrier-grade operators in particular are beginning to experience rising costs due to the increasingly complex filter configurations that have to be applied to their networks in order to maintain a desired security level. In this paper, we discuss the general properties of distributed packet filter configurations in large networks. Additionally, we present an algorithm for a simplified compilation of anticipatory static packet filter configurations in heterogeneous IP networks, as well as simulation results that demonstrate possible filter cost reduction.
