
Dmitry Rovniagin, Avishai Wool, "The Geometric Efficient Matching Algorithm for Firewalls," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 1, pp. 147-159, January-February, 2011.  
BibTeX  
@article{ 10.1109/TDSC.2009.28,
  author = {Dmitry Rovniagin and Avishai Wool},
  title = {The Geometric Efficient Matching Algorithm for Firewalls},
  journal = {IEEE Transactions on Dependable and Secure Computing},
  volume = {8},
  number = {1},
  issn = {1545-5971},
  year = {2011},
  pages = {147-159},
  doi = {http://doi.ieeecomputersociety.org/10.1109/TDSC.2009.28},
  publisher = {IEEE Computer Society},
  address = {Los Alamitos, CA, USA},
}  
RefWorks Procite/RefMan/Endnote  
TY  - JOUR
JO  - IEEE Transactions on Dependable and Secure Computing
TI  - The Geometric Efficient Matching Algorithm for Firewalls
IS  - 1
SN  - 1545-5971
SP  - 147
EP  - 159
EPD - 147-159
A1  - Dmitry Rovniagin,
A1  - Avishai Wool,
PY  - 2011
KW  - Network communication
KW  - network-level security and protection.
VL  - 8
JA  - IEEE Transactions on Dependable and Secure Computing
ER  -