Anticipatory distributed packet filter configurations for carrier-grade IP networks

Authors:
Birger Tödtmann;Erwin P. Rathgeb
Affiliations:
Computer Networking Technology Group, Institute for Experimental Mathematics, University of Duisburg-Essen, Germany;Computer Networking Technology Group, Institute for Experimental Mathematics, University of Duisburg-Essen, Germany
Venue:
Computer Networks: The International Journal of Computer and Telecommunications Networking
Year:
2007

Citing 10
Cited 0

Implementing a distributed firewall

Proceedings of the 7th ACM conference on Computer and communications security
New dynamic algorithms for shortest path tree computation

IEEE/ACM Transactions on Networking (TON)
Policy-Based Management: Bridging the Gap

ACSAC '99 Proceedings of the 15th Annual Computer Security Applications Conference
BRITE: An Approach to Universal Topology Generation

MASCOTS '01 Proceedings of the Ninth International Symposium in Modeling, Analysis and Simulation of Computer and Telecommunication Systems
Filtering postures: local enforcement for global policies

SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Characteristics of internet background radiation

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Firmato: A novel firewall management toolkit

ACM Transactions on Computer Systems (TOCS)
Balancing Trie-Based Policy Representations for Network Firewalls

ISCC '06 Proceedings of the 11th IEEE Symposium on Computers and Communications
Using client puzzles to protect TLS

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Denial of service via algorithmic complexity attacks

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12

Quantified Score

Hi-index	0.00

Visualization

Abstract

Packet filters have traditionally been used to shield IP networks from known attack flows, usually within firewall systems connecting trusted and non-trusted network segments. As IP networks grow and tend to connect to more and more neighbor networks with unknown trust status, carrier-grade operators in particular are beginning to experience raising costs due to increasingly complex filter configurations that have to be applied to their networks, in order to maintain a desired security level. In this paper, we discuss the general properties of distributed packet filter configurations in large networks. Additionally, an algorithm for a simplified compilation of anticipatory static packet filter configurations in heterogeneous IP networks as well as simulation results that demonstrate possible filter cost reduction is presented.