
Chapter 2: Literature Survey

CHAPTER 2
LITERATURE SURVEY

In an era of proliferation of computer networks and the rise of internet-based
communication, networking devices such as switches and routers have become obligatory
entities in any organization. Nevertheless, the positive aspects of computer networks,
such as information sharing and the ease of voluminous data transfer, have been
overshadowed by negative aspects such as hacking and cracking attacks, which pose serious
security problems. As a countermeasure to such nuisances, security devices have emerged
on the networking canvas. The firewall is one such device, employed in almost every
network for security purposes. Over the roughly three decades of the networking
industry's existence, firewall technology has been realized on various implementation
platforms. Traditionally it was implemented as hardware and/or software, and many
commercial vendors came out with such devices. However, with the widespread and
diversified nature of attacks, there has been a constant need to reconfigure these devices
and to keep them abreast of present gigabit network technology. The latency implications,
together with the need for rapid reconfiguration and deployment, can only be addressed
with state-of-the-art FPGA based solutions. Embedding reconfigurable networking
technology and the emerging Network on Chip (NoC) paradigm within the hub of the
Internet thus offers superior levels of performance to users of the network. Since many
aspects of this development are still regarded as open problems, a good number of
research groups are working on this theme. A review of that work is put forth in this
chapter.

2.1 Network Security: An Interdisciplinary Subject Area

Computer security is an established field of Computer Science of both theoretical
and practical significance. In recent years, there has been increasing interest in logic-based
foundations for various methods in computer security, including the formal specification,
analysis and design of cryptographic protocols and their applications; the formal definition
of various aspects of security such as access control mechanisms, mobile code security and
denial-of-service attacks; and the modeling of information flow and its application to
confidentiality policies, system composition, and covert channel analysis [112]. The
domain of computer security is thus truly interdisciplinary, and many researchers work in
this area. Moreover, security has turned out to be a major issue in today's communication
networks. This is only natural, as the security concerns of a networked machine are many
times more pronounced than those of an isolated one. Further, the performance pressures
on implementing effective network security monitoring are growing fiercely due to rising
traffic rates, the need to perform much more sophisticated forms of analysis, the
requirement for inline processing, and the collapse of Moore's law for sequential
processing. Given these growing pressures, it is time to fundamentally rethink the use of
hardware to support network security analysis [6]. There is thus vast scope for research
work in this paradigm.
Further, it is seen that improvements in firewall technology go hand-in-hand with
related subject areas such as mathematics, statistics, algorithms, data mining and soft
computing. The historical perspectives covered in the next section also evidence the same.

2.2 Firewalls Historical Perspectives and Generations

The term firewall originally referred to a wall intended to confine a fire or potential
fire within a building [113]. The term "firewall" has been in use since 1764, and its
meaning has not changed: firewalls stop or slow a hazardous event from spreading
between two locations. In the technology arena, the first use of the term "firewall" can be
traced to the late 1980s, when the Morris worm (the first large-scale Internet worm)
infiltrated NASA, U.C. Berkeley, Lawrence Livermore Laboratory and Stanford
University [106]. During those years the internet was still a fairly new technology in terms
of its global usage and connectivity. In 1988 an employee at the NASA Ames Research
Center in California sent a memo by email to his colleagues that read, "We are currently
under attack from an Internet VIRUS! It has hit Berkeley, UC San Diego, Lawrence
Livermore, Stanford, and NASA Ames." Although the memo called it a virus, the Morris
Worm was a self-propagating worm that spread by exploiting flaws in network services
(among them the sendmail debug mode and fingerd) rather than through e-mail, and
self-propagating malware of this kind is now a common nuisance for even the most casual
home user. The Morris Worm was the first large-scale attack on Internet security, one
which the online community neither expected nor was prepared for. The internet
community made it a top priority to prevent future attacks and began to collaborate on
new ideas, systems and software to make the internet safe again [115]; this is marked as
the birth of the 'firewall'.
The first paper published on firewall technology appeared in 1988, when Jeff Mogul
of Digital Equipment Corp. developed filter systems known as packet filter firewalls
[107]. This fairly basic system was the first generation of what would become a highly
evolved and technical internet security feature. Between 1989 and 1990 two colleagues
from AT&T Bell Laboratories, Dave Presotto and Howard Trickey, developed the second
generation of firewalls, known as circuit level firewalls. Publications by Gene Spafford of
Purdue University, Bill Cheswick at AT&T Laboratories and Marcus Ranum described a
third generation firewall, known as the application layer firewall. Marcus Ranum's work
on the technology spearheaded the creation of the first commercial product [108]. The
product was released by Digital Equipment Corporation (DEC), who named it SEAL.
DEC's first major sale was on June 13, 1991 to a chemical company based on the East
Coast of the USA.
Interestingly, at AT&T Bill Cheswick and Steve Bellovin were continuing their
research in packet filtering and developed a working model for their own company based
upon their original first-generation architecture. Further, in 1992, Bob Braden and Annette
DeSchon at the University of Southern California developed their own fourth generation
packet filter firewall system [113]. The product, known as "Visas", was the first system to
have a visual integration interface with colors and icons, which could be easily
implemented on and accessed from a computer operating system such as Microsoft's
Windows or Apple's Mac OS. In 1994 a US company called "Check Point" built this into
readily available software [114].
In 1996 the CERT Coordination Center received reports of programs that
launched denial-of-service attacks by creating a "UDP packet storm" either on a single
system or between two systems. An attack on one host causes that host to perform poorly.
An attack between two hosts causes extreme network congestion in addition to degraded
host performance. The recommended countermeasure was to disable and filter the echo
and chargen services, and to disable and filter other unused UDP services [94]. This led to
the development of the next generation of firewall technology. The fifth and final
generation of firewall was based on Kernel Proxy technology. This design is constantly
evolving, but its basic features and code are currently in widespread use in both
commercial and domestic computer systems. Cisco, one of the largest internet security
companies on a global scale, released such a product to the public in 1997, and it remains
one of the top sellers of internet firewall technology on the market [111]. With so many
generations and confusing specifications, choosing a firewall for a network can be a
difficult task, and security, capacity, flexibility and functionality need to be balanced in a
manner unique to that network.

2.3 Successions of Firewalls with Diversified Attack Types

As discussed in the previous section, firewall technology has passed through five
generations. Truly speaking, the technology was forced to upgrade to cater to the different
and diversified types of attacks encountered by network setups. Table 2.1 summarizes
various references reported in the literature regarding the different attack types.
Amongst the attacks summarized in Table 2.1, Denial of Service (DoS) is the single
greatest threat on the internet, as evidenced by recent assaults on commercial servers and
ISPs and the consequent disruption of their services [96]. DoS attacks consume resources
associated with various network devices, such as web servers, routers, firewalls and end
hosts, which impedes the efficient functioning and provisioning of services in accordance
with their intended purpose [97, 98, 99]. Their impact is more pronounced than that of
ordinary network congestion, because of the concentrated and targeted nature of the
resource depletion and clogging, which not only impacts quality of service (QoS) but can
affect the very availability of services [77, 82, 100]. Meadows's work on cost-based
analysis of DoS discusses how costs can be assigned to an attacker's actions using
categories such as cheap, medium, expensive and very expensive [129]. Susceptibility to
DoS is an intrinsic problem of any service provisioning system, albeit amplified in the
networked digital environment by speed and automation: at a minimum, every potentially
valid event (e.g., a service request or a TCP SYN packet) must be processed in order to
ascertain its validity. It is further reported in [130] that almost all of the tools used in the
distributed denial of service (DDoS) attacks on the Yahoo, Amazon, eBay and E-Trade
internet sites used ICMP for covert communication between the DDoS clients and the
attacker's handler program. Some of the most widely known DDoS attack tools, such as
Tribe Flood Network 2K (TFN2K) [131] and Stacheldraht, rely on ICMP tunneling to
establish communication channels between the compromised machines and the attacker's
machine. Since ICMP tunneling is very simple to deploy and can cause a significant
amount of damage, it has been classified as a high risk security threat by Internet Security
Systems [132] and SANS [133].

Table 2.1 Different types of attacks reported in the literature

Type of attack: DoS attacks [128]
Details: Denial of Service (hard to prevent, but these draw immediate attention to the
attacker). Example: flooding attacks, disassociation attacks

Type of attack: Disclosure attacks [127]
Details: Reading/revealing information. Example: MITM attacks

Type of attack: Modification attacks [120]
Details: Changing information. Example: "We just modified your home page!"

Type of attack: Escalation of privilege [90]
Details: The act of exploiting a bug, design flaw or configuration oversight in an
operating system or software application to gain elevated access to resources that are
normally protected from an application or user

Type of attack: Network security architectures [121, 122]
Details:
- Sniffing: password grabbing
- Brute force: password attempts
- Buffer overflows: httpd, ftpd, RPC/DCOM
- Spoofing attacks: forging IP/MAC addresses, etc.
- Flooding: SYN, UDP, ICMP flooding
- Redirection: using ICMP, ARP, STP; MITM attacks
- Malicious code (anti-virus scope): worms, viruses, Trojans
- Masquerading
- Social engineering

Type of attack: Eavesdropping attacks [123]
Details:
- get MAC address
- get IP address
- get base station address
- sniff clear-text passwords and keys
- crack password hashes
- crack WEP keys
- get SSIDs

Type of attack: DoS (Denial of Service) attacks
Details:
- Radio signal interference
- AP interference, example: steal MAC, steal IP
- Channel hogging
- Disassociation attacks
- Flooding packets
- ARP poisoning
- RST packets
- Window size changes
- UDP flooding
- ICMP flooding
- Broadcast flooding

Type of attack: Masquerade attacks [124]
Details: Pretending that you are someone else: MAC address spoofing; IP/MAC address
spoofing; DNS attacks; WPAD web proxy hijacking; website spoofing; portal spoofing

Type of attack: Phishing URLs [123]
Details: A fake version of the University of Oregon account login page: "Type your
password here"

Type of attack: Cell phone SMS scams [125]
Details: SMS phone messages saying: "Call this number at once about your bank account!"

Type of attack: Man-in-the-middle attacks [126]
Details:
- Usually a combination of more than one type of attack at once
- Can involve ARP poisoning, ARP masquerading and forwarding
- Can also include masquerading as a website

Given the emerging scenario referred to above, it is reported that the current trend in
the IT security industry of moving from software solutions to appliance-based solutions
has shifted the emphasis in, for example, the firewall industry, which in some instances
now provides IDS and IPS as part of its solutions [134]. In our work too we have resorted
to an appliance-based firewall solution on the FPGA platform.


2.4 Major Architectural Trends Pertaining to Firewalls

The first network firewalls appeared in the late 1980s and were architecturally
similar to the routers used to separate a network into smaller LANs. The first security
firewalls were used in the early 1990s. They were IP routers with filtering rules. The first
security policy was something like the following: allow anyone "in here" to access "out
there", and keep anyone (or anything I don't like) "out there" from getting "in here". These
firewalls were effective, but limited [11]. It was often very difficult to get the filtering rules
right, for example. In some cases it was difficult to identify all the parts of an application
that needed to be restricted; in other cases people would move around and the rules would
have to be changed.
The next security firewalls were more elaborate and more tunable. There were
firewalls built on so-called bastion hosts. Probably the first commercial firewall of this
type, using filters and application gateways (proxies), was from Digital Equipment
Corporation and was based on the DEC corporate firewall. Brian Reid and the engineering
team at DEC's Network Systems Lab in Palo Alto originally invented the DEC firewall.
The first commercial firewall [116] was configured for and delivered to the first customer,
a large East Coast-based chemical company, on June 13, 1991. During the next few
months, Marcus Ranum at Digital invented security proxies and rewrote much of the rest of
the firewall code. The firewall product was produced and dubbed DEC SEAL (for Secure
External Access Link). The DEC SEAL was made up of an external system called
Gatekeeper, the only system the Internet could talk to; a filtering gateway called Gate; and
an internal Mailhub.

2.5 Firewalls Catering to Different Protocols:

Nowadays the need for a firewall for the security of any computer network has
increased significantly. Machines and networks connected to the internet are now
frequently attacked by malicious machines around the world. They can be protected from
those attacks by denying access to those machines through a firewall. The harm done by
attacks can be reduced by limiting the rate of unwanted traffic or by dropping harmful
packets. A firewall can manage the protocols, that is, the conventions by which programs
communicate with the services running on a computer. An attacker can try to use these
protocols, for example FTP (file transfer protocol), to gain access to a computer for
malicious activity. Network protocols are organized in layers; IP packets are routed
through multiple, physically separated networks by the network layer. Components have
been developed for the FPX (Field Programmable Port Extender) that allow applications to
handle data on several protocol layers [1]. Similar circuits are used for ATM to implement
IP over Ethernet in such systems [2].
Jun Li, Jelena Mirkovic et al. (2002) developed the Source Address Validity
Enforcement (SAVE) protocol to enable routers to check source address validity [95].
SAVE is incoming-table-based filtering, which filters packets that carry forged source
addresses. In this approach, a router on the internet builds an incoming table that specifies
the correct incoming interface for a given source address, even when asymmetric routing
is present. When a packet arrives on an interface, the router consults its incoming table to
determine whether the packet has come from the proper direction; the protocol handles
cases of asymmetric routing correctly. It was demonstrated through simulation that the
incoming table built by the protocol properly detects forged IP addresses, except during
transient periods following routing changes [110]. The incoming table produced by the
SAVE protocol can be used for purposes other than filtering: valid incoming interface
information is also beneficial for many techniques that currently assume symmetric routing
and forward packets on non-optimal routes.
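The incoming-table check described above, as an added illustration that is not the SAVE authors' code: a router holds a table of source prefix to expected interface, with longest prefix winning so that an asymmetrically routed subnet can override the entry for its covering prefix, and drops any packet whose source arrives on a different interface. The topology, the table entries and the packets are constructed; the table is populated directly rather than learned through SAVE's update messages, which the example does not implement.

```python
"""Incoming-table based source address filtering in the style of SAVE.
Added illustration: the table is filled in directly from a constructed
topology instead of being learned from SAVE update messages."""
from ipaddress import ip_address, ip_network
from collections import namedtuple

Packet = namedtuple("Packet", "src dst iface")

class IncomingTable:
    """Maps source prefixes to the interface packets from them must arrive on.
    Longest prefix wins, so a specific entry can record an asymmetric route
    that differs from its covering prefix."""
    def __init__(self, mapping):
        self._entries = sorted(
            ((ip_network(prefix), iface) for prefix, iface in mapping.items()),
            key=lambda e: e[0].prefixlen, reverse=True)

    def expected_iface(self, src):
        addr = ip_address(src)
        for net, iface in self._entries:
            if addr in net:
                return iface
        return None

    def accept(self, pkt):
        """True only if the packet's source arrived on the expected interface.
        A source with no entry is rejected (fail closed)."""
        expected = self.expected_iface(pkt.src)
        return expected is not None and expected == pkt.iface

def filter_packets(table, packets):
    """Split a batch into (accepted, dropped)."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if table.accept(pkt) else dropped).append(pkt)
    return accepted, dropped

# Constructed topology for router R: eth0 faces 10.1.0.0/16, eth1 faces
# 10.2.0.0/16, eth2 faces the rest of the Internet. Routing is asymmetric for
# 10.2.5.0/24, whose traffic legitimately reaches R over eth2.
TABLE = IncomingTable({
    "10.1.0.0/16": "eth0",
    "10.2.0.0/16": "eth1",
    "10.2.5.0/24": "eth2",
    "0.0.0.0/0":   "eth2",
})

# Constructed packets: (source, destination, interface the packet arrived on).
SAMPLE = [
    Packet("10.1.3.4",    "10.2.0.9", "eth0"),   # internal host, right direction
    Packet("10.1.3.4",    "10.2.0.9", "eth2"),   # internal address from outside: forged
    Packet("10.2.5.7",    "10.1.0.1", "eth2"),   # asymmetric route, legitimate
    Packet("10.2.5.7",    "10.1.0.1", "eth1"),   # the /16 direction, but the /24 says eth2: forged
    Packet("203.0.113.5", "10.1.0.1", "eth2"),   # external host, right direction
]

if __name__ == "__main__":
    accepted, dropped = filter_packets(TABLE, SAMPLE)
    for pkt in dropped:
        print("drop", pkt.src, "arrived on", pkt.iface,
              "expected", TABLE.expected_iface(pkt.src))
```

The transient-period caveat from the simulation results maps directly onto this table: after a routing change the entry for 10.2.5.0/24 is stale until the router learns the new direction, and legitimate packets from that subnet are dropped in the meantime. Without the default 0.0.0.0/0 entry the filter is fail-closed, which is the safer choice on an internal interface and the wrong one on a transit link.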
The series of malicious worm attacks such as "MS Blaster" and "SoBig.F" caused
tremendous economic damage worldwide; SoBig.F alone caused an estimated $29.7 billion
in damage [3]. Most built-in firewalls have the ability to examine packet headers, but
hidden application level attacks go undetected and pass through those firewalls, since
application level attacks are usually hidden in the packet payload rather than the headers
[4]. IP packet flooding is one of the major problems that congest a network link. The host
is unable to stop the packets addressed to it, and the IP router arbitrarily drops packets in
response to the overload. To cope with this, a host may reject new connections and so
avoid overload. Such a flooding attack can be controlled by assigning priorities to some
services and providing a lower quality of service rather than rejecting the request outright
(service degradation) [5].


2.6 Rules Management in a Firewall:

The literature survey reveals that researchers have rated firewall security as the
most focal issue. The emphasis was found to be mostly on filtering performance issues
[13-15]. On the other hand, a few related works [16, 17] attempt to address only one of the
conflict problems, namely rule correlation in filtering policies. Other approaches [18, 19]
propose using a high-level policy language to define and analyze firewall policies and
then map this language to filtering rules. Although using such high-level languages might
avoid rule anomalies, they are not practical for the most widely used firewalls, which
contain low-level filtering rules, simply because redefining already existing policies in a
high-level language requires far more effort than analyzing the existing rules with a
stand-alone tool such as the Firewall Policy Advisor.

Effective mitigation of DoS attacks is a pressing problem on the internet. In many
instances DoS attacks can be countered if a spoofed source IP address is traced back to its
origin, which allows penalties to be assigned to the offending party or the compromised
hosts and domains to be isolated from the rest of the network. Kihong Park and Heejo Lee
[78] studied IP traceback mechanisms based on probabilistic packet marking (PPM) for
achieving traceback of DoS attacks. They report that probabilistic packet marking is of
interest because of its efficiency and implementability compared with deterministic packet
marking and logging or messaging based schemes, but that it suffers when the attacker
spoofs the marking field in the IP header, which can impede traceback by the victim.
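The marking-and-reconstruction mechanism that PPM relies on, together with the spoofed-marking-field weakness noted above, as an added simulation that is not Park and Lee's code: it implements the edge-sampling variant of PPM, in which every router overwrites a (start, end, distance) marking field with probability p and otherwise completes the edge and increments the distance, and a victim rebuilds the path from the marks it has collected. The five-router path, the marking probability and the attacker's forged initial field are constructed; the example assumes the attacker's forgery is carried in the same three-tuple the routers use.

```python
"""Edge-sampling probabilistic packet marking (PPM) and path reconstruction.
Added example: a constructed path of five routers, a victim that collects
marks, and an attacker who pre-fills the marking field to inject a fake hop."""
import random

# Constructed path from the attacker's network to the victim, in forwarding order.
PATH = ["R1", "R2", "R3", "R4", "R5"]

def mark_packet(path, p, rng, initial=(None, None, 0)):
    """Run one packet along `path`. Each router overwrites the (start, end,
    distance) field with probability p; otherwise it completes the edge if the
    field was just written (distance == 0) and increments the distance.
    `initial` is whatever the sender put in the field (an attacker may forge it)."""
    start, end, distance = initial
    for router in path:
        if rng.random() < p:
            start, end, distance = router, None, 0
        else:
            if distance == 0:
                end = router
            distance += 1
    return (start, end, distance)

def collect_marks(path, p, n_packets, seed, forged=None):
    """Victim-side view: the marking fields of n_packets packets. If `forged`
    is given, the attacker initialises every packet's field with it."""
    rng = random.Random(seed)
    initial = forged if forged is not None else (None, None, 0)
    return [mark_packet(path, p, rng, initial) for _ in range(n_packets)]

def reconstruct(marks, hops):
    """Rebuild up to `hops` routers outward from the victim. The edge marked at
    distance d links the router d hops from the victim to the one d-1 hops
    away, so consecutive edges must chain; when no unique continuation exists
    the reconstruction stops. Returns the path in forwarding order."""
    by_dist = {}
    for start, end, d in marks:
        if start is None:        # field never written by a router or a forger
            continue
        by_dist.setdefault(d, set()).add((start, end))
    path = []
    nearer = None                # the router one hop closer to the victim
    for d in range(hops):
        candidates = [s for s, e in by_dist.get(d, ()) if e == nearer]
        if len(candidates) != 1:
            break
        path.append(candidates[0])
        nearer = candidates[0]
    return path[::-1]

# Forged field: start="EVIL", distance=0. Routers that do not re-mark will
# "complete" this fake edge as (EVIL, R1) and keep counting, so it reaches the
# victim only when no router on the path marks, and then with distance == len(PATH).
FORGED = ("EVIL", None, 0)

if __name__ == "__main__":
    marks = collect_marks(PATH, 0.04, 2000, seed=7, forged=FORGED)
    print("with true hop count :", reconstruct(marks, len(PATH)))
    print("one hop too many    :", reconstruct(marks, len(PATH) + 1))
```

The run shows the limit of the spoofing problem for this variant: a forged mark can only survive unmodified when no legitimate router marks the packet, and it then carries a distance equal to the real path length, so the attacker cannot insert a fake router inside the true path but can append one beyond its own first hop. A victim that bounds the reconstruction by the hop count inferred from the TTL stops at R1; one that does not will report the fabricated router "EVIL".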

Further work on managing firewall rules, particularly in multi-firewall enterprise
networks, has been reported by many authors [20-25]. They report a methodology for
writing firewall filtering rules systematically, ordering them and distributing them
carefully in order to avoid firewall policy anomalies that might leave the network
vulnerable. The authors have identified all the anomalies that could exist in a single- or
multi-firewall environment and presented a set of techniques and algorithms to
automatically discover policy anomalies in centralized and distributed firewalls. These
techniques are implemented in a software tool named the "Firewall Policy Advisor",
which simplifies the management of filtering rules and maintains the security of
next-generation firewalls.


2.7 Current Approaches for Rules Management in Firewalls

In recent years firewalls have seen some impressive technological advances (e.g.,
stateful inspection, transparency, performance) and wide-spread deployment. In contrast,
firewall and security management technology is lacking.
Management of firewall rules has proven to be complex, error-prone, costly and
inefficient for many large networked organizations. These firewall rules are mostly
custom-designed and hand-written, and thus in constant need of tuning and validation due
to the dynamic nature of traffic characteristics, the ever-changing network environment and
its market demands. This problem has been addressed by a number of researchers [26-30].
An ordered binary decision diagram is used as a model to optimize packet classification in
[26]. Another model, using tuple space, is developed in [27]; it combines a set of filters in
one tuple stored in a hash table. The model in [28] uses bucket filters indexed by search
trees. Multi-dimensional binary trees are also used to model filters [25]. In [26] a
geometric model is used to represent 2-tuple filtering rules. However, these models were
designed particularly to optimize packet classification in high-speed networks and are too
complex to use for firewall policy analysis.

Yair Bartal and Alain Mayer [100] presented "Firmato", a firewall management
toolkit for successful firewall management at an appropriate level of abstraction, with the
following distinguishing properties and components:

- an entity-relationship model capturing global knowledge of the security policy and of
the network topology;
- a model definition language, used as an interface to define an instance of the
entity-relationship model;
- a model compiler, translating the global knowledge of the model into firewall-specific
configuration files;
- a graphical firewall rule illustrator.


Today, even a moderately sized corporate intranet contains multiple firewalls and
routers, all of which are used to enforce various aspects of the global corporate security
policy. Configuring these devices to work in unison is difficult, especially if they are made
by different vendors. Even testing or reverse-engineering an existing configuration is hard.
Firewall configuration files are written in low-level formalisms whose readability is
comparable to assembly code, and the global policy is spread over all the firewalls
involved. To minimize some of these difficulties, Alain Mayer and Avishai Wool designed
and implemented a novel firewall analysis tool, "Fang", which allows the administrator to
easily discover and test the global firewall policy [79]. The tool uses a minimal description
of the network topology and directly parses the various vendor-specific low-level
configuration files. It interacts with the user through a query-and-answer session conducted
at a much higher level of abstraction. Gregory R. described a prototype self-securing
network interface (NI) for detecting such things as TTL abuse, fragmentation abuse, "SYN
bomb" attacks, and random-propagation worms like Code Red [80].

Existing tools for analyzing firewall configurations usually rely on hard-coded
algorithms for analyzing access lists. Pasi Eronen and Jukka Zitting presented a tool based
on constraint logic programming (CLP) which allows the user to write higher-level
operations for detecting common configuration mistakes [81]. The tool understands Cisco
router access lists and is implemented using ECLiPSe, a constraint logic programming
system. The problem of analyzing firewall configurations lends itself quite naturally to
solution by an expert system.

For proper configuration of both firewalls and NIDSs it is necessary to use several
sets of filtering and alerting rules. Nevertheless, the existence of anomalies between those
rules, particularly in distributed multi-component scenarios, is very likely to degrade the
network security policy. Discovering and removing these anomalies is a serious and
complex problem [83]. Lihua Yuan et al. introduced a static analysis toolkit, "FIREMAN",
for firewall modeling and analysis [84]. By treating firewall configurations as specialized
programs, FIREMAN applies static analysis techniques to check misconfigurations, such
as policy violations, inconsistencies and inefficiencies, in individual firewalls as well as
among distributed firewalls.
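The pairwise anomaly classes that the Firewall Policy Advisor (section 2.6) and FIREMAN check for, as an added example that is the code of neither tool: a small checker that compares every ordered pair of rules by the relation between their match sets and reports shadowing, generalization, redundancy or correlation, following the relation-based definitions of Al-Shaer and Hamed, whose work the Firewall Policy Advisor implements. The rule set is constructed, and the rule format (protocol, source and destination prefix, port ranges, action, first match wins) is an assumption of the example rather than any vendor's syntax.

```python
"""Pairwise firewall rule anomaly detection (added example). Rules are ordered
and the first match wins. For an earlier rule Rx and a later rule Ry the relation
between their match sets decides the anomaly:
  shadowing      Ry inside (or equal to) Rx, actions differ: Ry can never fire
  generalization Rx strictly inside Ry, actions differ: Ry is the catch-all
                 for Rx's exception (usually intended, worth a warning)
  redundancy     one rule inside the other, same action, and no rule between
                 them could change the outcome: one rule can be removed
  correlation    match sets overlap without containment, actions differ: the
                 order of Rx and Ry silently decides the policy for the overlap"""
from ipaddress import ip_network

ANY_PORT = (0, 65535)

class Rule:
    def __init__(self, name, action, proto, src, sport, dst, dport):
        self.name, self.action, self.proto = name, action, proto  # proto: tcp, udp or any
        self.src, self.dst = ip_network(src), ip_network(dst)
        self.sport, self.dport = sport, dport                    # (lo, hi), inclusive

def _rel_net(a, b):
    if a == b:          return "eq"
    if a.subnet_of(b):  return "sub"
    if b.subnet_of(a):  return "sup"
    return "disj"       # CIDR prefixes either nest or are disjoint

def _rel_range(a, b):
    if a == b:                          return "eq"
    if b[0] <= a[0] and a[1] <= b[1]:   return "sub"
    if a[0] <= b[0] and b[1] <= a[1]:   return "sup"
    if a[1] < b[0] or b[1] < a[0]:      return "disj"
    return "overlap"

def _rel_proto(a, b):
    if a == b:      return "eq"
    if b == "any":  return "sub"
    if a == "any":  return "sup"
    return "disj"

def relation(rx, ry):
    """Relation of rx's match set to ry's: equal, subset, superset, correlated or disjoint."""
    rels = {_rel_proto(rx.proto, ry.proto), _rel_net(rx.src, ry.src),
            _rel_range(rx.sport, ry.sport), _rel_net(rx.dst, ry.dst),
            _rel_range(rx.dport, ry.dport)}
    if "disj" in rels:                              return "disjoint"
    if "overlap" in rels or {"sub", "sup"} <= rels: return "correlated"
    if "sub" in rels:                               return "subset"
    if "sup" in rels:                               return "superset"
    return "equal"

def find_anomalies(rules):
    """Return (kind, rule, other_rule) triples for every anomalous ordered pair."""
    findings = []
    for i, rx in enumerate(rules):
        for j in range(i + 1, len(rules)):
            ry = rules[j]
            rel = relation(rx, ry)
            same = rx.action == ry.action
            if rel == "disjoint":
                continue
            if rel in ("superset", "equal"):
                findings.append(("redundancy" if same else "shadowing", ry.name, rx.name))
            elif rel == "subset":
                if not same:
                    findings.append(("generalization", ry.name, rx.name))
                # rx is redundant to ry only if no rule between them with a
                # different action can match any of rx's traffic
                elif all(r.action == rx.action or relation(rx, r) == "disjoint"
                         for r in rules[i + 1:j]):
                    findings.append(("redundancy", rx.name, ry.name))
            elif rel == "correlated" and not same:
                findings.append(("correlation", ry.name, rx.name))
    return findings

# Constructed rule set, in evaluation order.
RULES = [
    Rule("R1", "allow", "tcp", "10.1.1.0/24", ANY_PORT, "192.168.1.0/24",  (80, 80)),
    Rule("R2", "deny",  "tcp", "10.1.0.0/16", ANY_PORT, "192.168.1.0/24",  (80, 80)),
    Rule("R3", "allow", "tcp", "10.1.1.0/24", ANY_PORT, "192.168.1.0/24",  (80, 80)),
    Rule("R4", "deny",  "tcp", "10.1.2.0/24", ANY_PORT, "192.168.0.0/16",  (22, 22)),
    Rule("R5", "allow", "tcp", "10.1.0.0/16", ANY_PORT, "192.168.5.0/24",  (22, 22)),
    Rule("R6", "deny",  "any", "0.0.0.0/0",   ANY_PORT, "0.0.0.0/0",       ANY_PORT),
    Rule("R7", "allow", "udp", "0.0.0.0/0",   ANY_PORT, "192.168.1.53/32", (53, 53)),
]

if __name__ == "__main__":
    for kind, rule, other in find_anomalies(RULES):
        print(f"{kind:14s} {rule} (with respect to {other})")
```

On the constructed set the checker reports R3 as both redundant to R1 and shadowed by R2, R4/R5 as a correlation whose overlap (10.1.2.0/24 to 192.168.5.0/24 port 22) is decided only by their order, and R7, the DNS allow placed after the final deny-all, as shadowed, which is the classic misconfiguration that passes syntax checks and breaks name resolution. The deny rules R2 and R4 are not flagged as redundant to the deny-all R6 because allow rules that overlap them sit in between, so removing them would change the policy.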

Although firewall security has received strong attention in the research
community, the emphasis has mostly been on filtering performance and hardware support
issues [29-33]. On the other hand, only a few related works [30] present a resolution for
the correlation conflict problem alone. Other approaches [29-33] propose using a
high-level policy language to define and analyze firewall policies and then map this
language to filtering rules. Firewall query languages based on filtering rules are also
proposed in [33].

There are also research papers reporting ASIC based packet classification
co-processors [24]. The advantage of the FPGA based co-processing approach lies in the
reconfigurable nature of the FPGA, which adds flexibility to the filtering mechanisms
compared with ASIC solutions [25].

2.8 Prominence of the Established Software Firewalls

Anti-virus protection, a firewall and patches to cover security holes in critical
software are perhaps among the top security mechanisms that a consumer can use to
protect a home computing environment. Of these security mechanisms, a firewall is
considered the most effective in protecting computers and is the most widely used form of
protection in businesses [68]. Nanda Kumar, Kannan Mohan et al. (2008) specifically
investigated factors that impact the adoption of firewalls by home computer users [67]. The
AOL survey referred to in that work indicated that, among these security technologies, the
firewall is the least understood and least used in home computing environments: while
more than 80% of respondents had anti-virus programs installed on their computers, only
37% had firewall solutions installed [89]. One possible reason for the low use of firewalls
is the difficulty individuals face in using and maintaining firewall applications, compared
with keeping their critical software (such as the operating system and internet browser)
and anti-virus protection up to date. The relative difficulty of using the firewall and the
low installed base in home environments provided the motivation for their research.
In a different use of the term, "firewall" also names a regression test selection
technique in software engineering. Through empirical studies of the Class firewall
technique, researchers observed that a variant of it selected fewer tests and required a
simpler, less costly analysis [59]. The variant, which they refer to as the Change-based
regression test selection technique, is basically the Class firewall technique with the class
firewall removed. In their paper they formulate the hypothesis that these empirical
observations are not incidental but an inherent property of the Class firewall technique,
prove that the hypothesis holds for Java in a stable testing environment, and conclude that
the effectiveness of the Class firewall regression testing technique can be improved,
without sacrificing its defect detection capability, by removing the class firewall.
Today's personal firewall software solutions can make it easy for novices and
experts alike to keep personal information safe. Various web articles on personal firewall
protection, and comprehensive reviews, are available to inform purchasing decisions; the
specifications one should consider when selecting a personal firewall program are given in
various online reports, and many personal firewall software products are available on the
market [62].
White, Lee et al. (2008) reported that testing firewalls (TFW) have proven to be a
useful approach for regression testing in both functional and object-oriented software [63].
They involve only the modules that are closely related to the changed modules. They lead
to substantially reduced regression tests but are still very effective in detecting regression
faults. The authors investigate situations where data-flow paths are longer, so that testing
only the modules and components one level away from the changed elements may not
detect certain regression faults; an extended firewall considers these longer data paths.
They reported empirical studies showing the degree to which an extended firewall (EFW)
detected more faults, and how much more testing was required to achieve this increased
detection: in their case studies the extra cost of EFW over TFW was about 30% in
additional tests and 30-50% in extra time for analysis and test execution.


The growth of software (personal) firewalls has been accompanied by attention to
tamper resistance from an architecture perspective. Some within the security community
have recognized the value of moving the firewall function close to the host [135].
Ironically, these software-based firewalls have been disabled by other security software:
Symantec's anti-virus software misidentified Network ICE's BlackICE firewall as a Trojan
horse, with the result that the anti-virus software disabled the firewall and left many home
users' PCs vulnerable [136]. It is therefore always recommended to employ a hardware
firewall, the approach adopted in the present work.

2.9 Alleviating the Difficulty in Rules management with Emerging Parallel NIDS

The design and management of firewall rule sets is a very difficult and error-prone
task because of the difficulty of translating access control requirements into complex
low-level firewall languages [64]. Although high-level languages have been proposed to
model firewall access control lists, none has been widely adopted by industry. According
to Pozo et al. (2009) the main reason is that their complexity is close to that of many
existing low-level languages. In addition, none of the high-level languages that
automatically generate firewall rule sets verifies the model prior to the code-generation
phase. Error correction in the early stages of the development process is cheaper than
correcting errors in the production phase, and errors that reach the production phase
usually have a huge impact on the reliability and robustness of the generated code and the
final system. They proposed applying the ideas of Model-Based Development to firewall
access control list modeling and automatic rule set generation. In view of the difficulty of
rules management, Michele Colajanni and Mirco Marchetti (2006) proposed a parallel
NIDS architecture that is able to provide fully reliable analysis, high performance and
scalability [71]. These properties come together with the low cost and high flexibility
guaranteed by a pure software implementation. The load balancing mechanism of the
proposed NIDS distributes the traffic among a configurable number of parallel sensors, so
that each of them receives a manageable amount of traffic. The parallelism and traffic
distribution do not alter the results of the traffic analysis, which remains reliable and
stateful.

2.10 Significant Suc cessful Technology Developments Worth Mentioning

The award-winning Sunbelt Personal Firewall, formerly known as the Kerio
Personal Firewall (KPF), is a well regarded piece of code that builds on the Windows
firewall [65]; Tucows gave it their 5-Cow rating. McAfee Firewall Enterprise, another
major player in the security field, offers extensive application control and threat
protection. Advanced capabilities, such as application visualization, reputation-based
global intelligence, automated threat feeds, encrypted traffic inspection, intrusion
prevention, anti-virus and content filtering, block attacks before they occur [76]. The Cisco
PIX (Private Internet eXchange) is a popular IP firewall and network address translation
(NAT) appliance. It was one of the first products in this market segment. In 2005 Cisco
introduced the newer Adaptive Security Appliance (ASA), which inherited many of the PIX
features, and in 2008 announced the PIX end-of-sale. The PIX technology is still sold in a
blade, the Firewall Services Module (FWSM), for the Cisco Catalyst 6500 switch series
and the 7600 router series [93].

2.11 Importance of Firewall Management

The sophistication and advancement of technology does not by itself provide security strength to the firewall. Unless the system administrator puts in effort towards its management, whatever the technology may be, the firewall becomes ineffective. This has been reiterated in the literature as well. Although firewall security has received strong attention in the research community, the emphasis was mostly on filtering performance issues [138]–[140]. On the other hand, a few related works [141], [142] attempt to address only one of the conflict problems, namely rule correlation in filtering policies. Other approaches [143]–[144] propose using a high-level policy language to define and analyze firewall policies and then map this language to filtering rules. Although using such high-level languages might avoid rule anomalies, they are not practical for the most widely used firewalls, which contain low-level filtering rules, simply because redefining already existing policies in a high-level language requires far more effort than analyzing the existing rules with a stand-alone tool such as the Firewall Policy Advisor. Therefore, in [146] a significant approach and comprehensive framework to automate anomaly discovery and rule editing in legacy firewalls has been suggested. As reported in [137], firewall management ranges from the command line to sophisticated GUI-based and secured remote access. Security management and administration, particularly as it applies to different firewalls using different technologies and provided by different vendors, is a critical problem. As more and more security services are introduced and applied to different firewall components, configuring and maintaining the services consistently becomes increasingly difficult. An error by an administrator in maintaining a consistent configuration of security services can easily lead to a security vulnerability [137]. Notable in this context is BullGuard Internet Security 10 [61], which has been regarded as a comprehensive internet security suite that keeps computer passwords, private documents and important files secure. As a security suite, BullGuard includes antivirus, antispyware and firewall technologies. It also includes many effective modes of protection against Trojans, worms and other malicious software, with ease of use as well as extra features such as online backup, a gaming mode and a vulnerability scanner.
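The conflict classes discussed above (shadowing, redundancy, generalization and correlation, as analyzed by tools such as the Firewall Policy Advisor) can be discovered by classifying the relationship between every pair of rules in order. The Python below is an added example, not code from any of the cited works; its rule set is constructed over RFC 5737 documentation addresses.

```python
"""Pairwise anomaly discovery over an ordered list of filtering rules:
shadowing, redundancy, generalization and correlation between rule pairs."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

EQ, SUB, SUP, DISJ = "eq", "sub", "sup", "disjoint"   # single-field relationships

@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp", "udp" or "*" for any protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None means any destination port
    action: str            # "accept" or "deny"

def _rel_scalar(a, b, wildcard) -> str:
    """Relationship of field value a to b; `wildcard` matches everything."""
    if a == b:
        return EQ
    if a == wildcard:
        return SUP
    if b == wildcard:
        return SUB
    return DISJ

def _rel_net(a: IPv4Network, b: IPv4Network) -> str:
    if a == b:
        return EQ
    if a.subnet_of(b):
        return SUB
    if b.subnet_of(a):
        return SUP
    return DISJ

def relation(rx: Rule, ry: Rule) -> str:
    """Classify rx against ry: 'disjoint', 'exact', 'subset' (rx inside ry),
    'superset' (ry inside rx) or 'correlated' (partial overlap)."""
    rels = {_rel_scalar(rx.proto, ry.proto, "*"), _rel_net(rx.src, ry.src),
            _rel_net(rx.dst, ry.dst), _rel_scalar(rx.dport, ry.dport, None)}
    if DISJ in rels:
        return "disjoint"
    if rels == {EQ}:
        return "exact"
    if SUP not in rels:
        return "subset"
    if SUB not in rels:
        return "superset"
    return "correlated"

def find_anomalies(rules: List[Rule]) -> List[Tuple[str, int, int]]:
    """Return (kind, a, b) with 1-based rule numbers: rule a is shadowed by,
    redundant to or a generalization of rule b, or a and b are correlated
    with conflicting actions."""
    found = []
    for i, rx in enumerate(rules):
        for j in range(i + 1, len(rules)):
            ry = rules[j]
            rel = relation(ry, rx)         # the later rule relative to rx
            same = rx.action == ry.action
            if rel in ("exact", "subset"):
                # every packet ry could match has already been decided by rx
                found.append(("redundancy" if same else "shadowing", j + 1, i + 1))
            elif rel == "superset":        # rx is a special case of ry
                if not same:
                    found.append(("generalization", j + 1, i + 1))
                elif all(relation(rx, rz) == "disjoint" or rz.action == rx.action
                         for rz in rules[i + 1:j]):
                    # rx can be dropped: no rule in between decides differently
                    found.append(("redundancy", i + 1, j + 1))
            elif rel == "correlated" and not same:
                found.append(("correlation", i + 1, j + 1))
    return found

def R(proto, src, dst, dport, action) -> Rule:
    return Rule(proto, ip_network(src), ip_network(dst), dport, action)

# Constructed sample policy over RFC 5737 documentation addresses; numbered 1..8.
SAMPLE_POLICY = [
    R("tcp", "192.0.2.20/32", "0.0.0.0/0", 80, "deny"),            # 1
    R("tcp", "192.0.2.0/24", "0.0.0.0/0", 80, "accept"),           # 2
    R("tcp", "0.0.0.0/0", "198.51.100.40/32", 80, "accept"),       # 3
    R("tcp", "192.0.2.0/24", "198.51.100.40/32", 80, "deny"),      # 4
    R("tcp", "192.0.2.0/24", "0.0.0.0/0", 21, "accept"),           # 5
    R("tcp", "192.0.2.0/24", "198.51.100.40/32", 21, "accept"),    # 6
    R("udp", "192.0.2.0/24", "0.0.0.0/0", 53, "accept"),           # 7
    R("udp", "0.0.0.0/0", "198.51.100.0/24", 53, "deny"),          # 8
]

if __name__ == "__main__":
    for kind, a, b in find_anomalies(SAMPLE_POLICY):
        print(f"{kind:>14}: rule {a} vs rule {b}")
```

Rule 4 is reported twice because both rule 2 and rule 3 already decide every packet it could match; the redundancy between rules 5 and 6 carries no risk, whereas the correlations would flip their outcome if the rules were reordered.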
The WatchGuard Security System 2.0, designed by Seattle Software Labs, is suited for mid-size organizations and networks [59]. It consists of two components: a hardware-based packet filter and a graphical configuration and management tool. The product provides general administration, configuration and monitoring services. The configuration is stored on the hardware component, which acts independently of the system used for the configuration and administration tasks. Once the firewall's configuration has been defined, it is downloaded to the hardware-based packet filter, where it is executed independently of the administration program. The hardware component, the Firebox, has a serial console port and three Ethernet ports [117]. The Ethernet ports are for the internal trusted, external untrusted and bastion networks, respectively. The software component, the Security Management System (SMS), provides the Firebox configuration services. The SMS program can connect to the Firebox over the serial port or over a network connection.
Check Point Security Gateways provide comprehensive, flexible and extensible security solutions, while keeping security operations simple and affordable [118, 119]. With integrated hardware appliances, independent or pre-defined bundles of software blades, and virtualization options, a Check Point Security Gateway solution can be customized to fit the needs and budget of any size or type of business.

2.12 Importance of User Awareness

It is of utmost importance to make users aware of the security strategies implemented in the firewall and of its configuration. Kumar, N. and K. Mohan investigate the factors that affect the use of security protection strategies by home computer users in relation to a specific but crucial security technology for the home: a software firewall [67]. They present a set of guidelines for home computer users, Internet Service Providers, e-commerce companies and the government to increase home users' adoption rate of privacy and security protection technologies. They propose individuals' concern for privacy, awareness of common security measures, attitude towards security and privacy protection technologies, and computer anxiety as important antecedents that influence a user's decision to adopt a software firewall.
As more and more development-related networks, both instructional and industry-related, are being attached to the Internet, the need for protection from hackers becomes evident. This is largely due to the fact that security breaches have reached epidemic proportions [87]. Maskey examines these issues and presents a case study of a basic firewall configuration. The logic behind the case study is based on four different modules, each containing one or more sections: environmental, forward rules, allow ping, and post-routing rules.
After a detailed presentation of the different facets of firewall technology, it is now appropriate to focus on the FPGA-based firewall, which is the main focus of our research work. However, since FPGA-based firewalls fall under the hardware type, a comparison of hardware firewalls with their software counterparts is given below.

2.13 Hardware and Software Firewalls

There are various pros and cons to both hardware and software firewalls; therefore the features of both combine to address the security issue. Karagiannis and Matthew discuss various issues in the selection of a hardware or a software firewall for a particular application.
Because of the limitations of both, the selection of a software or a hardware firewall becomes very critical [60]. Each type has its pros and cons, but to go unprotected is an appalling idea. For the mobile worker, the choice is obviously the software firewall, because it is impractical to lug a hardware firewall around [109]. If the machine is stationary, the choice is more difficult. A hardware router with an SPI firewall, typically considered only for networks, is a simple and inexpensive way to protect a PC. But a software firewall's application-level protection may be more practical protection against today's most common threats. A few companies, including Network Associates and Symantec, bundle their firewalls with security suites that include antivirus, ad-blocking, privacy-control and spam-removal software. For multiple machines, a router will typically be cheaper than multiple software licenses, especially since the firewall adds very little to the cost of this nearly mandatory piece of networking equipment. For the best security, get both: the hardware guards the network, while the software provides a second line of defense and keeps an eye on internet-enabled applications.
Table 2.2 Hardware vs. Software Firewalls: Pros and Cons

Hardware Firewalls
  Pros:
    - Inexpensive
    - Works at the port level
    - Can protect multiple PCs
    - Nonintrusive
    - Uses a dedicated, secure platform
    - Hides PCs from the outside world
    - Doesn't affect PC performance
  Cons:
    - Difficult to customize
    - Ignores most outgoing traffic
    - Inconvenient for travelers
    - Upgrades only via firmware
    - Creates a potential bandwidth bottleneck

Software Firewalls
  Pros:
    - Works at the application level
    - Ideal for one machine with many users
    - Analyzes incoming and outgoing traffic
    - Convenient for travelers, mobile workers
    - Easy to update
  Cons:
    - Doesn't hide a PC from the outside world
    - Can be intrusive
    - Shares OS vulnerabilities
    - Affects PC performance
    - Must be uninstalled in case of a conflict

The features of hardware and software firewalls are summarized in Table 2.2 above [66].
Robert N. Smith and Yu Chen addressed the diversity of security needs among the different information and resources connected over a secure data network in one of their research articles [69]. Installing firewalls across the data network is a popular approach to providing a secure data network. However, single, individual firewalls may not provide adequate security protection to meet the users' needs. The cost of super firewalls, design flaws, as well as inappropriate implementation of such firewalls may leave security loopholes. They therefore proposed a heuristic placement of these firewalls across the different nodes and links of the network in such a way that different users can have the level of security they individually need, without having to pay added hardware costs or incur excess network delay.

2.14 Computational Complexity in Firewalls

Qiu, Varghese et al. (2001) find, using real databases, that the time for backtracking search is much better than the worst-case bound: instead of Ω((log N)^(k-1)), the search time is only roughly twice the optimal search time. Similarly, they find that set-pruning tries have much better storage costs than the worst-case bound, and they propose several new techniques to further improve the two basic mechanisms [88].
Check Point, one of the leading security device manufacturers, launched new modular, centrally managed software blades for Security Gateways to tailor targeted network security solutions to specific business security needs. Firewall, intrusion prevention, web security, anti-malware and other security gateway software blades can be combined into a customized solution [70]. Alternatively, Check Point Security Gateway Systems are turnkey appliances configured with pre-defined bundles of security gateway software blades to produce comprehensive network security solutions for a wide range of company sizes and network environments.
The differences between a software and a hardware firewall are vast, and the best protection for a computer and network is to use both, as each offers different but much-needed security features and benefits. Updating the firewall and the operating system is essential to maintaining optimal protection, as is testing the firewall to ensure it is connected and working correctly.
There is no fundamental difference between hardware and software firewalls: in the end they both perform the same task. Both act as barriers between the internet and the computer, and both help protect it from anything harmful arriving over the outside connection. The choice between the two is largely a matter of preference, but some thought should go into it [101,102,103,104,105]. The minimum one should do to protect a computer is to have a hardware firewall in place; its ease of setup and the range of protection it gives to any number of computers make it an obvious choice. To improve the protection, adding a software firewall can eliminate most, if not all, incoming or outgoing harmful material from the internet. Although more configuration is required with a software firewall, it gives the user more flexibility and control. Ideally, one would have both hardware and software firewalls, as together they give good protection from the internet.

2.15 FPGA-based Hardware Firewall Security Systems

Many researchers have looked at several network applications of the reconfigurable device FPGA, such as network processors, routers, protocol wrappers and switches [37, 38, 39, 40, 41, 42]. A high-performance pattern matching engine using FPGAs, which are programmable memories, has been demonstrated in some implementations by Sivilotti, R. et al. [43]. Bloom filters using a hashed memory index can detect a large number of patterns using embedded memories [44]. As the Bloom filter uses several hash functions, its output needs to be compared against a set of strings to refine the result [45, 46]. After these efforts another type of effective pattern search, using Content Addressable Memory (CAM) and Ternary CAM (TCAM), was implemented. Jing Lu et al. describe an encryption/authentication module for an FPGA-based system-on-chip (SoC) CAM-based firewall. This module implements several IPsec standards, including the Advanced Encryption Standard (AES), Triple Data Encryption Standard (3DES), and keyed-hash message authentication code (HMAC) using both MD5 and SHA-1. It can be securely managed remotely via the internet [51]. Basically, TCAM is extended with pattern matching functionality for variable-length patterns [47, 48, 49]. As CAM is very expensive in terms of power and size, most designers focus on optimizing the bandwidth and on fixed-logic implementation [50]. J. Ditmar and J.T. McHenry et al. demonstrated that FPGA-based firewall processors can be developed for high-throughput networks [53, 54, 55].
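The two-stage scheme just described, a Bloom filter over hashed payload windows followed by an exact comparison against the string set to remove the filter's false positives, as an added Python example (not code from [44]–[46]); one filter per pattern length is kept, and the signature set and payload are constructed.

```python
"""Bloom-filter pre-screening of payload windows with exact verification.

One filter per pattern length: every window of the payload is tested against
the filter for its length, and only windows the filter admits are compared
with the exact pattern set, which removes the filter's false positives."""
import hashlib
from typing import Dict, Iterable, List, Set, Tuple


class BloomFilter:
    def __init__(self, m_bits: int, k: int):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)

    def _indexes(self, item: bytes):
        # k bit positions, one salted BLAKE2b digest per hash function
        for seed in range(self.k):
            digest = hashlib.blake2b(item, digest_size=8,
                                     salt=seed.to_bytes(16, "little")).digest()
            yield int.from_bytes(digest, "little") % self.m

    def add(self, item: bytes) -> None:
        for i in self._indexes(item):
            self.bits[i >> 3] |= 1 << (i & 7)

    def might_contain(self, item: bytes) -> bool:
        # False is definitive; True may be a false positive
        return all(self.bits[i >> 3] & (1 << (i & 7)) for i in self._indexes(item))


class BloomPatternMatcher:
    def __init__(self, patterns: Iterable[bytes], m_bits: int = 512, k: int = 3):
        self.exact: Dict[int, Set[bytes]] = {}     # length -> exact pattern set
        self.filters: Dict[int, BloomFilter] = {}  # length -> filter for that length
        for p in patterns:
            self.exact.setdefault(len(p), set()).add(p)
            self.filters.setdefault(len(p), BloomFilter(m_bits, k)).add(p)

    def scan(self, payload: bytes) -> Tuple[List[Tuple[int, bytes]], int]:
        """Return ((offset, pattern) matches, number of filter false positives)."""
        matches, false_positives = [], 0
        for off in range(len(payload)):
            for length, bf in self.filters.items():
                window = payload[off:off + length]
                if len(window) < length or not bf.might_contain(window):
                    continue   # a filter miss is final: the filter has no false negatives
                if window in self.exact[length]:
                    matches.append((off, window))
                else:
                    false_positives += 1   # admitted by the filter, refuted exactly
        return matches, false_positives


# Constructed signature set and payload (not taken from any cited work).
SAMPLE_PATTERNS = [b"passwd", b"/admin", b"cmd.exe", b"<script>"]
SAMPLE_PAYLOAD = b"GET /view?f=../../etc/passwd&x=<script> HTTP/1.0\r\n"


def demo(m_bits: int = 512) -> Tuple[List[Tuple[int, bytes]], int]:
    return BloomPatternMatcher(SAMPLE_PATTERNS, m_bits=m_bits).scan(SAMPLE_PAYLOAD)


if __name__ == "__main__":
    for size in (512, 16):   # a tiny filter admits more windows; verification still wins
        hits, fps = demo(size)
        print(f"m={size:>3} bits: matches={hits} false_positives={fps}")
```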
Researchers from the American University of Beirut [7] presented the design of a firewall for IP networks using FPGA-based hardware that implements the accept or deny rules of the firewall. This hardware-based firewall offers the advantage of speed over a software firewall, in addition to direct interfacing with network devices, such as an Ethernet or a serial line transceiver. A firewall's complexity and processing time increase with the size of its rule set. Empirical studies show that as the rule set grows larger, power consumption and delay time for processing IP packets, particularly on hardware firewalls, increase sharply, and therefore the performance of the firewall decreases proportionally. Ezzati, S. and Naji, H.R. present a new FPGA-based firewall with high performance, high processing speed, low power consumption and low space utilization [8]. They use the embedded memories of the FPGA instead of external memories, to increase the processing speed and to reduce the signaling and noise created by the connection between the FPGA and external memories. Besides that, they applied a pipelining technique to the architecture to achieve high processing speed in addition to low power consumption.
Various researchers have pursued different approaches to build speed-, space- and power-efficient systems. The most common solutions to achieve high-performance NIDS rely on hardware-based components. For example, Application Specific Integrated Circuit (ASIC) appliances can inspect high traffic throughput [71, 72, 73], but they do not represent an exhaustive solution to scalability. Moreover, ASIC appliances are characterized by high costs and low flexibility. Similar problems affect other hardware-based architectures, such as FPGAs [74, 75] and Network Processors (NP) [91, 92].
For some applications, the patterns of interest are limited to a finite set of constant strings, while in other cases they may vary, and different ideas have been implemented for these. One idea for reducing resources while maintaining high throughput suggests factoring out common logic and using attached fast memory to trade logic for lookups [9]. D. Pnevmatikatos et al. tried another idea, using pipelining to search concurrently for matches at various offsets in the data stream [11]. Automata-based approaches use state in place of combinational logic to track matches in progress. One of the approaches deploys a state-based algorithm (due to Knuth-Morris-Pratt) in hardware, but this approach does not scale for high throughput on a given data stream, nor does it take advantage of commonality among strings in the pattern set [51]. A similar approach [55] pipelines the algorithm and proves that a buffer of modest size allows their design to consume one byte per cycle without stalling.
L. Tan and T. Sherwood suggest another interesting approach of splitting a byte stream into 8 bit streams, with an (Aho-Corasick) automaton relegated to finding matches on each bit stream [56]. This idea reduces the fan-out from each state (from up to 256 to just 2), but the throughput is scaled only by increasing the clock rate. M. Aldwairi's approach [57], which is also based on the Aho-Corasick algorithm, reorganizes the state tables to decrease access time and shows correspondingly improved throughput, but with an ingest rate of just one byte per cycle. Strings can also be found using hashing techniques; one source [58] suggests a circuit based on Bloom filters to control the false-positive rate. The above approaches make progress in reducing resources or improving throughput for pattern matching based on sets of constant strings.
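To make the fan-out trade-off concrete, the following added Python example (not code from [56] or [57]) builds a byte-alphabet Aho-Corasick automaton that consumes one byte per step, and the bit-split variant with eight binary-alphabet automata whose partial-match sets are intersected; the signature set and payload are constructed.

```python
"""Aho-Corasick matching over a byte alphabet and the bit-split variant.

The byte automaton consumes one byte per step with a fan-out of up to 256
transitions per state. The bit-split variant runs eight binary automata, one
per bit position; a pattern is reported only where all eight partial-match
sets agree, which bounds every state's fan-out to 2."""
from collections import deque
from typing import Dict, List, Sequence, Set, Tuple


class AhoCorasick:
    """Generic automaton over any hashable symbol alphabet."""

    def __init__(self, patterns: Sequence[Sequence[int]]):
        self.goto: List[Dict[int, int]] = [{}]   # explicit transitions per state
        self.fail: List[int] = [0]
        self.out: List[Set[int]] = [set()]       # pattern ids ending at state
        for pid, pat in enumerate(patterns):
            s = 0
            for sym in pat:
                if sym not in self.goto[s]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append(set())
                    self.goto[s][sym] = len(self.goto) - 1
                s = self.goto[s][sym]
            self.out[s].add(pid)
        queue = deque(self.goto[0].values())     # depth-1 states fail to root
        while queue:                             # breadth-first failure links
            r = queue.popleft()
            for sym, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and sym not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(sym, 0)
                self.out[s] |= self.out[self.fail[s]]   # inherit suffix matches

    def step(self, state: int, sym: int) -> int:
        """Consume one symbol (one cycle in a hardware design)."""
        while state and sym not in self.goto[state]:
            state = self.fail[state]
        return self.goto[state].get(sym, 0)

    def max_fanout(self) -> int:
        return max(len(g) for g in self.goto)


Match = Tuple[int, int]   # (start offset, pattern id)


def _bit_automata(patterns: List[bytes]) -> List[AhoCorasick]:
    # automaton b sees only bit b of every byte, so its alphabet is {0, 1}
    return [AhoCorasick([[(c >> b) & 1 for c in p] for p in patterns]) for b in range(8)]


def byte_scan(patterns: List[bytes], payload: bytes) -> List[Match]:
    ac = AhoCorasick([list(p) for p in patterns])
    state, found = 0, []
    for i, byte in enumerate(payload):
        state = ac.step(state, byte)
        found += [(i - len(patterns[pid]) + 1, pid) for pid in sorted(ac.out[state])]
    return found


def bit_split_scan(patterns: List[bytes], payload: bytes) -> List[Match]:
    autos = _bit_automata(patterns)
    states, found = [0] * 8, []
    for i, byte in enumerate(payload):
        for b in range(8):
            states[b] = autos[b].step(states[b], (byte >> b) & 1)
        # a pattern is present only if every bit plane reports it at this byte
        agreed = set.intersection(*(autos[b].out[states[b]] for b in range(8)))
        found += [(i - len(patterns[pid]) + 1, pid) for pid in sorted(agreed)]
    return found


def fanouts(patterns: List[bytes]) -> Tuple[int, int]:
    """(max fan-out of the byte automaton, max fan-out over the 8 bit automata)."""
    byte_ac = AhoCorasick([list(p) for p in patterns])
    return byte_ac.max_fanout(), max(a.max_fanout() for a in _bit_automata(patterns))


# Constructed signature set and payload (not taken from any cited work).
SAMPLE_PATTERNS = [b"passwd", b"cmd.exe", b"<script>", b"script"]
SAMPLE_PAYLOAD = b"GET /view?f=../../etc/passwd&x=<script> HTTP/1.0\r\n"

if __name__ == "__main__":
    print("byte automaton :", byte_scan(SAMPLE_PATTERNS, SAMPLE_PAYLOAD))
    print("bit-split      :", bit_split_scan(SAMPLE_PATTERNS, SAMPLE_PAYLOAD))
    print("fan-out byte/bit:", fanouts(SAMPLE_PATTERNS))
```

Both scans report the same matches, including the overlapping "script" inside "<script>" found through the failure links, while the byte automaton's root already needs four explicit transitions for four signatures and no bit automaton ever exceeds two.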

2.16 Conclusion

A detailed literature review pertaining to firewall technology has been presented in this chapter. As is evident from the review, firewall technology is essentially interdisciplinary and still an open problem in view of the growing epidemic of attacks on computer networks. The technology has progressed through many generations and has finally reached a stage wherein reconfiguration has become an obligatory feature. Though there are many reported instances of firewalls in the FPGA paradigm, very few have reached the stage of successful deployment. Further, these approaches are still limited to the domain of expertise of the hardware community and therefore lack the advantages of algorithms that could be well implemented in the soft computing domain. Further, there is no instance of hardware-software codesign to synergize the positive aspects of the two.
These gaps identified from the literature review pave the way for our work towards the implementation of CAM, and further towards synergistic hardware-software codesign issues in relation to firewalls.

References
1. Layered Protocol Wrappers for Internet Packet Processing in Reconfigurable
Hardware, Florian Braun, John Lockwood, Marcel Waldvogel, WUCS-01-10, July,
2001, Department of Computer Science, Applied Research Lab, Washington
University.
2. Hamish Fallside and Michael J. S. Smith. Internet connected FPL. In Proceedings
of Field-Programmable Logic and Applications, pages 48–57, Villach, Austria,
August 2000.
3. Gaudin, S. 2003. Virus Damage Worst on Record for August 2003. Cyber Atlas.
4. Allen, J., Christie, A., Fithen, W., McHugh, J., Pickel, J., and Stoner, E. 2001. Code
Red “Worm Exploiting Buffer Overflow In IIS Indexing Service DLL”. Tech. rep.,
Carnegie Mellon, Software Engineering Institute. Aug.
5. Taming IP Packet Flooding Attacks, Karthik Lakshminarayanan, Daniel Adkins,
Adrian Perrig, Ion Stoica, UC Berkeley, sponsored and funded by NSF under grant
numbers Career Award ANI-0133811, and ITR Award ANI-0085879.
6. Vern Paxson, Krste Asanovic, Sarang Dharmapurikar, John Lockwood, Ruoming
Pang, Robin Sommer, Nick Weaver. Rethinking Hardware Support for Network
Analysis and Intrusion Prevention // USENIX First Workshop on Hot Topics in
Security (HotSec). – Vancouver, B.C. – July 31, 2006.
7. Kayssi, A.; Harik, L.; Ferzli, R.; Fawaz, M.; “FPGA-based Internet protocol
firewall chip”, The 7th IEEE International Conference, Electronics, Circuits and
Systems, 2000. ICECS 2000.
8. Ezzati, S.; Naji, H.R.; Chegini, A.; HabibiMehr, P., “A new method of hardware
firewall implementation on SOC”, IEE International Conference 2010, Internet
Technology and Secured Transactions (ICITST), pp. 1 – 7.
9. Y. Cho and W. Mangione-Smith. Deep packet filter with dedicated logic and read
only memories. In IEEE Symposium on Field-Programmable Custom Computing
Machines, April 2004.
10. Firewalls and Internet Security, the Second Hundred (Internet) Years by Frederic
Avolio, Avolio Consulting, The Internet Protocol Journal,
http://www.cisco.com/web/about/ac123/ac147/ac174/ac200/about_cisco_ipj_archive_article09186a00800c85ae.html
11. I. Sourdis and D. Pnevmatikatos. “Fast, large-scale string match for a 10gbps
FPGA-based network intrusion detection system”, In Proceedings of 13th
International Conference on Field Programmable Logic and Applications, 2003.
12. L. Qiu, G. Varghese, and S. Suri. “Fast Firewall Implementations for Software and
Hardware-based Routers.” Proceedings of 9th International Conference on Network
Protocols (ICNP’2001), November 2001.
13. V. Srinivasan, S. Suri and G. Varghese. “Packet Classification Using Tuple Space
Search.” Computer ACM SIGCOMM Communication Review, October 1999.
14. T. Woo. “A Modular Approach to Packet Classification: Algorithms and Results.”
Proceedings of IEEE INFOCOM’00, March 2000.
15. D. Chapman and E. Zwicky. Building Internet Firewalls, Second Edition, O'Reilly &
Associates Inc., 2000.
16. W. Cheswick and S. Bellovin. Firewalls and Internet Security, Addison-Wesley,
1995.
17. “Cisco Secure Policy Manager 2.3 Data Sheet.”
http://www.cisco.com/warp/public/cc/pd/sqsw/sqppmn/prodlit/spmgr ds.pdf
18. “Check Point Visual Policy Editor Data Sheet.”
http://www.checkpoint.com/products/downloads/vpe datasheet.pdf
19. Ehab Al-Shaer and Hazem Hamed, “Taxonomy of Conflicts in Network Security
Policies”, IEEE Communications Magazine, Vol. 44, No. 3, March 2006
20. Lopamudra Roychoudhuri, Ehab Al-Shaer and Gregory B. Brewster, “On the
Impact of Loss and Delay Variation on Internet Packet Audio Transmission.” In
Journal of Computer Communications, Volume 28, 2005.
21. Lopamudra Roychoudhuri and Ehab Al-Shaer, “Real-Time Packet Loss Prediction
based on End-to-end Delay Variation.” In IEEE Transactions on Network and
System Management (TNSM), Volume 2, No. 1, November 2005.
22. Ehab Al-Shaer, Hazem Hamed, Raouf Boutaba and Masum Hasan, "Conflict
Classification and Analysis of Distributed Firewall Policies." In IEEE Journal on
Selected Areas in Communications (JSAC), Volume 23, Issue 10, October 2005.
(Nominated for Best JSAC Award paper for year 2005)
23. Hazem Hamed and Ehab Al-Shaer, " Dynamic Rule-ordering Optimization for
High-speed Firewall Filtering", ACM Symposium on InformAtion, Computer and
Communications Security (ASIACCS'06), March 2006.
24. Korosh Golnabi, Richard Min, Latifur Khan, Ehab Al-Shaer, " Analysis of Firewall
Policy Rule Using Data Mining Techniques", In the 10th IEEE/IFIP Network
Operations and Management Symposium (NOMS 2006), April 2006.
25. Mitchell, T.M., Machine Learning. 1997, Sydney: McGraw-Hill.
26. Piatetsky-Shapiro, G., Discovery, analysis, and presentation of strong rules.
Knowledge Discovery in Databases, 1991: p. 229-248.
27. Webb, G.I. Discovering Associations with Numeric Variables. In Proceedings of
the International Conference on Knowledge Discovery and Data Mining. 2001:
ACM Press.
28. S. Cobb. “ICSA Firewall Policy Guide v2.0.” NCSA Security White Paper Series,
1997.
29. Z. Fu, F. Wu, H. Huang, K. Loh, F. Gong, I. Baldine and C. Xu. “IPSec/VPN
Security Policy: Correctness, Conflict Detection and Resolution.” Proceedings of
Policy’2001 Workshop, January 2001.
30. B. Hari, S. Suri and G. Parulkar. “Detecting and Resolving Packet Filter Conflicts.”
Proceedings of IEEE INFOCOM’00, March 2000.
31. S. Hazelhurst. “Algorithms for Analyzing Firewall and Router Access Lists.”
Technical Report TRWitsCS-1999, Department of Computer Science, University of
the Witwatersrand, South Africa, July 1999.
32. T. Woo. “A Modular Approach to Packet Classification: Algorithms and Results.”
Proceedings of IEEE INFOCOM’00, March 2000.
33. Specialized Hardware for Deep Network Packet Filtering (2002) Young H. Cho,
Shiva Navab, William H. Mangione-Smith at
http://citeseer.ifi.unizh.ch/cho02specialized.html

34. P.W. Dowd, J.T. McHenry, F.A. Pellegrino, T.M. Carrozzi and W.B. Cocks, "An
FPGA-Based Coprocessor for ATM Firewalls,"Proceedings of the IEEE
Symposium on FPGA's for Custom Computing Machines (FCCM97), April 1997
35. “Design and Implementation of a Full Bandwidth ATM Firewall”, O. PAUL, M.
LAURENT, S. GOMBAULT ENST, C. DURET, H. GUESDON, V. LASPRESES,
J. LATTMAN, J. LE MOAL, P. ROLIN, J-L. SIMON at
http://www-lor.int-evry.fr/~paul_o/tissec01.pdf
36. Iliopoulos, M. and Antonakopoulos, T. 2000. Reconfigurable network processors
based on field programmable system level integrated circuits. In 10th Conference
on Field Programmable Logic and Applications. Springer-Verlag, Villach, Austria,
39–47.
37. Braun, F., Lockwood, J., and Waldvogel, M. 2001. Reconfigurable router modules
using network protocol wrappers. In 11th Conference on Field Programmable Logic
and Applications. Springer-Verlag, Belfast, Northern Ireland, 254–263.
38. Fallside, H. and Smith, M. J. 2000. Internet connected FPL. In 10th Conference on
Field Programmable Logic and Applications. Springer-Verlag, Villach, Austria, 48–
57.
39. Braun, F., Lockwood, J., and Waldvogel, M. 2002. Protocol wrappers for layered
network packet processing in reconfigurable hardware. IEEE Micro 22, 1 (Jan.),
66–74.
40. Dowd, P. W., McHenry, J. T., Pellegrino, F. A., Carrozzi, T. M., and Cocks, W.
1997. An FPGA-Based Coprocessor for ATM Firewalls. In Proceedings of the
IEEE Symposium on FPGA’s for Custom Computing Machines. IEEE, Napa
Valley, CA.
41. Sinnappan, R. and Hazelhurst, S. 2001. A Reconfigurable Approach to Packet
Filtering. In 11th International Conference on Field Programmable Logic and
Applications. Springer-Verlag, Belfast, Northern Ireland.
42. Sivilotti, R., Cho, Y., Su, W., Cohen, D., and Bray, B. 1998. Scalable Network
Based FPGA Accelerators for an Automatic Target Recognition Application. In
IEEE Symposium on Field-Programmable Custom Computing Machines. IEEE,
Napa Valley, CA.
43. Bloom, B. H. 1970. Space/Time Trade-Offs in Hash Coding with Allowable Errors.
In Communications of the ACM. ACM.
44. Dharmapurikar, S., Krishnamurthy, P., Sproull, T., and Lockwood, J. 2003. Deep
Packet Inspection using Parallel Bloom Filters. In IEEE Hot Interconnects 12. IEEE
Computer Society Press, Stanford, CA.
45. Lockwood, J., Moscola, J., Kulig, M., Reddick, D., and Brooks, T. 2003. Internet
Worm and Virus Protection in Dynamically Reconfigurable Hardware. In Military
and Aerospace Programmable Logic Device (MAPLD). NASA Office of Logic
Design, Washington DC.
46. Gokhale, M., Dubois, D., Dubois, A., Boorman, M., Poole, S., and Hogsett, V.
2002. Granidt: Towards Gigabit Rate Network Intrusion Detection Technology. In
12th Conference on Field Programmable Logic and Applications. Springer-Verlag,
Montpellier, France, 404–413.
47. Yu, F., Katz, R., and Lakshman, T. 2004. Gigabit Rate Packet Pattern-Matching
Using TCAM. In 12th IEEE International Conference on Network Protocols. IEEE,
Berlin, Germany.
48. Yusuf, S. and Luk, W. 2005. Reconfigurable network processors based on field
programmable system level integrated circuits. In 10th Conference on Field
Programmable Logic and Applications. Springer-Verlag, Tempere, Finland.
49. Singaraju, J., Bu, L., and Chandy, J. A. 2005. A Signature Match Processor
Architecture for Network Intrusion Detection. In IEEE Symposium on Field-
Programmable Custom Computing Machines. IEEE, Napa Valley, CA.
50. Jing Lu et. al., Control Packet Security for CAM based Firewall, Dept of CS, St.
Louis, MO, Washington University.
51. R. P. S. Sidhu, A. Mei, and V. K. Prasanna, “String matching on multicontext
FPGAs using self-reconfiguration”, In FPGA '99: Proceedings of the 1999
ACM/SIGDA seventh international symposium on Field programmable gate arrays,
pages 217–226, New York, NY, USA, 1999. ACM Press
52. J. Ditmar, K. Torkelsson and A. Jantsch, “A Dynamically Reconfigurable FPGA
based Content Addressable Memory for Internet Protocol Characterization”, Field
Programmable Logic and Applications, LNCS 1896, Springer, 2000.
53. J.T. McHenry and P.W. Dowd, “An FPGA-Based Coprocessor for ATM Firewalls”
in Proc. IEEE Symp. on Field-Programmable Custom Computing Machines, IEEE
Computer Society Press, 1997.
54. R. Sinnappan and S. Hazelhurst, “A Reconfigurable Approach to Packet Filtering”,
Field Programmable Logic and Applications, LNCS 2147, Springer, 2001.
55. Z. K. Baker and V. K. Prasanna. High-throughput linked-pattern matching for
intrusion detection systems. In ANCS '05: Proceedings of the 2005 symposium on
Architecture for networking and communications systems, pages 193–202, New
York, NY, USA, 2005. ACM Press.
56. L. Tan and T. Sherwood. “A high throughput string matching architecture for
intrusion detection and prevention”, In ISCA'05: 32nd Annual International
Symposium on Computer Architecture, pages 112–122, 2005.
57. M. Aldwairi, T. Conte, and P. Franzon, “Configurable string matching hardware
for speeding up intrusion detection”, SIGARCH Comput. Archit. News, 33(1):99–
107, 2005.
58. S. Dharmapurikar, M. Attig, and J. Lockwood. Deep packet inspection using
parallel bloom filters. IEEE Micro, 24(1):52–61, 2004.
59. Meyer, H. "Seattle Software's Firewall Keeps Watch." Computers & Security 15.6
(1996): 517.
60. "Software Firewalls - Keep Hackers Out: Part One, Personal Edition |
PCMag.com." Technology Product Reviews, News, Prices & Downloads |
PCMag.com | PC Magazine. Web. 27 May 2011.
<http://www.pcmag.com/article2/0,2817,646304,00.asp>.
61. BullGuard Internet Security 10 Sponsored Ad Publisher: Bull Guard Ltd.,
http://internet-security-suite-review.toptenreviews.com/bullguard-review.html,
Web. 27 May 2011.

62. Personal Firewall Software Review 2011 - TopTenREVIEWS. Web. 27 May 2011.
<http://personal-firewall-software-review.toptenreviews.com/>.
63. White, Lee, Khaled Jaber, Brian Robinson, and Václav Rajlich. "Extended Firewall
for Regression Testing: an Experience Report." Journal of Software Maintenance
and Evolution: Research and Practice 20.6 (2008): 419-33.
64. Pozo, S., R. Ceballos, and R.M. Gasca. "Model-Based Development of Firewall
Rule Sets: Diagnosing Model Inconsistencies." Information and Software
Technology 51.5 (2009): 894-915.
65. "Free Firewall Software – Sunbelt Personal Firewa ll." Endpoint Protection,
Antivirus Software, Email & Anti-Malware Protection - GFI Software. Web. 27
May 2011. <http://www.sunbeltsoftware.com/Home-Home-Office/Sunbelt-
Personal-Firewall/>.
66. "The Differences and Features of Hardware & Software Firewalls -
Webopedia.com." Webopedia: Online Computer Dictionary for Computer and
Internet Terms and Definitions. Web. 27 May 2011.
<http://www.webopedia.com/DidYouKnow/Hardware_Software/2004/firewall_typ
es.asp>.
67. Kumar, N., K. Mohan, and R. Holowczak. "Locking the Door but Leaving the
Computer Vulnerable: Factors Inhibiting Home Users' Adoption of Software
Firewalls." Decision Support Systems 46.1 (2008): 254-64.
68. CERT/CC, 2004 E-Crime Watch Survey: Summary of Findings, CSO Magazine
and Computer Emergency Response Team/Coordination Center, Carnegie Mellon
Software Engineering Institute, 2004.Xx
69. Robert N. Smith, Yu Chen , Sourav Bhattacharya, “Cascade of Distributed and
Cooperating Firewalls in a Secure Data Network”, IEEE Transactions on
Knowledge and Data Engineering archive , Volume 15 Issue 5, September 2003
70. Check point Security Gateways,
http://www.checkpoint.com/products/index.html#gateways, Web. 27 May 2011.
71. Michele Colajanni, Mirco Marchetti (2006). A Parallel Architecture for Stateful
Intrusion Detection in High Traffic Networks. MonAM 2006 Workshop, IEEE /

30
Chapter 2: Literature Survey

IST Workshop on Monitoring, Attack Detection and Mitigation, Tuebingen,


Germany
72. “Top layer networks.” [Online]. Available: http://tcpreplay.sourceforge.net
73. “Juniper networks.” [Online]. Available: http://www.juniper.net
74. H. Song, T. Sproull, M. Attig, and J. Lockwood, “Snort of?oader: A recon?gurable
hardware NIDS ?lter,” in 15th International Conference on Field Programmable
Logic and Applications (FPL), Tampere, Finland, Aug. 2005.
75. H. Song and J. W. Lockwood, “Ef?cient packet classi?cation for network intrusion
detection using fpga,” in FPGA ’05: Proceedings of the 2005 ACM/SIGDA 13th
international symposium on Field-programmable gate arrays. New York, NY, USA:
ACM Press, 2005, pp. 238–245.
76. McAfee Firewall Enterprise, next-generation firewall,
http://www.mcafee.com/us/products/firewall-enterprise.aspx
77. NightAxis and Rain Forest Puppy, “Purgatory 101: Learning to cope with the SYNs
of the Internet,” 2000, Some practical approaches to introducing accountability and
responsibility on the public internet,
http://packetstorm.securify.com/papers/contest/ RFP.doc..
78. K. Park and H. Lee (2001). On the effectiveness of probabilistic packet marking for
IP traceback under denial of service attack". In Proceedings of IEEE INFOCOM
2001, pp. 338-347.
79. Alain Mayer , Avishai Wool , Elisha Ziskind , “Fang: A firewall analysis engine”,
Proceedings of 2000 IEEE Symposium on Security and Privacy (2000), web
http://www.cs.rutgers.edu/~tdnguyen/classes/cs671/.
80. Gregory R. Ganger , Gregg Economou , Stanley M. Bielski , “Finding and
Containing Enemies Within the Walls With Self-Securing Network Interfaces”,
(2003) http://www.pdl.cmu.edu/PDL-FTP/Secure/CMU-CS-03-10.
81. Pasi Eronen , Jukka Zitting, “An Expert System for Analyzing Firewall Rules”,
(2001) , web: http://www.cs.hut.fi/~peronen/publications/nordsec.
82. Computer Emergency Response Team, “Denial of service,” Feb. 1999, Tech Tips,
http://www.cert.org/tech tips/denial of service.html.

31
Chapter 2: Literature Survey

83. J. G. Alfaro,“Analysis of Policy Anomalies on Distributed Network Security


Setups”, 11th European Symposium on Research in Computer Security
(ESORICS), LNCS 4189, (2006) ,web: http://www.rennes.enst-
bretagne.fr/~fcuppens/artic. Schultz, E. "Internet Security: Risk Analysis,
Strategies, and Firewalls Othmar Kyas Internationa l Thomson Computer Press,
1997." Network Security 1997.7 (1997): 15
84. Lihua Yuan , Hao Chen, “FIREMAN: a toolkit for FIREwall Modeling and
Analysis”, In Proceedings of IEEE Symposium on Security and Privacy (2006),
web: http://www.ece.ucdavis.edu/~chuah/paper/2006/sosp0.
85. Ricky Panchal, Firewalls: Hardware vs. Software (2005),
http://www4.ncsu.edu/~kksivara/sfwr4c03/projects/4
86. Maskey, Sujan, Brittany Jansen, Dennis Guster, and Charles Hall. "A Basic
Firewall Configuration Strategy for the Protection of Development-related
Computer Networks and Subnetworks." Information Systems Security 16.5 (2007):
281-90.
87. Qiu, Lili, George Varghese, and Subhash Suri. "Fast Firewall Implementations for
Software-based and Hardware-based Routers." ACM SIGMETRICS Performance
Evaluation Review 29.1 (2001): 344-45.
88. AOL/NCSA, Online Safety Study, 2004, last accessed on, at: http://www.
staysafeonline.info/news/safety_study_v04.pdf.
89. Privilege escalation, From Wikipedia, the free encyclopedia,
http://en.wikipedia.org/wiki/Privilege_escalation, Web. 27 May 2011.
90. L. Bu and J. A. Chandy, “Fpga based network intrusion detection using content
addressable memories,” fccm, vol. 00, pp. 316–317, 2004.
91. 8 C. R. Clark, W. Lee, D. E. Schimmel, D. Contis, M. Kon, and A. Thomas, “A
hardware platform for network intrusion detection and prevention,” in Workshop on
Network Processors and Applications at HPCA (NP-3), Madrid, Spain, 2004, pp.
136–145.

32
Chapter 2: Literature Survey

92. Cisco Firewall, online info, retrieved on march 2011,


http://www.cisco.com/en/US/products/ps5708/Products_Sub_Category_Home.html
.
93. CERT Advisory CA-1996-01: UDP Port Denial-of-Service Attack, Retrieved on
June 2007 from URL http://www.cert.org/advisories/CA-1996-01.html.
94. J. Li, J. Mirkovic, M. Wang, P. Reither, and L. Zhang (2002). Save: Source address
validity enforcement protocol. In Proceedings of IEEE INFOCOM 2002, pp.1557-
1566.
95. Lee Garber, “Denial-of-service attacks rip the Internet,” Computer, pp. 12–17, Apr.
2000.
96. John Elliott, “Distributed denial of service attack and the zombie ant effect,” IT
Professional, pp. 55–57, March/April 2000.
97. Jari Hautio and Tom Weckstrom, “Denial of service attacks,” Mar. 1999,
http://www.hut.fi/u/tweckstr/hakkeri/DoS paper.html.
98. John D. Howard, An Analysis of Security Incidents on the Internet, Ph.D. thesis,
Carnegie Mellon Univerisity, Aug. 1998.
99. Computer Emergency Response Team (CERT), “CERT Advisory CA-2000-01
Denial-of-service developments,” Jan. 2000, http://www.cert.org/advisories/CA-
2000-01.html.
100. Yair Bartal , Alain Mayer , Kobbi Nissim , Avishai Wool, “Firmato: A
Novel Firewall Management Toolkit”, In ACM Workshop on Formal Methods in
Security Engineering, http://www.wisdom.weizmann.ac.il/~kobbi/papers/fir,
(1999).
101. Blekinge Institute of Technology, Sweden, Firewalls,
http://www.its.bth.se/staff/hjo/
102. Ronald Pacchiano, Firewall Debate: Hardware vs. Software,
http://www.smallbusinesscomputing.com/webmaster/article.php/310343.
103. Design the Firewall System,
http://ww w.cert.org/security- improvement/practices/p053.html

33
Chapter 2: Literature Survey

104. D.E. Comer, Internetworking with TCP/IP: Principles, Protocols, and


Architectures, 4th edition, Prentice Hall, NJ, 2000.
105. Tomas Olovsson, A Secure Network Architecture,
http://www.appgate.com/knowledge_center/tomas.pdf.
106. History of Firewalls retrieved from
http://firewall.int24.net/history- firewalls.php.
107. Dalia-Elkhamesys, History of Firewalls, Wednesday, September 13, 2006,
retrieved from
http://dalia-elkhamesy.blogspot.com/2006/09/history-of-firewallsfirewall.html.
108. Firewall YOUR ONLY LINE OF DEFENSE, retrieved from
http://www.angelfire.com/planet/firewallforclass/.
109. Set up a wireless network, retrieved from
http://www.scribd.com/doc/36120796/Set-up-a-wireless-network.
110. Jun Li, Jelena Mirkovic, Mengqiu Wang, Peter Reiher, and Lixia Zhang ,
SAVE: Source Address Validity Enforcement Protocol, retrieved from
http://lasr.cs.ucla.edu/save/save_to_infocom.pdf.
111. Firewall, retrieved from http://www.web-hosting-top.com/glossary/firewall.
112. Iliano Cervesato, Proceedings Foundations of Computer Security, Affiliated
with LICS’02, Copenhagen, Denmark, July 25–26, 2002
113. Firewall (computing), From Wikipedia, the free encyclopedia, retrieved
from http://en. wikipedia.org/wiki/Firewall_%28computing%29.
114. Weird, Wacky, Wonderful, Interesting, Dark and downright Mental Facts,
retrieved from http://making- history.com/forum/thread/349923/1.
115. History of Firewalls, retrieved from
http://www.scribd.com/doc/6669985/Firewall.
116. Firewalls: Networks, retrieved from
http://www.lycos.com/info/firewalls--networks.html.
117. Hall E., Computers and Security, Volume 15, Number 6, 1996 , pp. 517-
517(1), Publisher: Elsevier
118. Security Gateways, retrieved from http://www.checkpoint.com/products/.

34
Chapter 2: Literature Survey

119. Check Point, retrieved from


http://www.ion- us.com/partners/checkpoint/index.php.
120. The Base Java Security Model: The Original Applet Sandbox, retrieved
from http://www.securingjava.com/chapter-two/chapter-two-1.html.
121. Common attacks and security threats, retrieved from
http://www.esds.co.in/forum/f19/common-attacks-security-threats-1229/.
122. Sean Convery, Network Security Architectures widgetwidgetNetwork
Security Architectures, Published by Cisco Press, Series: Networking
Technology.Published: Apr 19, 2004
123. List of network attacks, retrieved from
http://www.webtechnicist.com/list-of- network-attacks.
124. Common Network Attacks and Exploits, retrieved from
https://nsrc.org/workshops/2008/ait-wireless/kemp/network-attacks.pdf..
125. Mobile phone scams, retrieved from
http://www.scamwatch.gov.au/content/index.phtml/tag/MobilePhoneScams.
126. N. Asokan, Valtteri Niemi and Kaisa Nyberg, Man-in-the-Middle in
Tunnelled Authentication Protocols Extended Abstract, Security Protocols Lecture
Notes in Computer Science, 2005, Volume 3364/2005, 28-41, DOI:
10.1007/11542322_6.
127. Dimitris Gritzalis, Pierangela Samarati, Security and privacy in the age of
uncertainty: IFIP TC11 18th International. Retrieved from google books,
http://books.google.co.in/books?hl=en&lr=&id=7MjwJ50TBo4C&oi=fnd&pg=PA4
21&dq=Disclosure+Attacks.
128. Haining Wang , Danlu Zhang , Kang G. Shin Detecting SYN Flooding
Attacks (2002) , In Proceedings of the IEEE Infocom retrieved from
http://www.ieee-infocom.org/2002/papers/800.pdf
129. C. Meadows. A cost-based framework for analysis of denial of service in
networks. Journal of Computer Security, 9(1–2):143–164, 2001.
130. Sans. Icmp attacks illustrated. http://www.sans.org/rr/threats/ICMP
attacks.php.

35
Chapter 2: Literature Survey

131. CERT Advisory. Denial of service attack tools.


http://www.cert.org/advisories/CA-1999-17.html
132. ISS. Loki icmp tunneling back door.
http://www.iss.net/securitycenter/static/1452.php
133. Sans. Intrusion detection faqs.
http://www.sans.org/resources/dfaq/icmp misuses.php
134. Andreas Fuchsberger, Intrusion Detection Systems and Intrusion Prevention
Systems, Information Security Technical Report (2005) 10, 134-139
135. Security at the Network Edge: A Distributed Firewall ArchitectureDISCEX-
II 2001, The Institute of Electrical and Electronics Engineers, Inc. (the “IEEE”).
Presented at the DARPA Information Survivability Conference II, June 12-14,in
Anaheim, CA
136. Robert Lemos, "Microsoft -- burned by antivirus tools?," ZDNet News,
Friday October 27 2000.
http://www.zdnet.com/zdnn/stories/news/0,4586,2646200,00.html
137. Habtamu Abie, An Overview of Firewall Technologies, Retrieved from
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.20.9215&rep=rep1&type
=pdf
138. L. Qiu, G. Varghese, and S. Suri. “Fast Firewall Implementations for
Software and Hardware-based Routers.” Proceedings of 9th International
Conference on Network Protocols (ICNP’2001), November 2001.
139. V. Srinivasan, S. Suri and G. Varghese. “Packet Classification Using Tuple
Space Search.” Computer ACM SIGCOMM Communication Review, October
1999.
140. T. Woo. “A Modular Approach to Packet Classification: Algorithms and
Results.” Proceedings of IEEE INFOCOM’00, March 2000
141. D. Eppstein and S. Muthukrishnan. “Internet Packet Filter Management and
Rectangle Geometry.” Proceedings of 12th Annual ACM-SIAM Symposium on
Discrete Algorithms (SODA), January 2001.

36
Chapter 2: Literature Survey

142. B. Hari, S. Suri and G. Parulkar. “Detecting and Resolving Packet Filter
Conflicts.” Proceedings of IEEE INFOCOM’00, March 2000.
143. Y. Bartal, A. Mayer, K. Nissim and A. Wool. “Firmato: A Novel Firewall
Management Toolkit.” ”Proceedings of 1999 IEEE Symposium on Security and
Privacy, May 1999.
144. A. Mayer, A. Wool and E. Ziskind. “Fang: A Firewall Analysis Engine.”
Proceedings of 2000 IEEE Symposium on Security and Privacy, May 2000.
145. A. Wool. “Architecting the Lumeta Firewall Analyzer.” Proceedings of 10th
USENIX Security Symposium, August 2001.
146. Ehab S. Al-Shaer and Hazem H. Hamed, Modeling and Management of
Firewall Policies Network and Service Management, IEEE Transactions on Issue
Date: April 2004, Volume: 1 Issue:1, On page(s): 2 - 10

37

Das könnte Ihnen auch gefallen