Keyword Search Result

[Keyword] firewall (9 hits)

Results 1-9 of 9
  • Design and Implementation of SDN-Based Proactive Firewall System in Collaboration with Domain Name Resolution

    Hiroya IKARASHI, Yong JIN, Nariyoshi YAMAI, Naoya KITAGAWA, Kiyohiko OKAYAMA

    PAPER-Network Security
    Publicized: 2018/08/22
    Vol: E101-D No:11
    Page(s): 2633-2643

    Security facilities such as firewall systems and IDS/IPS (Intrusion Detection System/Intrusion Prevention System) have become fundamental solutions against cyber threats. With the rapid change of cyber attack tactics, detailed investigations of incoming traffic such as DPI (Deep Packet Inspection) and SPI (Stateful Packet Inspection) become necessary, while they also decrease network throughput. In this paper, we propose an SDN (Software Defined Network)-based proactive firewall system in collaboration with domain name resolution to solve this problem. The system consists of two firewall units (lightweight and normal), and the proper one is assigned for checking the client of incoming traffic through the collaboration of the SDN controller and the internal authoritative DNS server. The internal authoritative DNS server obtains the client IP address using the EDNS (Extension Mechanisms for DNS) Client Subnet Option from the external DNS full resolver during the name resolution stage and notifies the SDN controller of the client IP address. By checking the client IP address against the whitelist and blacklist, the SDN controller assigns the proper firewall unit for investigating the incoming traffic from that client. Consequently, incoming traffic from a trusted client is directed to the lightweight firewall unit, while traffic from other clients is directed to the normal firewall unit. As a result, the incoming traffic can be distributed properly across the firewall units and congestion can be mitigated. We implemented a prototype system and evaluated its performance in a local experimental network. Based on the results, we confirmed that the prototype system presented the expected features and acceptable performance when there was no flooding attack. We also confirmed that the prototype system showed better performance than a conventional firewall system under an ICMP flooding attack.

  • Workload Estimation for Firewall Rule Processing on Network Functions Virtualization

    Dai SUZUKI, Satoshi IMAI, Toru KATAGIRI

    PAPER-Network
    Publicized: 2017/08/08
    Vol: E101-B No:2
    Page(s): 528-537

    Network Functions Virtualization (NFV) is expected to provide network systems that offer significantly lower cost and great flexibility to network service providers and their users. Unfortunately, it is extremely difficult to implement Virtualized Network Functions (VNFs) that can equal the performance of Physical Network Functions. To realize NFV systems that have adequate performance, it is critical to accurately grasp the VNF workload. In this paper, we focus on the virtual firewall as a representative VNF. The workload of the virtual firewall is mostly determined by firewall rule processing and the Access Control List (ACL) configuration. Therefore, through preliminary experiments, we first reveal the major factors influencing the workload of the virtual firewall and some issues with monitoring CPU load, the traditional way of understanding the workload of virtual firewalls. Additionally, we propose a new workload metric for the virtual firewall that is derived from mathematical models of the firewall workload which take into account the packet processing in each rule and the ACL configuration. Furthermore, we show the effectiveness of the proposed workload metric through various experiments.

  • Performance Improvement of Packet Classification for Enabling Differentiated Services

    Pi-Chung WANG

    PAPER
    Vol: E93-B No:6
    Page(s): 1403-1410

    In differentiated services, packet classification is used to categorize incoming packets into multiple forwarding classes based on pre-defined filters and to make information accessible for quality of service. Although numerous algorithms have presented novel data structures to improve the search performance of packet classification, the performance of these algorithms is usually limited by the characteristics of the filter databases. In this paper, we use a different approach, filter preprocessing, to enhance the search performance of packet classification. Before generating the searchable data structures, we cluster filters in a bottom-up manner. The filter clustering procedure merges filters with high degrees of similarity. The experimental results show that the technique of filter clustering can significantly improve the search performance of Pruned Tuple Space Search, a notable hash-based algorithm. Compared to the prominent existing algorithms, our enhanced Pruned Tuple Space Search also has superior performance in terms of speed and space.

  • Packet Classification with Hierarchical Cross-Producting

    Chun-Liang LEE, Chia-Tai CHAN, Pi-Chung WANG

    PAPER
    Vol: E93-D No:5
    Page(s): 1117-1126

    Packet classification has become one of the most important application techniques in network security over the last decade. The technique uses a traffic descriptor or user-defined criteria to categorize packets into a specific forwarding class, which will be accessible for future security handling. To achieve fast packet classification, we propose a new scheme, Hierarchical Cross-Producting. This approach simplifies the classification procedure and decreases the number of distinct combinations of fields by hierarchically decomposing the multi-dimensional space based on the concept of telescopic search. Analogous to the use of telescopes with different powers, a multiple-step process is used to search for targets. In our scheme, the multi-dimensional space is endowed with a hierarchical property which self-divides into several smaller subspaces, and the procedure of packet classification is translated into a recursive search for matching subspaces. The required storage of our scheme can be significantly reduced since the distinct field specifications of the subspaces are manageable. The performance is evaluated based on both real and synthetic filter databases. The experimental results demonstrate the effectiveness and scalability of the proposed scheme.

  • Scalable Packet Classification with Hash Tables

    Pi-Chung WANG

    LETTER
    Vol: E93-B No:5
    Page(s): 1155-1158

    In the last decade, the technique of packet classification has been widely deployed in various network devices, including routers, firewalls and network intrusion detection systems. In this work, we improve the performance of packet classification by using multiple hash tables. The existing hash-based algorithms have superior scalability with respect to the required space; however, their search performance may not be comparable to other algorithms. To improve the search performance, we propose a tuple reordering algorithm to minimize the number of accessed hash tables with the aid of bitmaps. We also use pre-computation to ensure the accuracy of our search procedure. Performance evaluation based on both real and synthetic filter databases shows that our scheme is effective and scalable and the pre-computation cost is moderate.

  • Abnormal Policy Detection and Correction Using Overlapping Transition

    Sunghyun KIM, Heejo LEE

    PAPER
    Vol: E93-D No:5
    Page(s): 1053-1061

    Policy in security devices such as firewalls and Network Intrusion Prevention Systems (NIPS) is usually implemented as a sequence of rules. This allows network packets to proceed or to be discarded based on the rules' decisions. Since attack methods are increasing rapidly, a huge number of security rules are generated and maintained in security devices. Under attack or during heavy traffic, a wrongly configured policy creates security holes and prevents the system from deciding quickly whether to allow or deny a packet. Anomalies between the rules occur when there is overlap among the rules. In this paper, we propose a new method to detect anomalies among rules and generate new rules without configuration errors, in multiple security devices as well as in a single security device. The proposed method cuts the overlap regions among rules into minimum overlap regions and finds the abnormal domain regions of the rules' predicates. By classifying rules according to the network traffic flow, the proposed method not only reduces computation overhead but also blocks unnecessary traffic among distributed devices.

  • Efficient Packet Classification with a Hybrid Algorithm

    Pi-Chung WANG

    PAPER-QoS and Quality Management
    Vol: E92-D No:10
    Page(s): 1915-1922

    Packet classification categorizes incoming packets into multiple forwarding classes based on pre-defined filters. This categorization makes information accessible for quality of service or security handling in the network. In this paper, we propose a scheme which combines the Aggregate Bit Vector algorithm and the Pruned Tuple Space Search algorithm to improve the performance of packet classification in terms of speed and storage. We also present the procedures of incremental update. Our scheme is evaluated with filter databases of varying sizes and characteristics. The experimental results demonstrate that our scheme is feasible and scalable.

  • Multiple Delay Bounds Control Algorithm via Class-Level Service Curves

    Daein JEONG, H. Jonathan CHAO, Hwasung KIM

    PAPER-Network
    Vol: E85-B No:12
    Page(s): 2868-2879

    In this paper, we propose a packet-scheduling algorithm, called the Class-level Service Lagging (CSL) algorithm, that guarantees multiple delay bounds for multi-class traffic in packet networks. We derive the associated schedulability test conditions, which are used to determine call admission. We first introduce a novel implementation of priority control, which has a conventional and simple form. We show how the effort to confirm the logical validity of that implementation leads to the definition of the CSL algorithm. The priority control is realized by imposing class-level unfairness in service provisioning, while the underlying service mechanism is carried out using the notion of fair queueing. The adoption of fair queueing makes it possible to maintain the service quality of well-behaving traffic even in the presence of misbehaving traffic. We call this the firewall property. Simulation results demonstrate the superiority of the CSL algorithm in both priority control and firewall functionality. We also describe how the CSL algorithm can be implemented with a computational complexity of O(1). These features, as well as the enhanced scalability that results from the class-level approach, confirm the adequacy of the CSL algorithm for fast packet networks.

  • Mobility Support with Authentic Firewall Traversal in IPv6

    Fumio TERAOKA

    INVITED PAPER
    Vol: E80-B No:8
    Page(s): 1132-1137

    This paper proposes a protocol to support mobile hosts in IPv6 by introducing a new addressing architecture and a new hop-by-hop option. This protocol also allows a mobile host to communicate with another host via a firewall machine which drops packets from untrustworthy hosts. The new addressing scheme is based on the separation of the identifier and the location of a mobile host. This is a straightforward implementation of the basic concept of VIP, a protocol providing seamless mobility in IPv4. The new hop-by-hop option of IPv6 allows a firewall machine to authenticate the source host of the forwarded packet with negligible overhead. The author plans to implement this protocol on several operating systems in the near future.
