OSTI.GOV U.S. Department of Energy
Office of Scientific and Technical Information

Title: Firewall Architectures for High-Speed Networks: Final Report

Abstract

Firewalls are a key component for securing networks that are vital to government agencies and private industry. They enforce a security policy by inspecting and filtering traffic arriving at or departing from a secure network. While performing these critical security operations, firewalls must act transparently to legitimate users, with little or no effect on the perceived network performance (QoS). Packets must be inspected and compared against increasingly complex rule sets and tables, which is a time-consuming process. As a result, current firewall systems can introduce significant delays and are unable to maintain QoS guarantees. Furthermore, firewalls are susceptible to Denial of Service (DoS) attacks that merely overload/saturate the firewall with illegitimate traffic. Current firewall technology only offers a short-term solution that is not scalable; therefore, the objective of this DOE project was to develop new firewall optimization techniques and architectures that meet these important challenges. Firewall optimization concerns decreasing the number of comparisons required per packet, which reduces processing time and delay. This is done by reorganizing policy rules via special sorting techniques that maintain the original policy integrity. This research is important since it applies to current and future firewall systems. Another method for increasing firewall performance is with new firewall designs. The architectures under investigation consist of multiple firewalls that collectively enforce a security policy. Our innovative distributed systems quickly divide traffic across different levels based on perceived threat, allowing traffic to be processed in parallel (beyond current firewall sandwich technology). Traffic deemed safe is transmitted to the secure network, while remaining traffic is forwarded to lower levels for further examination.
The result of this divide-and-conquer strategy is lower delays for legitimate traffic, higher throughput, and traffic differentiation (a key component for maintaining QoS). Furthermore, the distributed design is scalable to traffic loads and is less susceptible to DoS attacks. Simulation and analytical results show these new architectures outperform any current firewall system, providing higher throughput, lower delays, and predictable traffic differentiation.
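The rule-reordering idea in the abstract, as an added illustration that is not code from the report: a first-match policy is re-sorted by observed hit count, but two rules that could match the same packet with different actions are never allowed to cross, so every decision stays the same while the average number of comparisons per packet drops. The rule format, the policy and the packet trace are constructed for this example.

```python
from collections import Counter, namedtuple
from ipaddress import ip_address, ip_network

# proto is 'tcp', 'udp' or '*'; src is an IPv4Network; lo..hi is an inclusive dst-port range
Rule = namedtuple('Rule', 'name proto src lo hi action')

def matches(r, proto, src, dport):
    return r.proto in ('*', proto) and ip_address(src) in r.src and r.lo <= dport <= r.hi

def intersects(a, b):
    """True if some packet could match both rules, so their relative order matters."""
    return (('*' in (a.proto, b.proto) or a.proto == b.proto)
            and a.src.overlaps(b.src) and a.lo <= b.hi and b.lo <= a.hi)

def evaluate(policy, pkt):  # first-match lookup -> (action, rule name, comparisons made)
    for n, r in enumerate(policy, 1):
        if matches(r, *pkt):
            return r.action, r.name, n
    return 'deny', None, len(policy)          # implicit default deny

def reorder(policy, hits):
    """Bubble frequently hit rules forward, swapping adjacent rules only when that cannot
    change a decision: intersecting rules with different actions keep their order."""
    p, swapped = list(policy), True
    while swapped:
        swapped = False
        for i in range(len(p) - 1):
            a, b = p[i], p[i + 1]
            if hits[b.name] > hits[a.name] and not (intersects(a, b) and a.action != b.action):
                p[i], p[i + 1] = b, a
                swapped = True
    return p

def demo():
    policy = [Rule('R1', 'tcp', ip_network('10.0.0.0/8'), 22, 22, 'deny'),
              Rule('R2', 'tcp', ip_network('0.0.0.0/0'), 80, 80, 'accept'),
              Rule('R3', 'tcp', ip_network('0.0.0.0/0'), 443, 443, 'accept'),
              Rule('R4', 'udp', ip_network('0.0.0.0/0'), 53, 53, 'accept'),
              Rule('R5', 'tcp', ip_network('10.0.0.0/8'), 1, 65535, 'accept'),
              Rule('R6', '*', ip_network('0.0.0.0/0'), 1, 65535, 'deny')]
    # Constructed (proto, src, dport) trace: mostly HTTPS and DNS, a little of everything else.
    trace = ([('tcp', '192.0.2.10', 443)] * 6 + [('udp', '192.0.2.11', 53)] * 5
             + [('tcp', '192.0.2.12', 80)] * 2 + [('tcp', '10.1.2.3', 22),
             ('tcp', '10.1.2.3', 8080), ('tcp', '198.51.100.7', 8080)])
    before = [evaluate(policy, p) for p in trace]
    new_policy = reorder(policy, Counter(name for _, name, _ in before))
    after = [evaluate(new_policy, p) for p in trace]
    return {'order': [r.name for r in new_policy],
            'same_decisions': [a for a, *_ in before] == [a for a, *_ in after],
            'comparisons': (sum(c for *_, c in before), sum(c for *_, c in after))}
```

R1 (deny SSH from 10.0.0.0/8) intersects R5 (accept all TCP from 10.0.0.0/8) with a different action, so it can never be moved behind R5 no matter how rarely it is hit; the unconstrained high-volume rules move to the front and the comparison count for the trace falls from 54 to 37.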

Authors:
Errin W. Fulp
Publication Date:
August 2007
Research Org.:
Wake Forest University
Sponsoring Org.:
USDOE Office of Science (SC)
OSTI Identifier:
924750
Report Number(s):
DOE/ER/25581-1
TRN: US201006%%824
DOE Contract Number:
FG02-03ER25581
Resource Type:
Technical Report
Country of Publication:
United States
Language:
English
Subject:
99 GENERAL AND MISCELLANEOUS//MATHEMATICS, COMPUTING, AND INFORMATION SCIENCE; DESIGN; OPTIMIZATION; PERFORMANCE; PROCESSING; SECURITY; SIMULATION; SORTING; Firewalls, high-speed, networks, security policy

Citation Formats

Errin W. Fulp. Firewall Architectures for High-Speed Networks: Final Report. United States: N. p., 2007. Web. doi:10.2172/924750.
Errin W. Fulp. Firewall Architectures for High-Speed Networks: Final Report. United States. doi:10.2172/924750.
Errin W. Fulp. 2007. "Firewall Architectures for High-Speed Networks: Final Report". United States. doi:10.2172/924750. https://www.osti.gov/servlets/purl/924750.
@article{osti_924750,
title = {Firewall Architectures for High-Speed Networks: Final Report},
author = {Errin W. Fulp},
abstractNote = {Firewalls are a key component for securing networks that are vital to government agencies and private industry. They enforce a security policy by inspecting and filtering traffic arriving or departing from a secure network. While performing these critical security operations, firewalls must act transparent to legitimate users, with little or no effect on the perceived network performance (QoS). Packets must be inspected and compared against increasingly complex rule sets and tables, which is a time-consuming process. As a result, current firewall systems can introduce significant delays and are unable to maintain QoS guarantees. Furthermore, firewalls are susceptible to Denial of Service (DoS) attacks that merely overload/saturate the firewall with illegitimate traffic. Current firewall technology only offers a short-term solution that is not scalable; therefore, the \textbf{objective of this DOE project was to develop new firewall optimization techniques and architectures} that meet these important challenges. Firewall optimization concerns decreasing the number of comparisons required per packet, which reduces processing time and delay. This is done by reorganizing policy rules via special sorting techniques that maintain the original policy integrity. This research is important since it applies to current and future firewall systems. Another method for increasing firewall performance is with new firewall designs. The architectures under investigation consist of multiple firewalls that collectively enforce a security policy. Our innovative distributed systems quickly divide traffic across different levels based on perceived threat, allowing traffic to be processed in parallel (beyond current firewall sandwich technology). Traffic deemed safe is transmitted to the secure network, while remaining traffic is forwarded to lower levels for further examination. 
The result of this divide-and-conquer strategy is lower delays for legitimate traffic, higher throughput, and traffic differentiation (a key component for maintaining QoS). Furthermore, the distributed design is scalable to traffic loads and is less susceptible to DoS attacks. Simulation and analytical results show these new architectures out-perform any current firewall system, providing higher throughput, lower delays, and predictable traffic differentiation.},
doi = {10.2172/924750},
journal = {},
number = {},
volume = {},
place = {United States},
year = 2007,
month = 8
}

  • This project developed a new scalable network firewall and Intrusion Protection System (IPS) that can manage increasing traffic loads, higher network speeds, and strict Quality of Service (QoS) requirements. This new approach provides a strong foundation for next-generation network security technologies and products that address growing and unmet needs in the government and corporate sectors by delivering Optimal Network Security. Controlling access is an essential task for securing networks that are vital to private industry, government agencies, and the military. This access can be granted or denied based on the packet header or payload contents. For example, a simple network firewall enforces a security policy by inspecting and filtering the packet headers. As a complement to the firewall, an Intrusion Detection System (IDS) inspects the packet payload for known threat signatures; for example, a virus or worm. Similar to a firewall policy, IDS policies consist of multiple rules that specify an action for matching packets. Each rule can specify different items, such as the signature contents and the signature location within the payload. When the firewall and IDS are merged into one device, the resulting system is referred to as an Intrusion Protection System (IPS), which provides both packet header and payload inspections. Having both types of inspections is very desirable and more manageable in a single device.
  • This paper describes various parallel-processing architecture networks that are candidates for eventual airborne use. An attempt at projecting which type of network is suitable or optimum for specific metafunction or stand-alone applications is made. However, specific algorithms will need to be developed and benchmarks executed before firm conclusions can be drawn. Also, a conceptual projection of how these processors can be built in small, flyable units through the use of wafer-scale integration is offered. The use of the PAVE PILLAR system architecture to provide system level support for these tightly coupled networks is described. The author concludes that: (1) extremely high processing speeds implemented in flyable hardware are possible through parallel-processing networks if development programs are pursued; (2) dramatic speed enhancements through parallel processing require an excellent match between the algorithm and computer-network architecture; (3) matching several high speed parallel oriented algorithms across the aircraft system to a limited set of hardware modules may be the most cost-effective approach to achieving speed enhancements; and (4) software-development tools and improved operating systems will need to be developed to support efficient parallel-processor use.
  • The purpose of the study was to determine the value to the electric utility industry of ultra-high-speed fault clearing and, in particular, the value of one-cycle total fault clearing time for EHV and UHV systems. Protective relaying aspects were examined to determine to what extent existing relay schemes can be improved and to identify promising new concepts that would fulfill the requirements of one-cycle fault clearing. System stability studies were made for three different types of applications that would benefit from high-speed fault clearing. These applications included radial systems designed to be stable for normally cleared faults, energy centers designed to be stable for breaker failure, and "dumbbell" systems consisting of two large systems interconnected by weak ties. Nominal voltage levels of 345, 500, 765, and 1,100 kV corresponding to maximum voltage ratings of 362, 550, 800, and 1,200 kV were included in the analysis. Where appropriate, both existing and future machine reactances and inertia constants were used. Performance of the various systems was compared on the basis of permissible power transfer with one-cycle fault clearing compared to three-cycle fault clearing and was evaluated in terms of dollars per kilowatt-mile difference in transmission costs.
  • The goal of our work has been to develop a solid theoretical framework for the problem of learning from examples, in order to evaluate Neural Network architecture and develop new powerful parallel techniques and algorithms. Our approach was based on the formulation of the problem of learning from examples as a problem of approximation of multivariate functions from sparse data, in such a way as to take advantage of the existing large body of results in function approximation theory and regularization. Our work has been successful beyond our original expectations at the time we wrote the proposal. We have developed a sizable body of theoretical results and applications. Several projects, many outside our own group, are now pursuing different aspects of the theory, and are developing algorithms and applying the technique to practical domains.