Practical UNIX security
KQML as an agent communication language
CIKM '94 Proceedings of the third international conference on Information and knowledge management
Firewalls and Internet security: repelling the wily hacker
Firewalls and Internet security: repelling the wily hacker
Internet security: firewalls and beyond
Communications of the ACM
Solaris Advanced System Administrator's Guide
Solaris Advanced System Administrator's Guide
Building Internet Firewalls
Windows NT Security Handbook
Security Constraint Processing in a Multilevel Secure Distributed Database Management System
IEEE Transactions on Knowledge and Data Engineering
Sharing Metainformation to Guide Cooperative Search Among Heterogeneous Reusable Agents
IEEE Transactions on Knowledge and Data Engineering
Firewall placement in a large network topology
FTDCS '97 Proceedings of the 6th IEEE Workshop on Future Trends of Distributed Computing Systems
Optimal Redundancy Allocation for Information Technology Disaster Recovery in the Network Economy
IEEE Transactions on Dependable and Secure Computing
Tools protecting stakeholders against hackers and crackers: an insight review
International Journal of Electronic Security and Digital Forensics
A distributed firewall and active response architecture providing preemptive protection
Proceedings of the 46th Annual Southeast Regional Conference on XX
Hi-index | 0.00 |
Security issues are critical in networked information systems, e.g., with financial information, corporate proprietary information, contractual and legal information, human resource data, medical records, etc. The theme of this paper is to address such diversity of security needs among the different information and resources connected over a secure data network. Installation of firewalls across the data network is a popular approach to providing a secure data network. However, single, individual firewalls may not provide adequate security protection to meet the user's needs. The cost of super firewalls, design flaws, as well as implementation inappropriateness with such firewalls may retain security loopholes. Toward this, the idea proposed in this paper is to introduce a cascade of (potentially simpler and less expensive) firewalls in the secure data network驴where, between the attacker node and the attacked node, multiple firewalls are expected to provide an added degree of protection. This approach, broadly following the theme of redundancy in Engineering Systems' Design, will increase the confidence and provide more completeness in the level of security protection by the firewalls. The cascade of (i.e., multiple) firewalls can be placed across the secure data network in many ways, not all of which are equally attractive from cost and end-to-end delay perspectives. Toward this, we present heuristics for placement of these firewalls across the different nodes and links of the network in a way that different users can have the level of security they individually need, without having to pay added hardware costs or excess network delay. Three metrics are proposed to evaluate these heuristics: cost, delay, and reduction of attacker's traffic. Performance of these heuristics is presented using simulation, along with some early analytical results. Our research also extends the firewall technology into the well-known advantages of distributed firewalls. Furthermore, the distributed firewalls can be designed to cooperate and stop an attacker's traffic closest to the attack point驴thereby reducing the amount of hacker's traffic into the network.