Filtering Firewall Research Articles

RANCANG BANGUN SISTEM KEAMANAN JARINGAN MIKROTIK MENGGUNAKAN FIREWALL FILTERING DAN PORT KNOCKING DENGAN NOTIFIKASI TELEGRAM PADA EVENT VIRTUAL

Network security is a very important aspect in maintaining information security. In network management using proxy devices, use of firewall filtering and port knocking in an effort to increase security and control network access and hide services that are not needed. In addition to obtaining information on suspicious network activity in real-time with telegram notifications. The method used includes analysis of network security needs, system architecture design, firewall filtering and port knocking configurations on the proxy and integration with the telegram API to send notifications. The results of this study show that using firewall filtering and port knocking on Mikrotik can effectively improve network security by limiting unauthorized access and reducing the risk of attacks from outside. The system is also capable of providing notifications via telegram when suspicious activity is detected, thus enabling a network administrator to respond quickly to these threats

Development of Computer Network Security Management at North Tabukan 1 State Vocational School

The development of the internet at this time makes all companies, especially SMKN 1 Tabukan Utara, able to utilize internet technology in supporting computer-based information systems. For this place to run its business properly, it must be supported by an information system and supported by a good computer network infrastructure. Computer network infrastructure in the SMKN 1 Tabukan Utara still has several disadvantages such as the absence of website blocking, login authentication, and regular bandwidth distribution. To overcome these problems, it is necessary to design the network properly, as for the methods used in designing this network using the Network Development Life Cycle (NDLC). This method can develop existing competition through several stages of the process, namely analysis, design, prototype simulation, implementation, monitoring, and management. The results of this study are in the form of a home computer network SMKN 1 Tabukan Utara that implements Captive Portal, Virtual Lan, Firewall Filtering, L7 protocol, and Bandwidth Management.

An Analysis and Design of Network Security Using Firewall at the Library and Archives Services of Bengkulu province

This study is based on the problems that are often encountered in the research location, namely how to secure the inlislite server by designing network security using Packet Filter Firewall of IPtables. The purpose of this study is to optimize the data security of the inlislite system in the Library and Archives Service of Bengkulu Province. The method used is the Network Development Life Cycle (NDLC) method, a cycle of network design stages that can guide a network design, which depends on the size of the project to be implemented and the purpose of the project. By testing a Denial of Service (DoS) attack against inlislite using hping3 on linux, the inlislite website can no longer be accessed. Therefore, the author designed a new system to secure the inlislite server from unwanted attacks using the IPTables firewall filter then it can become a firewall that will ward off Distributed Denial of Service and Denial of Service attacks on inlislite servers. From the results of research and testing that has been carried out, the IPTables firewall is very good for securing servers in the Library and Archives Service of Bengkulu Province and applying more rules to clients in terms of internet use.

CMT: An Efficient Algorithm for Scalable Packet Classification

AbstractPacket classification plays an essential role in diverse network functions such as quality of service, firewall filtering and load balancer. However, implementing an efficient packet classifier is a challenging problem. The problem even gets worse in the era of software-defined network, in which frequent rule updates are performed, and complex flow tables are used. This paper proposes CMT, a new software algorithm named by its novel data structure—common mask tree—to implement an efficient multi-field packet classifier. The core idea of CMT is to combine the strengths of both decision-tree and tuple-space schemes by employing tree-like structures and hash tables simultaneously. The objective of CMT is to achieve both high classification performance and fast rule updates. In the evaluation section, CMT is compared with decision-tree and tuple-space schemes. Compared to the state-of-the-art decision-tree methods, CMT performs rule updates at two orders of magnitude faster. CMT has a stable performance on different rulesets and achieves a 40% improvement in memory access compared to the state-of-the-art tuple-space method.

Efficient multi-category packet classification using TCAM

Packet classification is the base of various network functions such as firewall filtering, network intrusion detection and quality of services, etc. Ternary content addressable memory (TCAM) is widely employed in performing efficient packet classification. However, TCAM has some drawbacks, including limited capacity, high energy consumption, and incapability to store arbitrary ranges. Moreover, TCAM is only suitable for single-match packet classification natively, which is associated with one rule-set and reports one rule, for it only reports the first matching entry. However, except for single-match packet classification, another type of packet classification, multi-category packet classification, which is associated with multiple rule-sets and reports one matching rule for each rule-set, is also required in some scenarios, such as in the consolidation of multiple single-match network functions. The naive scheme performing multi-category packet classification with TCAM is to search a packet in multiple rule-sets one by one. Its performance decreases linearly as the number of rule-sets increases. To efficiently perform multi-category packet classification using TCAM, a novel scheme named REM is proposed in this paper. REM is based on the idea of reducing TCAM accesses per classification by merging rule-entry sets converted from rule-sets. The experiments show that compared with the naive scheme, REM can achieve 3x to 5x improvement on packet classification throughput, and reduce the energy consumption by 50% to 75%.

A Novel Method for Resource Efficient Security Service Chain Embedding Oriented to Cloud Datacenter Networks

An important and promising application for the network function virtualization (NFV) technology is in network security, where can dynamically and flexibly accomplish the chaining virtualized security network functions (VSNFs), e.g., network address translation, antispam and packet filter firewall, etc., and thus inspect, monitor or filter traffic flows in the cloud datacenter networks. However, the traffic flows addressed by the VSNFs mainly depend on the security service requirements from mobile users, such as the network security level, end-to-end latency, and security resource, etc. Considering the dynamic nature of cloud datacenter networks, determining the embedding of VSNFs and routing security service paths that optimizes the security resource utilization is a challenging problem, particularly without violating the end-to-end delay constraints and security service requirements. This can also be called security service chain dynamic embedding problem (SSC-DMP). In this paper, we present an NFV-enabled framework for a system that achieves the SSC dynamic embedding in the cloud datacenter networks. We first formulate an integer linear programming (ILP) model to solve the SSC-DMP exactly in small-scale network topology. Then, in order to reduce the time complexity when applying the large-scale network topology, we propose an efficient SSC dynamic embedding solution that is based on the particle swarm optimization. Extensive simulation results show that the proposed algorithm could significantly outperform the current benchmarks at least 35.2% and 23.1% in terms of resource consumption and end-to-end delay, respectively.

Analisis Performa RouterOS MikroTik pada Jaringan Internet

The internet network enters various sectors and is used in various activities, especially in the automation, industry 4.0 trend. Where almost all applications, ranging from desktops, websites, mobile (android and ios) that are used in various fields of education, transportation, banks, logistics, services, of course use high complexity internet networks that need to be analyzed so that high performance can be obtained. Analyzing the performance of MikroTik on the internet is the aim of this research. Research by configuring includes ip route, firewall filter, NAT, Mangle for packet tagging, Queue (bandwidth management), bridge wireless, DHCP and ip cloud DDNS on MikroTik. The results concluded that moving the configuration center point on the modem (giving the IP address down) to the MikroTik router can be done well, it can also translate company, institutional, school and even parent policies to the home internet when children access the internet, such as when it is allowed to access the internet can be arranged, things that may or may not be arranged in order to educate children to use the internet positively, use MikroTik to analyze internet network performance. As for the further research by looking at problems that exist after MikroTik is configured.

Dynamic Firewall Decomposition and Composition in the Cloud

Firewalls filter malicious traffic and provide the network with a satisfying level of security. Thus, their performance is critical for the whole network. Rule-based firewalls are the most widely deployed among traditional ones. However, as the size of the rule list of a firewall increases, lookup latency increases significantly. One main solution to enhance the performance of a firewall is to reorder rules based on traffic characteristics to obtain the minimum number of packet matches. The optimal firewall rule ordering problem (ORO) is NP-Complete. Therefore, setting up a centralized firewall for a whole network is infeasible. Our proposed solution dynamically scales in and out firewalls across multiple administrative domains for more efficient rules optimization, filtering, and better attack response. The proposed solution, in this paper, outsources the firewall functions into micro firewalls, which are located in different places and have their configurations. Therefore, traffic is treated locally and in a distributed way. The experimental results show that our proposed solution is scalable regarding the organization’s network requirements. Moreover, the central firewall is relaxed executing rules optimization algorithms in consecutive time intervals, inefficiency.

Improving Internal BGP Provide Fast Failover in Multihoming Environment Mobile Backhaul

Integrating multipath technology with inter-domain routing is one of the most promising trends in building a package routing policy system for the next generation. However, gradually changing the current inter-domain routing from a single path to multipath failover routing is a difficult problem. In the previous study, the application of the BGP algorithm was applied only to connections on external BGP techniques or between AS numbers. In this paper, we study the impact of implementing traffic routing policies on backhaul carrier Ethernet (Metro-E). Implementing iBGP as a medium on Metro-E for failover technology. The purpose of this paper is to propose and implement routing policies including policy expressions, firewall filters, route preferences, policy chain and policy statements in failover links in IGPs on routing deployment policies, using the Juniper Router Operating System. The results of this application show that periodically the intervals in the graph clearly show a direct correlation between the average failover time. When the main link fails, the link will be connected or active, secondary links and tertiary links will be created. Likewise, switching paths from secondary links to tertiary links, and so on will choose random (round robin). So that during the transfer process does not require time, it can be interpreted as 0 seconds, or not packet loss. So if the average failover response for direct implementation requires only 0-1 seconds.

An Approach to Mitigate Malware Attacks Using Netfilter's Hybrid Frame in Firewall Security

With the steady advancements in the technology, the network security is really important these days to protect information from attackers. In this research, the main focus is on designing strong firewall filtering rules so that detection of malicious code is achieved to an optimal level. A proposed framework is introduced to improve the performance parameters such as Server response time, Web content analysis, Bandwidth, and the performance of the Network traffic load. This research work defines a new set of IPtable rules achieved by modifying the kernel source code. This is done using OpenBSD kernel source code, which results in the formation of a mini-firewall. Therefore, a new hybrid approach is proposed by adding packet filtering rules and SNORT technology in mini-firewall for malicious activity detection. It is an efficient and practical technique which will be helpful to mitigate the malware attacks and secure LAMP server. Experimental analysis has been done to conclude that around 70-75% malicious activity can be reduced by using the proposed technique.

Protection of heterogeneous architectures on FPGAs: An approach based on hardware firewalls

Embedded systems are parts of our daily life and used in many fields. They can be found in smartphones or in modern cars including GPS, light/rain sensors and other electronic assistance mechanisms. These systems may handle sensitive data (such as credit card numbers, critical information about the host system and so on) which must be protected against external attacks as these data may be transmitted through a communication link where attackers can connect to extract sensitive information or inject malicious code within the system. This work presents an approach to protect communications in multiprocessor architectures. This approach is based on hardware security enhancements acting as firewalls. These firewalls filter all data going through the system communication bus and an additional flexible cryptographic block aims to protect external memory from attacks. Benefits of our approach are demonstrated using a case study and some custom software applications implemented in a Field-Programmable Gate Array (FPGA). Firewalls implemented in the target architecture allow getting a low-latency security layer with flexible cryptographic features. To illustrate the benefit of such a solution, implementations are discussed for different MPSoCs implemented on Xilinx Virtex-6 FPGAs. Results demonstrate a reduction up to 33% in terms of latency overhead compared to existing efforts.

An Approach for Improving Performance of a Packet Filtering Firewall Based on Fuzzy Petri Net

An Approach for Improving Performance of a Packet Filtering Firewall Based on Fuzzy Petri Net

A Network Management System for Handling Scientific Data Flows

Large scientific data transfers often occur at high rates causing increased burstiness in Internet traffic. To limit the adverse effects of these high-rate large-sized flows, which are referred to as $$\alpha $$? flows, on delay-sensitive audio/video flows, a network management system called Alpha Flow Traffic Engineering System (AFTES) is proposed for intra-domain traffic engineering. An offline approach is used in which AFTES analyzes NetFlow records collected by routers, extracts source---destination address prefixes of $$\alpha $$? flows, and uses these prefixes to configure firewall filters at ingress routers of a provider's network to redirect future $$\alpha $$? flows to traffic-engineered paths and isolated queues. The effectiveness of this scheme was evaluated through an analysis of 7 months of NetFlow data obtained from an ESnet router. For this data set, 91 % of bytes generated by $$\alpha $$? flows during high-rate intervals would have been directed had AFTES been deployed. The negative aspect of using address prefixes in firewall filters, i.e., the redirection of $$\beta $$β flows to $$\alpha $$?-flow paths/queues, was also quantified.

FPGA Based Firewall using Embedded Processor for Vulnarability Packet Detection

<p>This paper describes the design of high performance packet filtering firewall using embedded system. An FPGA (field programmable gate array) platform has been used for implementation and analysing the network firewall. It is capable of accepting real time changes. This network security application has an ability to perform powerful protection against unwanted data packets such as virus attack, spam in e-mails, hackers, worms, spyware unauthorized contents. However the firewalls don’t address the difficulty of unwanted data packets intrusion. The ultimate aim of this work is to create a systematic way of approach for unwanted packets discard in a network system. We use a specially trained algorithms such as Wu-manber algorithms (high performance, multi-pattern matching), bloom filter algorithm (space efficient data structure for testing an element in the set.Our design is mainly based on machine learning and artificial intelligence. This gives a high efficiency, improved performance and high ability of packet detection with less contribution of time in an effective way.</p>

Performance Evaluation and Comparison of Network Firewalls under DDoS Attack

Network firewalls act as the first line of defense against unwanted and malicious traffic and also represent critical point of failure during DDoS attack. Predicting the overall firewall performance is crucial to network security administrators and designers in assessing the strength and effectiveness of network firewalls against DDoS attacks. In this paper, authors have made a humble attempt to study and compare DDoS performance of various types of firewalls in operation as on today. Analysis and detailed comparison is performed on open source packet filter (PF) firewall, Checkpoint SPLAT and Cisco ASA in a testing environment with laboratory generated DDoS traffic. It is attempted to identify various firewall DDoS performance parameters which can be considered during DDoS attack. Further, experiments are carried out to study effect of varying TCP Opening Timers on performance of stateful inspection firewall during Sync Flood attack. Also, in order to improve performance, intelligence is applied in PF firewall rulebase to mitigate DDoS.

Reasoning about visibility

We consider properties of sequences of spatial regions, as seen from a viewpoint. In particular, we concentrate on two types of regions: (1) general domains in which a region is any subset of the space, and (2) axis-parallel domains, where the regions are boxes in an N-dimensional space. We introduce binary relations allowing to express properties of these sequences and present two approaches to process them. First, we show that constraints on these relations can be solved in polynomial time for general domain and that the same problem is NP-complete in the axis-parallel case. Second, we introduce a modal logic on these relations, called Visibility Logic, and show that model-checking on a finite sequence of regions can be done in polynomial time (both in the general and axis-parallel cases). Finally, we present applications to image processing and firewall filtering.

Research on Firewall System for Confidential Network

To satisfy the special needs of confidential networks, a protection method of combining ingress and egress access control for network boundary security is proposed. In preventing network attacks, a combined mechanism of packets filtering firewall and intrusion detection system based on artificial neural network and rule matching is implemented to increase the accuracy of intrusion detection. In preventing information leakage, techniques of identity authentication and content filtering are integrated into the mechanism of egress access control so that strategies with more flexibility in security auditing and access control can be implemented, which is effective to prevent the sensitive or secret data from leaking out and to trace the source of leakage.

Novel Architecture for Intrusion-Tolerant Distributed Intrusion Detection System using Packet Filter Firewall and State Transition Tables

Tremendous efforts have been taken over many years to secure the network against attacks; still attackers are successful with painful frequency. Experienced attackers try to disable the Intrusion Detection System (IDS) before launching attack. Therefore there should be some mechanism in IDS for uninterrupted detection of intrusion even though failure in IDS has occurred due to attacks. This paper presents the design and implementation of Novel Intrusion-Tolerant Distributed Intrusion Detection System using Packet Filter Firewall and State Transition Tables. Proposed architecture is immune to both, failure of IDS components and compromised IDS components. This architecture is capable of restricting the effect of network attacks like DoS, DDoS and Probing to a subset of network. Experimental results prove the usefulness and efficiency of this architecture.

Research of matrix bloom filter in virus filtering firewall

Concerning the inefficient problem of traditional signature-based virus filtering algorithm in practice,a novel virus filtering algorithm based on Matrix Bloom Filter (MBF) was proposed. Based on the analysis of the space efficiency,time efficiency and the potential effects of false positives,the mathematical model of the algorithm was studied and the design scheme of virus filters in high-speech engine was given. Finally,the simulation experimental results demonstrate the effectiveness and practicability of the proposed algorithm.

VERIFICATION OF DISTRIBUTED FIREWALLS CONFIGURATION VS. SECURITY POLICIES USING 𝒜ℒ𝒞𝒬ℐ(𝒟)

Packet filtering firewalls have an important role in providing security in IP networks which control the traversal of packets across the boundaries of a secured network based on a specific security policy. Manual configuring of packet filtering firewalls can be extremely complex and error-prone. Therefore, it can be performed in an improper way which is not in conformance with security policies. So, we need an approach to analyze the configuration of whole packet-filtering firewalls in the network in order to discover all policy violations. In this article, we introduce an approach based on description logics to verify the configuration of all the firewalls in a network universally vs. security policies. Using this approach, system managers can express and analyze security policies with a formal and simple language. This high-level language is extensible and topology-independent. In this approach, we first automatically transform high-level security policies into low-level policies, i.e., filtering rules. Then we develop an algorithm to discover policy violations which takes configuration of the firewalls, network topology, routing information, and low-level security policies as input and determines existing policy violations as output.