SlideShare a Scribd company logo

Traffic aware dynamic

J
Justin Cletus

Traffic aware dynamic

Engineering
1 of 7
Download to read offline
IEEE Communications Magazine • July 2013 730163-6804/13/$25.00 © 2013 IEEE INTRODUCTION Firewalls are the most popular network-based security devices and have been widely deployed since the early days of computer networks. They are designed to permit or deny network traffic based on a firewall policy that specifies what types of packets should be allowed from/into the protected network. Firewalls are usually deployed at the boundary points between net- works and subnets. With the growth of network complexity, it is very common to find firewall policies with thousands of rules. A firewall policy contains a set of rules that are usually checked in a sequential order. This implies that the high- er the order of the matching rule, the more cost- ly the firewall filtering overhead will be. Thus, to reduce the filtering overhead, it is crucial to have the appropriate rule ordering in the fire- wall policy. Firewall policy rule management is also important for security. An attacker can launch denial of service (DoS) attacks by over- whelming firewalls with packets that match high ordered rules such as the default deny rule. This attack can drastically reduce the overall through- put of firewalls and increase network delays dra- matically [1]. However, finding the optimal rule ordering in firewall policy is a computationally hard problem [2]. It is important to design prac- tical heuristics for adapting firewall policies dynamically without losing semantic integrity. The study of many Internet and private traces shows that the major portion of network traffic flows matches a small subset of firewall rules, which means that the frequency distribution for some of the traffic properties appears to be highly skewed [3]. Therefore, when performing packet filtering, it is desirable to decrease the number of packet matches required for large flows in order to reduce the overall packet matching time. It is also observed that the skewedness in traffic distribution is likely to last long enough to make firewall policies adaptively take advantage of it [3]. Based on these observa- tions, many techniques have been proposed to exploit this traffic property to achieve two goals: increase the firewall performance and defend against DoS attacks. We classify firewall policy management tech- niques into two categories, as shown in Fig. 1: matching optimization and early rejection opti- mization. Matching optimization techniques can be further classified into two types: static and traffic-aware adaptive. Early rejection optimiza- tion techniques can be further classified into two types: online and blacklist blocking. In this article we present a comprehensive survey of dynamic firewall policy management techniques that uti- lize traffic characteristics and give a detailed comparison of these techniques. We believe that this study can help researchers gain a good understanding of existing work and enable future innovations. We also believe that this study can help engineers and system administrators be aware of this important problem and adopt the appropriate traffic-aware firewall technique based on specific applications. The article is organized as follows. First, we introduce necessary background knowledge for the article. Next, we describe statistical matching optimization techniques. We then describe early ABSTRACT Firewalls are important network security devices that protect networks by blocking unwanted traffic based on filtering policies. However, the structure of firewall policies has a major impact on firewall security and perfor- mance. In this article, we classify, describe, and compare traffic-aware firewall policy manage- ment techniques based on their objectives, schemes, complexity, applicability, and limita- tions. We classify traffic-aware firewall policy techniques into two categories based on their goals: matching optimization and early rejection optimization schemes. Matching optimization techniques try to minimize the matching time of normal network traffic. Early rejection tech- niques create a minimum set of policy preamble rules (constraints) that can potentially filter out the maximum amount of denied traffic. Both categories are self-adaptive to ensure that the performance gain will always supersede the dynamic management maintenance overhead. We believe that our work provides important insights on the operation and use of traffic- aware filtering. TOPICS IN NETWORK AND SERVICE MANAGEMENT Qi Duan and Ehab Al-Shaer, University of North Carolina at Charlotte Traffic-Aware Dynamic Firewall Policy Management: Techniques and Applications DUAN LAYOUT_Layout 1 6/26/13 1:50 PM Page 73
IEEE Communications Magazine • July 201374 rejection optimization techniques. We give a detailed comparison of the techniques. We con- clude the article. BACKGROUND A firewall is a network element that controls the traversal of packets across the boundaries of a secured network based on a specific security poli- cy. A firewall security policy is a list of ordered filtering rules that define the actions performed on matching packets. A rule is composed of filter- ing fields (also called header tuples) such as pro- tocol type, source IP address, destination IP address, source port and destination port, and an action field. Each network field may be a single value or a range of values. Filtering actions are either accept, which passes the packet into or from the secure network, or deny, which causes the packet to be discarded. The packet is accept- ed or denied by a specific rule if the packet head- er information matches all the network fields of this rule. Otherwise, the following rule is exam- ined, and the process is repeated until a matching rule is found or the default policy action is per- formed. The filtering rules may not be disjoint; therefore, packets may match one or more rules in the firewall policy. In this case, these rules are said to be dependent or overlapping, and their relative ordering must be preserved for the fire- wall policy to operate correctly. For example, in Fig. 2a, rules R1 and R2 are overlapping rules. The traffic address space is the space whose elements contain all possible tuples that identify traffic flows in a network environment. This is usually composed of the transport protocol, source address/port, and destination address/ port. A segment is a subset of the total traffic address space that is covered by a unique set of rules. In other words, segments are equivalence classes over packets. The equivalence of packets is defined by the same policy rules that match these packets. Therefore, segments exhibit the following two properties: • All segments are pairwise disjoint. • Any packet must fall in exactly one seg- ment. Figure 2a shows a simple firewall policy com- posed of three rules: R1, R2, and R3. Figure 2b shows the segmentation of the firewall policy in Fig. 2a. As a result of intersecting (or overlap- ping) the three rules, four address segments are produced: S1, S2, S3, and S4. MATCHING OPTIMIZATION TECHNIQUES AN OVERVIEW The objective of matching optimization is to reduce the number of rules to be inspected in the average case [3]. As shown in Fig. 1, there are two types of matching optimization tech- niques: static and adaptive. Many algorithmic- based techniques have been proposed for static filtering optimization. These techniques try to improve the search time using various algorithmic techniques such as hardware- based solutions, specialized data structures, and heuristics. However, these static tech- niques are used to improve the worst case sce- nario, and they do not consider the properties of network traffic. The earliest work to exploit traffic properties for packet classification is by Gupta et al. in [4]. In this work, the authors used depth-constrained single-field alphabetic trees to reduce the lookup time of destination IP addresses of packets against entries in the routing table. However, one cannot directly use it for firewalls that have multiple match- ing fields. In this article, we focus on adaptive optimization techniques that improve the effi- ciency of filtering in the average case. These techniques can adjust the filtering policies to fit the matching frequency of firewall rules or filtering field values. Rule-based techniques include common branch decision tree, offline statistical-based rule generation, and dynamic rule ordering. Field-value-based techniques include multifield alphabetic tree, Huffman- tree-based filtering, and segment-list-based filter- ing. In the following subsections, we describe these traffic-aware dynamic firewall policy techniques because they represent the state of Figure 1. Classification of traffic-aware firewall policy techniques. Classification of firewall policy management techniques Matching optimization Early rejection optimization Blacklist blockingOnline early rejection Field-based optimizationRule-based optimization Algorithm-based static techniques Strict Static Adaptive traffic-aware Relaxed LCP-based blacklist blocking BDD-based relaxed policy Field-value- cover- based early rejection Segment- list-based filtering Huffman- tree- based filtering Multifield alphabetic tree Dynamic rule ordering Offline statistical- based rule generation Common branch tree The traffic address space is the space whose elements con- tain all possible tuples that identify traffic flows in a net- work environment. This is usually com- posed of the trans- port protocol, source address/port, and destination address/port. A seg- ment is a subset of the total traffic address space that is covered by a unique set of rules. DUAN LAYOUT_Layout 1 6/26/13 1:50 PM Page 74
IEEE Communications Magazine • July 2013 75 the art in traffic-aware firewall filtering for firewalls with a large number of overlapping rules. RULE-BASED OPTIMIZATION Common Branch Tree — In [5], the authors present common branching-tree-based packet classification algorithms in an operational net- work. Decision trees can be categorized under three optimization criteria: worst case, average case, and mixed. Based on the skewedness in Internet traffic, they suggest that average case time is an important metric in the packet classifi- cation settings and propose algorithms to con- struct common branches decision trees to achieve good average case performance. It needs time Q(klog(l/k)) and space Q(l) to build com- mon branches decision tree, where l is the num- ber of rules and k is the number of fields. The experimental evaluation of real-word fil- ters showed that common branching trees use much less memory than binary decision trees, and have comparable worst case and average case search times. The good performance of the common branching tree can be attributed to the presence of extensive wildcarding with a certain structure in the rule sets. The limitation of the technique is that the entire decision tree needs to be rebuilt every time the traffic pattern changes, and it is not appropriate for heavily overlapping rules. Offline Statistical-Based Rule Generation — In [6], the authors presented an offline statisti- cal-based rule generation technique called traf- fic-aware firewall optimizer (TFO). The first step in TFO is called pre-optimization. This step removes all redundancies in the rule set. The second step of TFO uses two optimizers: a rule- set-based optimizer and a traffic-based optimizer. The rule-set-based optimizer contains the Dis- joint Set Creator (DSC) algorithm and the Dis- joint Set Merger (DSM) algorithm. The DSC algorithm converts the original rule set to a semantically equivalent disjoint rule set, which can provide the traffic-based optimizer with full flexibility to re-order rules based on traffic char- acteristics. The DSM algorithm merges the rules of the disjoint rule set produced by DSC to reduce rule set size. The traffic-based optimizer has four components: hot caching, total re-order- ing, default proxy, and online adaptation. The hot caching scheme tries to put those rules that are frequently hit to the top of the rule set. The total re-ordering scheme combines the measure of hit frequency and rule size to optimize rule ordering. The default proxy scheme can optimize the firewall performance when the default deny action is heavily invoked. The online adaptation scheme builds a long-term rule hit profile to optimize the rule set. TFO is based on the assumption that only a small portion of rules are dependent on other rules, so it cannot handle policies with heavily overlapped rules. Also, TFO has only limited adaptivity because the rule hit profile is built offline. The authors conducted experiments in only one enterprise firewall, which may not be able to represent other real world firewalls. Dynamic Rule Ordering — This technique uses a heuristic approximation algorithm for optimal dynamic firewall rule ordering based on real-time traffic characteristics [2]. The objective of optimizing the firewall rules is to create a semantically equivalent rule order that mini- mizes the packet matching time in firewalls. The optimal rule ordering (ORO) problem is mapped to the job scheduling problem for a single machine with precedence constraints. Since the scheduling problem is NP-hard, the general ORO problem is also NP-hard. Thus, a heuristic approximation algorithm that runs in polynomial time and achieves near-optimal results for the most common firewall policies is presented. The implementation of the technique also includes a method to compute filtering rule weights in order to capture the matching impor- Figure 2. An example of firewall rules and segmentation. Protocol tcp tcp tcp Action Deny Accept Deny Source address:port 140.192.37.30:any 140.192.37.*:100 *.*.*.*:any Destination address:port *.*.*.*:any *.*.*.*:any *.*.*.*:any Rule R1 R2 R3 (a) (b) R1 R2 S2 S1 S3R3 S4 The good perfor- mance of the common branching tree can be attribut- ed to the presence of extensive wild- carding with a certain structure in the rule sets. The limitation of the technique is that the entire decision tree needs to be rebuilt every time the traffic pattern changes, and it is not appropriate for heavily overlapping rules. DUAN LAYOUT_Layout 1 6/26/13 1:50 PM Page 75
IEEE Communications Magazine • July 201376 tance of every rule relative to others. Each rule in the filtering policy is given a weight that reflects the dominance of this rule in matching the traffic processed by the firewall. The rule weight is calculated based on matching frequency, which determines how frequent the rule has been triggered, and matching recency, which determines how recent the rule has been trig- gered during packet matching. The optimized rule list is constructed based on the computed rule weights and is used for matching upcoming packets to the firewall. Since the traffic distribu- tion of Internet flows over filtering rules is con- stantly changing, the rule weights should be dynamically adjusted to reflect the most recent distribution. Two types of rule list updates are used: performance-based triggered updates and time-based periodic updates. In this way, an ordering that is as close as possible to the opti- mal can be computed, while the overhead to compute these updates can be minimized. The limitation of the technique is that it is not good for policies with a large number of overlapping rules. FIELD-BASED OPTIMIZATION Multifield Alphabetic Tree — In [3, 7], a new multifield alphabetic-tree-based technique for dynamic firewall policy management was pre- sented. The technique calculates the field value frequency (entropy) and uses this entropy infor- mation to build the alphabetic search tree for adaptive packet filtering. The alphabetic search tree stores field values in the leaves based on given weights such that the inherent order of the stored values is preserved. At each internal node, the left subtree contains nodes that have values less than those on the right. This added constraint of enforcing an order on the place- ment of values in the tree enables the matching algorithm to branch left or right. The constraint can also eliminate the need for preprocessing of the packet field values. The alphabetic search tree inserts values of higher occurrence probability (matching fre- quency) at higher tree levels than the values with less probability. Field values that commonly exist in the traffic will have lower numbers of packet matches compared to uncommon values. The alphabetic search tree can improve the overall average filtering by significantly reducing the number of matches for most popular pack- ets, although it may not be in favor of less fre- quently matched traffic. The gain in filtering performance is proportional to the degree of skewedness in the traffic distribution over field values. Even in the worst case scenario when the traffic distribution is uniform, this technique cannot do worse than the binary search as a lower bound. The alphabetic search tree can be built with time O(nlogn) and space O(n) where n is the number of rules. The limitation of this technique is that the overhead of updating the tree can be significant. Huffman-Tree-Based Filtering — This tech- nique in [8] uses a Huffman tree to represent the segmentation of traffic address space in the firewall policy. The Huffman tree can minimize the average number of comparisons applied to packets arriving at the firewall ports. To build the Huffman tree, the traffic statis- tics can be kept as hit-count measurements for all segments. The internal nodes of the Huffman tree contain a Boolean expression that should be satisfied by each packet passing through this node towards its descendants. The expression is built by taking logic OR of the two correspond- ing expressions from the children nodes. When a new node is created in a merging step of two nodes with the lowest weight, it will have the expression that takes the logic OR of these two nodes. The operation in the Huffman tree building algorithm differs slightly with the original Huff- man’s algorithm. The changes occur in swapping the left and right children based on whichever is easier to evaluate. Another difference is the added expression at each node. The time and space complexity of building the Huffman tree are O(ns) and s, respectively, where n is the number of rules and s is the num- ber of segments in the policy. Using the skewedness of the segments to build a Huffman tree over these segments can enhance the per- formance of searching. The technique is good for policies with a large number of rules. The limitation is that the Huffman tree needs to be rebuilt periodically to reflect changes in network flows. Segment-List-Based Filtering — In order to get rid of the maintenance cost of the Huffman tree, one can use a policy-segment-based search list [8] to utilize the very high imbalance in the frequency distribution of packets over the policy segments. One can obtain a very simple yet extremely effective structure by building a simple list of segments that is updated after each packet match. Theoretically, the optimal order is to have the segments sorted in reverse order of their popularity. But it is impossible to guaran- tee this without prior knowledge of the exact dis- tribution. A heuristic algorithm can be used to minimize the average search time. The main idea in the algorithm is to match an incoming packet against the segment list one by one; once a match is found, the list ordering is adjusted. The time and space complexity of building the segment list are O(ns) and s, respectively, where n is the number of rules and s is the num- ber of segments in the policy. This technique only contains very simple operations. It is good for extremely biased traffic. The only limitation is that it has transient behavior until a good order of segments is obtained. EARLY REJECTION OPTIMIZATION TECHNIQUES AN OVERVIEW The problem of early packet filters received much attention for two main reasons. The first is to protect firewalls from DoS attacks that target the default deny rule. The second is to minimize the filtering overhead due to discarding unwant- ed traffic by introducing approximate policies that can easily filter out discarded traffic. The alphabetic search tree inserts values of higher occurrence probabili- ty (matching fre- quency) at higher tree levels than the values with less probability. Field val- ues that commonly exist in the traffic will have lower numbers of packet matches compared to uncommon values. DUAN LAYOUT_Layout 1 6/26/13 1:50 PM Page 76
IEEE Communications Magazine • July 2013 77 Early rejection optimization can be classi- fied as online and blacklist blocking. Online early rejection techniques include field value cover early rejection [7] and the binary deci- sion diagram (BDD)-based relaxed policy [1]. Blacklist blocking techniques include longest common prefix (LCP)-based blacklist block- ing [9]. ONLINE EARLY REJECTION Field Value Cover-Based Early Rejection — The first article to present an early rejection optimization technique is [7]. In this technique, an early filtering module is deployed as anoth- er layer before the actual filtering that takes place in a firewall. The goal of this early filter- ing module is to filter out as many discarded packets as possible with the lowest overhead. This is because discarded packets might tra- verse a long decision path of rule matching before they are finally rejected by the default deny rule, which causes significant overhead proportional to the number of rules in the fire- wall policy. For those packets on which the early filtering module has made a decision (deny or accept), there is no need to pass the packet to the original filtering module. If the early filtering module cannot reach a decision based on its approximation of the policy, the filtering process will be delegated to the origi- nal filtering algorithm. The early rejection rules (RRs) can be formed as a combination of the common field values that cover all rules in the policy. It can be shown that these rules are more feasible to find because the number of distinct field values is usually small relative to the policy size. It is desirable to search in the firewall policy for a combination of common field values such that every rule uses at least one of these values. This problem can be modeled as a set cover problem. Two approximation algorithms can be used to solve this problem. The first one runs in time O(n2) and has an approximation ratio log(n) where n is the number of rules. The sec- ond one uses integer programming to achieve an f approximation ratio where f is the maxi- mum number of subsets to which any element can belong. The set cover approximation algo- rithm generates a combination of common field values to be used as early rejection rules. But it is not known in advance how many and which ones we should use to achieve an opti- mal rejection solution. A suite of three algo- rithms were used to address this problem. These three algorithms are the startup phase algorithm, dynamic rule selection algorithm, and early rejection algorithm. In the startup phase algorithm, the candidate rejection rule list is built from different solutions that belong to the set cover problem. The dynamic rule selec- tion algorithm is responsible for the periodic addition/removal of rules according to the per- formance gain/loss of each rule. The early rejection algorithm calculates the location of early rejection relative to normal packet filter- ing and defines the per-packet operation of fil- tering. The limitation of the technique is that it is not suitable for large policies (policies with a large number of rules). BDD-Based Relaxed Policy — Another tech- nique is called the BDD-based relaxed policy. The basic idea of this policy is to approximate the current policy with another new policy. The technique evaluates every packet against the new policy, and decides to accept, reject, or forward it to the original policy. The original policy is deployed as normal, but it is not executed unless the early filtering module fails to reach a deci- sion. Efficient Boolean expression can be used to represent and approximate the policy. The actu- al implementation is based on Boolean expres- sions, which are constructed using BDD. Each Boolean expression represents the different packets that match a specific rule, and the vari- ables used for this expression correspond to the bits of individual packet header fields (e.g., source IP, destination port, protocol). BDDs can facilitate the matching by representing the expression in the form of a tree, where each variable is checked only once. An important advantage of the BDD tree is that the decision can be quickly made for a large portion of the packet space. When a packet arrives, the fields in the packet header are extracted and sorted according to their order in the expression tree, so they can be used one by one in navigating the tree. Tree navigation is itself a very simple set of instructions. One need only check the variable at the current node, and load the left child node entry in the BDD table if true and the right child entry if false. This is repeated until a node is reached with a final value or the maximum depth allowed in the tree is reached. Note that this BDD construction technique can also be used for matching optimization. The whole system is dynamic to traffic prop- erties, and can be tuned by the policy structure and previous performance measures. The limita- tion of the technique is that the overhead to build the BDD is usually significant. LCP-BASED BLACKLIST BLOCKING This technique is the general framework for modeling the filter selection as resource alloca- tion problems in [9]. A filter is a set of simple access control rules to specify that addresses with certain prefixes should be blocked. The goal of filter selection is to build filtering rules that can minimize the impact of malicious sources in the network using the available network resources. The technique considers different fil- tering problems based on different attack sce- narios, operators’ policies and constraints. Each filtering problem can be modeled as an opti- mization problem. The data structure to repre- sent the problems is the LCP) tree. The LCP tree is a kind of binary tree such that the leaves of the tree are the malicious IP addresses, and all the other nodes represent the longest com- mon prefixes between any pair of IPs in the tree. The LCP tree can be built in time O(mN) and space O(N) where m = 32 is the number of bits in the IP address and N is the number of mali- cious IP addresses. Polynomial or pseudo-poly- nomial algorithms were designed to solve the filtering problems. The limitation of this tech- nique is that all the malicious IP addresses must be known before the computation of the optimal The early rejection algorithm calculates the location of early rejection relative to normal packet filter- ing and defines the per-packet operation of filtering. The limi- tation of the tech- nique is that it is not suitable for large policies (policies with a large number of rules). DUAN LAYOUT_Layout 1 6/26/13 1:50 PM Page 77
IEEE Communications Magazine • July 201378 solution. To defend against attackers who can move quickly among multiple source IPs, one must recompute the optimal solutions frequent- ly. Thus, this technique may not be efficient enough. A COMPARATIVE STUDY In this section we present a detailed comparison of the traffic-aware dynamic firewall policy man- agement techniques discussed in this article. Table 1 shows the comparison of the data structures, algorithms, adaptivity, measure- ment, and complexity (time and space) of the techniques. Here the adaptivity column denotes whether the technique is online or offline, and the measurement column denotes the key quantitative values used in the technique. We compare the nine techniques discussed in the article for traffic-aware packet filtering. The algorithmic-based static techniques in Fig. 1 are not included in our study since they are not traffic-aware filtering techniques. Note that in the table, n, d, s, and N are the number of rules, the number of fields, the number of seg- ments, and the number of malicious source addresses in the policy, respectively. For BDD- based techniques, in the worst case the com- plexity can be exponential. However, in most cases, the complexity of BDD construction for firewall policies does not exceed the quadratic of the number of rules due to rule correlation and overlapping [10]. For offline statistical- based rule generation, the complexity is not known because the authors did not give a com- plexity analysis. We can note that dynamic rule ordering and multifield alphabetic tree have sim- ilar complexity, while Huffman tree based filter- ing and segment list based filtering have complexity related to the number of rules and segments in the policy. Table 2 compares the functionality, policy structure, traffic characterization and mainte- nance cost of each technique. In this table, plus (+) sign means the corresponding technique is suitable for the property, and minus (–) sign means the corresponding technique may not be suitable for the property. N/A means the tech- nique is not applicable for the property. Skew- ness is the measure of the asymmetry in the probability distribution of the traffic. Dynamic means that the traffic pattern has frequent changes. LCP based blacklist blocking is not applicable for general policies of multi-field rules. Although dynamic rule ordering, common branch tree, and offline statistical-based rule gen- eration techniques are good for rules with mul- tiple fields, they are not suitable for heavily overlapping policies. Although dynamic rule ordering, segment list based filtering, multi- field alphabetic tree and Huffman tree based filtering techniques exhibit high dynamism and low maintenance overhead, they expect high-to- moderate skewness in the traffic distribution (i.e., there is a small number of popular servers) except dynamic rule ordering, which can toler- ate low skewedness in traffic. BDD based relaxed policy, field value cover based early rejection, and offline statistical-based rule generation are not suitable for large poli- cies or policies with large number of field val- ues. Huffman-tree-based filtering, common branch tree, and offline statistical-based rule generation could exhibit high maintenance overhead. Online early rejection techniques (BDD-based relaxed policy, field-value-cover- based early rejection) look robust with traffic Table 1. Comparison of the algorithms, data structures, and complexity of traffic-aware dynamic firewall policy techniques. Technique Data structure Algorithm Adaptivity Measurement Time Space Common branch tree [3] Tree Decision tree optimization Offline N/A Q(dlog(n/d)) or n0.63 nQ(d) Offline statistical-based rule generation [1] List Optimal splitting Offline N/A 2n n Dynamic rule ordering [7] Rule Job scheduling with precedence Online Rule frequency and recency O(nlogn) O(n) Multifield alphabetic tree [8] Tree Alphabetic tree Online Field entropy O(nlogn) O(dn) Huffman tree filtering [5] Tree Huffman tree Online Segment entropy O(ns) O(s) Segment-list-based filtering [5] List Linear search Online Segment counting O(ns) O(s) Field-value-cover-based early rejection [8] Boolean expression Set cover approximation Online Statistical thresholding O(n2) O(n) BDD-based relaxed policy [4] BDD BDD optimization Online Rule probability O(2n) O(2n) LCP-based blacklist blocking [10] Tree Dynamic programming Offline N/A O(N) O(N) DUAN LAYOUT_Layout 1 6/26/13 1:50 PM Page 78
IEEE Communications Magazine • July 2013 79 distribution and rules overlapping, but they suffer from the high number of rules. It is worth noticing that offline statistical-based rule generation is not fit for overlapping rules and traffic dynamics, and LCP-based blacklist blocking can only be applied efficiently to a pre-defined blacklist. To achieve the desired goal, one should choose the appropriate tech- nique according to the properties of the fire- wall policy. SUMMARY In this article we present a taxonomy of traf- fic-aware firewall management techniques. We believe that our analysis of the research work in traffic-aware dynamic firewall policy management can help researchers and engi- neers to understand the importance of the problem and provide useful guidance for adopting a specific technique based on appli- cation requirements. This study provides ingredients for more innovative solutions in this field. REFERENCES [1] S. Acharya et al., “Traffic-Aware Firewall Optimization Strategies,” IEEE ICC, 2006. [2] E. Al-Shaer, W. Marrero, and A. El-Atawy, “Network Configuration in A Box: Towards End-to-End Verifica- tion of Network Reachability and Security,” IEEE Int’l. Conf. Network Protocols, Oct. 2009. [3] E. Cohen and C. Lund, “Packet Classification in Large ISPS: Design and Evaluation of Decision Tree Classi- fiers,” Proc. 2005 ACM Sigmetrics Int’l. Conf. Measure- ment and Modeling of Computer Systems, SIGMETRICS ’05, 2005, pp. 73–84. [4] A. El-Atawy et al., “Adaptive Early Packet Filtering for Defending Firewalls Against DoS Attacks,” IEEE INFO- COM ’09, Rio de Janeiro, Brazil, 2009, pp. 2437–45. [5] A. El-Atawy et al., “Using Online Traffic Statistical Matching for Optimizing Packet Filtering Performance,” INFOCOM ’07, 2007, pp. 866–74. [6] P. Gupta, B. Prabhakar, and S. Boyd, “Near Optimal Routing Lookups with Bounded Worst Case Perfor- mance,” IEEE INFOCOM 2000, 2000. [7] H. Hamed and E. Al-Shaer, “Dynamic Rule Ordering Optimization for High-Speed Firewall Filtering,” ASI- ACCS ’06, 2006. [8] H. Hamed, A. El-Atawy, and E. Al-Shaer, “Adaptive Sta- tistical Optimization Techniques for Firewall Packet Fil- tering,” IEEE INFOCOM ’06, Apr. 2006. [9] H. Hamed, A. El-atawy, and E. Al-shaer, “On Dynamic Optimization of Packet Matching in High-Speed Fire- walls,” IEEE JSAC, 2006, pp. 1817–30. [10] F. Soldo, A. Markopoulou, and K. J. Argyraki, “Optimal Filtering of Source Address Prefixes: Models and Algo- rithms,” IEEE INFOCOM ’09, 2009, pp. 2446–54. BIOGRAPHIES QI DUAN (qduan@uncc.edu) is a research associate in the Department of Software and Information Systems, Univer- sity of North Carolina at Charlotte. His research areas are network security and configuration verification. EHAB AL-SHAER (ehab@uncc.edu) is a professor and the director of the Cyber Defense and Network Assurability Center (CyberDNA) in the Department of Software and Information Systems, University of North Carolina at Char- lotte. His primary research areas are network security, secu- rity management, fault diagnosis, and network assurability. Table 2. Comparison of limitations and application suitability of traffic–aware dynamic firewall policy techniques. Technique Functionality Policy structure Traffic characterization Maintenance cost Matching optimization Early rejection Multi- field High over- lapping Large policy Large field value Large no. of seg- ments Skewed- ness Dynamic Common branch tree + – + – + – N/A Moderate No High Offline statistical- based rule generation + + + – – – N/A High Low High Dynamic rule ordering + – + – + + N/A Low High Low Multifield alphabetic tree + – + + + – N/A moderate high low Huffman tree filtering + – + + + N/A – Moderate High Low Segment-list-based filtering + – + + + N/A – Moderate High Low Field-value-cover- based early rejection – + + + – – N/A Moderate High Moderate BDD-based relaxed policy + + + + – – – Low Moderate High LCP-based blacklist blocking – + – – + + N/A N/A High Moderate DUAN LAYOUT_Layout 1 6/26/13 1:50 PM Page 79

Recommended

Distributed Packet Filtering Firewall for Enhanced Security In Mobile Ad-Hoc ...
Distributed Packet Filtering Firewall for Enhanced Security In Mobile Ad-Hoc ...Distributed Packet Filtering Firewall for Enhanced Security In Mobile Ad-Hoc ...
Distributed Packet Filtering Firewall for Enhanced Security In Mobile Ad-Hoc ...IJERA Editor
 
A COMBINATION OF TEMPORAL SEQUENCE LEARNING AND DATA DESCRIPTION FOR ANOMALYB...
A COMBINATION OF TEMPORAL SEQUENCE LEARNING AND DATA DESCRIPTION FOR ANOMALYB...A COMBINATION OF TEMPORAL SEQUENCE LEARNING AND DATA DESCRIPTION FOR ANOMALYB...
A COMBINATION OF TEMPORAL SEQUENCE LEARNING AND DATA DESCRIPTION FOR ANOMALYB...IJNSA Journal
 
A N E NERGY -E FFICIENT A ND S CALABLE S LOT - B ASED P RIVACY H OMOMOR...
A N E NERGY -E FFICIENT A ND S CALABLE S LOT - B ASED P RIVACY H OMOMOR...A N E NERGY -E FFICIENT A ND S CALABLE S LOT - B ASED P RIVACY H OMOMOR...
A N E NERGY -E FFICIENT A ND S CALABLE S LOT - B ASED P RIVACY H OMOMOR...ijassn
 
AN ENERGY-EFFICIENT AND SCALABLE SLOTBASED PRIVACY HOMOMORPHIC ENCRYPTION SCH...
AN ENERGY-EFFICIENT AND SCALABLE SLOTBASED PRIVACY HOMOMORPHIC ENCRYPTION SCH...AN ENERGY-EFFICIENT AND SCALABLE SLOTBASED PRIVACY HOMOMORPHIC ENCRYPTION SCH...
AN ENERGY-EFFICIENT AND SCALABLE SLOTBASED PRIVACY HOMOMORPHIC ENCRYPTION SCH...ijassn
 
IEEE 2015 NS2 Projects
IEEE 2015 NS2 ProjectsIEEE 2015 NS2 Projects
IEEE 2015 NS2 ProjectsVijay Karan
 
IEEE 2015 NS2 Projects
IEEE 2015 NS2 ProjectsIEEE 2015 NS2 Projects
IEEE 2015 NS2 ProjectsVijay Karan
 
A FORMAL VERIFICATION FRAMEWORK FOR SECURITY POLICY MANAGEMENT IN MOBILE IP B...
A FORMAL VERIFICATION FRAMEWORK FOR SECURITY POLICY MANAGEMENT IN MOBILE IP B...A FORMAL VERIFICATION FRAMEWORK FOR SECURITY POLICY MANAGEMENT IN MOBILE IP B...
A FORMAL VERIFICATION FRAMEWORK FOR SECURITY POLICY MANAGEMENT IN MOBILE IP B...IJNSA Journal
 
Using Data Mining for Discovering Anomalies from Firewall Logs: a Comprehensi...
Using Data Mining for Discovering Anomalies from Firewall Logs: a Comprehensi...Using Data Mining for Discovering Anomalies from Firewall Logs: a Comprehensi...
Using Data Mining for Discovering Anomalies from Firewall Logs: a Comprehensi...IRJET Journal
 

Recommended

Distributed Packet Filtering Firewall for Enhanced Security In Mobile Ad-Hoc ...
Distributed Packet Filtering Firewall for Enhanced Security In Mobile Ad-Hoc ...Distributed Packet Filtering Firewall for Enhanced Security In Mobile Ad-Hoc ...
Distributed Packet Filtering Firewall for Enhanced Security In Mobile Ad-Hoc ...IJERA Editor
 
A COMBINATION OF TEMPORAL SEQUENCE LEARNING AND DATA DESCRIPTION FOR ANOMALYB...
A COMBINATION OF TEMPORAL SEQUENCE LEARNING AND DATA DESCRIPTION FOR ANOMALYB...A COMBINATION OF TEMPORAL SEQUENCE LEARNING AND DATA DESCRIPTION FOR ANOMALYB...
A COMBINATION OF TEMPORAL SEQUENCE LEARNING AND DATA DESCRIPTION FOR ANOMALYB...IJNSA Journal
 
A N E NERGY -E FFICIENT A ND S CALABLE S LOT - B ASED P RIVACY H OMOMOR...
A N E NERGY -E FFICIENT A ND S CALABLE S LOT - B ASED P RIVACY H OMOMOR...A N E NERGY -E FFICIENT A ND S CALABLE S LOT - B ASED P RIVACY H OMOMOR...
A N E NERGY -E FFICIENT A ND S CALABLE S LOT - B ASED P RIVACY H OMOMOR...ijassn
 
AN ENERGY-EFFICIENT AND SCALABLE SLOTBASED PRIVACY HOMOMORPHIC ENCRYPTION SCH...
AN ENERGY-EFFICIENT AND SCALABLE SLOTBASED PRIVACY HOMOMORPHIC ENCRYPTION SCH...AN ENERGY-EFFICIENT AND SCALABLE SLOTBASED PRIVACY HOMOMORPHIC ENCRYPTION SCH...
AN ENERGY-EFFICIENT AND SCALABLE SLOTBASED PRIVACY HOMOMORPHIC ENCRYPTION SCH...ijassn
 
IEEE 2015 NS2 Projects
IEEE 2015 NS2 ProjectsIEEE 2015 NS2 Projects
IEEE 2015 NS2 ProjectsVijay Karan
 
IEEE 2015 NS2 Projects
IEEE 2015 NS2 ProjectsIEEE 2015 NS2 Projects
IEEE 2015 NS2 ProjectsVijay Karan
 
A FORMAL VERIFICATION FRAMEWORK FOR SECURITY POLICY MANAGEMENT IN MOBILE IP B...
A FORMAL VERIFICATION FRAMEWORK FOR SECURITY POLICY MANAGEMENT IN MOBILE IP B...A FORMAL VERIFICATION FRAMEWORK FOR SECURITY POLICY MANAGEMENT IN MOBILE IP B...
A FORMAL VERIFICATION FRAMEWORK FOR SECURITY POLICY MANAGEMENT IN MOBILE IP B...IJNSA Journal
 
Using Data Mining for Discovering Anomalies from Firewall Logs: a Comprehensi...
Using Data Mining for Discovering Anomalies from Firewall Logs: a Comprehensi...Using Data Mining for Discovering Anomalies from Firewall Logs: a Comprehensi...
Using Data Mining for Discovering Anomalies from Firewall Logs: a Comprehensi...IRJET Journal
 
Region Based Time Varying Addressing Scheme For Improved Mitigating Various N...
Region Based Time Varying Addressing Scheme For Improved Mitigating Various N...Region Based Time Varying Addressing Scheme For Improved Mitigating Various N...
Region Based Time Varying Addressing Scheme For Improved Mitigating Various N...theijes
 
Hf3612861290
Hf3612861290Hf3612861290
Hf3612861290IJERA Editor
 
Privacy preserving collaborative spectrum sensing with multiple service provi...
Privacy preserving collaborative spectrum sensing with multiple service provi...Privacy preserving collaborative spectrum sensing with multiple service provi...
Privacy preserving collaborative spectrum sensing with multiple service provi...ieeepondy
 
Privacy preserving and truthful detection of packet dropping attacks in wirel...
Privacy preserving and truthful detection of packet dropping attacks in wirel...Privacy preserving and truthful detection of packet dropping attacks in wirel...
Privacy preserving and truthful detection of packet dropping attacks in wirel...LogicMindtech Nologies
 
D035418024
D035418024D035418024
D035418024ijceronline
 
WORKLOAD CHARACTERIZATION OF SPAM EMAIL FILTERING SYSTEMS
WORKLOAD CHARACTERIZATION OF SPAM EMAIL FILTERING SYSTEMSWORKLOAD CHARACTERIZATION OF SPAM EMAIL FILTERING SYSTEMS
WORKLOAD CHARACTERIZATION OF SPAM EMAIL FILTERING SYSTEMSIJNSA Journal
 
Internet Traffic Classification Using Bayesian Analysis Techniques
Internet Traffic Classification Using Bayesian Analysis TechniquesInternet Traffic Classification Using Bayesian Analysis Techniques
Internet Traffic Classification Using Bayesian Analysis TechniquesDenis Zuev
 
Online stream mining approach for clustering network traffic
Online stream mining approach for clustering network trafficOnline stream mining approach for clustering network traffic
Online stream mining approach for clustering network trafficeSAT Publishing House
 
Online stream mining approach for clustering network traffic
Online stream mining approach for clustering network trafficOnline stream mining approach for clustering network traffic
Online stream mining approach for clustering network trafficeSAT Journals
 
Defending against collaborative attacks by malicious nodes in manets a cooper...
Defending against collaborative attacks by malicious nodes in manets a cooper...Defending against collaborative attacks by malicious nodes in manets a cooper...
Defending against collaborative attacks by malicious nodes in manets a cooper...IISTech2015
 
A1803060110
A1803060110A1803060110
A1803060110IOSR Journals
 
Bonneau - Complex Networks Foundations of Information Systems - Spring Review...
Bonneau - Complex Networks Foundations of Information Systems - Spring Review...Bonneau - Complex Networks Foundations of Information Systems - Spring Review...
Bonneau - Complex Networks Foundations of Information Systems - Spring Review...The Air Force Office of Scientific Research
 
Auto Finding and Resolving Distributed Firewall Policy
Auto Finding and Resolving Distributed Firewall PolicyAuto Finding and Resolving Distributed Firewall Policy
Auto Finding and Resolving Distributed Firewall PolicyIOSR Journals
 
An Effective Policy Anomaly Management Framework for Firewalls
An Effective Policy Anomaly Management Framework for FirewallsAn Effective Policy Anomaly Management Framework for Firewalls
An Effective Policy Anomaly Management Framework for FirewallsIJMER
 
A Novel Management Framework for Policy Anomaly in Firewall
A Novel Management Framework for Policy Anomaly in FirewallA Novel Management Framework for Policy Anomaly in Firewall
A Novel Management Framework for Policy Anomaly in Firewallijsrd.com
 
Interfirewall optimization across various administrative domain for enabling ...
Interfirewall optimization across various administrative domain for enabling ...Interfirewall optimization across various administrative domain for enabling ...
Interfirewall optimization across various administrative domain for enabling ...Editor IJMTER
 
Dp4301696701
Dp4301696701Dp4301696701
Dp4301696701IJERA Editor
 
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...ijcseit
 
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...ijcseit
 
Cross domain privacy-preserving cooperative firewall optimization
Cross domain privacy-preserving cooperative firewall optimizationCross domain privacy-preserving cooperative firewall optimization
Cross domain privacy-preserving cooperative firewall optimizationJPINFOTECH JAYAPRAKASH
 
Review on redundancy removal of rules for optimizing firewall
Review on redundancy removal of rules for optimizing firewallReview on redundancy removal of rules for optimizing firewall
Review on redundancy removal of rules for optimizing firewalleSAT Publishing House
 
Cross-Domain Privacy-Preserving Cooperative Firewall Optimization
Cross-Domain Privacy-Preserving Cooperative Firewall OptimizationCross-Domain Privacy-Preserving Cooperative Firewall Optimization
Cross-Domain Privacy-Preserving Cooperative Firewall OptimizationVenkatavarma Vegiraju
 

More Related Content

What's hot

Region Based Time Varying Addressing Scheme For Improved Mitigating Various N...
Region Based Time Varying Addressing Scheme For Improved Mitigating Various N...Region Based Time Varying Addressing Scheme For Improved Mitigating Various N...
Region Based Time Varying Addressing Scheme For Improved Mitigating Various N...theijes
 
Privacy preserving collaborative spectrum sensing with multiple service provi...
Privacy preserving collaborative spectrum sensing with multiple service provi...Privacy preserving collaborative spectrum sensing with multiple service provi...
Privacy preserving collaborative spectrum sensing with multiple service provi...ieeepondy
 
Privacy preserving and truthful detection of packet dropping attacks in wirel...
Privacy preserving and truthful detection of packet dropping attacks in wirel...Privacy preserving and truthful detection of packet dropping attacks in wirel...
Privacy preserving and truthful detection of packet dropping attacks in wirel...LogicMindtech Nologies
 
WORKLOAD CHARACTERIZATION OF SPAM EMAIL FILTERING SYSTEMS
WORKLOAD CHARACTERIZATION OF SPAM EMAIL FILTERING SYSTEMSWORKLOAD CHARACTERIZATION OF SPAM EMAIL FILTERING SYSTEMS
WORKLOAD CHARACTERIZATION OF SPAM EMAIL FILTERING SYSTEMSIJNSA Journal
 
Internet Traffic Classification Using Bayesian Analysis Techniques
Internet Traffic Classification Using Bayesian Analysis TechniquesInternet Traffic Classification Using Bayesian Analysis Techniques
Internet Traffic Classification Using Bayesian Analysis TechniquesDenis Zuev
 
Online stream mining approach for clustering network traffic
Online stream mining approach for clustering network trafficOnline stream mining approach for clustering network traffic
Online stream mining approach for clustering network trafficeSAT Publishing House
 
Online stream mining approach for clustering network traffic
Online stream mining approach for clustering network trafficOnline stream mining approach for clustering network traffic
Online stream mining approach for clustering network trafficeSAT Journals
 
Defending against collaborative attacks by malicious nodes in manets a cooper...
Defending against collaborative attacks by malicious nodes in manets a cooper...Defending against collaborative attacks by malicious nodes in manets a cooper...
Defending against collaborative attacks by malicious nodes in manets a cooper...IISTech2015
 
Bonneau - Complex Networks Foundations of Information Systems - Spring Review...
Bonneau - Complex Networks Foundations of Information Systems - Spring Review...Bonneau - Complex Networks Foundations of Information Systems - Spring Review...
Bonneau - Complex Networks Foundations of Information Systems - Spring Review...The Air Force Office of Scientific Research
 

What's hot (12)

Region Based Time Varying Addressing Scheme For Improved Mitigating Various N...
Region Based Time Varying Addressing Scheme For Improved Mitigating Various N...Region Based Time Varying Addressing Scheme For Improved Mitigating Various N...
Region Based Time Varying Addressing Scheme For Improved Mitigating Various N...
 
Hf3612861290
Hf3612861290Hf3612861290
Hf3612861290
 
Privacy preserving collaborative spectrum sensing with multiple service provi...
Privacy preserving collaborative spectrum sensing with multiple service provi...Privacy preserving collaborative spectrum sensing with multiple service provi...
Privacy preserving collaborative spectrum sensing with multiple service provi...
 
Privacy preserving and truthful detection of packet dropping attacks in wirel...
Privacy preserving and truthful detection of packet dropping attacks in wirel...Privacy preserving and truthful detection of packet dropping attacks in wirel...
Privacy preserving and truthful detection of packet dropping attacks in wirel...
 
D035418024
D035418024D035418024
D035418024
 
WORKLOAD CHARACTERIZATION OF SPAM EMAIL FILTERING SYSTEMS
WORKLOAD CHARACTERIZATION OF SPAM EMAIL FILTERING SYSTEMSWORKLOAD CHARACTERIZATION OF SPAM EMAIL FILTERING SYSTEMS
WORKLOAD CHARACTERIZATION OF SPAM EMAIL FILTERING SYSTEMS
 
Internet Traffic Classification Using Bayesian Analysis Techniques
Internet Traffic Classification Using Bayesian Analysis TechniquesInternet Traffic Classification Using Bayesian Analysis Techniques
Internet Traffic Classification Using Bayesian Analysis Techniques
 
Online stream mining approach for clustering network traffic
Online stream mining approach for clustering network trafficOnline stream mining approach for clustering network traffic
Online stream mining approach for clustering network traffic
 
Online stream mining approach for clustering network traffic
Online stream mining approach for clustering network trafficOnline stream mining approach for clustering network traffic
Online stream mining approach for clustering network traffic
 
Defending against collaborative attacks by malicious nodes in manets a cooper...
Defending against collaborative attacks by malicious nodes in manets a cooper...Defending against collaborative attacks by malicious nodes in manets a cooper...
Defending against collaborative attacks by malicious nodes in manets a cooper...
 
A1803060110
A1803060110A1803060110
A1803060110
 
Bonneau - Complex Networks Foundations of Information Systems - Spring Review...
Bonneau - Complex Networks Foundations of Information Systems - Spring Review...Bonneau - Complex Networks Foundations of Information Systems - Spring Review...
Bonneau - Complex Networks Foundations of Information Systems - Spring Review...
 

Similar to Traffic aware dynamic

Auto Finding and Resolving Distributed Firewall Policy
Auto Finding and Resolving Distributed Firewall PolicyAuto Finding and Resolving Distributed Firewall Policy
Auto Finding and Resolving Distributed Firewall PolicyIOSR Journals
 
An Effective Policy Anomaly Management Framework for Firewalls
An Effective Policy Anomaly Management Framework for FirewallsAn Effective Policy Anomaly Management Framework for Firewalls
An Effective Policy Anomaly Management Framework for FirewallsIJMER
 
A Novel Management Framework for Policy Anomaly in Firewall
A Novel Management Framework for Policy Anomaly in FirewallA Novel Management Framework for Policy Anomaly in Firewall
A Novel Management Framework for Policy Anomaly in Firewallijsrd.com
 
Interfirewall optimization across various administrative domain for enabling ...
Interfirewall optimization across various administrative domain for enabling ...Interfirewall optimization across various administrative domain for enabling ...
Interfirewall optimization across various administrative domain for enabling ...Editor IJMTER
 
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...ijcseit
 
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...ijcseit
 
Cross domain privacy-preserving cooperative firewall optimization
Cross domain privacy-preserving cooperative firewall optimizationCross domain privacy-preserving cooperative firewall optimization
Cross domain privacy-preserving cooperative firewall optimizationJPINFOTECH JAYAPRAKASH
 
Review on redundancy removal of rules for optimizing firewall
Review on redundancy removal of rules for optimizing firewallReview on redundancy removal of rules for optimizing firewall
Review on redundancy removal of rules for optimizing firewalleSAT Publishing House
 
Cross-Domain Privacy-Preserving Cooperative Firewall Optimization
Cross-Domain Privacy-Preserving Cooperative Firewall OptimizationCross-Domain Privacy-Preserving Cooperative Firewall Optimization
Cross-Domain Privacy-Preserving Cooperative Firewall OptimizationVenkatavarma Vegiraju
 
Splay trees based early packet rejection mechanism against do s traffic targe...
Splay trees based early packet rejection mechanism against do s traffic targe...Splay trees based early packet rejection mechanism against do s traffic targe...
Splay trees based early packet rejection mechanism against do s traffic targe...Anh Phan
 
SURVEY ON COOPERATIVE FIREWALL ANOMALY DETECTION AND REDUNDANCY MANAGEMENT
SURVEY ON COOPERATIVE FIREWALL ANOMALY DETECTION AND REDUNDANCY MANAGEMENTSURVEY ON COOPERATIVE FIREWALL ANOMALY DETECTION AND REDUNDANCY MANAGEMENT
SURVEY ON COOPERATIVE FIREWALL ANOMALY DETECTION AND REDUNDANCY MANAGEMENTijsrd.com
 
PERFORMANCE EVALUATION OF ENHANCEDGREEDY- TWO-PHASE DEPLOYMENT ALGORITHM
PERFORMANCE EVALUATION OF ENHANCEDGREEDY- TWO-PHASE DEPLOYMENT ALGORITHMPERFORMANCE EVALUATION OF ENHANCEDGREEDY- TWO-PHASE DEPLOYMENT ALGORITHM
PERFORMANCE EVALUATION OF ENHANCEDGREEDY- TWO-PHASE DEPLOYMENT ALGORITHMIJNSA Journal
 
PERFORMANCE EVALUATION OF ENHANCEDGREEDY-TWO-PHASE DEPLOYMENT ALGORITHM
PERFORMANCE EVALUATION OF ENHANCEDGREEDY-TWO-PHASE DEPLOYMENT ALGORITHMPERFORMANCE EVALUATION OF ENHANCEDGREEDY-TWO-PHASE DEPLOYMENT ALGORITHM
PERFORMANCE EVALUATION OF ENHANCEDGREEDY-TWO-PHASE DEPLOYMENT ALGORITHMIJNSA Journal
 
Networking for java and dotnet 2016 - 17
Networking for java and dotnet 2016 - 17Networking for java and dotnet 2016 - 17
Networking for java and dotnet 2016 - 17redpel dot com
 
International Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentInternational Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentIJERD Editor
 
Redundancy removal of rules with reordering them to increase the firewall opt...
Redundancy removal of rules with reordering them to increase the firewall opt...Redundancy removal of rules with reordering them to increase the firewall opt...
Redundancy removal of rules with reordering them to increase the firewall opt...eSAT Journals
 
Redundancy removal of rules with reordering them to increase the firewall opt...
Redundancy removal of rules with reordering them to increase the firewall opt...Redundancy removal of rules with reordering them to increase the firewall opt...
Redundancy removal of rules with reordering them to increase the firewall opt...eSAT Publishing House
 

Similar to Traffic aware dynamic (20)

Auto Finding and Resolving Distributed Firewall Policy
Auto Finding and Resolving Distributed Firewall PolicyAuto Finding and Resolving Distributed Firewall Policy
Auto Finding and Resolving Distributed Firewall Policy
 
An Effective Policy Anomaly Management Framework for Firewalls
An Effective Policy Anomaly Management Framework for FirewallsAn Effective Policy Anomaly Management Framework for Firewalls
An Effective Policy Anomaly Management Framework for Firewalls
 
A Novel Management Framework for Policy Anomaly in Firewall
A Novel Management Framework for Policy Anomaly in FirewallA Novel Management Framework for Policy Anomaly in Firewall
A Novel Management Framework for Policy Anomaly in Firewall
 
Interfirewall optimization across various administrative domain for enabling ...
Interfirewall optimization across various administrative domain for enabling ...Interfirewall optimization across various administrative domain for enabling ...
Interfirewall optimization across various administrative domain for enabling ...
 
Dp4301696701
Dp4301696701Dp4301696701
Dp4301696701
 
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...
 
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...
 
Cross domain privacy-preserving cooperative firewall optimization
Cross domain privacy-preserving cooperative firewall optimizationCross domain privacy-preserving cooperative firewall optimization
Cross domain privacy-preserving cooperative firewall optimization
 
Review on redundancy removal of rules for optimizing firewall
Review on redundancy removal of rules for optimizing firewallReview on redundancy removal of rules for optimizing firewall
Review on redundancy removal of rules for optimizing firewall
 
Cross-Domain Privacy-Preserving Cooperative Firewall Optimization
Cross-Domain Privacy-Preserving Cooperative Firewall OptimizationCross-Domain Privacy-Preserving Cooperative Firewall Optimization
Cross-Domain Privacy-Preserving Cooperative Firewall Optimization
 
P43018691
P43018691P43018691
P43018691
 
Splay trees based early packet rejection mechanism against do s traffic targe...
Splay trees based early packet rejection mechanism against do s traffic targe...Splay trees based early packet rejection mechanism against do s traffic targe...
Splay trees based early packet rejection mechanism against do s traffic targe...
 
SURVEY ON COOPERATIVE FIREWALL ANOMALY DETECTION AND REDUNDANCY MANAGEMENT
SURVEY ON COOPERATIVE FIREWALL ANOMALY DETECTION AND REDUNDANCY MANAGEMENTSURVEY ON COOPERATIVE FIREWALL ANOMALY DETECTION AND REDUNDANCY MANAGEMENT
SURVEY ON COOPERATIVE FIREWALL ANOMALY DETECTION AND REDUNDANCY MANAGEMENT
 
PERFORMANCE EVALUATION OF ENHANCEDGREEDY- TWO-PHASE DEPLOYMENT ALGORITHM
PERFORMANCE EVALUATION OF ENHANCEDGREEDY- TWO-PHASE DEPLOYMENT ALGORITHMPERFORMANCE EVALUATION OF ENHANCEDGREEDY- TWO-PHASE DEPLOYMENT ALGORITHM
PERFORMANCE EVALUATION OF ENHANCEDGREEDY- TWO-PHASE DEPLOYMENT ALGORITHM
 
PERFORMANCE EVALUATION OF ENHANCEDGREEDY-TWO-PHASE DEPLOYMENT ALGORITHM
PERFORMANCE EVALUATION OF ENHANCEDGREEDY-TWO-PHASE DEPLOYMENT ALGORITHMPERFORMANCE EVALUATION OF ENHANCEDGREEDY-TWO-PHASE DEPLOYMENT ALGORITHM
PERFORMANCE EVALUATION OF ENHANCEDGREEDY-TWO-PHASE DEPLOYMENT ALGORITHM
 
Networking for java and dotnet 2016 - 17
Networking for java and dotnet 2016 - 17Networking for java and dotnet 2016 - 17
Networking for java and dotnet 2016 - 17
 
J1087181
J1087181J1087181
J1087181
 
International Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentInternational Journal of Engineering Research and Development
International Journal of Engineering Research and Development
 
Redundancy removal of rules with reordering them to increase the firewall opt...
Redundancy removal of rules with reordering them to increase the firewall opt...Redundancy removal of rules with reordering them to increase the firewall opt...
Redundancy removal of rules with reordering them to increase the firewall opt...
 
Redundancy removal of rules with reordering them to increase the firewall opt...
Redundancy removal of rules with reordering them to increase the firewall opt...Redundancy removal of rules with reordering them to increase the firewall opt...
Redundancy removal of rules with reordering them to increase the firewall opt...
 

More from Justin Cletus

Cloud computing-05-10-en
Cloud computing-05-10-enCloud computing-05-10-en
Cloud computing-05-10-enJustin Cletus
 
Alternatives for-securing-virtual-networks
Alternatives for-securing-virtual-networksAlternatives for-securing-virtual-networks
Alternatives for-securing-virtual-networksJustin Cletus
 
Hybrid cloud based firewalling
Hybrid cloud based firewallingHybrid cloud based firewalling
Hybrid cloud based firewallingJustin Cletus
 
Fuzzy c-Means Clustering Algorithms
Fuzzy c-Means Clustering AlgorithmsFuzzy c-Means Clustering Algorithms
Fuzzy c-Means Clustering AlgorithmsJustin Cletus
 
Mining Frequent Patterns, Association and Correlations
Mining Frequent Patterns, Association and CorrelationsMining Frequent Patterns, Association and Correlations
Mining Frequent Patterns, Association and CorrelationsJustin Cletus
 
Data mining Concepts and Techniques
Data mining Concepts and Techniques Data mining Concepts and Techniques
Data mining Concepts and Techniques Justin Cletus
 

More from Justin Cletus (8)

First step toward
First step towardFirst step toward
First step toward
 
Cloud computing-05-10-en
Cloud computing-05-10-enCloud computing-05-10-en
Cloud computing-05-10-en
 
Alternatives for-securing-virtual-networks
Alternatives for-securing-virtual-networksAlternatives for-securing-virtual-networks
Alternatives for-securing-virtual-networks
 
Hybrid cloud based firewalling
Hybrid cloud based firewallingHybrid cloud based firewalling
Hybrid cloud based firewalling
 
Fuzzy c-Means Clustering Algorithms
Fuzzy c-Means Clustering AlgorithmsFuzzy c-Means Clustering Algorithms
Fuzzy c-Means Clustering Algorithms
 
Mining Frequent Patterns, Association and Correlations
Mining Frequent Patterns, Association and CorrelationsMining Frequent Patterns, Association and Correlations
Mining Frequent Patterns, Association and Correlations
 
Data mining Concepts and Techniques
Data mining Concepts and Techniques Data mining Concepts and Techniques
Data mining Concepts and Techniques
 
Dm lecture1
Dm lecture1Dm lecture1
Dm lecture1
 

Recently uploaded

Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...srsj9000
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.eptoze12
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxk795866
 
complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...asadnawaz62
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort servicejennyeacort
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...VICTOR MAESTRE RAMIREZ
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ
 
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)dollysharma2066
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024hassan khalil
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVRajaP95
 
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2RajaP95
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxJoão Esperancinha
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )Tsuyoshi Horigome
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girlsssuser7cb4ff
 
Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting .Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting .Satyam Kumar
 

Recently uploaded (20)

Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptx
 
complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
 
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
 
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girls
 
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
 
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
 
Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting .Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting .
 

Traffic aware dynamic

  • 1. IEEE Communications Magazine • July 2013 730163-6804/13/$25.00 © 2013 IEEE INTRODUCTION Firewalls are the most popular network-based security devices and have been widely deployed since the early days of computer networks. They are designed to permit or deny network traffic based on a firewall policy that specifies what types of packets should be allowed from/into the protected network. Firewalls are usually deployed at the boundary points between net- works and subnets. With the growth of network complexity, it is very common to find firewall policies with thousands of rules. A firewall policy contains a set of rules that are usually checked in a sequential order. This implies that the high- er the order of the matching rule, the more cost- ly the firewall filtering overhead will be. Thus, to reduce the filtering overhead, it is crucial to have the appropriate rule ordering in the fire- wall policy. Firewall policy rule management is also important for security. An attacker can launch denial of service (DoS) attacks by over- whelming firewalls with packets that match high ordered rules such as the default deny rule. This attack can drastically reduce the overall through- put of firewalls and increase network delays dra- matically [1]. However, finding the optimal rule ordering in firewall policy is a computationally hard problem [2]. It is important to design prac- tical heuristics for adapting firewall policies dynamically without losing semantic integrity. The study of many Internet and private traces shows that the major portion of network traffic flows matches a small subset of firewall rules, which means that the frequency distribution for some of the traffic properties appears to be highly skewed [3]. Therefore, when performing packet filtering, it is desirable to decrease the number of packet matches required for large flows in order to reduce the overall packet matching time. It is also observed that the skewedness in traffic distribution is likely to last long enough to make firewall policies adaptively take advantage of it [3]. Based on these observa- tions, many techniques have been proposed to exploit this traffic property to achieve two goals: increase the firewall performance and defend against DoS attacks. We classify firewall policy management tech- niques into two categories, as shown in Fig. 1: matching optimization and early rejection opti- mization. Matching optimization techniques can be further classified into two types: static and traffic-aware adaptive. Early rejection optimiza- tion techniques can be further classified into two types: online and blacklist blocking. In this article we present a comprehensive survey of dynamic firewall policy management techniques that uti- lize traffic characteristics and give a detailed comparison of these techniques. We believe that this study can help researchers gain a good understanding of existing work and enable future innovations. We also believe that this study can help engineers and system administrators be aware of this important problem and adopt the appropriate traffic-aware firewall technique based on specific applications. The article is organized as follows. First, we introduce necessary background knowledge for the article. Next, we describe statistical matching optimization techniques. We then describe early ABSTRACT Firewalls are important network security devices that protect networks by blocking unwanted traffic based on filtering policies. However, the structure of firewall policies has a major impact on firewall security and perfor- mance. In this article, we classify, describe, and compare traffic-aware firewall policy manage- ment techniques based on their objectives, schemes, complexity, applicability, and limita- tions. We classify traffic-aware firewall policy techniques into two categories based on their goals: matching optimization and early rejection optimization schemes. Matching optimization techniques try to minimize the matching time of normal network traffic. Early rejection tech- niques create a minimum set of policy preamble rules (constraints) that can potentially filter out the maximum amount of denied traffic. Both categories are self-adaptive to ensure that the performance gain will always supersede the dynamic management maintenance overhead. We believe that our work provides important insights on the operation and use of traffic- aware filtering. TOPICS IN NETWORK AND SERVICE MANAGEMENT Qi Duan and Ehab Al-Shaer, University of North Carolina at Charlotte Traffic-Aware Dynamic Firewall Policy Management: Techniques and Applications DUAN LAYOUT_Layout 1 6/26/13 1:50 PM Page 73
  • 2. IEEE Communications Magazine • July 201374 rejection optimization techniques. We give a detailed comparison of the techniques. We con- clude the article. BACKGROUND A firewall is a network element that controls the traversal of packets across the boundaries of a secured network based on a specific security poli- cy. A firewall security policy is a list of ordered filtering rules that define the actions performed on matching packets. A rule is composed of filter- ing fields (also called header tuples) such as pro- tocol type, source IP address, destination IP address, source port and destination port, and an action field. Each network field may be a single value or a range of values. Filtering actions are either accept, which passes the packet into or from the secure network, or deny, which causes the packet to be discarded. The packet is accept- ed or denied by a specific rule if the packet head- er information matches all the network fields of this rule. Otherwise, the following rule is exam- ined, and the process is repeated until a matching rule is found or the default policy action is per- formed. The filtering rules may not be disjoint; therefore, packets may match one or more rules in the firewall policy. In this case, these rules are said to be dependent or overlapping, and their relative ordering must be preserved for the fire- wall policy to operate correctly. For example, in Fig. 2a, rules R1 and R2 are overlapping rules. The traffic address space is the space whose elements contain all possible tuples that identify traffic flows in a network environment. This is usually composed of the transport protocol, source address/port, and destination address/ port. A segment is a subset of the total traffic address space that is covered by a unique set of rules. In other words, segments are equivalence classes over packets. The equivalence of packets is defined by the same policy rules that match these packets. Therefore, segments exhibit the following two properties: • All segments are pairwise disjoint. • Any packet must fall in exactly one seg- ment. Figure 2a shows a simple firewall policy com- posed of three rules: R1, R2, and R3. Figure 2b shows the segmentation of the firewall policy in Fig. 2a. As a result of intersecting (or overlap- ping) the three rules, four address segments are produced: S1, S2, S3, and S4. MATCHING OPTIMIZATION TECHNIQUES AN OVERVIEW The objective of matching optimization is to reduce the number of rules to be inspected in the average case [3]. As shown in Fig. 1, there are two types of matching optimization tech- niques: static and adaptive. Many algorithmic- based techniques have been proposed for static filtering optimization. These techniques try to improve the search time using various algorithmic techniques such as hardware- based solutions, specialized data structures, and heuristics. However, these static tech- niques are used to improve the worst case sce- nario, and they do not consider the properties of network traffic. The earliest work to exploit traffic properties for packet classification is by Gupta et al. in [4]. In this work, the authors used depth-constrained single-field alphabetic trees to reduce the lookup time of destination IP addresses of packets against entries in the routing table. However, one cannot directly use it for firewalls that have multiple match- ing fields. In this article, we focus on adaptive optimization techniques that improve the effi- ciency of filtering in the average case. These techniques can adjust the filtering policies to fit the matching frequency of firewall rules or filtering field values. Rule-based techniques include common branch decision tree, offline statistical-based rule generation, and dynamic rule ordering. Field-value-based techniques include multifield alphabetic tree, Huffman- tree-based filtering, and segment-list-based filter- ing. In the following subsections, we describe these traffic-aware dynamic firewall policy techniques because they represent the state of Figure 1. Classification of traffic-aware firewall policy techniques. Classification of firewall policy management techniques Matching optimization Early rejection optimization Blacklist blockingOnline early rejection Field-based optimizationRule-based optimization Algorithm-based static techniques Strict Static Adaptive traffic-aware Relaxed LCP-based blacklist blocking BDD-based relaxed policy Field-value- cover- based early rejection Segment- list-based filtering Huffman- tree- based filtering Multifield alphabetic tree Dynamic rule ordering Offline statistical- based rule generation Common branch tree The traffic address space is the space whose elements con- tain all possible tuples that identify traffic flows in a net- work environment. This is usually com- posed of the trans- port protocol, source address/port, and destination address/port. A seg- ment is a subset of the total traffic address space that is covered by a unique set of rules. DUAN LAYOUT_Layout 1 6/26/13 1:50 PM Page 74
  • 3. IEEE Communications Magazine • July 2013 75 the art in traffic-aware firewall filtering for firewalls with a large number of overlapping rules. RULE-BASED OPTIMIZATION Common Branch Tree — In [5], the authors present common branching-tree-based packet classification algorithms in an operational net- work. Decision trees can be categorized under three optimization criteria: worst case, average case, and mixed. Based on the skewedness in Internet traffic, they suggest that average case time is an important metric in the packet classifi- cation settings and propose algorithms to con- struct common branches decision trees to achieve good average case performance. It needs time Q(klog(l/k)) and space Q(l) to build com- mon branches decision tree, where l is the num- ber of rules and k is the number of fields. The experimental evaluation of real-word fil- ters showed that common branching trees use much less memory than binary decision trees, and have comparable worst case and average case search times. The good performance of the common branching tree can be attributed to the presence of extensive wildcarding with a certain structure in the rule sets. The limitation of the technique is that the entire decision tree needs to be rebuilt every time the traffic pattern changes, and it is not appropriate for heavily overlapping rules. Offline Statistical-Based Rule Generation — In [6], the authors presented an offline statisti- cal-based rule generation technique called traf- fic-aware firewall optimizer (TFO). The first step in TFO is called pre-optimization. This step removes all redundancies in the rule set. The second step of TFO uses two optimizers: a rule- set-based optimizer and a traffic-based optimizer. The rule-set-based optimizer contains the Dis- joint Set Creator (DSC) algorithm and the Dis- joint Set Merger (DSM) algorithm. The DSC algorithm converts the original rule set to a semantically equivalent disjoint rule set, which can provide the traffic-based optimizer with full flexibility to re-order rules based on traffic char- acteristics. The DSM algorithm merges the rules of the disjoint rule set produced by DSC to reduce rule set size. The traffic-based optimizer has four components: hot caching, total re-order- ing, default proxy, and online adaptation. The hot caching scheme tries to put those rules that are frequently hit to the top of the rule set. The total re-ordering scheme combines the measure of hit frequency and rule size to optimize rule ordering. The default proxy scheme can optimize the firewall performance when the default deny action is heavily invoked. The online adaptation scheme builds a long-term rule hit profile to optimize the rule set. TFO is based on the assumption that only a small portion of rules are dependent on other rules, so it cannot handle policies with heavily overlapped rules. Also, TFO has only limited adaptivity because the rule hit profile is built offline. The authors conducted experiments in only one enterprise firewall, which may not be able to represent other real world firewalls. Dynamic Rule Ordering — This technique uses a heuristic approximation algorithm for optimal dynamic firewall rule ordering based on real-time traffic characteristics [2]. The objective of optimizing the firewall rules is to create a semantically equivalent rule order that mini- mizes the packet matching time in firewalls. The optimal rule ordering (ORO) problem is mapped to the job scheduling problem for a single machine with precedence constraints. Since the scheduling problem is NP-hard, the general ORO problem is also NP-hard. Thus, a heuristic approximation algorithm that runs in polynomial time and achieves near-optimal results for the most common firewall policies is presented. The implementation of the technique also includes a method to compute filtering rule weights in order to capture the matching impor- Figure 2. An example of firewall rules and segmentation. Protocol tcp tcp tcp Action Deny Accept Deny Source address:port 140.192.37.30:any 140.192.37.*:100 *.*.*.*:any Destination address:port *.*.*.*:any *.*.*.*:any *.*.*.*:any Rule R1 R2 R3 (a) (b) R1 R2 S2 S1 S3R3 S4 The good perfor- mance of the common branching tree can be attribut- ed to the presence of extensive wild- carding with a certain structure in the rule sets. The limitation of the technique is that the entire decision tree needs to be rebuilt every time the traffic pattern changes, and it is not appropriate for heavily overlapping rules. DUAN LAYOUT_Layout 1 6/26/13 1:50 PM Page 75
  • 4. IEEE Communications Magazine • July 201376 tance of every rule relative to others. Each rule in the filtering policy is given a weight that reflects the dominance of this rule in matching the traffic processed by the firewall. The rule weight is calculated based on matching frequency, which determines how frequent the rule has been triggered, and matching recency, which determines how recent the rule has been trig- gered during packet matching. The optimized rule list is constructed based on the computed rule weights and is used for matching upcoming packets to the firewall. Since the traffic distribu- tion of Internet flows over filtering rules is con- stantly changing, the rule weights should be dynamically adjusted to reflect the most recent distribution. Two types of rule list updates are used: performance-based triggered updates and time-based periodic updates. In this way, an ordering that is as close as possible to the opti- mal can be computed, while the overhead to compute these updates can be minimized. The limitation of the technique is that it is not good for policies with a large number of overlapping rules. FIELD-BASED OPTIMIZATION Multifield Alphabetic Tree — In [3, 7], a new multifield alphabetic-tree-based technique for dynamic firewall policy management was pre- sented. The technique calculates the field value frequency (entropy) and uses this entropy infor- mation to build the alphabetic search tree for adaptive packet filtering. The alphabetic search tree stores field values in the leaves based on given weights such that the inherent order of the stored values is preserved. At each internal node, the left subtree contains nodes that have values less than those on the right. This added constraint of enforcing an order on the place- ment of values in the tree enables the matching algorithm to branch left or right. The constraint can also eliminate the need for preprocessing of the packet field values. The alphabetic search tree inserts values of higher occurrence probability (matching fre- quency) at higher tree levels than the values with less probability. Field values that commonly exist in the traffic will have lower numbers of packet matches compared to uncommon values. The alphabetic search tree can improve the overall average filtering by significantly reducing the number of matches for most popular pack- ets, although it may not be in favor of less fre- quently matched traffic. The gain in filtering performance is proportional to the degree of skewedness in the traffic distribution over field values. Even in the worst case scenario when the traffic distribution is uniform, this technique cannot do worse than the binary search as a lower bound. The alphabetic search tree can be built with time O(nlogn) and space O(n) where n is the number of rules. The limitation of this technique is that the overhead of updating the tree can be significant. Huffman-Tree-Based Filtering — This tech- nique in [8] uses a Huffman tree to represent the segmentation of traffic address space in the firewall policy. The Huffman tree can minimize the average number of comparisons applied to packets arriving at the firewall ports. To build the Huffman tree, the traffic statis- tics can be kept as hit-count measurements for all segments. The internal nodes of the Huffman tree contain a Boolean expression that should be satisfied by each packet passing through this node towards its descendants. The expression is built by taking logic OR of the two correspond- ing expressions from the children nodes. When a new node is created in a merging step of two nodes with the lowest weight, it will have the expression that takes the logic OR of these two nodes. The operation in the Huffman tree building algorithm differs slightly with the original Huff- man’s algorithm. The changes occur in swapping the left and right children based on whichever is easier to evaluate. Another difference is the added expression at each node. The time and space complexity of building the Huffman tree are O(ns) and s, respectively, where n is the number of rules and s is the num- ber of segments in the policy. Using the skewedness of the segments to build a Huffman tree over these segments can enhance the per- formance of searching. The technique is good for policies with a large number of rules. The limitation is that the Huffman tree needs to be rebuilt periodically to reflect changes in network flows. Segment-List-Based Filtering — In order to get rid of the maintenance cost of the Huffman tree, one can use a policy-segment-based search list [8] to utilize the very high imbalance in the frequency distribution of packets over the policy segments. One can obtain a very simple yet extremely effective structure by building a simple list of segments that is updated after each packet match. Theoretically, the optimal order is to have the segments sorted in reverse order of their popularity. But it is impossible to guaran- tee this without prior knowledge of the exact dis- tribution. A heuristic algorithm can be used to minimize the average search time. The main idea in the algorithm is to match an incoming packet against the segment list one by one; once a match is found, the list ordering is adjusted. The time and space complexity of building the segment list are O(ns) and s, respectively, where n is the number of rules and s is the num- ber of segments in the policy. This technique only contains very simple operations. It is good for extremely biased traffic. The only limitation is that it has transient behavior until a good order of segments is obtained. EARLY REJECTION OPTIMIZATION TECHNIQUES AN OVERVIEW The problem of early packet filters received much attention for two main reasons. The first is to protect firewalls from DoS attacks that target the default deny rule. The second is to minimize the filtering overhead due to discarding unwant- ed traffic by introducing approximate policies that can easily filter out discarded traffic. The alphabetic search tree inserts values of higher occurrence probabili- ty (matching fre- quency) at higher tree levels than the values with less probability. Field val- ues that commonly exist in the traffic will have lower numbers of packet matches compared to uncommon values. DUAN LAYOUT_Layout 1 6/26/13 1:50 PM Page 76
  • 5. IEEE Communications Magazine • July 2013 77 Early rejection optimization can be classi- fied as online and blacklist blocking. Online early rejection techniques include field value cover early rejection [7] and the binary deci- sion diagram (BDD)-based relaxed policy [1]. Blacklist blocking techniques include longest common prefix (LCP)-based blacklist block- ing [9]. ONLINE EARLY REJECTION Field Value Cover-Based Early Rejection — The first article to present an early rejection optimization technique is [7]. In this technique, an early filtering module is deployed as anoth- er layer before the actual filtering that takes place in a firewall. The goal of this early filter- ing module is to filter out as many discarded packets as possible with the lowest overhead. This is because discarded packets might tra- verse a long decision path of rule matching before they are finally rejected by the default deny rule, which causes significant overhead proportional to the number of rules in the fire- wall policy. For those packets on which the early filtering module has made a decision (deny or accept), there is no need to pass the packet to the original filtering module. If the early filtering module cannot reach a decision based on its approximation of the policy, the filtering process will be delegated to the origi- nal filtering algorithm. The early rejection rules (RRs) can be formed as a combination of the common field values that cover all rules in the policy. It can be shown that these rules are more feasible to find because the number of distinct field values is usually small relative to the policy size. It is desirable to search in the firewall policy for a combination of common field values such that every rule uses at least one of these values. This problem can be modeled as a set cover problem. Two approximation algorithms can be used to solve this problem. The first one runs in time O(n2) and has an approximation ratio log(n) where n is the number of rules. The sec- ond one uses integer programming to achieve an f approximation ratio where f is the maxi- mum number of subsets to which any element can belong. The set cover approximation algo- rithm generates a combination of common field values to be used as early rejection rules. But it is not known in advance how many and which ones we should use to achieve an opti- mal rejection solution. A suite of three algo- rithms were used to address this problem. These three algorithms are the startup phase algorithm, dynamic rule selection algorithm, and early rejection algorithm. In the startup phase algorithm, the candidate rejection rule list is built from different solutions that belong to the set cover problem. The dynamic rule selec- tion algorithm is responsible for the periodic addition/removal of rules according to the per- formance gain/loss of each rule. The early rejection algorithm calculates the location of early rejection relative to normal packet filter- ing and defines the per-packet operation of fil- tering. The limitation of the technique is that it is not suitable for large policies (policies with a large number of rules). BDD-Based Relaxed Policy — Another tech- nique is called the BDD-based relaxed policy. The basic idea of this policy is to approximate the current policy with another new policy. The technique evaluates every packet against the new policy, and decides to accept, reject, or forward it to the original policy. The original policy is deployed as normal, but it is not executed unless the early filtering module fails to reach a deci- sion. Efficient Boolean expression can be used to represent and approximate the policy. The actu- al implementation is based on Boolean expres- sions, which are constructed using BDD. Each Boolean expression represents the different packets that match a specific rule, and the vari- ables used for this expression correspond to the bits of individual packet header fields (e.g., source IP, destination port, protocol). BDDs can facilitate the matching by representing the expression in the form of a tree, where each variable is checked only once. An important advantage of the BDD tree is that the decision can be quickly made for a large portion of the packet space. When a packet arrives, the fields in the packet header are extracted and sorted according to their order in the expression tree, so they can be used one by one in navigating the tree. Tree navigation is itself a very simple set of instructions. One need only check the variable at the current node, and load the left child node entry in the BDD table if true and the right child entry if false. This is repeated until a node is reached with a final value or the maximum depth allowed in the tree is reached. Note that this BDD construction technique can also be used for matching optimization. The whole system is dynamic to traffic prop- erties, and can be tuned by the policy structure and previous performance measures. The limita- tion of the technique is that the overhead to build the BDD is usually significant. LCP-BASED BLACKLIST BLOCKING This technique is the general framework for modeling the filter selection as resource alloca- tion problems in [9]. A filter is a set of simple access control rules to specify that addresses with certain prefixes should be blocked. The goal of filter selection is to build filtering rules that can minimize the impact of malicious sources in the network using the available network resources. The technique considers different fil- tering problems based on different attack sce- narios, operators’ policies and constraints. Each filtering problem can be modeled as an opti- mization problem. The data structure to repre- sent the problems is the LCP) tree. The LCP tree is a kind of binary tree such that the leaves of the tree are the malicious IP addresses, and all the other nodes represent the longest com- mon prefixes between any pair of IPs in the tree. The LCP tree can be built in time O(mN) and space O(N) where m = 32 is the number of bits in the IP address and N is the number of mali- cious IP addresses. Polynomial or pseudo-poly- nomial algorithms were designed to solve the filtering problems. The limitation of this tech- nique is that all the malicious IP addresses must be known before the computation of the optimal The early rejection algorithm calculates the location of early rejection relative to normal packet filter- ing and defines the per-packet operation of filtering. The limi- tation of the tech- nique is that it is not suitable for large policies (policies with a large number of rules). DUAN LAYOUT_Layout 1 6/26/13 1:50 PM Page 77
  • 6. IEEE Communications Magazine • July 201378 solution. To defend against attackers who can move quickly among multiple source IPs, one must recompute the optimal solutions frequent- ly. Thus, this technique may not be efficient enough. A COMPARATIVE STUDY In this section we present a detailed comparison of the traffic-aware dynamic firewall policy man- agement techniques discussed in this article. Table 1 shows the comparison of the data structures, algorithms, adaptivity, measure- ment, and complexity (time and space) of the techniques. Here the adaptivity column denotes whether the technique is online or offline, and the measurement column denotes the key quantitative values used in the technique. We compare the nine techniques discussed in the article for traffic-aware packet filtering. The algorithmic-based static techniques in Fig. 1 are not included in our study since they are not traffic-aware filtering techniques. Note that in the table, n, d, s, and N are the number of rules, the number of fields, the number of seg- ments, and the number of malicious source addresses in the policy, respectively. For BDD- based techniques, in the worst case the com- plexity can be exponential. However, in most cases, the complexity of BDD construction for firewall policies does not exceed the quadratic of the number of rules due to rule correlation and overlapping [10]. For offline statistical- based rule generation, the complexity is not known because the authors did not give a com- plexity analysis. We can note that dynamic rule ordering and multifield alphabetic tree have sim- ilar complexity, while Huffman tree based filter- ing and segment list based filtering have complexity related to the number of rules and segments in the policy. Table 2 compares the functionality, policy structure, traffic characterization and mainte- nance cost of each technique. In this table, plus (+) sign means the corresponding technique is suitable for the property, and minus (–) sign means the corresponding technique may not be suitable for the property. N/A means the tech- nique is not applicable for the property. Skew- ness is the measure of the asymmetry in the probability distribution of the traffic. Dynamic means that the traffic pattern has frequent changes. LCP based blacklist blocking is not applicable for general policies of multi-field rules. Although dynamic rule ordering, common branch tree, and offline statistical-based rule gen- eration techniques are good for rules with mul- tiple fields, they are not suitable for heavily overlapping policies. Although dynamic rule ordering, segment list based filtering, multi- field alphabetic tree and Huffman tree based filtering techniques exhibit high dynamism and low maintenance overhead, they expect high-to- moderate skewness in the traffic distribution (i.e., there is a small number of popular servers) except dynamic rule ordering, which can toler- ate low skewedness in traffic. BDD based relaxed policy, field value cover based early rejection, and offline statistical-based rule generation are not suitable for large poli- cies or policies with large number of field val- ues. Huffman-tree-based filtering, common branch tree, and offline statistical-based rule generation could exhibit high maintenance overhead. Online early rejection techniques (BDD-based relaxed policy, field-value-cover- based early rejection) look robust with traffic Table 1. Comparison of the algorithms, data structures, and complexity of traffic-aware dynamic firewall policy techniques. Technique Data structure Algorithm Adaptivity Measurement Time Space Common branch tree [3] Tree Decision tree optimization Offline N/A Q(dlog(n/d)) or n0.63 nQ(d) Offline statistical-based rule generation [1] List Optimal splitting Offline N/A 2n n Dynamic rule ordering [7] Rule Job scheduling with precedence Online Rule frequency and recency O(nlogn) O(n) Multifield alphabetic tree [8] Tree Alphabetic tree Online Field entropy O(nlogn) O(dn) Huffman tree filtering [5] Tree Huffman tree Online Segment entropy O(ns) O(s) Segment-list-based filtering [5] List Linear search Online Segment counting O(ns) O(s) Field-value-cover-based early rejection [8] Boolean expression Set cover approximation Online Statistical thresholding O(n2) O(n) BDD-based relaxed policy [4] BDD BDD optimization Online Rule probability O(2n) O(2n) LCP-based blacklist blocking [10] Tree Dynamic programming Offline N/A O(N) O(N) DUAN LAYOUT_Layout 1 6/26/13 1:50 PM Page 78
  • 7. IEEE Communications Magazine • July 2013 79 distribution and rules overlapping, but they suffer from the high number of rules. It is worth noticing that offline statistical-based rule generation is not fit for overlapping rules and traffic dynamics, and LCP-based blacklist blocking can only be applied efficiently to a pre-defined blacklist. To achieve the desired goal, one should choose the appropriate tech- nique according to the properties of the fire- wall policy. SUMMARY In this article we present a taxonomy of traf- fic-aware firewall management techniques. We believe that our analysis of the research work in traffic-aware dynamic firewall policy management can help researchers and engi- neers to understand the importance of the problem and provide useful guidance for adopting a specific technique based on appli- cation requirements. This study provides ingredients for more innovative solutions in this field. REFERENCES [1] S. Acharya et al., “Traffic-Aware Firewall Optimization Strategies,” IEEE ICC, 2006. [2] E. Al-Shaer, W. Marrero, and A. El-Atawy, “Network Configuration in A Box: Towards End-to-End Verifica- tion of Network Reachability and Security,” IEEE Int’l. Conf. Network Protocols, Oct. 2009. [3] E. Cohen and C. Lund, “Packet Classification in Large ISPS: Design and Evaluation of Decision Tree Classi- fiers,” Proc. 2005 ACM Sigmetrics Int’l. Conf. Measure- ment and Modeling of Computer Systems, SIGMETRICS ’05, 2005, pp. 73–84. [4] A. El-Atawy et al., “Adaptive Early Packet Filtering for Defending Firewalls Against DoS Attacks,” IEEE INFO- COM ’09, Rio de Janeiro, Brazil, 2009, pp. 2437–45. [5] A. El-Atawy et al., “Using Online Traffic Statistical Matching for Optimizing Packet Filtering Performance,” INFOCOM ’07, 2007, pp. 866–74. [6] P. Gupta, B. Prabhakar, and S. Boyd, “Near Optimal Routing Lookups with Bounded Worst Case Perfor- mance,” IEEE INFOCOM 2000, 2000. [7] H. Hamed and E. Al-Shaer, “Dynamic Rule Ordering Optimization for High-Speed Firewall Filtering,” ASI- ACCS ’06, 2006. [8] H. Hamed, A. El-Atawy, and E. Al-Shaer, “Adaptive Sta- tistical Optimization Techniques for Firewall Packet Fil- tering,” IEEE INFOCOM ’06, Apr. 2006. [9] H. Hamed, A. El-atawy, and E. Al-shaer, “On Dynamic Optimization of Packet Matching in High-Speed Fire- walls,” IEEE JSAC, 2006, pp. 1817–30. [10] F. Soldo, A. Markopoulou, and K. J. Argyraki, “Optimal Filtering of Source Address Prefixes: Models and Algo- rithms,” IEEE INFOCOM ’09, 2009, pp. 2446–54. BIOGRAPHIES QI DUAN (qduan@uncc.edu) is a research associate in the Department of Software and Information Systems, Univer- sity of North Carolina at Charlotte. His research areas are network security and configuration verification. EHAB AL-SHAER (ehab@uncc.edu) is a professor and the director of the Cyber Defense and Network Assurability Center (CyberDNA) in the Department of Software and Information Systems, University of North Carolina at Char- lotte. His primary research areas are network security, secu- rity management, fault diagnosis, and network assurability. Table 2. Comparison of limitations and application suitability of traffic–aware dynamic firewall policy techniques. Technique Functionality Policy structure Traffic characterization Maintenance cost Matching optimization Early rejection Multi- field High over- lapping Large policy Large field value Large no. of seg- ments Skewed- ness Dynamic Common branch tree + – + – + – N/A Moderate No High Offline statistical- based rule generation + + + – – – N/A High Low High Dynamic rule ordering + – + – + + N/A Low High Low Multifield alphabetic tree + – + + + – N/A moderate high low Huffman tree filtering + – + + + N/A – Moderate High Low Segment-list-based filtering + – + + + N/A – Moderate High Low Field-value-cover- based early rejection – + + + – – N/A Moderate High Moderate BDD-based relaxed policy + + + + – – – Low Moderate High LCP-based blacklist blocking – + – – + + N/A N/A High Moderate DUAN LAYOUT_Layout 1 6/26/13 1:50 PM Page 79