02-01-2013, 10:37 AM
Performance Modeling and Analysis of Network Firewalls
Abstract
Network firewalls act as the first line of defense
against unwanted and malicious traffic targeting Internet servers.
Predicting the overall firewall performance is crucial to network
security engineers and designers in assessing the effectiveness
and resiliency of network firewalls against DDoS (Distributed
Denial of Service) attacks as those commonly launched by today’s
Botnets. In this paper, we present an analytical queueing model
based on the embedded Markov chain to study and analyze the
performance of rule-based firewalls when subjected to normal
traffic flows as well as DoS attack flows targeting different rule
positions. We derive equations for key features and performance
measures of engineering and design significance. These features
and measures include throughput, packet loss, packet delay, and
firewall’s CPU utilization. In addition, we verify and validate
our analytical model using simulation and real experimental
measurements.
INTRODUCTION
NETWORK firewalls act as the first line of defense in
protecting network and server resources from unauthorized
access and malicious attacks. Firewalls are typically
deployed at the edge of the network or at the entry point
of a private network. Incoming and outgoing Internet traffic
is inspected by network firewalls. Based on a set of rules,
firewalls can allow or block incoming or outgoing traffic. To
accomplish this, network firewalls have a rule-based engine
that interrogates incoming packets sequentially rule by rule
until a match is found. In particular, commercial firewalls such as the popular Cisco PIX, as well as PC-based open-source network firewalls such as Linux Netfilter and FreeBSD ipfw, have a large rulebase or ACL (Access Control List)
comprising a list of rules, where each rule represents a set
of conditions [1]–[5]. If an incoming packet matches all
conditions of a particular rule, then a certain action is taken,
e.g., to pass or drop the packet. A packet can match the
conditions of more than one rule. In such a case, the first rule
will have priority and its action will be applied to the packet.
Accordingly, the firewall checks the rules sequentially, one by
one, until a rule is matched.
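The first-match semantics described above decide how many rule comparisons a packet costs, which is exactly what an attack on bottom rules exploits. The following Python is an added example, not code from the paper: a minimal first-match engine that reports the number of rules visited, plus a hit-count-driven reordering that only swaps adjacent rules when the swap cannot change any decision (the two rules either cannot both match a packet, or take the same action). The policy, the packets and the hit counts are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not the paper's code: first-match rule engine with a
# semantics-preserving "promote hot rules" countermeasure.

@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "drop"
    proto: Optional[str]                 # "tcp"/"udp", or None for any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[int, int]]     # inclusive destination-port range, None = any

@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and pkt.src in rule.src and pkt.dst in rule.dst
            and (rule.dport is None or rule.dport[0] <= pkt.dport <= rule.dport[1]))

def lookup(rules: List[Rule], pkt: Packet, default: str = "drop") -> Tuple[str, int]:
    """Sequential first-match search. Returns (action, number of rules compared).
    A packet that matches no rule pays for a full scan before the default applies."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i + 1
    return default, len(rules)

def overlap(a: Rule, b: Rule) -> bool:
    """True if some packet could match both rules."""
    if a.proto is not None and b.proto is not None and a.proto != b.proto:
        return False
    if not a.src.overlaps(b.src) or not a.dst.overlaps(b.dst):
        return False
    if a.dport is None or b.dport is None:
        return True
    return a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1]

def can_swap(a: Rule, b: Rule) -> bool:
    """Adjacent rules may exchange places without changing any decision when
    no packet matches both, or when both take the same action."""
    return a.action == b.action or not overlap(a, b)

def promote_hot_rules(rules: List[Rule], hits: List[int]) -> List[Rule]:
    """Bubble frequently matched rules upward using only semantics-preserving
    swaps. A hot rule stops beneath any overlapping rule with a different action."""
    order = list(zip(rules, hits))
    changed = True
    while changed:
        changed = False
        for i in range(1, len(order)):
            (ra, ha), (rb, hb) = order[i - 1], order[i]
            if hb > ha and can_swap(ra, rb):
                order[i - 1], order[i] = order[i], order[i - 1]
                changed = True
    return [r for r, _ in order]

def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)

def build_ruleset() -> List[Rule]:
    # Constructed policy: one drop rule for a bad subnet, then eight permit rules.
    # The last permit rule (10.8.0.0/16) sits at the bottom and is the attacker's target.
    rules = [Rule("drop", "tcp", net("10.8.5.0/24"), net("192.168.1.0/24"), None)]
    for k in range(1, 9):
        rules.append(Rule("permit", "tcp", net(f"10.{k}.0.0/16"),
                          net("192.168.1.0/24"), (80, 80)))
    return rules

def demo():
    """Cost of each flow before and after promotion; decisions must not change."""
    ip = ipaddress.ip_address
    dst = ip("192.168.1.10")
    flows = {
        "attack":  Packet("tcp", ip("10.8.1.1"), dst, 80),    # matches the bottom rule
        "benign":  Packet("tcp", ip("10.1.4.4"), dst, 80),    # matches rule 1
        "bad":     Packet("tcp", ip("10.8.5.7"), dst, 80),    # must stay dropped by rule 0
        "nomatch": Packet("tcp", ip("172.16.0.1"), dst, 80),  # full scan, default drop
    }
    rules = build_ruleset()
    # Constructed hit counts from an attack interval: the bottom rule dominates.
    hits = [2000, 100, 90, 80, 70, 60, 50, 40, 100_000]
    reordered = promote_hot_rules(rules, hits)
    before = {name: lookup(rules, p) for name, p in flows.items()}
    after = {name: lookup(reordered, p) for name, p in flows.items()}
    return before, after

if __name__ == "__main__":
    before, after = demo()
    for name in before:
        print(f"{name:8s} before={before[name]} after={after[name]}")
```

The attack flow drops from nine comparisons to two: the hot rule climbs past the non-overlapping permit rules but is held beneath the drop rule for 10.8.5.0/24, which overlaps it with a different action, so the bad subnet is still dropped. Note what reordering cannot fix: traffic that matches no rule still scans the entire ruleset before the default action, so only a smaller ruleset (or a non-sequential classifier) reduces that cost.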
RELATED WORK
The literature contains little or no work on modeling
and performance analysis of network firewalls, particularly
under DoS attacks. Most existing work is instead geared towards improving the overall
firewall performance by proposing techniques to optimize and
detect misconfiguration in firewall security policies as reported
in [9]–[19]. In [20], two optimization approaches based on Ternary Content Addressable Memory (TCAM) chips are presented. A TCAM is a hardware memory dedicated to fast packet classification. Acharya et al. [7] developed a
simulation framework to study and analyze firewall operations
in order to improve its performance against dynamically
changing network traffic characteristics. In [21] and [22], an
experimental evaluation of firewall performance is presented
using firewall analysis tools. Some work has also been done
on the analysis of firewall vulnerability to traffic-specific
attacks, such as IP spoofing attacks [23]. In [24], performance
metrics for vulnerabilities resulting from firewall operations
are presented and analyzed. In [25], a traceroute technique
was used to determine whether or not a particular packet can
pass from an outside remote host to a destination host behind
a firewall.
ANALYTICAL MODEL
In this section, we present a finite queueing model to
represent the behavior and study the performance of a rule-based
network firewall. Typically, and as shown in Figure 1,
incoming packets carrying requests arrive at the firewall and
get queued for processing in multiple stages. The first stage
involves performing data-link and network layer functionalities,
and subsequently the firewall rulebase search engine is
activated to process incoming packets. Specifically, in Linux
and FreeBSD [37]–[39], incoming packets are received by
the Rx NIC (Receiving Network Interface Card) and copied
using DMA (Direct Memory Access) into the Rx DMA Ring.
The Rx DMA Ring is the receiving buffer and is located
within the kernel memory. After successfully queueing the
received packet into the Rx DMA Ring, an interrupt is
generated to notify the device driver of the reception of a
new packet. The device driver starts executing Data Link
layer (known as Layer 2) functionalities and then invokes
the kernel IP processing task. The kernel packet processing
is responsible for performing IP Network layer (known as
Layer 3) functionalities which include checking headers for
errors, looking up routing tables, and forwarding the packet
to its next hop or delivering it to a user application; in our
case, the packet is instead handed to the firewall rulebase
search engine, which interrogates it sequentially, one rule at
a time, until a rule matches.
VERIFICATION AND VALIDATION
To verify the correctness of our analytical models, we
developed a discrete-event simulation taking into account the
same assumptions as those in the analysis. The simulation
followed closely the guidelines given in [45]. We used a
prime modulus multiplicative linear congruential generator (PMMLCG) as our random number generator [45]. The simulation
was automated to produce independent replications with
different initial seeds that were ten million apart. During the
simulation run, we checked for overlapping in the random
number streams and ascertained that such a condition did
not exist. Each simulation was terminated when the 95%
confidence interval half-width reached no more than 10% of
the sample mean. We implemented the replication/deletion
approach for means described in [45], in which only observations
collected after the warm-up period of each replication
are used to estimate the mean.
We computed the length of the initial transient period using
the MCR (Marginal Confidence Rule) heuristic developed by
White [46]. Each replication runs for five times the
length of the initial transient period. Simulation results for all
performance metrics agreed closely with those of the
analysis, which indicates that our analytical model is correct.
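The finite queueing model of the preceding sections, and the replication-based simulation used to validate it, can be exercised with a small discrete-event simulation. The following Python is an added example, not the authors' simulator: a single-server finite-buffer queue with Poisson arrivals and a deterministic service time made of a fixed per-packet cost (DMA ring, layer-2 and layer-3 work) plus one comparison per rule visited, run as independent replications with warm-up deletion, reporting throughput, packet loss, mean delay and utilization. It uses Python's Mersenne Twister rather than a PMMLCG, distinct seeds rather than stream offsets, a fixed warm-up instead of the MCR heuristic, and a normal-approximation confidence interval; the 20-packet capacity, 10 µs base cost, 1 µs per-rule cost, 1000-rule ruleset and 5000 packets/s attack rate are assumed values.

```python
import random
import statistics
from collections import deque
from dataclasses import dataclass
from typing import Dict, Tuple

# Added example, not the paper's simulator: single-server finite-buffer queue
# whose service time grows with the rule position that the traffic matches.

@dataclass(frozen=True)
class FirewallParams:
    capacity: int         # packets the firewall can hold, including the one in service
    base_us: float        # fixed per-packet cost (DMA ring, layer 2, layer 3) in microseconds
    per_rule_us: float    # cost of interrogating one rule
    rule_position: int    # 1-based position of the rule the flow matches

def service_time_us(p: FirewallParams) -> float:
    """Deterministic service time: fixed work plus one comparison per rule visited."""
    return p.base_us + p.per_rule_us * p.rule_position

def simulate(p: FirewallParams, rate_pps: float, sim_time_s: float,
             warmup_s: float, seed: int) -> Dict[str, float]:
    """One replication. Packets arriving before warmup_s are simulated but not counted."""
    rng = random.Random(seed)
    svc = service_time_us(p) * 1e-6
    in_system = deque()            # departure times of packets still in the firewall
    last_departure = 0.0
    t = 0.0
    arrivals = served = dropped = 0
    total_delay = busy = 0.0
    while True:
        t += rng.expovariate(rate_pps)           # Poisson arrivals
        if t > sim_time_s:
            break
        while in_system and in_system[0] <= t:   # packets that have already left
            in_system.popleft()
        counted = t >= warmup_s
        if counted:
            arrivals += 1
        if len(in_system) >= p.capacity:         # buffer full: the packet is lost
            if counted:
                dropped += 1
            continue
        start = max(t, last_departure)           # FIFO, one packet in service at a time
        last_departure = start + svc
        in_system.append(last_departure)
        if counted:
            served += 1
            total_delay += last_departure - t
            busy += svc
    measured = sim_time_s - warmup_s
    return {
        "throughput_pps": served / measured,
        "loss": dropped / arrivals if arrivals else 0.0,
        "mean_delay_us": total_delay / served * 1e6 if served else 0.0,
        "utilization": min(busy / measured, 1.0),  # service may spill past the run end
    }

def replicate(p: FirewallParams, rate_pps: float, n_reps: int = 5,
              sim_time_s: float = 2.0, warmup_s: float = 0.2,
              base_seed: int = 12345) -> Dict[str, Tuple[float, float]]:
    """Independent replications; returns (mean, 95% half-width) per metric.
    The half-width uses a normal approximation (a t-quantile is more conservative
    for this few replications)."""
    runs = [simulate(p, rate_pps, sim_time_s, warmup_s, base_seed + 7919 * r)
            for r in range(n_reps)]
    out = {}
    for key in runs[0]:
        vals = [run[key] for run in runs]
        half = 1.96 * statistics.stdev(vals) / len(vals) ** 0.5 if len(vals) > 1 else 0.0
        out[key] = (statistics.fmean(vals), half)
    return out

def compare(rate_pps: float = 5000.0, ruleset_size: int = 1000):
    """Same attack rate aimed at the top rule versus the bottom rule of the ruleset."""
    common = dict(capacity=20, base_us=10.0, per_rule_us=1.0)   # assumed costs
    top = FirewallParams(rule_position=1, **common)
    bottom = FirewallParams(rule_position=ruleset_size, **common)
    return replicate(top, rate_pps), replicate(bottom, rate_pps)

if __name__ == "__main__":
    top, bottom = compare()
    for key in top:
        print(f"{key:15s} top={top[key][0]:12.3f} bottom={bottom[key][0]:12.3f}")
```

With these parameters the top-rule flow offers a load of about 0.055 and passes almost untouched, while the bottom-rule flow needs roughly 1 ms per packet and saturates the firewall: throughput collapses to the service rate, four of five packets are lost, and delay becomes the full buffer's worth of service time. The same offered-load reasoning (arrival rate times the position-dependent service time) is what the analytical model captures in closed form.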
CONCLUSION
We have presented and validated an analytical model to
study and analyze the performance of rule-based network
firewalls. From the model, we have derived key features and
performance measures of engineering and design significance.
These key features and measures include throughput, packet
loss, packet delay, and CPU utilization. The model can be used
to measure the performance when the firewall is subjected to
normal traffic flows as well as DoS attack flows targeting
different rule positions. It was demonstrated that targeting
rules at the bottom of a relatively large ruleset can be severely
detrimental to firewall performance. As a good design practice
and a vital countermeasure against DoS attacks that target
bottom rules, it is recommended to minimize the size of the
firewall ruleset, or to rearrange rules dynamically so that
frequently matched bottom rules are served near the top of the
ruleset, thereby making it harder to launch such algorithmic-complexity
attacks against bottom rules. Any such rearrangement must
preserve the policy's first-match semantics: a rule may only be
moved ahead of rules whose conditions it does not overlap, or
that take the same action.