CHAPTER 2
LITERATURE SURVEY
In an era of proliferating computer networks and growing Internet-based communication, networking devices such as switches and routers have become obligatory entities in any organization. Nevertheless, the positive aspects of computer networks, such as information sharing and the ease of voluminous data transfer, have been obscured by negative aspects such as hacking and cracking attacks, which have become serious security woes. As a countermeasure to such nuisances, security devices have emerged on the networking canvas. The firewall is one such device, employed in almost every network for security purposes. Over the nearly three decades of the networking industry's existence, firewall technology has seen various implementation platforms. Traditionally it was implemented in hardware and/or software, and many commercial players came out with such devices. However, with the widespread and diversified nature of attacks, there has been a constant need to reconfigure these devices and to keep them abreast of present-day gigabit network technology. The implied latency requirements, together with rapid reconfiguration and deployment, can be addressed with state-of-the-art FPGA-based solutions. Embedding reconfigurable networking technology and the emerging Network on Chip (NoC) paradigm within the hub of the Internet thus offers superior levels of performance to users of the network. Since many aspects of this development are still regarded as open problems, a good number of research groups are working on this theme. A review of this work is put forth in this chapter.
Chapter 2: Literature Survey
of various aspects of security such as access control mechanisms, mobile code security and denial-of-service attacks, and the modeling of information flow and its application to confidentiality policies, system composition and covert channel analysis [112]. The domain of computer security is thus truly interdisciplinary, and many researchers work in this area. Moreover, security has emerged as a major issue in today's communication networks. This is natural, as the security concerns of a networked machine are many times more pronounced than those of an isolated one. Further, the performance pressures on implementing effective network security monitoring are growing fiercely due to rising traffic rates, the need to perform much more sophisticated forms of analysis, the requirement for inline processing, and the collapse of Moore's law for sequential processing. Given these growing pressures, it is time to fundamentally rethink the nature of using hardware to support network security analysis [6]. There is thus vast scope for research work in this paradigm.
Further, it is seen that the improvement of firewall technology goes hand in hand with related subject areas such as mathematics, statistics, algorithms, data mining and soft computing. The historical perspectives covered in the next section also evidence the same.
The term firewall originally referred to a wall intended to confine a fire or potential fire within a building [113]. Although the term has been in use since 1764, its meaning has not changed: firewalls stop or slow a hazardous event from spreading between two locations. In the technology arena, the first use of the term "firewall" can be traced to the late 1980s, when the Morris worm (the first real Internet worm) infiltrated NASA, U.C. Berkeley, Lawrence Livermore Laboratory and Stanford University [106]. During those years the Internet was still a fairly new technology in terms of its global usage and connectivity. In 1988 an employee at the NASA Ames Research Center in California sent a memo by e-mail to his colleagues that read, "We are currently under attack from an Internet VIRUS! It has hit Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames." The Morris worm propagated by exploiting flaws in network services such as sendmail and fingerd rather than through user e-mail; self-propagating worms of this kind are now a common nuisance for even the most casual home user. The Morris worm was the first large-scale attack on Internet security, which the online community neither expected nor was prepared for. The Internet community made it a top priority to prevent future attacks and began to collaborate on new ideas, systems and software to make the Internet safe again [115]; this was marked as the birth of the 'firewall'.
The first paper on firewall technology was published in 1988, when Jeff Mogul of Digital Equipment Corporation developed filter systems known as packet filter firewalls [107]. This fairly basic system was the first generation of what would become a highly evolved and technical Internet security feature. From 1989 to 1990, two colleagues at AT&T Bell Laboratories, Dave Presotto and Howard Trickey, developed the second generation of firewalls, known as circuit-level firewalls. Publications by Gene Spafford of Purdue University, Bill Cheswick of AT&T Laboratories and Marcus Ranum described a third-generation firewall known as the application-layer firewall. Marcus Ranum's work on the technology spearheaded the creation of the first commercial product [108]. The product was released by Digital Equipment Corporation (DEC), which named it SEAL. DEC's first major sale was on June 13, 1991, to a chemical company based on the East Coast of the USA.
Interestingly, at AT&T Bill Cheswick and Steve Bellovin were continuing their research in packet filtering and developed a working model for their own company based upon their original first-generation architecture. Further, in 1992, Bob Braden and Annette DeSchon at the University of Southern California developed their own fourth-generation packet filter firewall system [113]. The product, known as "Visas", was the first system to have a visual integration interface with colors and icons, which could be easily implemented on and accessed from a computer operating system such as Microsoft's Windows or Apple's Mac OS. In 1994 a US company called Check Point built this into a readily available software platform [114].
In 1996 the CERT Coordination Center received reports of programs that launched denial-of-service attacks by creating a "UDP packet storm" either on a single system or between two systems. An attack on one host causes that host to perform poorly; an attack between two hosts causes extreme network congestion in addition to degraded host performance. The recommended remedy was to disable and filter the chargen and echo services, and to disable and filter other unused UDP services as well [94]. This led to the development of the next generation of firewall technology. Thus the fifth and final generation of firewall was based on Kernel Proxy technology. This design is constantly evolving, but its basic features and code are currently in widespread use in both commercial and domestic computer systems. Cisco, one of the largest Internet security companies on a global scale, released the product to the public in 1997, and it remains one of the top sellers of Internet firewall technology on the market [111]. With so many generations and bewildering specifications, choosing a firewall for a network can be a difficult task; security, capacity, flexibility and functionality must be balanced in a manner unique to each network.
and very expensive [129]. Susceptibility to DoS is an intrinsic problem of any service provisioning system, albeit amplified in the networked digital environment by speed and automation, where, at a minimum, the occurrence of a potentially valid event (e.g., a service request or a TCP SYN packet) must be processed to ascertain its validity. It is further reported in [130] that almost all of the tools used in the distributed denial of service (DDoS) attacks on the Yahoo, Amazon, eBay and E-Trade Internet sites used ICMP for covert communication between the DDoS agents and the attacker's handler program. Some of the most widely known DDoS attack tools, such as Tribe Flood Network 2000 (TFN2K) [131] and Stacheldraht, rely on ICMP tunneling to establish communication channels between the compromised machines and the attacker's machine. Since ICMP tunneling is very simple to deploy and can cause a significant amount of damage, it has been classified as a high-risk security threat by Internet Security Systems [132] and SANS [133].
Attack class | Description | Examples
DoS attacks [128] | Denial of service (hard to prevent, but these draw immediate attention to the attacker) | Flooding attacks, disassociation attacks
Disclosure attacks [127] | Reading or revealing information | MITM attacks
Modification attacks [120] | Changing information | "We just modified your HomePage!"
Escalation of privilege [90] | Exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user |
Network security architectures [121, 122] | | Sniffing (password grabbing); brute force (password attempts); buffer overflows (httpd, ftpd, rpc/dcom); spoofing attacks (forging IP/MAC, etc.); flooding (SYN, UDP, ICMP); redirection (using ICMP, ARP, STP, MITM attacks); anti-virus (worms, viruses, Trojans); masquerading; social engineering
In the emerging scenario referred to above, it is reported that the current trend in the IT security industry, to move from software solutions to appliance-based solutions, has resulted in a shift of emphasis; in the firewall industry, for example, vendors in some instances provide IDS and IPS as part of their solutions [134]. In our work too we have resorted to an appliance-based firewall solution on the FPGA platform.
The first network firewalls appeared in the late 1980s and were architecturally similar to the routers used to separate a network into smaller LANs. The first security firewalls were used in the early 1990s. They were IP routers with filtering rules. The first security policy was something like the following: allow anyone "in here" to access "out there", and keep anyone (or anything I don't like) "out there" from getting "in here". These firewalls were effective but limited [11]. It was often very difficult to get the filtering rules right, for example; in some cases it was difficult to identify all the parts of an application that needed to be restricted, and in other cases people would move around and the rules would have to be changed.
The next security firewalls were more elaborate and more tunable. There were firewalls built on so-called bastion hosts. Probably the first commercial firewall of this type, using filters and application gateways (proxies), was from Digital Equipment Corporation and was based on the DEC corporate firewall. Brian Reid and the engineering team at DEC's Network Systems Lab in Palo Alto originally invented the DEC firewall. The first commercial firewall [116] was configured for and delivered to the first customer, a large East Coast chemical company, on June 13, 1991. During the next few months, Marcus Ranum at Digital invented security proxies and rewrote much of the rest of the firewall code. The firewall product was productized and dubbed DEC SEAL (Secure External Access Link). DEC SEAL was made up of an external system called Gatekeeper, the only system the Internet could talk to; a filtering gateway called Gate; and an internal Mailhub.
Nowadays the need for firewalls has increased significantly for the security of any computer network. Machines and networks connected to the Internet are now frequently attacked by malicious machines around the world. They can be protected from such attacks by denying access to those machines through a firewall. Harmful attacks can be reduced by limiting the rate of unwanted traffic or by dropping harmful packets. A firewall can manage the protocols, which are the programs specifically designed for communication with the services running on the computer; an attacker can try to use these protocols, for example FTP (file transfer protocol), to gain access to the computer for malicious activity. These network protocols are organized in layers. IP packets are routed through multiple, physically separated networks by the network layer. Components have been developed for the FPX (Field Programmable Port Extender) that allow applications to handle data on several protocol layers [1]. Similar circuits have been used for ATM and for IP over Ethernet in static systems [2].
Jun Li, Jelena Mirkovic et al. (2002) developed the Source Address Validity Enforcement (SAVE) protocol to enable routers to check source address validity [95]. SAVE is incoming-table-based filtering that filters packets carrying forged source addresses. In this approach, a router on the Internet builds an incoming table that specifies the correct incoming interface for a given source address, even when asymmetric routing is present. When a packet arrives on an interface, the router consults its incoming table to determine whether the packet has come from the proper direction; the protocol handles cases of asymmetric routing correctly. It was demonstrated through simulation that the incoming table built by the protocol properly detects forged source addresses, except during transient periods following routing changes [110]. The incoming table produced by the SAVE protocol can also be used for purposes other than filtering: valid incoming interface information is also beneficial for many techniques that currently assume symmetric routing and forward packets on non-optimal routes.
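To make the incoming-table idea concrete, the following Python example is added here; it is not code from the SAVE authors. It models a single router with a forwarding table and an incoming table and contrasts the incoming-table check with a strict unicast reverse-path (uRPF) check that consults only the forwarding table. The addresses, interface names and the save_update method that stands in for receipt of a SAVE update are constructed assumptions, as is the choice to report a source with no table entry as "unknown" rather than deciding for it.

```python
"""Incoming-table source address validation in the style of SAVE, beside strict uRPF.

Added example, not code from Li and Mirkovic et al.: a single router with a
forwarding table (FIB) and an incoming table learned from SAVE updates.
Addresses, interfaces and the update mechanics are constructed assumptions.
"""
import ipaddress


def longest_match(table, addr):
    """Return the value stored for the longest prefix in `table` containing `addr`, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, value in table.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return None if best is None else best[1]


class Router:
    def __init__(self, fib, incoming):
        # fib: destination prefix -> outgoing interface
        # incoming: source prefix -> interface on which packets from it should arrive
        self.fib = {ipaddress.ip_network(p): i for p, i in fib.items()}
        self.incoming = {ipaddress.ip_network(p): i for p, i in incoming.items()}

    def save_update(self, src_prefix, arrived_on):
        """A SAVE update originated by src_prefix reached this router on `arrived_on`;
        that interface becomes the valid incoming direction for the prefix (assumed model)."""
        self.incoming[ipaddress.ip_network(src_prefix)] = arrived_on

    def urpf_strict(self, src, in_iface):
        """Strict uRPF: accept only if the FIB routes back to src through the arrival interface."""
        return "forward" if longest_match(self.fib, src) == in_iface else "drop"

    def save_check(self, src, in_iface):
        """Incoming-table check: accept only if src's recorded interface is the arrival interface."""
        expected = longest_match(self.incoming, src)
        if expected is None:
            return "unknown"          # no entry: left to operator policy (assumption)
        return "forward" if expected == in_iface else "drop"


def demo():
    """Constructed scenario: traffic to 10.2.0.0/16 leaves on eth1, but traffic
    from it arrives on eth2 (asymmetric routing), which SAVE has learned."""
    r = Router(
        fib={"10.1.0.0/16": "eth0", "10.2.0.0/16": "eth1", "0.0.0.0/0": "eth2"},
        incoming={"10.1.0.0/16": "eth0", "10.2.0.0/16": "eth2"},
    )
    results = {}
    # legitimate packet from 10.2/16 on eth2: uRPF (FIB says eth1) drops it, SAVE forwards it
    results["legit_asymmetric"] = (r.urpf_strict("10.2.5.5", "eth2"), r.save_check("10.2.5.5", "eth2"))
    # spoofed 10.1/16 source arriving on eth2: both checks drop it
    results["spoofed"] = (r.urpf_strict("10.1.3.3", "eth2"), r.save_check("10.1.3.3", "eth2"))
    # routing change: 10.2/16 now reaches us over eth1; the stale entry drops a correct packet
    results["transient"] = r.save_check("10.2.5.5", "eth1")
    r.save_update("10.2.0.0/16", "eth1")        # next SAVE update refreshes the entry
    results["after_update"] = r.save_check("10.2.5.5", "eth1")
    results["no_entry"] = r.save_check("203.0.113.9", "eth2")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:17s} {outcome}")
```

The legitimate packet from 10.2.0.0/16 arriving on eth2 passes the incoming-table check but fails strict uRPF, because the route back to that prefix leaves on eth1; the spoofed packet fails both. The transient case shows the caveat noted above: after a routing change a correct packet is dropped until the next update refreshes the entry.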
The series of malicious worm attacks such as "MS Blaster" and "SoBig.F" caused tremendous economic damage worldwide; "SoBig.F" alone caused an estimated $29.7 billion in damage [3]. Most built-in firewalls are able to examine packet headers, but hidden application-level attacks go undetected and pass through such firewalls, since application-level attacks are usually hidden in the packet payload rather than in the headers [4]. IP packet flooding is one of the major problems that congest a network link. A host is unable to stop packets addressed to it, and the IP router arbitrarily drops packets in response to the overload. To cope with this, a host may reject new connections and thereby avoid the overload. Such a flooding attack can also be controlled by assigning priorities to some services and providing lower-quality service rather than rejecting requests outright (service degradation) [5].
The literature survey reveals that researchers have rated firewall security as the most focal issue. The emphasis was found to be mostly on filtering performance issues [13-15]. On the other hand, a few related works [16, 17] attempt to address only one of the conflict problems, namely rule correlation in filtering policies. Other approaches [18, 19] propose using a high-level policy language to define and analyze firewall policies and then map this language to filtering rules. Although using such high-level languages might avoid rule anomalies, they are not practical for the most widely used firewalls, which contain low-level filtering rules, simply because redefining already existing policies in a high-level language requires far more effort than analyzing the existing rules with a stand-alone tool such as the Firewall Policy Advisor.
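As an added illustration of the rule-level analysis that a stand-alone tool such as the Firewall Policy Advisor performs (and that the FIREMAN static analysis and the legacy-firewall anomaly discovery work discussed later in this chapter also address), the following Python program classifies pairwise anomalies in an ordered, first-match filtering policy. It is example code written for this chapter, not the Firewall Policy Advisor's own implementation; the five-field rule format, the sample policy and the reporting format are constructed assumptions. The four classes used follow the usual definitions: a later rule is shadowed when an earlier rule matches everything it matches with a different action, generalizes an earlier rule when it is a superset with a different action, is correlated with it when they overlap without containment and differ in action, and is redundant when a containing rule has the same action.

```python
"""Pairwise anomaly detection for an ordered, first-match firewall policy.

Added example for this chapter (not the Firewall Policy Advisor's code).
A rule has a protocol, source prefix, destination prefix, destination
port range and action; rules are evaluated in order and the first match
wins. The sample policy at the bottom is constructed.
"""
import ipaddress
from itertools import combinations


class Rule:
    def __init__(self, num, proto, src, dst, dport, action):
        self.num, self.proto, self.action = num, proto, action
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.dport = dport if isinstance(dport, tuple) else (dport, dport)  # (lo, hi)


def _rel_net(a, b):
    """Relation of prefix a to prefix b: eq, sub (a inside b), sup, disjoint."""
    if a == b:
        return "eq"
    if a.subnet_of(b):
        return "sub"
    if b.subnet_of(a):
        return "sup"
    return "disjoint"


def _rel_range(a, b):
    """Port ranges can also partially overlap, which prefixes cannot."""
    if a == b:
        return "eq"
    if a[1] < b[0] or b[1] < a[0]:
        return "disjoint"
    if b[0] <= a[0] and a[1] <= b[1]:
        return "sub"
    if a[0] <= b[0] and b[1] <= a[1]:
        return "sup"
    return "overlap"


def _rel_proto(a, b):
    if a == b:
        return "eq"
    if b == "any":
        return "sub"
    if a == "any":
        return "sup"
    return "disjoint"


def relation(ry, rx):
    """Relation of later rule ry to earlier rule rx, combining the per-field relations."""
    rels = {_rel_proto(ry.proto, rx.proto), _rel_net(ry.src, rx.src),
            _rel_net(ry.dst, rx.dst), _rel_range(ry.dport, rx.dport)}
    if "disjoint" in rels:
        return "disjoint"
    if rels <= {"eq"}:
        return "eq"
    if rels <= {"eq", "sub"}:
        return "sub"
    if rels <= {"eq", "sup"}:
        return "sup"
    return "correlated"


def find_anomalies(rules):
    """Return (kind, rule, other) tuples for every anomalous pair in the ordered policy."""
    found = []
    for i, j in combinations(range(len(rules)), 2):
        rx, ry = rules[i], rules[j]           # rx precedes ry
        rel = relation(ry, rx)
        if rel == "disjoint":
            continue
        same = rx.action == ry.action
        if rel in ("eq", "sub"):
            # ry can never fire: shadowed if the action differs, redundant if it is the same
            found.append(("shadowing" if not same else "redundancy", ry.num, rx.num))
        elif rel == "sup":
            if not same:
                found.append(("generalization", ry.num, rx.num))
            else:
                # rx is redundant to the later, wider ry unless a rule in between
                # overlaps rx with a different action (then rx still matters)
                blockers = [r for r in rules[i + 1:j]
                            if relation(r, rx) != "disjoint" and r.action != rx.action]
                if not blockers:
                    found.append(("redundancy", rx.num, ry.num))
        elif not same:
            found.append(("correlation", ry.num, rx.num))
    return found


# Constructed sample policy: (rule number, proto, src, dst, dport, action).
SAMPLE_POLICY = [
    Rule(1, "tcp", "10.1.1.0/24", "0.0.0.0/0",     80,        "accept"),
    Rule(2, "tcp", "10.1.0.0/16", "0.0.0.0/0",     80,        "deny"),
    Rule(3, "tcp", "10.1.2.0/24", "0.0.0.0/0",     80,        "deny"),
    Rule(4, "udp", "10.1.1.0/24", "192.0.2.0/24",  53,        "accept"),
    Rule(5, "udp", "10.1.1.0/25", "192.0.2.0/24",  53,        "deny"),
    Rule(6, "tcp", "0.0.0.0/0",   "192.0.2.10/32", (1, 1023), "deny"),
    Rule(7, "tcp", "10.1.1.0/24", "192.0.2.0/24",  443,       "accept"),
]


def analyze_sample():
    return find_anomalies(SAMPLE_POLICY)


if __name__ == "__main__":
    for kind, a, b in analyze_sample():
        print(f"{kind:14s} rule {a} vs rule {b}")
```

On the sample policy the program reports rule 2 generalizing rule 1, rule 3 redundant to rule 2, rule 5 shadowed by rule 4, and two correlations (rule 6 with rule 1, rule 7 with rule 6) where the rules overlap in address or port space without one containing the other; the correlation cases are the ones a tool must flag for a human, since which action applies depends on rule order.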
In recent years firewalls have seen some impressive technological advances (e.g., stateful inspection, transparency, performance) and widespread deployment. In contrast, firewall and security management technology is lacking.
Yair Bartal and Alain Mayer [100] presented "Firmato", a firewall management toolkit for successful firewall management at an appropriate level of abstraction, with distinguishing properties and components such as
Today, even a moderately sized corporate intranet contains multiple firewalls and routers, which are all used to enforce various aspects of the global corporate security policy. Configuring these devices to work in unison is difficult, especially if they are made by different vendors. Even testing or reverse-engineering an existing configuration is hard. Firewall configuration files are written in low-level formalisms whose readability is comparable to assembly code, and the global policy is spread over all the firewalls involved. To minimize some of these difficulties, Alain Mayer and Avishai Wool designed and implemented a novel firewall analysis tool, "Fang", which allows the administrator to easily discover and test the global firewall policy [79]. The tool uses a minimal description of the network topology and directly parses the various vendor-specific low-level configuration files. It interacts with the user through a query-and-answer session conducted at a much higher level of abstraction. Gregory R. Ganger described a prototype self-securing network interface (NI) for detecting such things as TTL abuse, fragmentation abuse, "SYN bomb" attacks, and random-propagation worms like Code Red [80].
For proper configuration of both firewalls and NIDSs it is necessary to use several sets of filtering and alerting rules. Nevertheless, the existence of anomalies between those rules, particularly in distributed multi-component scenarios, is very likely to degrade the network security policy. The discovery and removal of these anomalies is a serious and complex problem [83]. Lihua Yuan et al. introduced a static analysis toolkit, "FIREMAN", for firewall modeling and analysis [84]. By treating firewall configurations as specialized programs, FIREMAN applies static analysis techniques to check mis-
Although firewall security has been given strong attention in the research community, the emphasis has mostly been on filtering performance and hardware support issues [29-33]. On the other hand, few related works [30] present a resolution for the correlation conflict problem only. Other approaches [29-33] propose using a high-level policy language to define and analyze firewall policies and then map this language to filtering rules. Firewall query languages based on filtering rules are also proposed in [33].
There are also research papers reporting ASIC-based packet classification co-processors [24]. The advantage of the FPGA-based co-processing approach lies in the reconfigurable nature of the FPGA, which adds flexibility to the filtering mechanisms compared with ASIC solutions [25].
Anti-virus protection, firewalls and patches to cover security holes in critical software are perhaps among the top security mechanisms that a consumer can use to protect a home computing environment. Of these, a firewall is considered the most effective in protecting computers and is the most widely used form of protection in businesses [68]. Nanda Kumar, Kannan Mohan et al. (2008) specifically investigated the factors that impact the adoption of firewalls by home computer users [67]. The aforementioned AOL survey indicated that among these security technologies, the firewall is the least understood and least used in home computing environments: while more than 80% of respondents had anti-virus programs installed on their computers, only 37% had firewall solutions installed [89]. One possible reason for the low use of firewalls is the difficulty individuals face in using and maintaining firewall applications, compared with keeping their critical software (such as operating systems and Internet browsers) and anti-virus protection up to date. The relative difficulty of using the firewall and the low installed base in home environments provided the motivation for their research.
Through empirical studies of the application of the technique, researchers observed that a variant selected fewer tests and required a simpler, less costly analysis [59]. The technique, which they refer to as the change-based regression test selection technique, is basically the Class firewall technique but with the class firewall removed. In their paper they formulate the hypothesis that these empirical observations are not incidental but an inherent property of the Class firewall technique. They also prove that the hypothesis holds for Java in a stable testing environment, and conclude that the effectiveness of the Class firewall regression testing technique can be improved, without sacrificing its defect detection capability, by removing the class firewall.
Today's personal firewall software solutions can make it easy for novices and experts alike to keep personal information safe. Various web articles on personal firewall protection and comprehensive reviews are available to inform purchasing decisions, and various online reports list the specifications one should consider when selecting a personal firewall program. A wide range of personal firewall software is available on the market [62].
White, Lee et al. (2008) reported that testing firewalls (TFW) have proven to be a useful approach for regression testing in both functional and object-oriented software [63]. They involve only the modules that are closely related to the changed modules. They lead to substantially reduced regression tests but are still very effective in detecting regression faults. The authors investigate situations where data-flow paths are longer and testing only the modules and components one level away from the changed elements may not detect certain regression faults; an extended firewall considers these longer data paths. They report empirical studies showing the degree to which an extended firewall (EFW) detected more faults, and how much more testing was required to achieve this increased detection. In the case studies, the extra cost of EFW over TFW was about 30% in additional tests and 30-50% in extra time for analysis and test execution.
2.9 Alleviating the Difficulty in Rules Management with Emerging Parallel NIDS
The design and management of firewall rule sets is a very difficult and error-prone task because of the difficulty of translating access control requirements into complex low-level firewall languages [64]. Although high-level languages have been proposed to model firewall access control lists, none has been widely adopted by the industry. According to Pozo et al. (2009) the main reason is that their complexity is close to that of many existing low-level languages. In addition, none of the high-level languages that automatically generate firewall rule sets verifies the model prior to the code-generation phase. Error correction in the early stages of the development process is cheaper than correcting errors in the production phase, and errors that surface in production usually have a huge impact on the reliability and robustness of the generated code and the final system. They proposed applying the ideas of Model-Based Development to firewall access control list modeling and automatic rule set generation. In view of the difficulty of rule management, Michele Colajanni and Mirco Marchetti (2006) proposed a parallel NIDS architecture that provides fully reliable analysis, high performance and scalability [71]. These properties come together with the low cost and high flexibility guaranteed by an all-software implementation. The load balancing mechanism of the proposed NIDS distributes the traffic among a configurable number of parallel sensors, so that each of them receives a manageable amount of traffic. The parallelism and traffic distribution do not alter the results of the traffic analysis, which remains reliable and stateful.
The award-winning Sunbelt Personal Firewall, formerly called the Kerio Personal Firewall (KPF), is a very good piece of code that relies on the Windows firewall [65]; Tucows gave it their 5-Cow rating. McAfee Firewall Enterprise, another major player in the security field, offers unprecedented levels of application control and threat protection. Advanced capabilities such as application visualization, reputation-based global intelligence, automated threat feeds, encrypted traffic inspection, intrusion prevention, anti-virus and content filtering block attacks before they occur [76]. The Cisco PIX (Private Internet eXchange) is a popular IP firewall and network address translation (NAT) appliance and was one of the first products in this market segment. In 2005 Cisco introduced the newer Adaptive Security Appliance (ASA), which inherited many of the PIX features, and in 2008 announced the PIX end-of-sale. The PIX technology is still sold as a blade, the Firewall Services Module (FWSM), for the Cisco Catalyst 6500 switch series and the 7600 router series [93].
level languages might avoid rule anomalies, they are not practical for the most widely used firewalls, which contain low-level filtering rules, simply because redefining already existing policies in a high-level language requires far more effort than analyzing the existing rules with a stand-alone tool such as the Firewall Policy Advisor. Therefore, in [146] a significant approach and comprehensive framework to automate anomaly discovery and rule editing in legacy firewalls has been suggested. As reported in [137], firewall management ranges from the command line to sophisticated GUI-based and secured remote access. Security management and administration, particularly as it applies to different firewalls using different technologies and provided by different vendors, is a critical problem. As more and more security services are introduced and applied to different firewall components, properly configuring and maintaining the services consistently becomes increasingly difficult. An error by an administrator in maintaining a consistent configuration of security services can easily lead to a security vulnerability [137]. Notable in this context is BullGuard Internet Security 10 [61], which has been regarded as a comprehensive Internet security suite that keeps computer passwords, private documents and important files secure. As a security suite, BullGuard includes antivirus, antispyware and firewall technologies. It also includes many effective modes of protection against Trojans, worms and other viruses, with ease of use as well as extra features such as online backup, a gaming mode and a vulnerability scanner.
The WatchGuard Security System 2.0 is suited for mid-size organizations and networks [59]. It consists of two components: a hardware-based packet filter and a graphical configuration and management tool. The product provides general administration, configuration and monitoring services. The configuration is stored on the hardware component, which acts independently of the system used for the configuration and administration tasks. Once the firewall's configuration has been defined, it is downloaded to the hardware-based packet filter, where it is executed independently of the administration program. The hardware component, the Firebox, has a serial console port and three Ethernet ports [117]. The Ethernet ports are for the internal trusted, external untrusted and bastion networks, respectively. The software component, the Security Management System (SMS), provides the Firebox configuration services. The SMS program can connect to the Firebox over the serial port or over a network connection.
Check Point Security Gateways provide comprehensive, flexible and extensible security solutions while keeping security operations simple and affordable [118, 119]. With integrated hardware appliances, independent or pre-defined bundles of software blades, and virtualization options, a Check Point Security Gateway solution can be customized to fit the needs and budget of a business of any size or type.
research work. However, since FPGA-based firewalls fall under the hardware type, a comparison of hardware firewalls with their software counterparts is given below.
Table 2.2 Hardware vs Software Firewalls: Pros and Cons

Hardware firewalls
  Pros:
  - Inexpensive
  - Works at the port level
  - Can protect multiple PCs
  - Nonintrusive
  - Uses a dedicated, secure platform
  - Hides PCs from the outside world
  - Doesn't affect PC performance
  Cons:
  - Difficult to customize
  - Ignores most outgoing traffic

Software firewalls
  Pros:
  - Works at the application level
  - Ideal for one machine with many users
  - Analyzes incoming and outgoing traffic
  - Convenient for travelers and mobile workers
  - Easy to update
  Cons:
  - Doesn't hide a PC from the outside world

The features of hardware and software firewalls are summarized in the table above [66].
Robert N. Smith and Yu Chen addressed the diversity of security needs among the different information and resources connected over a secure data network in one of their research articles [69]. Installing firewalls across the data network is a popular approach to providing a secure data network. However, single, individual firewalls may not provide adequate security protection to meet the users' needs; the cost of "super" firewalls, design flaws, and inappropriate implementation of such firewalls may leave security loopholes. Toward this end they proposed heuristics for placing these firewalls across the different nodes and links of the network in such a way that different users can have the level of security they individually need, without having to pay added hardware costs or incur excess network delay.
Lili Qiu, George Varghese et al. (2001) found, using real databases, that the time for backtracking search is much better than the worst-case bound: instead of Ω((log N)^(k-1)), the search time is only roughly twice the optimal search time. Similarly, they found that set-pruning tries have much better storage costs than the worst-case bound, and they proposed several new techniques to further improve the two basic mechanisms [88].
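To show what the two mechanisms compared by Qiu et al. actually do, the following Python example is added here; it is not their code. It builds a constructed five-rule, two-field (destination prefix, source prefix) policy twice: as a hierarchical trie, where a lookup must backtrack through the source trie of every destination node on the search path, and as a set-pruning trie, where each destination node's source trie is pre-populated with the rules of all its ancestors so that a single source-trie walk suffices. The rule priorities (lower number wins), the addresses and the visit counter used to compare the two are constructed assumptions; the tries are one-bit binary tries without path compression.

```python
"""Two-field (dst, src) packet classification with hierarchical tries.

Added example (not code from Qiu, Varghese and Suri): the same rule set
is built as a hierarchical trie searched with backtracking and as a
set-pruning trie, and the node visits and trie sizes are compared.
Rules, addresses and priorities below are constructed for illustration.
"""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "prio dst src action")   # lower prio wins (first match)


class Node:
    __slots__ = ("child", "rules", "sub")

    def __init__(self):
        self.child = [None, None]   # binary trie children
        self.rules = []             # rules whose src prefix ends here (src tries only)
        self.sub = None             # src trie hanging off a dst node


def prefix_bits(prefix):
    net = ipaddress.ip_network(prefix)
    n = int(net.network_address)
    return [(n >> (31 - i)) & 1 for i in range(net.prefixlen)]


def addr_bits(addr):
    n = int(ipaddress.ip_address(addr))
    return [(n >> (31 - i)) & 1 for i in range(32)]


def insert(root, bits):
    node = root
    for b in bits:
        if node.child[b] is None:
            node.child[b] = Node()
        node = node.child[b]
    return node


def build_hierarchical(rules):
    """Each rule is stored once, in the src trie of its own dst node."""
    root = Node()
    for r in rules:
        d = insert(root, prefix_bits(r.dst))
        if d.sub is None:
            d.sub = Node()
        insert(d.sub, prefix_bits(r.src)).rules.append(r)
    return root


def build_set_pruning(rules):
    """Every dst node's src trie also holds the rules of all its dst ancestors, so a
    lookup needs only the deepest dst node on the path, at the cost of replication."""
    root = Node()
    for r in rules:
        insert(root, prefix_bits(r.dst))

    def fill(node, path):
        applicable = [r for r in rules if path[:len(prefix_bits(r.dst))] == prefix_bits(r.dst)]
        if applicable:
            node.sub = Node()
            for r in applicable:
                insert(node.sub, prefix_bits(r.src)).rules.append(r)
        for b in (0, 1):
            if node.child[b] is not None:
                fill(node.child[b], path + [b])

    fill(root, [])
    return root


def search_src(sub, sbits, counter):
    """Walk a src trie along the packet's src bits, keeping the best-priority rule seen."""
    node, best = sub, None
    while True:
        counter[0] += 1
        for r in node.rules:
            if best is None or r.prio < best.prio:
                best = r
        if not sbits or node.child[sbits[0]] is None:
            return best
        node, sbits = node.child[sbits[0]], sbits[1:]


def lookup_backtracking(root, dst, src):
    """Hierarchical trie: search the src trie of every dst node on the dst path."""
    counter, best = [0], None
    node, dbits, sbits = root, addr_bits(dst), addr_bits(src)
    while node is not None:
        if node.sub is not None:
            cand = search_src(node.sub, sbits, counter)
            if cand is not None and (best is None or cand.prio < best.prio):
                best = cand
        if not dbits:
            break
        node, dbits = node.child[dbits[0]], dbits[1:]
    return best, counter[0]


def lookup_set_pruning(root, dst, src):
    """Set-pruning trie: descend to the deepest dst node on the path, search only its src trie."""
    counter = [0]
    node, dbits = root, addr_bits(dst)
    while dbits and node.child[dbits[0]] is not None:
        node, dbits = node.child[dbits[0]], dbits[1:]
    best = search_src(node.sub, addr_bits(src), counter) if node.sub is not None else None
    return best, counter[0]


def count_nodes(node):
    n = 1
    for c in node.child:
        if c is not None:
            n += count_nodes(c)
    if node.sub is not None:
        n += count_nodes(node.sub)
    return n


# Constructed rule set; rule 4 is the default deny.
RULES = [
    Rule(0, "192.0.2.0/24",   "10.0.0.0/8",  "deny"),
    Rule(1, "192.0.2.0/24",   "10.1.0.0/16", "accept"),
    Rule(2, "192.0.0.0/16",   "0.0.0.0/0",   "accept"),
    Rule(3, "192.0.2.128/25", "10.1.5.0/24", "deny"),
    Rule(4, "0.0.0.0/0",      "0.0.0.0/0",   "deny"),
]


def classify(dst, src, rules=RULES):
    """Return (winning prio, visits) for backtracking search followed by the same for set pruning."""
    ht, spt = build_hierarchical(rules), build_set_pruning(rules)
    b, bv = lookup_backtracking(ht, dst, src)
    s, sv = lookup_set_pruning(spt, dst, src)
    return b.prio, bv, s.prio, sv


if __name__ == "__main__":
    for dst, src in [("192.0.2.200", "10.1.5.7"), ("192.0.2.5", "172.16.1.1"), ("198.51.100.1", "10.1.1.1")]:
        print(dst, src, classify(dst, src))
    print("nodes:", count_nodes(build_hierarchical(RULES)), count_nodes(build_set_pruning(RULES)))
```

Both structures return the same winning rule for every packet. For the first packet the backtracking lookup has to search four source tries and visits more nodes than the set-pruning lookup, while the set-pruning trie holds more nodes in total because rules are replicated down the destination trie: this is the time-versus-storage trade-off the passage above refers to.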
Check Point, one of the leading security device manufacturers, launched new modular, centrally managed software blades for Security Gateways that tailor targeted network security solutions to specific business security needs. Firewall, intrusion prevention, web security, anti-malware and other security gateway software blades can be combined into a customized solution [70]. Alternatively, Check Point Security Gateway Systems are turnkey appliances configured with pre-defined bundles of security gateway software blades to produce comprehensive network security solutions for a wide range of company sizes and network environments.
The differences between a software and a hardware firewall are vast, and the best protection for a computer and network is to use both, as each offers different but much-needed security features and benefits. Updating the firewall and the operating system is essential to maintaining optimal protection, as is testing the firewall to ensure it is connected and working correctly.
In the end there is no fundamental difference in purpose between hardware and software firewalls: they both do the same task. Both act as barriers between the Internet and the computer and help protect it from anything harmful arriving over the outside connection. The choice between them is largely a matter of preference, but it deserves some thought [101, 102, 103, 104, 105]. The minimum one should do to protect a computer is to have a hardware firewall in place; the ease of setting it up and the range of protection for various numbers of computers make it an obvious choice. To improve the protection, adding a software firewall can eliminate most if not all incoming or outgoing harmful material from the Internet. Although more configuration is required with a software firewall, it gives the user more flexibility and control. Ideally, one would have both hardware and software firewalls, as together they give good protection from the Internet.
This hardware-based firewall offers the advantage of speed over a software firewall, in
addition to direct interfacing with network devices such as an Ethernet or a serial line
transceiver. A firewall's complexity and processing time increase with the size of its rule
set. Empirical studies show that as the rule set grows larger, the power consumption and
delay time for processing IP packets, particularly on hardware firewalls, increase sharply,
and therefore the performance of the firewall decreases proportionally. The researchers
S. Ezzati and H.R. Naji present a new FPGA-based firewall with high performance, high
processing speed, low power consumption, and low space utilization [8]. They use the
embedded memories of the FPGA instead of external memories, to increase the processing
speed and to reduce the volume of signalling and the noise created on the connection
between the FPGA and external memories. Besides that, they applied the pipelining
technique to the architecture to achieve high processing speed along with low power
consumption.
Various approaches have been carried out by various researchers to build speed-, space-
and power-efficient systems. The most common solutions to achieve high-performance
NIDS rely on hardware-based components. For example, Application Specific Integrated
Circuit (ASIC) appliances can inspect high traffic throughput [71, 72, 73], but they do not
represent an exhaustive solution to scalability. Moreover, ASIC appliances are characterized
by high costs and low flexibility. Similar problems affect other hardware-based
architectures, such as FPGAs [74, 75] and Network Processors (NP) [91, 92].
For some applications, the patterns of interest are limited to a finite set of constant
strings, but in other cases they may vary, and different ideas have been implemented for
these. One idea for reducing resources while maintaining high throughput suggests
factoring out common logic and using attached, fast memory to trade logic for lookups [9].
D. Pnevmatikatos et al. tried another idea of using pipelining to search concurrently for
matches at various offsets in the data stream [11]. Automata-based approaches use state in
place of combinational logic to track matches in progress. One of the approaches deploys a
state-based algorithm (due to Knuth-Morris-Pratt) in hardware, but this approach does not
scale for high throughput on a given data stream, nor does it take advantage of
commonality among strings in the pattern set [51]. A similar approach [55] pipelines the
algorithm and proves that a buffer of modest size allows their design to consume one byte
per cycle without stalling.
L. Tan and T. Sherwood suggest another interesting approach of splitting a byte stream
into eight bit-streams, with an (Aho-Corasick) automaton relegated to finding matches on
each bit-stream [56]. This idea reduces the fanout from each state (from up to 256 to just
2), but the throughput is scaled only by increasing the clock rate. M. Aldwairi's approach
[57], which is also based on the Aho-Corasick algorithm, reorganizes the state tables to
decrease access time and shows correspondingly improved throughput, but with an ingest
rate of just one byte per cycle. Strings can also be found using hashing techniques; one
source [58] suggests a circuit based on Bloom filters to control the false-positive rate. The
above approaches make progress in reducing resources or improving throughput for pattern
matching based on sets of constant strings.
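The bit-split idea described above, one binary-alphabet Aho-Corasick automaton per bit position whose partial-match vectors are combined across the eight machines, as an added Python illustration that is not code from this thesis or from Tan and Sherwood's paper; the signature set and the input bytes are constructed samples.

```python
from collections import deque

def build_automaton(bit_patterns):
    """Aho-Corasick automaton over {0, 1} for one bit position: goto[s] has
    just two exits per state (not up to 256); out[s] is the set of pattern
    ids whose bit-projection ends in state s (its partial-match vector)."""
    goto, out = [[None, None]], [set()]
    for pid, bits in enumerate(bit_patterns):        # trie of bit-projections
        s = 0
        for b in bits:
            if goto[s][b] is None:
                goto[s][b] = len(goto)
                goto.append([None, None])
                out.append(set())
            s = goto[s][b]
        out[s].add(pid)
    fail, queue = [0] * len(goto), deque()           # failure links by BFS
    for b in (0, 1):
        if goto[0][b] is None:
            goto[0][b] = 0
        else:
            queue.append(goto[0][b])
    while queue:
        s = queue.popleft()
        for b in (0, 1):
            t = goto[s][b]
            if t is None:                            # fold the failure link in
                goto[s][b] = goto[fail[s]][b]
            else:
                fail[t] = goto[fail[s]][b]
                out[t] |= out[fail[t]]
                queue.append(t)
    return goto, out

def bit_split_search(patterns, data):
    """Report (end_offset, pattern) for every occurrence of a pattern in data.
    Bit i of each byte drives machine i; a hit needs all eight partial-match
    vectors to agree, which is exact since bytes are equal iff all bits are."""
    machines = [build_automaton([[(c >> i) & 1 for c in p] for p in patterns])
                for i in range(8)]
    states, hits = [0] * 8, []
    for pos, byte in enumerate(data):
        for i, (goto, _) in enumerate(machines):     # advance all eight machines
            states[i] = goto[states[i]][(byte >> i) & 1]
        matched = set.intersection(*(out[s] for (_, out), s in zip(machines, states)))
        hits.extend((pos, patterns[pid]) for pid in sorted(matched))
    return hits

def naive_search(patterns, data):                    # byte-level reference check
    return sorted((j + len(p) - 1, p) for p in patterns
                  for j in range(len(data) - len(p) + 1) if data[j:j + len(p)] == p)

if __name__ == "__main__":
    sigs = [b"he", b"she", b"his", b"hers"]          # constructed sample signatures
    print(bit_split_search(sigs, b"ushers his"))     # [(3, b'he'), (3, b'she'), (5, b'hers'), (9, b'his')]
```

Every state of every machine has exactly two exits, which is the fanout reduction the text describes; the intersection step is what keeps the per-bit matches from producing false positives.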
A detailed literature review pertaining to firewall technology has been presented in this
chapter. As is evident from the review, firewall technology is essentially interdisciplinary
and still an open problem in view of the growing epidemic of attacks on computer
networks. The technology has progressed through many generations and has finally come
to a stage wherein reconfiguration has become an obligatory feature. Though there are
many reported instances of firewalls in the FPGA paradigm, very few have come to the
stage of successful deployment. Further, these approaches are still limited to the domain of
expertise of the hardware community and therefore lack the advantages of the algorithms
which could be well implemented in the soft computing domain. Further, there is no
instance of hardware-software codesign to synergize the positive aspects of the two.
These gaps identified from the literature review pave the way for our work towards the
implementation of CAM, and further towards synergistic hardware-software codesign
issues in relation to firewalls.
References
1. Florian Braun, John Lockwood, Marcel Waldvogel. Layered Protocol Wrappers for
Internet Packet Processing in Reconfigurable Hardware. WUCS-01-10, Department of
Computer Science, Applied Research Lab, Washington University, July 2001.
2. Hamish Fallside and Michael J. S. Smith. Internet connected FPL. In Proceedings
of Field-Programmable Logic and Applications, pages 48–57, Villach, Austria,
August 2000.
3. Gaudin, S. 2003. Virus Damage Worst on Record for August 2003. Cyber Atlas.
4. Allen, J., Christie, A., Fithen, W., McHugh, J., Pickel, J., and Stoner, E. 2001. “Code
Red” Worm Exploiting Buffer Overflow In IIS Indexing Service DLL. Tech. rep.,
Carnegie Mellon, Software Engineering Institute, Aug.
5. Karthik Lakshminarayanan, Daniel Adkins, Adrian Perrig, Ion Stoica. Taming IP Packet
Flooding Attacks. UC Berkeley, sponsored and funded by NSF under grant numbers
Career Award ANI-0133811 and ITR Award ANI-0085879.
6. Vern Paxson, Krste Asanovic, Sarang Dharmapurikar, John Lockwood, Ruoming
Pang, Robin Sommer, Nick Weaver. Rethinking Hardware Support for Network
Analysis and Intrusion Prevention. USENIX First Workshop on Hot Topics in
Security (HotSec), Vancouver, B.C., July 31, 2006.
7. Kayssi, A.; Harik, L.; Ferzli, R.; Fawaz, M. “FPGA-based Internet protocol
firewall chip”, The 7th IEEE International Conference on Electronics, Circuits and
Systems (ICECS 2000), 2000.
8. Ezzati, S.; Naji, H.R.; Chegini, A.; HabibiMehr, P. “A new method of hardware
firewall implementation on SOC”, IEE International Conference 2010, Internet
Technology and Secured Transactions (ICITST), pp. 1–7.
9. Y. Cho and W. Mangione-Smith. Deep packet filter with dedicated logic and read
only memories. In IEEE Symposium on Field-Programmable Custom Computing
Machines, April 2004.
10. Frederic Avolio (Avolio Consulting). Firewalls and Internet Security, the Second
Hundred (Internet) Years. The Internet Protocol Journal,
http://www.cisco.com/web/about/ac123/ac147/ac174/ac200/about_cisco_ipj_archive_article09186a00800c85ae.html
11. I. Sourdis and D. Pnevmatikatos. “Fast, large-scale string match for a 10gbps
FPGA-based network intrusion detection system”, In Proceedings of 13th
International Conference on Field Programmable Logic and Applications, 2003.
12. L. Qiu, G. Varghese, and S. Suri. “Fast Firewall Implementations for Software and
Hardware-based Routers.” Proceedings of 9th International Conference on Network
Protocols (ICNP’2001), November 2001.
13. V. Srinivasan, S. Suri and G. Varghese. “Packet Classification Using Tuple Space
Search.” Computer ACM SIGCOMM Communication Review, October 1999.
14. T. Woo. “A Modular Approach to Packet Classification: Algorithms and Results.”
Proceedings of IEEE INFOCOM’00, March 2000.
15. D. Chapman and E. Zwicky. Building Internet Firewalls, Second Edition, O'Reilly &
Associates Inc., 2000.
16. W. Cheswick and S. Bellovin. Firewalls and Internet Security, Addison-Wesley,
1995.
17. “Cisco Secure Policy Manager 2.3 Data Sheet.”
http://www.cisco.com/warp/public/cc/pd/sqsw/sqppmn/prodlit/spmgr ds.pdf
18. “Check Point Visual Policy Editor Data Sheet.”
http://www.checkpoint.com/products/downloads/vpe datasheet.pdf
19. Ehab Al-Shaer and Hazem Hamed, “Taxonomy of Conflicts in Network Security
Policies”, IEEE Communications Magazine, Vol. 44, No. 3, March 2006
20. Lopamudra Roychoudhuri, Ehab Al-Shaer and Gregory B. Brewster, “On the
Impact of Loss and Delay Variation on Internet Packet Audio Transmission.” In
Journal of Computer Communications, Volume 28, 2005.
21. Lopamudra Roychoudhuri and Ehab Al-Shaer, “Real-Time Packet Loss Prediction
based on End-to-end Delay Variation.” In IEEE Transactions on Network and
System Management (TNSM), Volume 2, No. 1, November 2005.
22. Ehab Al-Shaer, Hazem Hamed, Raouf Boutaba and Masum Hasan, “Conflict
Classification and Analysis of Distributed Firewall Policies.” In IEEE Journal on
Selected Areas in Communications (JSAC), Volume 23, Issue 10, October 2005.
(Nominated for Best JSAC Paper Award for year 2005)
23. Hazem Hamed and Ehab Al-Shaer, “Dynamic Rule-ordering Optimization for
High-speed Firewall Filtering”, ACM Symposium on Information, Computer and
Communications Security (ASIACCS'06), March 2006.
24. Korosh Golnabi, Richard Min, Latifur Khan, Ehab Al-Shaer, “Analysis of Firewall
Policy Rule Using Data Mining Techniques”, In the 10th IEEE/IFIP Network
Operations and Management Symposium (NOMS 2006), April 2006.
25. Mitchell, T.M., Machine Learning. 1997, Sydney: McGraw-Hill.
26. Piatetsky-Shapiro, G., Discovery, analysis, and presentation of strong rules.
Knowledge Discovery in Databases, 1991: p. 229-248.
27. Webb, G.I. Discovering Associations with Numeric Variables. In Proceedings of
the International Conference on Knowledge Discovery and Data Mining. 2001:
ACM Press.
28. S. Cobb. “ICSA Firewall Policy Guide v2.0.” NCSA Security White Paper Series,
1997.
29. Z. Fu, F. Wu, H. Huang, K. Loh, F. Gong, I. Baldine and C. Xu. “IPSec/VPN
Security Policy: Correctness, Conflict Detection and Resolution.” Proceedings of
Policy’2001 Workshop, January 2001.
30. B. Hari, S. Suri and G. Parulkar. “Detecting and Resolving Packet Filter Conflicts.”
Proceedings of IEEE INFOCOM’00, March 2000.
31. S. Hazelhurst. “Algorithms for Analyzing Firewall and Router Access Lists.”
Technical Report TRWitsCS-1999, Department of Computer Science, University of
the Witwatersrand, South Africa, July 1999.
32. T. Woo. “A Modular Approach to Packet Classification: Algorithms and Results.”
Proceedings of IEEE INFOCOM’00, March 2000.
33. Young H. Cho, Shiva Navab, William H. Mangione-Smith. Specialized Hardware for
Deep Network Packet Filtering (2002), at
http://citeseer.ifi.unizh.ch/cho02specialized.html
34. P.W. Dowd, J.T. McHenry, F.A. Pellegrino, T.M. Carrozzi and W.B. Cocks, “An
FPGA-Based Coprocessor for ATM Firewalls,” Proceedings of the IEEE
Symposium on FPGAs for Custom Computing Machines (FCCM97), April 1997.
35. O. Paul, M. Laurent, S. Gombault (ENST), C. Duret, H. Guesdon, V. Laspreses,
J. Lattman, J. Le Moal, P. Rolin, J-L. Simon. “Design and Implementation of a Full
Bandwidth ATM Firewall”, at http://www-lor.int-evry.fr/~paul_o/tissec01.pdf
36. Iliopoulos, M. and Antonakopoulos, T. 2000. Reconfigurable network processors
based on field programmable system level integrated circuits. In 10th Conference
on Field Programmable Logic and Applications. Springer-Verlag, Villach, Austria,
39–47.
37. Braun, F., Lockwood, J., and Waldvogel, M. 2001. Reconfigurable router modules
using network protocol wrappers. In 11th Conference on Field Programmable Logic
and Applications. Springer-Verlag, Belfast, Northern Ireland, 254–263.
38. Fallside, H. and Smith, M. J. 2000. Internet connected FPL. In 10th Conference on
Field Programmable Logic and Applications. Springer-Verlag, Villach, Austria, 48–
57.
39. Braun, F., Lockwood, J., and Waldvogel, M. 2002. Protocol wrappers for layered
network packet processing in reconfigurable hardware. IEEE Micro 22, 1 (Jan.),
66–74.
40. Dowd, P. W., McHenry, J. T., Pellegrino, F. A., Carrozzi, T. M., and Cocks, W.
1997. An FPGA-Based Coprocessor for ATM Firewalls. In Proceedings of the
IEEE Symposium on FPGA’s for Custom Computing Machines. IEEE, Napa
Valley, CA.
41. Sinnappan, R. and Hazelhurst, S. 2001. A Reconfigurable Approach to Packet
Filtering. In 11th International Conference on Field Programmable Logic and
Applications. Springer-Verlag, Belfast, Northern Ireland.
42. Sivilotti, R., Cho, Y., Su, W., Cohen, D., and Bray, B. 1998. Scalable Network
Based FPGA Accelerators for an Automatic Target Recognition Application. In
62. Personal Firewall Software Review 2011 - TopTenREVIEWS. Web. 27 May 2011.
<http://personal-firewall-software-review.toptenreviews.com/>.
63. White, Lee, Khaled Jaber, Brian Robinson, and Václav Rajlich. "Extended Firewall
for Regression Testing: an Experience Report." Journal of Software Maintenance
and Evolution: Research and Practice 20.6 (2008): 419-33.
64. Pozo, S., R. Ceballos, and R.M. Gasca. "Model-Based Development of Firewall
Rule Sets: Diagnosing Model Inconsistencies." Information and Software
Technology 51.5 (2009): 894-915.
65. "Free Firewall Software – Sunbelt Personal Firewall." Endpoint Protection,
Antivirus Software, Email & Anti-Malware Protection - GFI Software. Web. 27
May 2011.
<http://www.sunbeltsoftware.com/Home-Home-Office/Sunbelt-Personal-Firewall/>.
66. "The Differences and Features of Hardware & Software Firewalls -
Webopedia.com." Webopedia: Online Computer Dictionary for Computer and
Internet Terms and Definitions. Web. 27 May 2011.
<http://www.webopedia.com/DidYouKnow/Hardware_Software/2004/firewall_types.asp>.
67. Kumar, N., K. Mohan, and R. Holowczak. "Locking the Door but Leaving the
Computer Vulnerable: Factors Inhibiting Home Users' Adoption of Software
Firewalls." Decision Support Systems 46.1 (2008): 254-64.
68. CERT/CC, 2004 E-Crime Watch Survey: Summary of Findings, CSO Magazine
and Computer Emergency Response Team/Coordination Center, Carnegie Mellon
Software Engineering Institute, 2004.
69. Robert N. Smith, Yu Chen, Sourav Bhattacharya, “Cascade of Distributed and
Cooperating Firewalls in a Secure Data Network”, IEEE Transactions on
Knowledge and Data Engineering, Volume 15, Issue 5, September 2003.
70. Check Point Security Gateways,
http://www.checkpoint.com/products/index.html#gateways, Web. 27 May 2011.
71. Michele Colajanni, Mirco Marchetti (2006). A Parallel Architecture for Stateful
Intrusion Detection in High Traffic Networks. MonAM 2006 Workshop, IEEE /
142. B. Hari, S. Suri and G. Parulkar. “Detecting and Resolving Packet Filter
Conflicts.” Proceedings of IEEE INFOCOM’00, March 2000.
143. Y. Bartal, A. Mayer, K. Nissim and A. Wool. “Firmato: A Novel Firewall
Management Toolkit.” Proceedings of 1999 IEEE Symposium on Security and
Privacy, May 1999.
144. A. Mayer, A. Wool and E. Ziskind. “Fang: A Firewall Analysis Engine.”
Proceedings of 2000 IEEE Symposium on Security and Privacy, May 2000.
145. A. Wool. “Architecting the Lumeta Firewall Analyzer.” Proceedings of 10th
USENIX Security Symposium, August 2001.
146. Ehab S. Al-Shaer and Hazem H. Hamed. “Modeling and Management of
Firewall Policies.” IEEE Transactions on Network and Service Management,
Volume 1, Issue 1, April 2004, pp. 2–10.