21-05-2012, 01:53 PM
FIREWALL RULE-BASE STATISTICS APPLYING IN GEM ALGORITHM
ABSTRACT
This project proposes a hardware security mechanism, which employs the Galois Counter Mode (GCM) of the Advanced Encryption Standard (AES) and modifies it to work in an SMP environment. The paper focuses on why GCM is a better choice than cipher block chaining (CBC) mode, which is used in current state-of-the-art systems. It estimates the storage required by the additional hardware unit in both modes of operation. Since firewalls need to filter all the traffic crossing the network perimeter, they should be able to sustain a very high throughput, or risk becoming a bottleneck. Firewall packet matching can be viewed as a point location problem: each packet (point) has five fields (dimensions), which need to be checked against every firewall rule in order to find the first matching rule. In this project, a classical algorithm has been adapted to the firewall domain. The resulting algorithm is called “Geometric Efficient Matching” (GEM). The GEM algorithm enjoys logarithmic matching time. However, the algorithm’s theoretical worst-case space complexity is for a rule-base with n rules. Because of this perceived high space complexity, GEM-like algorithms were rejected as impractical by earlier works. Contrary to this conclusion, this project shows that GEM is actually an excellent choice. We evaluated GEM via extensive simulation using the Perimeter rules model. On such rule-bases, GEM uses near-linear space, and only needs approximately 13 MB of space for rule-bases of 5,000 rules. Moreover, with additional space-improving heuristics, the space requirement has been reduced to 2-3 MB for 5,000 rules. Most importantly, GEM has been integrated into the code of the Linux iptables open-source firewall and tested on real traffic loads. The GEM-iptables implementation managed to filter over 30,000 packets per second on a standard PC, even with 10,000 rules. Therefore, GEM is an efficient and practical algorithm for firewall packet matching.
Existing System:
Most first-generation firewalls used basic packet filtering. Basic packet filtering means, first, that no state is kept: the filtering decision is made separately for every packet, and does not take into account any earlier decisions made on related packets. Second, the filtering decision is based only on the five basic fields: source and destination IP addresses, protocol, and source and destination port numbers (for protocols that have port numbers). The typical actions that a basic filter can take are Pass, which lets the packet through; Drop, which does not forward the packet and sends no indication to the sender; and Reject, which is the same as Drop except that a special ICMP packet is sent back to the sender informing it that the packet was filtered. A TCP flow is characterized by four attributes: the IP addresses of the two endpoints and the two ports being used. However, the specification of a TCP service typically identifies only the destination port. If the firewall is a basic packet filter, the unpredictability of the client’s port number makes it almost impossible to let the flow cross the firewall without introducing risky side effects.
Proposed System:
In the proposed system we use stateful packet filtering. Most modern firewalls are stateful. This means that after the first packet in a network flow is allowed to cross the firewall, all subsequent packets belonging to that flow, and especially the return traffic, are also allowed through the firewall. This statefulness has two advantages. First, the administrator does not need to write explicit rules for return traffic; such return-traffic rules are inherently insecure since they rely on source-port filtering. So, stateful firewalls are fundamentally more secure than simpler, stateless packet filters. Second, state lookup algorithms are typically simpler and faster than rule-match algorithms; hence, statefulness potentially offers important performance advantages. Firewall statefulness is commonly implemented by two separate search mechanisms: 1) a slow algorithm that implements the “first match” semantics and compares a packet to all the rules, and 2) a fast state lookup mechanism that checks whether a packet belongs to an existing open flow.
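The following is an added illustration, not code from the project or from the GEM-iptables implementation: a small Python model of the two search mechanisms just described. It contains a linear first-match matcher over the five packet fields, a toy GEM-style search tree that cuts each field's axis into elementary intervals so matching becomes one binary search per dimension, and a flow table that admits later packets of an open flow (including the return direction) without consulting the rules. The rule-base, packets and small integer "IP addresses" are constructed sample data.

```python
from bisect import bisect_right
FIELDS = 5  # src IP, dst IP, protocol, src port, dst port
# Constructed sample rule-base: five inclusive (lo, hi) ranges per rule plus an
# action; IP addresses are abbreviated to small integers for readability.
RULES = [
    (((10, 20), (100, 100), (6, 6), (0, 65535), (22, 22)), "pass"),      # SSH to host 100
    (((0, 255), (100, 100), (6, 6), (0, 65535), (80, 80)), "pass"),      # HTTP to host 100
    (((0, 255), (0, 255), (0, 255), (0, 65535), (0, 65535)), "drop"),    # default deny
]

def linear_first_match(rules, pkt):
    """Slow path: test the packet against every rule in order; the first match wins."""
    for ranges, action in rules:
        if all(lo <= v <= hi for (lo, hi), v in zip(ranges, pkt)):
            return action
    return "drop"

def build_gem(rules, dim=0):
    """Cut axis `dim` into elementary intervals at rule boundaries; recurse per interval."""
    if dim == FIELDS:
        return rules[0][1] if rules else "drop"  # leaf: first covering rule wins
    points = sorted({p for r, _ in rules for p in (r[dim][0], r[dim][1] + 1)})
    children = []
    for lo, hi in zip(points, points[1:]):  # interval [lo, hi-1] is covered whole or not at all
        covering = [r for r in rules if r[0][dim][0] <= lo and hi - 1 <= r[0][dim][1]]
        children.append(build_gem(covering, dim + 1))
    return (points, children)

def gem_match(node, pkt, dim=0):
    """Fast path: one binary search per field, i.e. logarithmic work per dimension."""
    if dim == FIELDS:
        return node
    points, children = node
    i = bisect_right(points, pkt[dim]) - 1
    if i < 0 or i >= len(children):  # value lies outside every rule's range on this axis
        return "drop"
    return gem_match(children[i], pkt, dim + 1)

class StatefulFirewall:
    """Rule matching only for a flow's first packet; later packets hit the flow table."""
    def __init__(self, rules):
        self.tree, self.flows = build_gem(rules), set()

    def filter(self, pkt):
        if pkt in self.flows:  # fast state lookup; also admits return traffic
            return "pass"
        action = gem_match(self.tree, pkt)
        if action == "pass":  # record the 5-tuple and its reverse (swap IPs and ports)
            self.flows.update({pkt, (pkt[1], pkt[0], pkt[2], pkt[4], pkt[3])})
        return action
```

Packets are plain 5-tuples such as `(15, 100, 6, 40000, 22)`; the return packet `(100, 15, 6, 22, 40000)` is dropped by the stateless rule-base but passed by the flow table once the forward direction has been admitted.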