Application of evolutionary algorithm in performance optimization of embedded network firewall

With the development of the network, the problem of network security is becoming increasingly serious. The importance of a firewall as the "first portal" to network security is obvious. In order to cope with a complex network environment, the firewall must formulate a large number of targeted rules to help it implement network security policies. Based on the characteristics of the cloud environment, this paper makes in-depth research on network security protection technology, and studies the network firewall system. The system implements unified configuration of firewall policy rules on the cloud management end and delivers them to the physical server where the virtual machine is located. Aiming at the characteristics of virtual machines sharing network resources through kernel bridges, a network threat model for virtual machines in a cloud environment is proposed. Through analysis of network security threats, a packet filtering firewall scheme based on kernel bridges is determined. Various conflict relationships between rules are defined, and a conflict detection algorithm is designed. Based on this, a rule order adjustment algorithm that does not destroy the original semantics of the rule table is proposed. Starting from the matching probability of the rules, simple rules are separated from the default rules according to the firewall logs, the relationships between these rules and the original rules are analyzed, and the rules are merged into new rules to evaluate the impact of these rules on the performance of the firewall. New rules are added to the firewall rule base to achieve linear firewall optimization. It can be seen from the experimental results that the optimization strategy proposed in this paper can effectively reduce the average number of matching rules and improve the performance of the firewall.     

防火墙在传输网络中的吞吐量与管理问题及解决方案

讨论防火墙在大型传输网络(Transit Network )应用中的管理和吞吐量问题：一是手工方式配置分布在各个接入点的多个防火墙,无法适应开放的、动态的网络环境;二是大量的过滤规则导致防火墙吞吐量下降.针对大量防火墙的管理问题,该文提出了一种访问控制政策的自动分配与动态配置模型,将全局过滤规则自动地分发到相应的防火墙;同时利用入侵监测系统和搜索引擎的结果,自动定位防火墙、动态配置过滤规则,实时地过滤不良站点,终止攻击行为.针对单个防火墙的吞吐量问题,提出了一种基于散列表的规则匹配算法,该算法可以将时间复杂度从O(N)降低到O(1),从而大大提高防火墙的吞吐量.     

基于云桌面实现网络安全隔离的应用

网络安全隔离技术是保护企业内部信息安全的重要手段,一般通过传统网络设备,如防火墙、网闸等实现隔离,但安全规则相对固化,无法较好满足灵活多变的业务需求。对实际外联需求进行分析,利用云桌面技术,结合合理的网络规划,设计并实现一种能够普遍推广的网络安全隔离应用方式。通过灵活运用更多安全手段,在确保网络安全隔离的基础上,进一步提升内外网使用体验。     

A novel three-tiered visualization approach for firewall rule validation

Firewall is one of the most critical elements of the current Internet, which can protect the entire network against attacks and threats. While configuring the firewalls, rule configuration has to conform to, or say be consistent with, the demands of the network security policies such that the network security would not be flawed. For the security consistency, firewall rule editing, ordering, and distribution must be done very carefully on each of the cooperative firewalls, especially in a large-scale and multifirewall-equipped network. Nevertheless, a network operator is prone to incorrectly configure the firewalls because there are typically thousands or hundreds of filtering/admission rules (i.e., rules in the Access Control List file, or ACL for short), which could be set up in a firewall; not mentioning these rules among firewalls affect mutually and can make the matter worse. Under this situation, the network operator would hardly know his/her misconfiguration until the network functions beyond the expectation. For this reason, our work is to build a visualized validation system for facilitating the check of security consistency between the rule configuration of firewalls and the demands of network security policies. To do so, the developed validation system utilizes a three-tiered visualization hierarchy along with different compound viewpoints to provide users with a complete picture of firewalls and relationships among them for error debugging and anomaly removal. In addition, in this paper, we also enumerate the source of security inconsistency while setting ACLs and make use of it as a basis of the design of our visualization model. Currently, part of the firewall configuration of our campus network has been used as our system's input to demonstrate our system's implementation.     

防火墙过滤规则的建模和全面优化

防火墙的管理在今天的企业网络环境中是一个复杂和易出错的任务,网络管理员不能仅仅依靠自己的经验和知识来配置防火墙,而必须使用有效的工具和技术,在系统的方法学的指导下来完成。论文采用几何技术对防火墙的配置进行建模,每个过滤规则被映射为多维空间中的一个几何体,从而使得防火墙的配置可视化和易于理解。该方法可以对防火墙的现有规则库进行彻底的重写,从而实现全面的优化。另外,该文还将通常定义在两个规则之间的规则冲突的概念和分类扩展到多个规则之间。     

On the use of open-source firewalls in ICS/SCADA systems

ABSTRACT

Firewalls are one of the most widely used security devices to protect a communications network. They help secure it by blocking unwanted traffic from entering or leaving the protected network. Several commercial vendors have extended their firewall capabilities to support SCADA protocols or designed SCADA-specific firewalls. Although open-source firewalls are used successfully in IT networks, their use in SCADA networks has not been properly investigated. In this research we investigate the major open-source firewalls for their use in SCADA networks and identify Linux iptables’ potential as an effective SCADA firewall. Iptables is a powerful open-source firewall solution available as part of most Linux distributions in use today. In general, use of iptables as a network-level firewall for SCADA systems has been limited to basic port and host filtering, without further inspection of control messages. We propose and demonstrate a novel methodology to use iptables as an effective firewall for SCADA systems. This is achieved by utilizing advanced iptables features that allow for dynamic inspection of packet data. It is noteworthy to mention that the proposed solution does not require any modification to the netfilter/iptables framework, making it possible to turn a Linux system into an effective SCADA firewall. The approach has been tested by defining filtering rules for the Modbus TCP protocol and validating its ability to defend against various attacks on the protocol.     

面向大规模网络的基于政策的访问控制框架

研究防火墙(或过滤路由器)应用于传输网络中的管理问题与吞吐量问题.一方面,手工配置分布在各个接入点的大量防火墙,无法满足开放的、动态的网络环境的安全管理需求;另一方面,大量过滤规则的顺序查找导致了防火墙吞吐量下降.针对一个典型的传输网络和它的安全政策需求,提出了一种基于政策的访问控制框架(PACF),该框架基于3个层次的访问控制政策的抽象:组织访问控制政策(OACP)、全局访问控制政策(GACP)和本地访问控制政策(LACP).根据OACP,GACP从入侵监测系统和搜索引擎产生,作为LACP自动地、动态地分配到各防火墙中,由防火墙实施LACP.描述了GACP的分配算法和LACP的实施算法,提出了一种基于散列表的过滤规则查找算法.PACF能够大量减轻管理员的安全管理工作,在描述的安全政策需求下,基于散列表的规则查找算法能够将传统顺序查找算法的时间复杂度从O(N)降低到O(1),从而提高了防火墙的吞吐量.     

Meta-firewall: A sixth generation firewall — Part 2

Terminology in the firewall area is still confusing. Proxies, packet filters, ‘stateful’ filters, hybrid approaches, fifth generation firewalls and many more rule the market, and thus rule the user's mind of what is good and what is bad. But few people have thought about the relationships between all those technologies, how they can interact, and how they can be integrated to increase security on a perimeter network to a maximum. Let us call this approach a ‘meta-firewall’, designed to provide maximum security for dedicated purposes. All of the issues involved in planning for a solution for any network cannot be discussed, but it is an approach to a new way of thinking what can be done with firewalls and the like. This concluding part of a two-part article continues to build the layers of security to make a ‘meta-firewall’.     

Operating system attacks from network resources

Network security firewalls provide a ‘bottleneck’ facility at strategic points on the network to prevent wholesale attacks of systems on a network. It's pretty common practice to put a firewall facility between known troublesome networks such as the Internet. Oddly enough, most companies do not implement firewall facilities between different company divisions, ‘sister’ company network connections, customer network connections and other third party or vendor supplied network connections. The funny part is that most of the documented network break-ins are from the non-Internet connections (although the Internet break-ins are accelerating).     

云火墙在校园网安全中的应用

本文从多个方面分析了校园网普遍存在的网络问题,同时也分析了传统网络安全技术和现在流行的网络安全技术＂云火墙＂。云火墙遵循了主动防御的思想,云火墙是防火墙的进一步发展,但它把防火墙提升到一个新的高度,给网络安全带来了新的生机。     

A new perspective on firewalls

No topic seems to have captured the fancy of information security professionals as has the topic of firewalls. Firewalls are commonly defined as security barriers between an internal network and other networks external to that network. The topic of firewalls is not only disproportionately represented in the agenda of information security conferences and workshops but is the focus of a number of net groups (e.g. Firewalls Digest) that generate a prolific number of postings. Indeed, firewalls are receiving so much attention today that it is difficult to imagine anything new that could be said. Corporations offering information security services now routinely advertise ‘state-of-the-art’ consulting in firewall design and evaluation.     

Practical firewall policy inspection using anomaly detection and its visualization

Due to the increasing cyber threats, firewall has become the one of the core elements in network security. The effectiveness of firewall security is dependent on providing policy management techniques. For this reason, it is highly required to have an automatic tool that is real applicable to running firewalls and it should help administrators use in easy. This paper represents a first step toward a practically applicable tool called Firewall Policy Checker for firewall policy inspection based on four anomaly types. It also focuses on detecting dangerous services such as telnet, ftp and so on which many administrators set as time goes and detecting illegal servers. In addition, this tool supports a large number of rules with the high speed using efficient N-ary tree module. The experimental results using real organizations’ rules are introduced. Finally, this paper illustrates an easy 3D visualization even for non experts.     

Meta-firewall: A sixth generation firewall — Part 1

Terminology in the firewall area is still confusing. Proxies, packet filters, ‘stateful’ filters, hybrid approaches, fifth generation firewalls and many more rule the market, and thus rule the user's mind of what is good and what is bad. But few people (1) have thought about the relationships between all those technologies, how they can interact, and how they can be integrated to increase security on a perimeter network to a maximum. Let us call this approach a ‘meta-firewall’, designed to provide maximum security for dedicated purposes. All of the issues involved in planning for a solution for any network cannot be discussed, but it is an approach to a new way of thinking what can be done with firewalls and the like. The first part of this two-part article begins to build the layers of security in a firewall for an imaginary company.     

DDFWS:一种新型分布式动态防火墙系统的研究与实现

文中对传统防火墙进行了深入的分析并指出了它们存在的问题和局限，在此基础上，提出了一种新型的分布式动态防火墙原型系统，并给出了系统的设计和实现，该原型系统具有广泛的适用性。     

一种分布式防火墙规则冲突的检测算法

为解决分布式防火墙中因规则冲突而导致策略异常问题,提出了一种基于XML的DFW策略异常的发现算法;该算法在分布式防火墙系统中,对于处在不同防火墙策略中的每条规则,设计一棵单根结点的树来表示分布式防火墙策略,即策略树(Policy Tree),然后通过集合全部的策略树,完成防火墙之间策略异常的发现过程;通过对算法的模拟运行,发现该算法在速度性能和可伸缩性方面较其他算法有很大的改进。     

防火墙规则配置错误快速检测算法

在防火墙的规则配置中潜伏着一些问题：安全管理员可能在最初配置规则表的时候，出现一些错误；随着规则表中规则数目的增长，不同的规则之间发生冲突的可能性也相应增加。该文对防火墙规则配置过程中可能出现的错误进行了分析，介绍了防火墙规则配置错误的几种常见类型，给出了发现错误的算法，并根据防火墙规则表的特点对算法进行了改进，提高了规则配置错误的检测效率。     

插件式网络安全集成防护框架

随着Internet的普及,网络安全问题越来越成为令人关注的问题。单一的入侵检测或者是防火墙系统很难对系统进行有效的防护。如果能整合入侵检测和防火墙形成一种有机的新系统,将能较好地克服两者的缺陷。这里面临了两个问题：一方面需要一种框架能集成新的子系统,即集成入侵检测系统,融合不同的检测技术,同时集成管理不同类型的防火墙,形成结合边界防火墙的分布式防火墙;另一方面需要一种机制,能自动判定入侵检测系统的告警,生成相应的防火墙规则阻断攻击。为了集成不同类型的子系统,我们提出了一种插件式的框架,通过添加插件,它能够集成管理不同类型的防火墙和入侵检测系统,通过该框架的抽象,提供了一种告警自动响应的机制。     

Firewall policy verification and troubleshooting

Firewalls are important elements of enterprise security and have been the most widely adopted technology for protecting private networks. The quality of protection provided by a firewall mainly depends on the quality of its policy (i.e., configuration). However, due to the lack of tools for verifying and troubleshooting firewall policies, most firewalls on the Internet have policy errors. A firewall policy can error either create security holes that will allow malicious traffic to sneak into a private network or block legitimate traffic disrupting normal traffic, which in turn could lead to diestrous consequences.We propose a firewall verification and troubleshooting tool in this paper. Our tool takes as input a firewall policy and a given property, then outputs whether the policy satisfies the property. Furthermore, in the case that a firewall policy does not satisfy the property, our tool outputs which rules cause the verification failure. This provides firewall administrators a basis for how to fix the policy errors.Despite of the importance of verifying firewall policies and finding troublesome rules, they have not been explored in previous work. Due to the complex nature of firewall policies, designing algorithms for such a verification and troubleshooting tool is challenging. In this paper, we designed and implemented a verification and troubleshooting algorithm using decision diagrams, and tested it on both real-life firewall policies and synthetic firewall policies of large sizes. The performance of the algorithm is sufficiently high that they can practically be used in the iterative process of firewall policy design, verification, and maintenance. The firewall policy troubleshooting algorithm proposed in this paper is not limited to firewalls. Rather, they can be potentially applied to other rule-based systems as well.     

一种基于MapReduce的防火墙策略冲突并行化检测及消解模型

防火墙在网络安全中起到很重要的作用,其中防火墙策略中的规则决定了网络数据包被“允许”或被“拒绝”进出网络。对于大型网络来说,由于规则太多,管理者很难保证其中不出现冲突,因此策略中规则冲突的检测及解决成为了保证网络安全的重要方面。提出了一种基于MapReduce模型的防火墙策略冲突检测解决算法,它对由基于规则的分段技术得到的片段进行自定义的排序,之后将其转化为规则的形式来代替原来的规则进行数据包的过滤。片段间两两不相交且匹配的包只执行一种动作,从而消除了冲突。     

Detection of firewall configuration errors with updatable tree

The fundamental goals of security policy are to allow uninterrupted access to the network resources for authenticated users and to deny access to unauthenticated users. For this purpose, firewalls are frequently deployed in every size network. However, bad configurations may cause serious security breaches and network vulnerabilities. In particular, conflicted filtering rules lead to block legitimate traffic and to accept unwanted packets. This fact troubles administrators who have to insert and delete filtering rules in a huge configuration file. We propose in this paper a quick method for managing a firewall configuration file. We represent the set of filtering rules by a firewall anomaly tree (FAT). Then, an administrator can update the FAT by inserting and deleting some filtering rules. The FAT modification automatically reveals emerged anomalies and helps the administrator to find the adequate position for a new added filtering rule. All the algorithms presented in the paper have been implemented, and computer experiments show the usefulness of updating the FAT data structure in order to quickly detect anomalies when dealing with a huge firewall configuration file.