Open Source Firewall

14,000,000 Leading Edge Experts on the ideXlab platform

The Experts below are selected from a list of 75 Experts worldwide ranked by the ideXlab platform

Avishai Wool - One of the best experts on this subject based on the ideXlab platform.

  • The geometric efficient matching algorithm for Firewalls
    IEEE Transactions on Dependable and Secure Computing, 2011
    Co-Authors: Dmitry Rovniagin, Avishai Wool
    Abstract:

    Firewall packet matching can be viewed as a point location problem: each packet (point) has 5 fields (dimensions) which need to be checked against every Firewall rule in order to find the first matching rule. We consider a packet matching algorithm, which we call the geometric efficient matching (GEM) algorithm. The GEM algorithm enjoys a logarithmic matching time performance, easily beating the linear time required by the naive matching algorithm. However, the algorithm's theoretical worst-case space complexity is O(n^4) for a rule-base with n rules. Based on statistics from real Firewall rule-bases, we created a model that generates random, but non-uniform, rule-bases. We evaluated GEM via extensive simulation using this rule-base generator. Subsequently, we integrated GEM into the code of the Linux "iptables" Open-Source Firewall. Our GEM-iptables implementation supports a throughput which is at least 5-10 times higher than that of the unoptimized iptables. Our implementation was able to match over 30,000 packets-per-second even with 10 thousand rules.

  • The Geometric Efficient Matching Algorithm for Firewalls
    IEEE Transactions on Dependable and Secure Computing, 2011
    Co-Authors: Dmitry Rovniagin, Avishai Wool
    Abstract:

    Since Firewalls need to filter all the traffic crossing the network perimeter, they should be able to sustain a very high throughput, or risk becoming a bottleneck. Firewall packet matching can be viewed as a point location problem: Each packet (point) has five fields (dimensions), which need to be checked against every Firewall rule in order to find the first matching rule. Thus, algorithms from computational geometry can be applied. In this paper, we consider a classical algorithm that we adapted to the Firewall domain. We call the resulting algorithm “Geometric Efficient Matching” (GEM). The GEM algorithm enjoys a logarithmic matching time performance. However, the algorithm's theoretical worst-case space complexity is O(n^4) for a rule-base with n rules. Because of this perceived high space complexity, GEM-like algorithms were rejected as impractical by earlier works. Contrary to this conclusion, this paper shows that GEM is actually an excellent choice. Based on statistics from real Firewall rule-bases, we created a Perimeter rules model that generates random, but nonuniform, rule-bases. We evaluated GEM via extensive simulation using the Perimeter rules model. Our simulations show that on such rule-bases, GEM uses near-linear space, and only needs approximately 13 MB of space for rule-bases of 5,000 rules. Moreover, with use of additional space improving heuristics, we have been able to reduce the space requirement to 2-3 MB for 5,000 rules. But most importantly, we integrated GEM into the code of the Linux iptables Open-Source Firewall, and tested it on real traffic loads. Our GEM-iptables implementation managed to filter over 30,000 packets-per-second on a standard PC, even with 10,000 rules. Therefore, we believe that GEM is an efficient and practical algorithm for Firewall packet matching.

  • The Geometric Efficient Matching Algorithm for Firewalls
    2010
    Co-Authors: Dmitry Rovniagin, Avishai Wool
    Abstract:

    Since Firewalls need to filter all the traffic crossing the network perimeter, they should be able to sustain a very high throughput, or risk becoming a bottleneck. Firewall packet matching can be viewed as a point location problem: Each packet (point) has 5 fields (dimensions), which need to be checked against every Firewall rule in order to find the first matching rule. Thus, algorithms from computational geometry can be applied. In this paper we consider a classical algorithm that we adapted to the Firewall domain. We call the resulting algorithm “Geometric Efficient Matching” (GEM). The GEM algorithm enjoys a logarithmic matching time performance. However, the algorithm’s theoretical worst-case space complexity is O(n^4) for a rule-base with n rules. Because of this perceived high space complexity, GEM-like algorithms were rejected as impractical by earlier works. Contrary to this conclusion, this paper shows that GEM is actually an excellent choice. Based on statistics from real Firewall rule-bases, we created a Perimeter rules model that generates random, but non-uniform, rule-bases. We evaluated GEM via extensive simulation using the Perimeter rules model. Our simulations show that on such rule-bases, GEM uses near-linear space, and only needs approximately 13 MB of space for rule-bases of 5,000 rules. Moreover, with use of additional space improving heuristics, we have been able to reduce the space requirement to 2-3 MB for 5,000 rules. But most importantly, we integrated GEM into the code of the Linux iptables Open-Source Firewall, and tested it on real traffic loads. Our GEM-iptables implementation managed to filter over 30,000 packets-per-second on a standard PC, even with 10,000 rules. Therefore, we believe that GEM is an efficient, and practical, algorithm for Firewall packet matching.

Dmitry Rovniagin - One of the best experts on this subject based on the ideXlab platform.

Priyanka Sharma - One of the best experts on this subject based on the ideXlab platform.

  • A Review paper on pfsense – an Open Source Firewall introducing with different capabilities & customization
    International Journal of Advance Research and Innovative Ideas in Education, 2017
    Co-Authors: Krupa C. Patel, Priyanka Sharma
    Abstract:

    Network Security is a crucial aspect of network management, with many organizations around the world spending millions each year to safeguard valuable corporate data and information. Many companies use Firewalls and encryption mechanisms as a security dimension. Although there are many types of Firewalls and encryption mechanisms on the market, not all are suitable for Small and Medium Enterprises (SMEs). For SMEs, these solutions might be overkill, both financially and functionally. For proper and centralized control and management, a range of security features needs to be integrated into a unified security package. One of the most efficient solutions is an Open Source Firewall. In this paper we carry out a case study of the existing features of pfSense, an Open Source Firewall on the FreeBSD operating system: a comprehensive network security solution that integrates all of the security services, such as Firewall, URL filtering and virtual private networking, in a single appliance; Captive Portal and Active Directory for managing user authentication for wireless networks; log analysis to make the network infrastructure more secure; layer 7 capabilities providing a powerful solution to control traffic based on application patterns; and lastly its use together with other Open Source tools, which work well together in detecting and disabling network attacks.

Khalid Latif - One of the best experts on this subject based on the ideXlab platform.

  • A deliberately insecure RDF-based Semantic Web application framework for teaching SPARQL/SPARUL injection attacks and defense mechanisms
    Computers & Security, 2016
    Co-Authors: Hira Asghar, Zahid Anwar, Khalid Latif
    Abstract:

    SemWebGoat is a deliberately insecure learning framework for software developers. This work provides an analysis and categorization of SPARQL and SPARUL injection attacks. This research contributes interactive lessons to teach good programming practices and defensive techniques. Developers are mostly unaware of vulnerabilities in RDF-based web applications.

    The Semantic Web uses the Resource Description Framework (RDF) and the Simple Protocol and Query/Update Languages (SPARQL/SPARUL) as standardized logical data representation and manipulation models allowing machines to directly interpret data on the Web. As Semantic Web applications grow increasingly popular, new and challenging security threats emerge. Semantic query languages, owing to their flexible nature, introduce new vulnerabilities if secure programming practices are not followed. This makes them prone to both existing attacks such as command injection as well as novel attacks, making it necessary for application developers to understand the security risks involved when developing and deploying semantic applications. In this research, we have analyzed and categorized the possible SPARQL/SPARUL injection attacks to which semantic applications are vulnerable. Moreover, we have developed a deliberately insecure RDF-based Semantic Web application, called SemWebGoat - inspired by the Open Source vulnerable web application, WebGoat - which offers a realistic teaching and learning environment for exploiting SPARQL/SPARUL oriented injection vulnerabilities. With the aim of teaching both developers and web administrators the art of protecting their Semantic Web applications, we have implemented web application Firewall (WAF) rules using the popular Open-Source Firewall - ModSecurity - and extended some penetration testing tools to detect and mitigate SPARQL/SPARUL injections. For the evaluation, we conducted a user study to determine the usability of the SemWebGoat attack lessons, as well as a detection rate and false alarm analysis of our proposed Firewall rules based on the OWASP top-ten attack dataset. The results of the user study conclude that web developers are not normally familiar with the injection vulnerabilities demonstrated. The positive test results of our ModSecurity rule set show that it is a suitable defense mechanism for protecting vulnerable Semantic Web applications against injection attacks.

Krupa C. Patel - One of the best experts on this subject based on the ideXlab platform.
