OSTI.GOV, U.S. Department of Energy Office of Scientific and Technical Information

Title: Integrated Scalable Parallel Firewall and Intrusion Detection System for High-Speed Networks

Abstract

This project developed a new scalable network firewall and Intrusion Protection System (IPS) that can manage increasing traffic loads, higher network speeds, and strict Quality of Service (QoS) requirements. This new approach provides a strong foundation for next-generation network security technologies and products that address growing and unmet needs in the government and corporate sectors by delivering Optimal Network Security. Controlling access is an essential task for securing networks that are vital to private industry, government agencies, and the military. This access can be granted or denied based on the packet header or payload contents. For example, a simple network firewall enforces a security policy by inspecting and filtering the packet headers. As a complement to the firewall, an Intrusion Detection System (IDS) inspects the packet payload for known threat signatures, for example those of a virus or worm. Similar to a firewall policy, IDS policies consist of multiple rules that specify an action for matching packets. Each rule can specify different items, such as the signature contents and the signature location within the payload. When the firewall and IDS are merged into one device, the resulting system is referred to as an Intrusion Protection System (IPS), which provides both packet header and payload inspections. Having both types of inspections is very desirable and more manageable in a single device.

Authors:
Fulp, Errin W; Anderson, Robert E; Ahn, David K
Publication Date:
2009-08-31
Research Org.:
GreatWall Systems, Inc.
Sponsoring Org.:
USDOE Office of Energy Research (ER)/Chicago Office/ACQ
OSTI Identifier:
963374
DOE Contract Number:
FG02-06ER86274
Resource Type:
Technical Report
Country of Publication:
United States
Language:
English
Subject:
97 MATHEMATICS AND COMPUTING; Highly-Scalable Firewall, Intrusion Detection, Intrusion Prevention

Citation Formats

Fulp, Errin W, Anderson, Robert E, and Ahn, David K. Integrated Scalable Parallel Firewall and Intrusion Detection System for High-Speed Networks. United States: N. p., 2009. Web.
Fulp, Errin W, Anderson, Robert E, & Ahn, David K. (2009). Integrated Scalable Parallel Firewall and Intrusion Detection System for High-Speed Networks. United States.
Fulp, Errin W, Anderson, Robert E, and Ahn, David K. 2009. "Integrated Scalable Parallel Firewall and Intrusion Detection System for High-Speed Networks". United States.
@techreport{osti_963374,
title = {Integrated Scalable Parallel Firewall and Intrusion Detection System for High-Speed Networks},
author = {Fulp, Errin W and Anderson, Robert E and Ahn, David K},
abstractNote = {This project developed a new scalable network firewall and Intrusion Protection System (IPS) that can manage increasing traffic loads, higher network speeds, and strict Quality of Service (QoS) requirements. This new approach provides a strong foundation for next-generation network security technologies and products that address growing and unmet needs in the government and corporate sectors by delivering Optimal Network Security. Controlling access is an essential task for securing networks that are vital to private industry, government agencies, and the military. This access can be granted or denied based on the packet header or payload contents. For example, a simple network firewall enforces a security policy by inspecting and filtering the packet headers. As a complement to the firewall, an Intrusion Detection System (IDS) inspects the packet payload for known threat signatures; for example, virus or worm. Similar to a firewall policy, IDS policies consist of multiple rules that specify an action for matching packets. Each rule can specify different items, such as the signature contents and the signature location within the payload. When the firewall and IDS are merged into one device, the resulting system is referred to as an Intrusion Protection System (IPS), which provides both packet header and payload inspections. Having both types of inspections is very desirable and more manageable in a single device.},
institution = {GreatWall Systems, Inc.},
place = {United States},
year = {2009},
month = {aug}
}

  • Firewalls are a key component for securing networks that are vital to government agencies and private industry. They enforce a security policy by inspecting and filtering traffic arriving at or departing from a secure network. While performing these critical security operations, firewalls must act transparently to legitimate users, with little or no effect on the perceived network performance (QoS). Packets must be inspected and compared against increasingly complex rule sets and tables, which is a time-consuming process. As a result, current firewall systems can introduce significant delays and are unable to maintain QoS guarantees. Furthermore, firewalls are susceptible to Denial of Service (DoS) attacks that merely overload or saturate the firewall with illegitimate traffic. Current firewall technology only offers a short-term solution that is not scalable; therefore, the objective of this DOE project was to develop new firewall optimization techniques and architectures that meet these important challenges. Firewall optimization concerns decreasing the number of comparisons required per packet, which reduces processing time and delay. This is done by reorganizing policy rules via special sorting techniques that maintain the original policy integrity. This research is important since it applies to current and future firewall systems. Another method for increasing firewall performance is with new firewall designs. The architectures under investigation consist of multiple firewalls that collectively enforce a security policy. Our innovative distributed systems quickly divide traffic across different levels based on perceived threat, allowing traffic to be processed in parallel (beyond current firewall sandwich technology). Traffic deemed safe is transmitted to the secure network, while remaining traffic is forwarded to lower levels for further examination.
The result of this divide-and-conquer strategy is lower delays for legitimate traffic, higher throughput, and traffic differentiation (a key component for maintaining QoS). Furthermore, the distributed design is scalable to traffic loads and is less susceptible to DoS attacks. Simulation and analytical results show these new architectures outperform any current firewall system, providing higher throughput, lower delays, and predictable traffic differentiation.
  • Optical transport networks based on wavelength division multiplexing (WDM) are considered to be the most appropriate choice for the future Internet backbone. On the other hand, future DOE networks are expected to have the ability to dynamically provision on-demand survivable services to suit the needs of various high performance scientific applications and remote collaboration. Since a failure in a WDM network such as a cable cut may result in a tremendous amount of data loss, efficient protection of data transport in WDM networks is therefore essential. As the backbone network is moving towards GMPLS/WDM optical networks, the unique requirement to support DOE’s science mission results in challenging issues that are not directly addressed by existing networking techniques and methodologies. The objectives of this project were to develop cost effective protection and restoration mechanisms based on dedicated path, shared path, preconfigured cycle (p-cycle), and so on, to deal with single failure, dual failure, and shared risk link group (SRLG) failure, under different traffic and resource requirement models; to devise efficient service provisioning algorithms that deal with application specific network resource requirements for both unicast and multicast; to study various aspects of traffic grooming in WDM ring and mesh networks to derive cost effective solutions while meeting application resource and QoS requirements; to design various diverse routing and multi-constrained routing algorithms, considering different traffic models and failure models, for protection and restoration, as well as for service provisioning; to propose and study new optical burst switched architectures and mechanisms for effectively supporting dynamic services; and to integrate research with graduate and undergraduate education. All objectives have been successfully met. This report summarizes the major accomplishments of this project.
The impact of the project manifests in many aspects. First, the project addressed many essential problems that arise in current and future WDM optical networks and provided a host of innovative solutions, though there was no invention or patent filing. This project resulted in more than two dozen publications in major journals and conferences (including papers in IEEE Transactions and journals, as well as a book chapter). Our publications have been cited by many peer researchers. In particular, one of our conference papers was nominated for the best paper award of IEEE/Create-Net Broadnets (International Conference on Broadband Communications, Networks, and Systems) 2006. Second, the results and solutions of this project were well received by DOE Labs, where presentations were given by the PI. We hope to continue the collaboration with DOE Labs in the future. Third, the project was the first to propose and extensively study multicast traffic grooming and new traffic models such as the sliding scheduled traffic model and the scheduled traffic model. Our research has sparked a flurry of recent studies and publications by the research community in these areas. Fourth, the project has benefited a diverse population of students by motivating and engaging them and enhancing their learning and skills. The project has been conducted in a manner conducive to the training of students at both the graduate and undergraduate levels. As a result, one Ph.D. student, Dr. Abdur Billah, graduated. Another Ph.D. student, Tianjian Li, will graduate in January 2007. In addition, four MS students graduated. One undergraduate student, Jeffrey Alan Shininger, completed his university honors project. Fifth, thanks to the support of this ECPI project, the PI has obtained additional funding from the National Science Foundation, the Air Force Research Lab, and other sources. A few other proposals are pending.
Finally, this project has also significantly impacted the curricula and resulted in the enhancement of courses at the graduate and undergraduate levels, therefore strengthening the bond between research and education.
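Two technical points on this page deserve a concrete illustration: the abstract describes IPS rules that combine header fields with a payload signature and its location, and the firewall-optimization record above describes reordering rules to cut comparisons per packet while keeping the policy's meaning intact. The Python below is an added example written for this page; it is not code from the report, from GreatWall Systems, or from the optimization project. The rule set, hit counts and packets are constructed, header fields are simplified to exact hosts rather than CIDR ranges, and "policy integrity" is enforced with the usual pairwise precedence constraint (two rules may be reordered unless they overlap and disagree on the action), using a plain greedy ordering by hit count rather than whatever sorting the report itself develops.

```python
"""Toy IPS policy: header rules plus payload signatures with first-match semantics, and a
precedence-preserving rule reordering. Added example; all rules, hits and packets are constructed."""
import itertools
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = None  # wildcard for a header field
Packet = namedtuple("Packet", "proto src dst dport payload")

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                             # "accept" or "deny"
    proto: Optional[str] = ANY
    src: Optional[str] = ANY                # exact host or ANY (CIDR ranges omitted for brevity)
    dst: Optional[str] = ANY
    dport: Optional[Tuple[int, int]] = ANY  # inclusive destination-port range
    signature: Optional[bytes] = None       # IDS-style payload content
    offset: int = 0                         # payload byte where the signature search starts
    depth: Optional[int] = None             # bytes searched after offset (None = to end of payload)

def header_matches(rule: Rule, pkt: Packet) -> bool:
    for want, have in ((rule.proto, pkt.proto), (rule.src, pkt.src), (rule.dst, pkt.dst)):
        if want is not ANY and want != have:
            return False
    return rule.dport is ANY or rule.dport[0] <= pkt.dport <= rule.dport[1]

def payload_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.signature is None:
        return True
    end = None if rule.depth is None else rule.offset + rule.depth
    return rule.signature in pkt.payload[rule.offset:end]

def evaluate(policy: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule decides; a packet matching no rule gets the default."""
    for rule in policy:
        if header_matches(rule, pkt) and payload_matches(rule, pkt):
            return rule.action
    return default

def rules_intersect(a: Rule, b: Rule) -> bool:
    """True if some packet could match both. Signatures are deliberately ignored:
    one payload can carry both strings, so only header fields can prove disjointness."""
    for x, y in ((a.proto, b.proto), (a.src, b.src), (a.dst, b.dst)):
        if x is not ANY and y is not ANY and x != y:
            return False
    if a.dport is ANY or b.dport is ANY:
        return True
    return a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1]

def must_precede(earlier: Rule, later: Rule) -> bool:
    """Relative order matters only when two rules overlap and disagree on the action."""
    return rules_intersect(earlier, later) and earlier.action != later.action

def optimize(policy: List[Rule], hits: Dict[str, int]) -> List[Rule]:
    """Greedy reorder by descending hit count; a rule is eligible only once every earlier rule that
    must precede it is placed, so the first matching rule's action is unchanged for every packet."""
    remaining = set(range(len(policy)))
    order: List[int] = []
    while remaining:
        ready = [j for j in remaining
                 if not any(i < j and must_precede(policy[i], policy[j]) for i in remaining)]
        best = max(ready, key=lambda j: (hits.get(policy[j].name, 0), -j))  # ties keep original order
        order.append(best)
        remaining.remove(best)
    return [policy[k] for k in order]

def expected_comparisons(policy: List[Rule], hits: Dict[str, int]) -> float:
    """Mean comparisons per matched packet: each rule's 1-based position weighted by its hits."""
    total = sum(hits.get(r.name, 0) for r in policy)
    return sum((k + 1) * hits.get(r.name, 0) for k, r in enumerate(policy)) / total

def same_decisions(p1: List[Rule], p2: List[Rule], packets: List[Packet]) -> bool:
    return all(evaluate(p1, p) == evaluate(p2, p) for p in packets)

# Constructed policy. The signature deny overlaps the broad web accept and must stay ahead of it.
POLICY = [
    Rule("block-telnet", "deny", proto="tcp", dport=(23, 23)),
    Rule("mgmt-ssh", "accept", proto="tcp", src="10.0.0.5", dport=(22, 22)),
    Rule("no-ssh", "deny", proto="tcp", dport=(22, 22)),
    Rule("phf-probe", "deny", proto="tcp", dport=(80, 80), signature=b"GET /cgi-bin/phf", depth=64),
    Rule("web", "accept", proto="tcp", dport=(80, 80)),
    Rule("dns", "accept", proto="udp", dport=(53, 53)),
]
# Constructed per-rule hit counts, as a traffic log taken under the original order would report them.
HITS = {"block-telnet": 2, "mgmt-ssh": 40, "no-ssh": 10, "phf-probe": 3, "web": 900, "dns": 300}

def sample_packets() -> List[Packet]:
    """Exhaustive grid over the values the rules distinguish (constructed test traffic)."""
    payloads = [b"", b"GET /cgi-bin/phf HTTP/1.0", b"A" * 70 + b"GET /cgi-bin/phf"]
    return [Packet(proto, src, "10.0.0.1", dport, body)
            for proto, src, dport, body in itertools.product(
                ("tcp", "udp"), ("10.0.0.5", "10.0.0.7"), (22, 23, 53, 80, 161), payloads)]

if __name__ == "__main__":
    fast = optimize(POLICY, HITS)
    print([r.name for r in fast], same_decisions(POLICY, fast, sample_packets()), round(expected_comparisons(fast, HITS), 2))
```

Three things to notice when running it. The signature rule honours location: a payload that carries the probe string only after the first 64 bytes falls through to the plain web accept, which is exactly the offset/depth behaviour the abstract attributes to IDS rules. The reordering moves the heavily hit DNS rule to the front but cannot move the 900-hit web rule ahead of the signature deny, because the two overlap on tcp/80 and disagree; the mean comparison count still drops (from 6424/1255 to 4934/1255 on these constructed counts), and `same_decisions` over the exhaustive grid confirms the policy is unchanged, while putting the web rule first is caught as a changed decision. Finally, the greedy choice is deliberately simple: a rule whose many-hit successors are blocked behind it should itself be weighted by those hits, which this toy does not attempt.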