Modelling and analysis of rule-based network security middleboxes

IET Information Security
This study presents an analytical model for rule-based network security middleboxes such as network firewalls, intrusion detection systems and email spam filters. In these systems, incoming packets carrying requests arrive at the middlebox and are queued for processing in multiple stages: first a main packet-processing stage, then subsequent stages of rulebase interrogation in which rules or conditions are checked sequentially until a match is triggered. Service at these stages is mutually exclusive; that is, only one stage is active at any time. The authors derive useful formulas that predict the middlebox's performance from its incoming request rate, queue size and processing capacity, so that the middlebox can be properly capacity-engineered.
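The paper's closed-form results are not reproduced on this page, so the following is an added example, not the authors' code: a discrete-event simulation of the model the abstract describes (single server, finite queue, a main stage followed by sequential rule checks until a match), which reports the drop probability, mean time in the box and rules checked per packet for a given arrival rate, queue size and processing capacity. Exponential stage times, the rates and the per-rule match probabilities are all assumptions constructed for the example.

```python
import random
from collections import deque

def rules_until_match(rng, match_probs):
    """Sequential rulebase interrogation: check rules in order and stop at the
    first match. The last rule is treated as a catch-all default, so it always matches."""
    for i, p in enumerate(match_probs, start=1):
        if i == len(match_probs) or rng.random() < p:
            return i
    return 0  # empty rulebase: nothing to interrogate

def simulate_middlebox(arrival_rate, main_rate, rule_rate, match_probs,
                       queue_size, n_packets=20000, seed=1):
    """Single-server FIFO middlebox with finite capacity (assumed model, not the
    paper's closed form): Poisson arrivals at arrival_rate packets/s; each packet
    gets an exponential main-stage service (mean 1/main_rate) and then one
    exponential check (mean 1/rule_rate) per rule interrogated. queue_size is the
    total number of packets the box can hold; an arrival finding it full is dropped.
    Service is mutually exclusive: one packet is carried through all stages
    before the next one starts."""
    rng = random.Random(seed)
    in_system = deque()          # completion times of packets still in the box
    now, served, dropped = 0.0, 0, 0
    total_response, total_rules = 0.0, 0
    for _ in range(n_packets):
        now += rng.expovariate(arrival_rate)
        while in_system and in_system[0] <= now:   # departures before this arrival
            in_system.popleft()
        if len(in_system) >= queue_size:           # box full: packet is dropped
            dropped += 1
            continue
        start = in_system[-1] if in_system else now  # server busy until last completion
        n_rules = rules_until_match(rng, match_probs)
        service = rng.expovariate(main_rate) + sum(
            rng.expovariate(rule_rate) for _ in range(n_rules))
        done = start + service
        in_system.append(done)
        served += 1
        total_response += done - now
        total_rules += n_rules
    return {
        "arrivals": n_packets, "served": served, "dropped": dropped,
        "drop_probability": dropped / n_packets,
        "mean_response_s": total_response / max(served, 1),   # time in the box
        "mean_rules_checked": total_rules / max(served, 1),
    }
```

Sweeping `arrival_rate` and `queue_size` while holding the stage rates fixed gives the load/drop curve a capacity plan needs; a long rulebase with low early match probabilities inflates service time and therefore drops under the same offered load.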

http://iet.metastore.ingenta.com/content/journals/10.1049/iet-ifs.2014.0545