The Geometric Efficient Matching Algorithm for Firewalls

IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 1 (January-February 2011), pp. 147-159

Dmitry Rovniagin , Tel Aviv University, Israel

Avishai Wool , Tel Aviv University, Israel

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TDSC.2009.28

ABSTRACT

Since firewalls must filter all the traffic crossing the network perimeter, they need to sustain a very high throughput or risk becoming a bottleneck. Firewall packet matching can be viewed as a point location problem: each packet (a point) has five fields (dimensions) that must be checked against every firewall rule in order to find the first matching rule, so algorithms from computational geometry can be applied. In this paper, we consider a classical algorithm that we adapted to the firewall domain; we call the resulting algorithm “Geometric Efficient Matching” (GEM). GEM enjoys logarithmic matching time. However, its theoretical worst-case space complexity is O(n^4) for a rule-base with n rules. Because of this perceived high space complexity, GEM-like algorithms were rejected as impractical by earlier works. Contrary to this conclusion, this paper shows that GEM is actually an excellent choice. Based on statistics from real firewall rule-bases, we created a Perimeter rules model that generates random but nonuniform rule-bases, and we evaluated GEM via extensive simulation using this model. Our simulations show that on such rule-bases GEM uses near-linear space and needs only approximately 13 MB for rule-bases of 5,000 rules. Moreover, with additional space-improving heuristics, we reduced the space requirement to 2-3 MB for 5,000 rules. Most importantly, we integrated GEM into the code of the Linux iptables open-source firewall and tested it on real traffic loads. Our GEM-iptables implementation managed to filter over 30,000 packets per second on a standard PC, even with 10,000 rules. We therefore believe that GEM is an efficient and practical algorithm for firewall packet matching.
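As an added illustration (not code from the paper or its iptables module), the following Python builds a small GEM-style point-location structure: in each field, the range endpoints of the surviving rules cut that axis into elementary intervals, every interval recurses on the rules covering it, and a lookup is one binary search per field. The five-rule rule-base, the `classify` helper and the `leaf_count` space measure are constructed for this example.

```python
import bisect
import ipaddress

FIELDS = 5  # protocol, source IP, destination IP, source port, destination port
ANY_IP, ANY_PORT, ANY_PROTO = (0, 2**32 - 1), (0, 65535), (0, 255)
TCP, UDP = (6, 6), (17, 17)

def net(cidr):  # CIDR block -> inclusive integer address range
    return int(ipaddress.ip_network(cidr)[0]), int(ipaddress.ip_network(cidr)[-1])

# Constructed sample rule-base (not from the paper): (index, five ranges, action).
# Order matters: the first matching rule wins, and rule 4 is the default deny.
RULES = [
    (0, (TCP, ANY_IP, net("192.0.2.0/24"), ANY_PORT, (80, 80)), "accept"),
    (1, (TCP, ANY_IP, net("192.0.2.0/24"), ANY_PORT, (443, 443)), "accept"),
    (2, (UDP, net("198.51.100.0/24"), net("192.0.2.53/32"), ANY_PORT, (53, 53)), "accept"),
    (3, (TCP, net("198.51.100.0/24"), ANY_IP, ANY_PORT, (22, 22)), "drop"),
    (4, (ANY_PROTO, ANY_IP, ANY_IP, ANY_PORT, ANY_PORT), "drop"),
]

def build(rules, dim=0):
    """Endpoints of the surviving rules' ranges cut this axis into elementary intervals, each
    getting a sub-structure over the rules covering it; a leaf holds the first covering rule."""
    if dim == FIELDS:
        return min(rules, key=lambda r: r[0]) if rules else None
    pts = sorted({r[1][dim][0] for r in rules} | {r[1][dim][1] + 1 for r in rules})
    children = []
    for lo, nxt in zip(pts, pts[1:]):
        covering = [r for r in rules if r[1][dim][0] <= lo and nxt - 1 <= r[1][dim][1]]
        children.append(build(covering, dim + 1))
    return pts, children

def match(node, packet, dim=0):
    """One binary search per field: O(FIELDS * log n) whatever the rule count."""
    if dim == FIELDS:
        return node
    pts, children = node
    i = bisect.bisect_right(pts, packet[dim]) - 1
    if i < 0 or i >= len(children):
        return None  # value lies outside every rule's range in this field
    return match(children[i], packet, dim + 1)

def leaf_count(node, dim=0):  # elementary 5-D cells stored: the quantity that can reach O(n^4)
    return 1 if dim == FIELDS else sum(leaf_count(c, dim + 1) for c in node[1])

def classify(tree, proto, src, dst, sport, dport):
    pkt = (proto, int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst)), sport, dport)
    rule = match(tree, pkt)
    return (rule[0], rule[2]) if rule else None

TREE = build(RULES)
```

`classify(TREE, 6, "198.51.100.7", "192.0.2.10", 40000, 80)` returns `(0, "accept")`, while the same flow to port 22 hits rule 3; `leaf_count(TREE)` shows how many cells the five rules already produce.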

INDEX TERMS

Network communication, network-level security and protection.

CITATION

Dmitry Rovniagin, Avishai Wool, "The Geometric Efficient Matching Algorithm for Firewalls",

*IEEE Transactions on Dependable and Secure Computing*, vol. 8, no. 1, pp. 147-159, January-February 2011, doi:10.1109/TDSC.2009.28