L Cai,Xh Yang

DOI: https://doi.org/10.1109/ICSMC.2005.1571196

2005-01-01

Abstract:More and more network attacks are focusing on application level vulnerabilities. Recently, several examples of this trend have been highly publicized such as the SQL Slammer and SQL Snake attacks. Traditional firewalls, used for protecting the database, only prevent attacks searching for vulnerabilities. Database firewalls take defense deep into the organization by providing full syntax control and audit of the SQL AN stream before it reaches the database, and enforcing content-driven access to database. This paper proposes a layered reference model for database firewalls by enhancing the capability of COAST Laboratory's model. It separates a database firewall into three layers (network layer, schematic layer and semantic layer) according to the knowledge, computation target, and the control granularity of each layer. Based on this model, a database firewall product had been prototyped It can greatly improve the database security by introducing self-controlled authentication principal mapping, object mapping, and mandatory access control modules.

Chuanhuang Li,Sanyuan Zhang,Weiming Wang

2013-01-01

Abstract:In the NE (Network Element) of ForCES (Forwarding and Control Element Separation) architecture, there may be hundreds of FEs (Forwarding Element). These FEs' performance directly reflects the NE's ability of processing data and providing services. Their topologies exist in various forms. In this paper, the common features of these topologies are studied, and a performance solving method that abstracting FE as GPS scheduler is proposed. Under the self-similar FBM (Fractional Brownian Motion) traffic, the performance bounds of multiple flows processed by a single FE are derived. In order to guarantee the performance of the through traffic, based on the performance model, the requirements of processing weight in each FE are analyzed.

Zou Xi,Gao Ming,Yining Wang,Chunming Wu

DOI: https://doi.org/10.1109/PAAP.2015.29

2015-01-01

Abstract:The emergence of network virtualization solves the problem of ossification. At the same time, it provides endless possibilities for the innovations of the network architecture. As a result, it has attracted the attention of the next generation Internet architecture. Therefore this paper based on the architecture of For CES to explore the implementation of the data plane virtualization and provide the framework for virtualization platform via the method. Meanwhile, in the premise of meeting the requirements which the virtual network packet has enough processing capacity. For the sake of solving the allocation of FE resource in virtual network (Forwarding Element, FE). To make the number of FE and the utilization of FE more reasonable. This paper puts forward a kind of FE resource allocation algorithm based on twice iteration subtraction. We use Click Modular Router as the data plane processing engine, then we give the virtual method to realize data plane and explain that supporting multiple virtual network and the virtualization of FE can provide more flexibility for processing data packets.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Ming Gao,Shiju Li,Weiming Wang

DOI: https://doi.org/10.1155/2013/674057

IF: 1.43

2013-01-01

Mathematical Problems in Engineering

Abstract:The idea of Forwarding and Control Element Separation has widely accepted by next generation network researchers, the regain attention of IETF (The Internet Engineering Task Force) ForCES (Forwarding and Control Element Separation) is the best proof. An IP tunnel-based redirection schema was proposed to solve the problem of routing protocol messages interaction between ForCES router and the external merchant routers. The technology of network virtualization is introduced to map network interface from ForCES FE (Forwarding Element) to CE (Control Element) which collaborating with the redirect schema.

Arief Wicaksana,Arif Sasongko

DOI: https://doi.org/10.1109/ICEEI.2011.6021782

2016-11-18

Abstract:In data communication via internet, security is becoming one of the most influential aspects. One way to support it is by classifying and filtering ethernet packets within network devices. Packet classification is a fundamental task for network devices such as routers, firewalls, and intrusion detection systems. In this paper we present architecture of fast and reconfigurable Packet Classification Engine (PCE). This engine is used in FPGA-based firewall. Our PCE inspects multi-dimensional field of packet header sequentially based on tree-based algorithm. This algorithm simplifies overall system to a lower scale and leads to a more secure system. The PCE works with an adaptation of single cycle processor architecture in the system. Ethernet packet is examined with PCE based on Source IP Address, Destination IP Address, Source Port, Destination Port, and Protocol fields of the packet header. These are basic fields to know whether it is a dangerous or normal packet before inspecting the content. Using implementation of tree-based algorithm in the architecture, firewall rules are rebuilt into 24-bit sub-rules which are read as processor instruction in the inspection process. The inspection process is comparing one sub-rule with input field of header every clock cycle. The proposed PCE shows 91 MHz clock frequency in Cyclone II EP2C70F896C6 with 13 clocks throughput average from input to output generation. The use of tree-based algorithm simplifies the multidimensional packet inspection and gives us reconfigurable as well as scalable system. The architecture is fast, reliable, and adaptable and also can maximize the advantages of the algorithm very well. Although the PCE has high frequency and little amount of clock, filtering speed of a firewall also depends on the other components, such as packet FIFO buffer. Fast and reliable FIFO buffer is needed to support the PCE. This PCE also is not completed with rule update mechanism yet. This proposed PCE is tested as a component of FPGA-based firewall to filter Ethernet packet with FPGA DE2 Board using NIOS II platform.

Hardware Architecture,Networking and Internet Architecture

WU Haibo,XU Mingwe

DOI: https://doi.org/10.3321/j.issn:1000-0054.2008.01.033

2008-01-01

Abstract:The ForCES(forwarding and control element separation) router has to be capable of supporting hundreds of forwarding elements.A topological analysis of a ForCES router was used to develop a routing mechanism based on labels to improve routing.Backup paths are introduced to reduce path recovery time.For n forwarding elements with m forwarding elements containing external interfaces,if e represents the average edge number,this routing mechanism reduces the calculational workload from O(n3) to O(mn2) and the communication cost from O(ne) to O(n),compared with the OSPF(open shortest path first) method.This method has shorter convergence times,less communication costs and is able to recover more rapidly when failed paths occasion.

Maurantonio Caprolu,Simone Raponi,Roberto Di Pietro

DOI: https://doi.org/10.1155/2019/6874592

IF: 1.968

2019-02-19

Security and Communication Networks

Abstract:The Software Defined Networking (SDN) paradigm decouples the logic module from the forwarding module on traditional network devices, bringing a wave of innovation to computer networks. Firewalls, as well as other security appliances, can largely benefit from this novel paradigm. Firewalls can be easily implemented by using the default OpenFlow rules, but the logic must reside in the control plane due to the dynamic nature of their rules that cannot be handled by data plane devices. This leads to a nonnegligible overhead in the communication channel between layers, as well as introducing an additional computational load on the control plane. To address the above limitations, we propose the architectural design of FORTRESS: a stateful firewall for SDN networks that leverages the stateful data plane architecture to move the logic of the firewall from the control plane to the data plane. FORTRESS can be implemented according to two different architectural designs: Stand-Alone and Cooperative, each one with its own peculiar advantages. We compare FORTRESS against FlowTracker, the state-of-the-art solution for SDN firewalling, and show how our solution outperforms the competitor in terms of the number of packets exchanged between the control plane and the data plane—we require 0 packets for the Stand-Alone architecture and just 4 for the Cooperative one. Moreover, we discuss how the adaptability, elegant and modular design, and portability of FORTRESS contribute to make it the ideal candidate for SDN firewalling. Finally, we also provide further research directions.

computer science, information systems,telecommunications

qingang dong,tao li,zhentao liu,lin jiang

2011-01-01

Abstract:Traffic control computation in high speed routers and switches is usually implemented with ad hoc hardware which is not reusable. This paper presents a reconfigurable architecture for network traffic control computations, based on an Augmented Finite State Machine (AFSM) controller, and the architecture is reconfigurable. The implementation of new traffic control features is realized in software, thus relieves the burden on hardware designers. Additionally, several traffic control algorithms in this paper are realized with the architecture to prove its hardware circuit high-speeded, reliable and stable. At last, with the electronic design automation tools (EDA), the frequency of the hardware circuit is up to 260MHz.

范训礼,景广军

DOI: https://doi.org/10.3969/j.issn.1000-2758.2002.03.011

2002-01-01

Xibei Gongye Daxue Xuebao/Journal of Northwestern Polytechnical University

Abstract:This paper presents a firewall system based on Linux - L-Firewall, which combines packet filter and proxy technology. Proxy and authentication are implemented on B1 level operating system. The paper emphasizes on the L-Firewall frame, especially on the implementation of packet filter module. L-Firewall provides not only HTTP, FTP proxy and packet filter, but also content filter, network address translation to protect network from IP spoofing and IP source route spoofing. L-Firewall tallies with GB/T17900-1999 and GB/T18020-1999.

崔伟,齐竞艳,蔡圣闻,黄皓

DOI: https://doi.org/10.3969/j.issn.1000-3428.2004.16.051

2004-01-01

Abstract:The paper introduces the basic notion of distributed firewall, analyses the security threatens. Then it introduces IPSec protocols,and presents an IPSec-based distributed firewall security architecture including the internal design and external design.This architecture combines IPSec and some other secure measures with distribtued firewall so as to give distributed firewall stronger security.

JeeHyun Hwang,Tao Xie,Fei Chen,Alex X. Liu

DOI: https://doi.org/10.1109/srds.2008.34

2012-01-01

IEEE Transactions on Network and Service Management

Abstract:Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. As the quality of protection provided by a firewall directly depends on the quality of its policy (i.e., configuration), ensuring the correctness of firewall policies is important and yet difficult. To help ensure the correctness, we propose a systematic structural testing approach for firewall policies. We define structural coverage (based on coverage criteria of rules, predicates, and clauses) on the firewall policy under test. To achieve high structural coverage effectively, we have developed four automated packet generation techniques: the random packet generation, the one based on local constraint solving (considering individual rules locally in a policy), the one based on global constraint solving (considering multiple rules globally in a policy), and the one based on boundary values.We have conducted an experiment on a set of real policies and a set of faulty policies to detect faults with generated packet sets. Generally, our experimental results show that a packet set with higher structural coverage has higher fault-detection capability (i.e., detecting more injected faults). Our experimental results show that a reduced packet set (maintaining the same level of structural coverage with the corresponding original packet set) maintains similar fault-detection capability with the original set.

Ming Gao,ShiJu Li,Bangzhi Xiao

DOI: https://doi.org/10.11591/telkomnika.v11i2.2005

2013-01-01

Abstract:ForCES router(ForTER) is an open experimental platform for network research of new routing algorithm，packet processing which is based on ForCES. By introducing and designing six new LFBs to ForTER, this paper propose a method of implementation of multicast IP router with network coding enabled. These LFBs undertake coding functions such as packets’ coding, labeling, buffering and decoding. We build an IP multicast network with ForTERs, which including the classic shortest path tree constructed by the reverse path from the source node to each sink ,then evaluate the completeness of throughput , performance overhead and CPU utilization. DOI: http://dx.doi.org/10.11591/telkomnika.v11i2.2005

Wajid Rafique,Xin He,Zifan Liu,Yuhu Sun,Wanchun Dou

DOI: https://doi.org/10.1109/HPCC/SmartCity/DSS.2019.00080

2019-01-01

Abstract:Managing the Internet of Things (IoT) infrastructure has become a critical challenge due to an enormous increase in the connected devices and the lack of available security solutions. Software-Defined Networking (SDN) has been extensively involved in network infrastructure management. Moreover, numerous recent studies demonstrate the use of SDN for managing IoT networks. In SDN, policy consistency and security of the data plane is maintained through Waypoint Enforcement (WPE) which ensures that the traffic traverses policy nodes/switches to implement high-level network requirements. Previous studies on SDN primarily secure SDN infrastructure against traditional Distributed Denial of Service (DDoS) attacks. However, we investigate Crossfire Attack (CFA), which is a novel DDoS attack capable of interrupting communication of data plane switches using low-rate legitimate traffic. CFA has the potential to isolate policy switch from the rest of the data plane devices which introduces many security anomalies and routing inconsistencies. We first demonstrate how CFA is lethal on policy switch attacks and then present the design and implementation of a novel CFA countermeasure called CFADefense, which employs link selection, attack detection, and malicious flows interception modules. CFADefense has been developed as an application at the application layer of the open-source Floodlight controller. Our evaluation demonstrates that CFADefense accurately detects and efficiently mitigates CFA and poses minimal overhead on the controller in dealing with this attack.

Lei Liu,Ramon Casellas,Takehiro Tsuritani,Itsuro Morita,Ricardo Martínez,Raül Muñoz

DOI: https://doi.org/10.1364/OE.21.004183

2013-02-25

Abstract:To mitigate the potential scalability issues of an OpenFlow-based control plane, a seamless OpenFlow and Path Computation Element (PCE) integrated control plane is proposed, by means of an architecture in which the path computation function is formally decoupled from the controller so the controller can off-load the task to one or more dedicated PCEs using an open and standard interface and protocol, and where the PCE obtains its topology database by means of a dedicated dynamic topology server, which is accessed by the PCE on a per-request basis. The overall feasibility and performance metrics of this integrated control plane are experimentally verified and quantitatively evaluated on a real IP over translucent Wavelength Switched Optical Network (WSON) testbed.

Shuyong Zhu,Jun Bi,Chen Sun

2014-01-01

Abstract:Software Defined Networking (SDN) is a new network architecture where network control is decoupled from forwarding and is directly programmable. However, existing techniques provide limited support for stateful forwarding in SDN data plane. Relying on the controller for all state maintaining gives rise to scalability and performance issues. In this paper, we present Stateful Forwarding Abstraction (SFA) in SDN data plane. And we design a co-processing unit in SDN switches named Forwarding Processor (FP). It can deal with state information in data plane and its instructions can be flexibly extended to meet application requirements. Through SFA, we implement stateful network processing on the datapath which covers a full range of Layer 4 to Layer 7 services. We validate its performance based on IPsec. The experiment result proves that the forwarding efficiency is greatly improved.

Duan Haixin,Wu Jianping,Li Xing

2001-01-01

Abstract:Efforts of this paper focus on the issues about management and throughput of firewalls (or screening routers) applied in transit networks. On the one hand, manual configuration of large amount of firewalls distributed in many access points can not meet the global security requirements in the open and dynamic environment. On the other hand, the ordinal lookup of filtering rules in each individual firewall results in great decrease of throughput. Aimed at a typical transit network and its security policy requirements, a policy-based access control framework (PACF) is proposed in this paper. This framework is based on three levels of abstract access control policy: organizational access control policy (OACP), global access control policy (GACP) and local access control policy (LACP). The GACP, which comes from the results of IDSes and search engines according to OACP, is automatically and dynamically distributed to firewalls as LACPs. Each LACP is then enforced by an individual firewall. Some key algorithms for distribution of GACP and enforcement of LACP are described. A hash-based algorithm is proposed, for lookup of filtering rules in LACP. Under the environment with policy requirements described in this paper, the new algorithm reduces the time complexity of lookup from O (N) of traditional sequential algorithm to O (1), which therefore increases largely the throughput of firewalls.

Jian Xie

2004-01-01

Abstract:It is hard for single- functioned secure products to meet the current demand,and the trend begin to change towards Integration.A frame of firewall based on Linux is discussed as to improve the ability of security control.

Zhenfang Wang,ZhiHui Lu,Jie Wu,Kang Fan

DOI: https://doi.org/10.1007/978-3-319-26979-5_9

2015-01-01

Abstract:In cloud, resources are virtualized and the software delivery way is becoming something like a \"service\" to provide end user and operator benefits including on-demand self-service, resource pooling, rapid elasticity and service metering capability. As a part of network function virtualization, firewall virtualization can greatly increase the firewall configuration flexibility for the cloud environment. In this paper, we focus on FWaaS Firewall as a Service and we design a parallel firewall system called CPFirewall Cloud Parallel Firewall System. In CPFirewall, the firewall resources are virtualized and multiple tenants can build up their own parallel firewall by renting virtual firewalls. This needs solve some challenges. We adopt a rule-splitting algorithm to build a rule anomaly set We call it Wrapset. for detecting rule anomaly. We design the rule-allocation algorithm to achieve the cloud-native features, including load balance and dynamic scale. And we also improve the system performance using Exponential Smoothing ES forecasting method. Experiment results have verified that CPFirewall has a higher efficiency than other firewall schemes and is much more suitable for the Cloud network environment.

Hui Yuan,Lei Zheng,Shuang Qiu,Xiangli Peng,Yuan Liang,Yaodong Hu,Guoru Deng

DOI: https://doi.org/10.1007/978-3-030-15235-2_142

2019-04-25

Abstract:With the rapid development of the network, in recent years, the Internet has greatly improved people’s lives, and the real-time, sharing and distance-removing characteristics of network information transmission have made the operation and management of enterprises more efficient and coordinated. The basis of refinement. At the same time, various network security incidents have followed, such as hacker attacks on computer network systems, and various types of viruses, Trojans and other active attacks emerge one after another. In this regard, this paper analyzes the enterprise network security system of firewall from the perspective of enterprise network security, briefly summarizes the background, advantages and disadvantages of firewall technology, and designs and implements a client software according to the actual needs of users. The network performs real-time intelligent security monitoring. After the system design is completed, the security is tested by building a simulation platform, including qualitative testing and quantitative testing, which are divided into security and performance to verify whether the system can achieve and guarantee performance.