A survey on firewall's early packet rejection techniques

Safaa Zeidan, Faculty of Information Technology, UAE University, Al Ain, UAE
Zouheir Trabelsi, Faculty of Information Technology, UAE University, Al Ain, UAE

Abstract — Packet filtering plays a critical role in the performance of many network devices such as firewalls, routers, and intrusion detection and prevention systems. A tremendous amount of research on packet classification has been proposed to optimize packet filtering. However, most works use deterministic techniques and do not take the traffic characteristics into consideration. Moreover, most packet classifiers give no specific consideration to optimizing early packet rejection (as opposed to packet acceptance), which is very important for improving firewall performance. In this paper, we limit ourselves to surveying firewall early packet rejection techniques. The strengths and limitations of the techniques are discussed, and some improvements are proposed. This work can be the basis for enhancing these techniques or for proposing new approaches that provide better firewall performance.

Keywords: Packet Classification, Early Rejection, Set Cover, Boolean Expression, Binary Decision Diagram, Binary Search on Prefix Length, Splay Tree, Hash Table.

I. INTRODUCTION

Packet classification in general is a critical component that determines the performance of many network devices, including firewalls, IPSec gateways, intrusion detection systems, DiffServ and QoS routers. The main task of packet filters or classifiers is to categorize packets based on a set of rules representing the device's filtering policy. The information used for classifying packets is usually contained in distinct header fields of the packet, which in IPv4 are the protocol field, source IP, source port, destination IP, destination port, TCP flags, ICMP type and ICMP code. A firewall security policy consists of a set of filtering rules.
Each filtering rule R can be considered as a set of field values. A packet P is said to match a rule R if each header field of P matches the corresponding rule field of R. Each rule R is associated with an action to be performed: either block ("deny") or forward ("allow") the packet to its destination. Since any packet may match multiple rules in the policy, the first matching rule in rule order is given the highest priority. If a packet does not match any of the rules in the policy, it is discarded, because the default rule's action (the last rule) is assumed to be "deny". In fact, packets rejected by the default-deny rule might cause more harm than others, as they traverse a long matching path before being discarded. This significant matching overhead increases with the number of rules in the policy. Therefore, rejecting these packets as early as possible eliminates such matching overhead.

The paper is organized as follows. In Section II, we describe early packet rejection techniques. In Section III, we show the strengths and limitations of each technique, as well as ways to improve them. Finally, Section IV concludes the paper.

II. EARLY PACKET REJECTION TECHNIQUES

There are mainly three early packet rejection techniques, namely Field Value Set Cover (FVSC), Policy Boolean Expression Relaxation (PBER) and Self Adjusting Binary Search on Prefix Length (SA-BSPL). The first two techniques present novel algorithms for maximizing early rejection of unwanted traffic flows without significantly impacting the accepted flows. They are built as an early filtering module on top of the original policy filtering module. For a given packet, the original policy filtering algorithm is not executed unless the early filtering module fails to reach a decision.
The third technique applies binary search on prefix length to each policy field, together with a dynamic splay tree data structure, while keeping the splay tree node with the minimum length at a high level for early packet rejection.

A. Field Value Set Cover (FVSC)

This technique analyzes the firewall policy rules in order to construct a set of rules that can reject the maximum number of unwanted packets as early as possible [1]. This is an NP-complete problem, and its solution is found by using an approximation algorithm that pre-processes the firewall policy off-line to generate different near-optimal solutions [1] [6]. Firewall rules are often written as exceptions to the default-deny rule, which means that the space covered by the default-deny rule is the complement of the space covered by all previous policy rules. This might explain the research emphasis on optimizing the acceptance decision path in firewall filtering. However, discarded packets might traverse a long decision path of rule matching before they are finally rejected by the default-deny rule. Although packets can be rejected by intermediate deny rules in the policy, this technique optimizes the matching of traffic discarded due to the default rule, because it has a more profound effect on the performance of the firewall.

2011 International Conference on Innovations in Information Technology 978-1-4577-0314-0/11/$26.00 ©2011 IEEE

FVSC reduces the matching of discarded packets by dynamically introducing a set of early rejection rules that is processed before the original firewall policy. These early rejection rules have the maximum discarding effect, and they are adaptive to the characteristics of the recently discarded traffic. The basic idea behind this technique is that if a packet does not match any of the field values common to all "allow" rules, then this packet should be rejected as early as possible, and thus no further matching through the original policy is done.
This means that the early rejection rules (RR) can be formed as a combination of the common field values that cover all allow rules in the policy (i.e., a combination of common field values such that every rule uses at least one of these values). For example, if all accept rules use a certain destination IP address or port number, then packets that do not carry such values can be rejected early without any further matching. A rejection rule can be of the form

RR = (DP ≠ 80) ∧ (DP ≠ 21) ∧ (DIP ≠ ) ∧ (P ≠ UDP)

The set cover approximation algorithm generates a set of early rejection rules until it reaches a limit defined by equation (2) in [1]. The effect of adding a specific RR is governed by equations (5) and (6) in [1]; these equations use traffic statistics, which makes this technique adaptive to traffic behavior. The FVSC algorithm described in [1] is divided into three phases: Algorithm 1 builds up the rejection rule list using the set cover approximation algorithm. Algorithm 2 is responsible for the periodic addition/removal of rules according to the performance gain/loss of each rule. Algorithm 3 is responsible for the per-packet filtering operation as well as the update of the statistics required for early rejection.

B. Policy Boolean Expression Relaxation (PBER)

Data networks may suffer from traffic flows that are expensive to classify and filter, as such a flow undergoes a longer than average list of filtering rules before being rejected by the default-deny rule. An attacker with some information about the access-control list (ACL) deployed at the firewall or intrusion detection and prevention system (IDS/IPS) can initiate packets that have maximum cost. This technique is executed before the regular policy matching module; if a packet needs further processing, then the next layer (the original policy module) is executed, otherwise the packet is directly dropped or accepted as early as possible [2].
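The following is an added example and not code from [1] or from this paper: it builds one early rejection rule (RR) for the FVSC technique of Section II.A by a greedy set cover over the field values of the "allow" rules, then applies it per packet before the original policy is consulted. The policy, the field names P, DIP and DP, and the packet stream are constructed; the greedy choice here uses coverage counts only, whereas [1] also weighs traffic statistics (its equations (2), (5) and (6)), which are not reproduced.

```python
# Added example (not from [1] or this paper): FVSC-style early rejection rule built by a greedy
# set cover over the field values of the "allow" rules. Policy and packets are constructed.

ANY = "*"
FIELDS = ("P", "DIP", "DP")          # protocol, destination IP, destination port (paper's names)

# Constructed first-match policy; the last rule is the default deny.
POLICY = [
    {"P": "TCP", "DIP": ANY,        "DP": 80,  "action": "allow"},
    {"P": "TCP", "DIP": ANY,        "DP": 21,  "action": "allow"},
    {"P": ANY,   "DIP": "10.0.0.5", "DP": ANY, "action": "allow"},
    {"P": "UDP", "DIP": ANY,        "DP": 53,  "action": "allow"},
    {"P": ANY,   "DIP": ANY,        "DP": ANY, "action": "deny"},
]


def matches(rule, pkt):
    return all(rule[f] in (ANY, pkt[f]) for f in FIELDS)


def full_policy(pkt, policy=POLICY):
    """Original linear first-match evaluation; also returns how many rules were examined."""
    for n, rule in enumerate(policy, start=1):
        if matches(rule, pkt):
            return rule["action"], n
    return "deny", len(policy)


def greedy_set_cover(policy=POLICY):
    """Greedy approximation of the set cover: pick (field, value) pairs until every allow
    rule uses at least one of them.  Wildcards are skipped: '!= *' would reject nothing."""
    allow = {i for i, r in enumerate(policy) if r["action"] == "allow"}
    covers = {}
    for i in allow:
        for f in FIELDS:
            if policy[i][f] != ANY:
                covers.setdefault((f, policy[i][f]), set()).add(i)
    uncovered, cover = set(allow), []
    while uncovered:
        # most newly covered rules first; ties broken by field order, then value
        best = min(covers, key=lambda c: (-len(covers[c] & uncovered),
                                          FIELDS.index(c[0]), str(c[1])))
        if not covers[best] & uncovered:
            return []                 # an all-wildcard allow rule exists: no RR is valid
        cover.append(best)
        uncovered -= covers[best]
    return cover


RR = greedy_set_cover()   # [('P', 'TCP'), ('P', 'UDP'), ('DIP', '10.0.0.5')]


def early_reject(pkt, rr=RR):
    """RR = (f1 != v1) AND (f2 != v2) AND ...: a packet carrying none of the covering values
    cannot match any allow rule, so it is discarded without touching the policy."""
    return bool(rr) and all(pkt[f] != v for f, v in rr)


def filter_stream(packets):
    """Return (packets rejected early, policy rules examined with RR, rules examined without)."""
    early = with_rr = without_rr = 0
    for pkt in packets:
        action, examined = full_policy(pkt)
        without_rr += examined
        if early_reject(pkt):
            assert action == "deny"   # safety: RR may only short-cut decisions the policy denies
            early += 1
        else:
            with_rr += examined
    return early, with_rr, without_rr


# Constructed packet stream: ICMP to a host other than 10.0.0.5 is the "expensive" default-deny case.
PACKETS = [
    {"P": "ICMP", "DIP": "10.0.0.9", "DP": 0},
    {"P": "TCP",  "DIP": "10.0.0.9", "DP": 80},
    {"P": "TCP",  "DIP": "10.0.0.9", "DP": 22},    # not covered by RR: still walks all 5 rules
    {"P": "ICMP", "DIP": "10.0.0.5", "DP": 0},
    {"P": "UDP",  "DIP": "10.0.0.9", "DP": 53},
]

if __name__ == "__main__":
    print("RR =", " AND ".join(f"({f} != {v})" for f, v in RR))
    print("early rejected, rules examined with / without RR:", filter_stream(PACKETS))
```

The resulting RR uses the same field (P) twice, which is the representation problem Section III.A raises, and the third packet shows the residual cost the paper discusses: a TCP packet to an unlisted port is not covered by any RR value and still walks the whole policy to the default-deny rule.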
To build the early filtering module, the original policy is compiled into a single Boolean expression that represents its acceptance space, by converting each rule to its corresponding Boolean expression using its non-don't-care bits. In this representation, each bit in the packet header is considered an input binary variable of the Boolean expression, and only packets that satisfy this expression are accepted and passed through the system. This expression, however, is quite complex, and evaluating it for every packet can be a considerable overhead. Therefore, it is simplified by placing an upper bound on the depth to which the expression tree is traversed when evaluating a packet. Given a packet, the technique evaluates it against the early filtering module and reaches one of three outcomes: either the packet should be accepted, or rejected, or more filtering is needed by the original policy. The original policy is still deployed using the filtering method implemented in the firewall, but it is not executed unless the early filtering module fails to reach a decision.

The policy expression incorporates first-rule priority matching, so rule i matches a packet only if the packet does not match any higher rule. Evaluating this function by simple substitution of the variables by their values from the packet header yields the correct classification result (e.g., "allow" or "drop" in the case of firewall policies). The implementation and maintenance of this expression is done using the Binary Decision Diagram (BDD) data structure. BDDs can perform the matching by representing the expression in the form of a tree, where each variable needs to be checked only once. Thus, the overall matching cost is bounded by the number of bits needed to represent the fields used in the policy. In the case of standard firewalls, this sums up to 104 variables (32*2 for the IP addresses, 16*2 for the ports and 8 for the protocol).
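An added example, not the code of [2] or of this paper, of the mechanism just described: a first-match policy over packet-header bits is compiled into a reduced decision diagram in which each bit is tested at most once, and packets are then evaluated with a bound on the number of tests, falling back to the original policy when no leaf is reached within that bound. The 8-bit toy header, the five rules, and the use of one diagram with a per-packet depth bound (in place of the several approximation levels the technique builds) are constructed assumptions.

```python
# Added example (not the paper's or [2]'s code): compile a first-match policy over header bits
# into a reduced decision diagram, then evaluate packets with a depth bound (PBER-style).

NBITS = 8   # constructed toy header: bits 0-1 protocol, 2-4 destination host id, 5-7 port code
TCP, UDP, ICMP = "01", "10", "00"

# Constructed policy: (bit pattern, '-' = don't care, action); first match wins, default deny.
POLICY = (
    (TCP + "---" + "000", "allow"),   # TCP to port code 0
    (TCP + "---" + "001", "allow"),   # TCP to port code 1
    ("--" + "101" + "---", "allow"),  # anything to host 5
    (UDP + "---" + "011", "allow"),   # UDP to port code 3
    (ICMP + "------", "deny"),        # explicit deny of ICMP
)
DEFAULT = "deny"


def build(rules=POLICY, i=0, memo=None):
    """Return a decision diagram: a leaf is an action string, an inner node is (bit, lo, hi).
    `rules` are the policy rules, in order, still consistent with the bits fixed so far."""
    memo = {} if memo is None else memo
    if not rules:
        return DEFAULT
    if i == NBITS or all(c == "-" for c in rules[0][0][i:]):
        return rules[0][1]                      # first remaining rule covers this whole subspace
    if all(r[0][i] == "-" for r in rules):
        return build(rules, i + 1, memo)        # no rule tests this bit: skip it (BDD reduction)
    key = (rules, i)
    if key not in memo:
        lo = build(tuple(r for r in rules if r[0][i] in "-0"), i + 1, memo)
        hi = build(tuple(r for r in rules if r[0][i] in "-1"), i + 1, memo)
        memo[key] = lo if lo == hi else (i, lo, hi)   # merge branches that decide identically
    return memo[key]


ROOT = build()


def first_decision_level(node):
    """The integer the paper attaches to each node: hops until the nearest leaf."""
    if isinstance(node, str):
        return 0
    return 1 + min(first_decision_level(node[1]), first_decision_level(node[2]))


def evaluate(bits, limit, node=ROOT):
    """Walk at most `limit` variable checks; return (action, checks) or (None, checks) if undecided."""
    checks = 0
    while not isinstance(node, str):
        if checks == limit:
            return None, checks
        bit, lo, hi = node
        node = hi if bits[bit] == "1" else lo
        checks += 1
    return node, checks


def linear_match(bits, rules=POLICY):
    """The original policy: sequential first-match over the rule list."""
    for pattern, action in rules:
        if all(p == "-" or p == b for p, b in zip(pattern, bits)):
            return action
    return DEFAULT


def classify(bits, limit):
    """Early filtering module first; hand over to the original policy only when undecided."""
    action, _ = evaluate(bits, limit)
    if action is not None:
        return action, "early"
    return linear_match(bits), "full"


if __name__ == "__main__":
    print("shallowest decision at depth", first_decision_level(ROOT))
    for hdr in ("00011111", "01011000"):
        print(hdr, classify(hdr, 3), classify(hdr, NBITS))
```

With the depth bound set to the number of header bits, the diagram decides every packet and agrees with the sequential policy; lowering the bound turns deep decisions into "undecided" outcomes that cost the diagram walk plus the full policy, which is exactly the overhead the paper's auto-shutdown and the DoS remark in Section III are about.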
The technique is based on using only shallow leaves to approximate the policy, leaving longer decision paths for the second stage, where normal packet filtering techniques take over. The range of depths to go into the policy expression tree is obtained from traffic statistics. If the fraction of traffic that hits the leaves close to the root is high enough, the gain is valuable. But if this percentage gets lower, the technique becomes less effective and may introduce overhead with no gain; in such a case the algorithm automatically shuts down the early filtering path. The technique uses an off-line step where the text policy is converted into a single compound Boolean expression. BDD trees are built representing several approximation levels concurrently: φ_0, ..., φ_n, where tree φ_i approximates the original policy using the first i variables. Furthermore, each node is associated with an integer that represents the first tree level at which a decision can be reached (i.e., the number of hops until the first leaf). When a packet arrives, the fields used in classification are extracted from the packet header and sorted according to their order in the expression tree, so they can be used one by one in navigating the tree. Tree navigation is itself a very simple set of instructions: check the variable at the current node, load a certain integer if true (i.e., the left child node entry in the BDD table) and another if false. This is repeated until a node is reached that holds a final value instead of a variable ID, or until the maximum depth allowed in the tree is reached. In order to use the optimal tree depth for the current traffic statistics, random sampling takes place to check whether the traffic would perform better using another depth limit that is deeper or shallower.

C. Self Adjusting Binary Search on Prefix Length (SA-BSPL)

This technique uses the splaying properties to optimize the early rejection of unwanted flows, which is important for many filtering devices such as firewalls. The proposed scheme presented in [3] consists of a set of self-adjusting filters; each filter uses binary search on prefix length [4] with the splay tree model to ameliorate the average search time [5] [7]. The Binary Search on Prefix Length algorithm in [4] is known to be efficient in search performance. It is based on hashing to check whether an incoming value matches any prefix of a particular length; it also uses binary search to reduce the number of searches from linear to logarithmic, and in addition it uses pre-computation to prevent backtracking in case of failures in the binary search [4]. Considering the following list of prefixes, a 0*, b 01000*, c 011*, d 1*, e 100*, f 1100*, g 1101*, h 1110*, i 1111*, j 01*, k 1100001* and p 101*, Fig. 1 shows an example of binary search on prefix length.

Figure 1. Binary search on prefix length.

The Splay Tree is an ordered binary tree data structure in which, for every node x, every element in the left sub-tree of x is ≤ x, and every element in the right sub-tree of x is ≥ x. When a node is accessed, either a single rotation or a series of rotations is applied to move the accessed node to the root (Zig, Zig Zag and Zag Zig operations). Fig. 2 shows a simple example of a splay tree in which node x is splayed to the root.

Figure 2. Splaying node x to the root (Zig operation).

Each filtering field consists of a collection of hash tables and a splay tree, with no need to represent the default prefix (with zero length). The prefixes are grouped by length in hash tables, as shown in Fig. 1, with their corresponding matching rules; moreover, each hash table is augmented with markers for longer-length prefixes. Then, the different prefix lengths are stored in a splay tree, which is an efficient implementation of binary search trees that takes advantage of locality in the incoming lookup requests. Locality is the tendency to look for the same element multiple times. This is an important aspect in firewalls, since we may have many repeated packets. Using splay trees, nodes that are often accessed reside close to the tree root, and by this the memory accesses are reduced dynamically to reach the required result quickly. Considering Table I as an example of a firewall policy, Fig. 3 shows the corresponding hash tables for the destination prefix and Fig. 4 represents the corresponding splay tree.

TABLE I. EXAMPLE OF A RULE SET WITH 8-BIT PREFIXES FOR THE SOURCE AND DESTINATION ADDRESSES

Rule  Src Prefix  Dst Prefix  Dst Port  Src Port  Proto
R1    01001*      000111*     80        *         TCP
R2    01001*      00001*      80        *         TCP
R3    010*        000*        443       *         TCP
R4    0001*       0011*       443       *         TCP
R5    1011*       11010*      80        *         UDP
R6    1011*       110000*     80        *         UDP
R7    1010*       110*        443       *         UDP
R8    110*        1010*       443       *         UDP
R9    *           *           *         *         *

Figure 3. The collection of hash tables according to the destination address field of Table I.

Figure 4. Splay tree according to the hash tables in Figure 3.

The algorithm works as follows. The search process starts from the root node of the splay tree; if a match is found in the corresponding hash table, the best prefix length value and the best matching prefix are updated, and the search continues in the higher-lengths sub-tree. If nothing is matched, the successor of the best length value is updated, and the search is redirected to the lower-lengths sub-tree. The search process stops when a leaf is met. After that, the best length value and its successor have to be splayed to the top of the tree as follows: the matched best length prefix value is splayed to the root, and its successor to the root.right position, as shown in Fig. 5. The trivial composed splaying operation (CSplay) is expressed as follows:

CSplay(x, x+) = Splay(x, root) + Splay(x+, x.right)

Consequently, the tree is adequately adjusted to have at most 2 hash accesses for all repeated values. Either a bottom-up or a top-down splay tree can be used, but top-down is much more efficient because it can combine the searching and splaying stages together [7] [8].

Figure 5. The operation of splaying the item x and its successor.

Early rejection is performed in such a manner that if a packet doesn't match any prefix length in the splay tree, it is automatically rejected by the Min-node (the node with the minimum value). Generally, rejected packets might traverse a long decision path of rule matching before they are finally rejected by the default-deny rule. The left child of the Min-node is Null; hence, if a packet doesn't match the Min-node, we go to its left child, which is Null, meaning that this node is the end of the search path. In each filter, the entire tree is searched until we arrive at the node with the minimum value. Therefore, the Min-node always has to be rotated to the upper levels of the splay tree: the Min-node has to be splayed to the root.left position, as shown in Fig. 6. The top-down splay tree is much more efficient for the early rejection technique, because we are able to keep the Min-node fixed at the desired position when searching for the best matching value, without explicitly splaying it.

Figure 6. Min-node is splayed to root.left for early rejection.

III. DISCUSSION

The strengths and limitations of the three early rejection techniques are discussed below.

A. FVSC and PBER techniques

FVSC and PBER can be considered as the first attempt to specifically target packets taking the reject path rather than the acceptance path. The authors of these techniques claim that they are device protection techniques, which can be deployed on top of any filtering technique to protect the device from load spikes due to malicious activities or sudden changes in traffic dynamics. Both techniques use a novel logical view of the policy that enables approximated policies that are much simpler to use and to evaluate against incoming traffic. The two policy approximation and simplification techniques open the door for many other applications that can make use of the same concept. Moreover, these two techniques address the problem differently, making them applicable to devices in different environments, which can be protected with minimal change to their own design. Both techniques adapt to the traffic dynamics in a way that guarantees a positive gain in performance, and they can auto-shutdown if not needed.

However, the claim regarding the use of the PBER and FVSC techniques as protection algorithms against Denial of Service (DoS) attacks is questionable. In PBER, if an attacker can gain knowledge about the integer values associated with the BDD tree nodes and the depth at which the BDD tree is truncated, then he will be able to flood the firewall with packets that make the algorithm shut down, so that no decision is made at this level. Consequently, such a flow of packets is sent to the original filtering module for processing. Therefore, the processing time of these packets is the processing time of the BDD tree plus the processing time of the original policy. Such a packet flow can create a DoS situation, since it increases the firewall overhead. The same point applies to FVSC: there are still expensive packets that pass through the early RR rules and are then searched linearly by the firewall policy (since this technique targets mostly firewalls with a sequential search algorithm) until they are finally rejected by the default-deny rule. Therefore, filtering these expensive packets requires a huge processing time. Such packets may be used by attackers to overwhelm firewalls, causing a DoS situation.

FVSC is based on the assumption that the number of distinct field values is usually small relative to the policy size (e.g., the number of destination ports used is much less than the number of rules). But if the policy size gets bigger and the variability in field values increases, we end up with a very large number of generated RR rules, and the achieved gain may drop. Even in a smaller policy with more diverse field values, the evaluation in [1] has shown that the optimum gain after using RR is 50%, while the achieved gain is 34%, which makes FVSC applicable only to certain policy structures. Another point to consider is that, as seen in the form of the RR rules, they cannot be represented directly as standard firewall rules. The (≠) operator is not always supported in firewalls and simpler packet classifying devices. Also, the possibility of having the same field used more than once in the same rule (see the example shown above, where DP was used twice) makes it even harder to find a device that can handle the structure of these criteria. PBER can be considered as a generalization of FVSC, in the sense that FVSC focuses on rejection paths only, while PBER finds shortcuts for both accepted and rejected packets.
FVSC is more suitable for smaller policies with low diversity of values, while PBER is more suitable for huge and complex policies; both algorithms can adapt to traffic changes.

B. SA-BSPL technique

Besides the work described in [3] (SA-BSPL), there is another work in [5], called Splay Tree Packet Classification Technique (ST-PC), implemented in high-speed packet classifiers and based on the splay tree data structure. The main difference between SA-BSPL and ST-PC is that in ST-PC the prefixes of both the source and destination fields are converted into integer values, and these values with their matching rules are stored in splay trees. In SA-BSPL, on the other hand, the prefix lengths are stored in splay trees, and for each length there is a corresponding hash table containing the prefixes of that length with their matching rules. Hence, SA-BSPL gives a better amortized analysis than ST-PC in terms of the number of nodes in the splay tree and memory accesses.

In SA-BSPL, there is a proposal for a better alternative optimized technique regarding the splaying properties and for minimizing the number of tree rotations: since x may appear before or after x+ in the search path, instead of splaying x to the root and x+ to root.right, this is done in one step as follows:

OCSplay(x, x+) = Splay(x+, x.right) + Splay((x, x+), root)

as shown in Fig. 7, or

OCSplay(x, x+) = Splay(x, x+) + Splay((x, x+), root)

as shown in Fig. 8.

Figure 7. Splaying x and x+ as a single node (x appears before x+ on the search path).

Figure 8. Splaying x and x+ as a single node (x appears after x+ on the search path).

While SA-BSPL has all these advantages, we noticed that there are some limitations regarding rule field matching conditions. Packet classification involves various matching conditions, e.g., longest prefix matching (LPM), exact matching, range matching and discrete value matching (TCP flags, ICMP type and code, DstPort = 80 or 21). The SA-BSPL matching paradigm works well for prefix matching of IP addresses, as shown before. For matching fields with ranges (e.g., port number ranges), a range-to-prefix algorithm should be used first [9] [10]. This operation increases the number of rules (memory entries), and therefore more storage is needed. It is important to mention that ST-PC provides a better scheme for representing discrete values than SA-BSPL.

A major point to consider is that SA-BSPL builds a splay tree and hash tables for each field in the security policy. Therefore, considerable memory access and filtering processing time are required to filter the traffic. A major improvement can be made by reordering the policy fields according to traffic statistics. For a given window of traffic flow, the filtering fields that have the highest rejection statistics are selected first. This reduces the memory accesses to the splay trees and hash tables and, consequently, the filtering processing time for unwanted traffic flows. For example, suppose that 60% of the traffic is rejected by the field F2 = DstIP, 30% by the field F5 = SrcPort and 10% by the field F7 = DstPort; then, instead of checking packet fields against all policy filters, we check them first against F2, F5 and F7. If the corresponding packet header fields don't match any one of F2, F5 and F7, the packet is rejected as early as possible. Otherwise, it is checked against the remaining filtering fields.

Another improvement for SA-BSPL can be made by optimizing the intersection level between filtering fields. In the Fields Intersection Filtering Level, the list of rules matched by a field is intersected with the previously intersected list of matched rules. If there are no common rules between the two lists, then the packet is rejected as early as possible, with no need to check the remaining fields. Otherwise, the next field is checked; if the corresponding packet field matches this field, then its list of matched rules is intersected with the previous list, and so on. With these two major improvements, the packet processing time is expected to improve, since unwanted packets are discarded as early as possible. Table II summarizes the main features of the three early packet rejection techniques.

TABLE II. SUMMARY OF EARLY FILTERING ALGORITHMS

Policy approximation
  FVSC: uses the set cover algorithm to approximate the policy.
  PBER: uses a Boolean expression to approximate the policy.
  SA-BSPL: no approximation is used; the exact policy is represented in a different way.

Off-line phase
  FVSC: build the RR rules.
  PBER: build the policy BDD tree.
  SA-BSPL: build the policy hash tables and splay trees.

Traffic awareness
  FVSC: RR rules are added/removed according to traffic statistics.
  PBER: BDD tree traversal depth and levels are adaptive to traffic statistics.
  SA-BSPL: the technique is dynamic with respect to traffic changes due to the use of splay trees, but no traffic statistics are involved.

Filtering optimization
  FVSC: early filtering for rejected packets.
  PBER: early filtering for rejected and accepted packets.
  SA-BSPL: early filtering for rejected and accepted packets.

Original policy execution
  FVSC: if no decision is reached using the RR rules, the packet is sent to the original policy.
  PBER: if no decision is reached at the chosen BDD depth, the packet is sent to the original policy.
  SA-BSPL: the hash tables and splay trees represent the original policy.

Limitations
  FVSC: suitable for smaller security policies, with low diversity of field values.
  PBER: suitable for huge and complex security policies.
  SA-BSPL: range field values must be converted to prefixes using a range-to-prefix conversion algorithm, which increases the data storage.

IV. CONCLUSION

As the size of firewall security policies grows, the packets discarded by the default-deny rule significantly affect the
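An added example, not the code of [3], [4] or this paper, covering the per-field search of Section II.C and the two improvements of Section III.B: binary search on prefix length with marker entries and a precomputed best matching prefix, built from the Table I prefixes, then used in a field-order-driven classifier that intersects matched-rule sets and rejects at the first empty intersection. A fixed balanced search tree over the prefix lengths stands in for the splay tree, so the self-adjusting part (splaying, Min-node placement) is not modelled; the field order passed to `classify` is a constructed stand-in for the rejection statistics the paper would derive from traffic.

```python
# Added example (not the paper's or [4]'s code): binary search on prefix length with marker
# entries and a precomputed best matching prefix (bmp), built from the Table I prefixes, then
# used for per-field early rejection and the field-list intersection of Section III.B.
# Simplification: a fixed balanced search tree over the prefix lengths replaces the splay tree.

# Table I (8-bit addresses). R9 is the default "*" rule and, as in the paper, is not stored.
DST_PREFIXES = {"000111": {"R1"}, "00001": {"R2"}, "000": {"R3"}, "0011": {"R4"},
                "11010": {"R5"}, "110000": {"R6"}, "110": {"R7"}, "1010": {"R8"}}
SRC_PREFIXES = {"01001": {"R1", "R2"}, "010": {"R3"}, "0001": {"R4"},
                "1011": {"R5", "R6"}, "1010": {"R7"}, "110": {"R8"}}
# Exact-match fields of Table I (source port is "*" everywhere, so it is not checked).
EXACT = {"dport": {80: {"R1", "R2", "R5", "R6"}, 443: {"R3", "R4", "R7", "R8"}},
         "proto": {"TCP": {"R1", "R2", "R3", "R4"}, "UDP": {"R5", "R6", "R7", "R8"}}}


def length_tree(lengths):
    """Balanced binary search tree over sorted prefix lengths: (length, left, right) or None."""
    if not lengths:
        return None
    m = len(lengths) // 2
    return (lengths[m], length_tree(lengths[:m]), length_tree(lengths[m + 1:]))


def covering_rules(prefixes, p):
    """Rules of prefix p plus those of every shorter prefix that also covers it."""
    return {r for q, rules in prefixes.items() if p.startswith(q) for r in rules}


def build_bspl(prefixes):
    """One hash table per prefix length. Entry = (rules, bmp): for a real prefix, bmp is the
    prefix itself; for a marker, bmp is the longest real prefix covering it, precomputed so a
    failed search among longer lengths never has to backtrack."""
    tree = length_tree(sorted({len(p) for p in prefixes}))
    tables = {}
    for p in prefixes:
        tables.setdefault(len(p), {})[p] = (covering_rules(prefixes, p), p)
    for p in prefixes:                         # markers on the search path from the root to len(p)
        node = tree
        while node and node[0] != len(p):
            length, left, right = node
            if length > len(p):
                node = left
                continue
            marker = p[:length]
            if marker not in tables.setdefault(length, {}):
                shorter = [q for q in prefixes if len(q) < length and marker.startswith(q)]
                bmp = max(shorter, key=len) if shorter else None
                tables[length][marker] = (covering_rules(prefixes, bmp) if bmp else set(), bmp)
            node = right
    return tree, tables


def lookup(bspl, addr):
    """Binary search on prefix length; returns (best matching prefix or None, its rule set)."""
    tree, tables = bspl
    node, best = tree, (None, set())
    while node:
        length, left, right = node
        entry = tables.get(length, {}).get(addr[:length])
        if entry is None:
            node = left                        # nothing of this length: only shorter can match
        else:
            if entry[1] is not None:
                best = (entry[1], entry[0])
            node = right                       # a prefix or marker hit: try longer lengths
    return best


FILTERS = {"dst": build_bspl(DST_PREFIXES), "src": build_bspl(SRC_PREFIXES)}


def classify(pkt, order=("dst", "proto", "dport", "src")):
    """Fields Intersection Filtering Level: check fields in `order` (the paper proposes ordering
    by rejection statistics), intersect the matched-rule sets, and stop at the first empty
    intersection. Returns (first matching rule, field at which the packet was rejected or None)."""
    candidates = None
    for field in order:
        if field in FILTERS:
            rules = lookup(FILTERS[field], pkt[field])[1]
        else:
            rules = EXACT[field].get(pkt[field], set())
        candidates = rules if candidates is None else candidates & rules
        if not candidates:
            return "R9", field                 # only the default rule is left: reject here
    return min(candidates, key=lambda r: int(r[1:])), None


if __name__ == "__main__":
    pkt = {"dst": "00011100", "src": "01001010", "dport": 80, "proto": "TCP"}
    print(lookup(FILTERS["dst"], pkt["dst"]), classify(pkt))
    print(classify({"dst": "01100000", "src": "01001010", "dport": 80, "proto": "TCP"}))
```

The destination address 11000111 shows the role of the precomputed bmp: the length-5 table holds only a marker for 11000, the length-6 probe for 110000 fails, and the search still returns 110* (R7) without revisiting shorter lengths. A packet whose destination matches no prefix at all is rejected after the first field, which is the early-rejection path the paper wants to keep short.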