Modeling and Simulation for Detecting a Distributed Denial of Service Attack
AI '02 Proceedings of the 15th Australian Joint Conference on Artificial Intelligence: Advances in Artificial Intelligence
Multi-constraint Security Policies for Delegated Firewall Administration
DSOM '08 Proceedings of the 19th IFIP/IEEE international workshop on Distributed Systems: Operations and Management: Managing Large-Scale Service Deployment
| Hi-index | 0.00 |
Efforts of this paper focus on the issues about management and throughput of firewalls (or screening routers) applied in transit networks. On the one hand, manual configuration of large amount of firewalls distributed in many access points cannot meet the global security requirements in the open and dynamic environment. On the other hand, the ordinal lookup of filtering rules in each individual firewall results in great decrease of throughput. Aimed at a typical transit network and its security policy requirements, a policy-based access control framework (PACF) is proposed in this paper. This framework is based on three levels of abstract access control policy: organizational access control policy (OACP), global access control policy (GACP) and local access control policy (LACP). The GACP, which comes from the results of IDSes and search engines according to OACP, is automatically and dynamically distributed to firewalls as LACPs. Each LACP is then enforced by an individual firewall. Some key algorithms for distribution of GACP and enforcement of LACP are described. A hash-based algorithm is proposed, for lookup of filtering rules in LACP. Under the environment with policy requirements described in this paper, the new algorithm reduces the time complexity of lookup from O(N) of traditional sequential algorithm to O(1), which therefore increases largely the throughput of firewalls.