MINISTRY OF EDUCATION AND TRAINING MINISTRY OF NATIONAL DEFENCE
ACADEMY OF MILITARY SCIENCE AND TECHNOLOGY
The dissertation has been accomplished at: Academy of Military Science and Technology – Ministry of Defense
Supervisor:
Reviewer 1: Assoc. Prof. PhD Nguyễn Long Giang
Information Technology Institute
Vietnam Academy of Science and Technology
Reviewer 2: Assoc. Prof. PhD Ngô Thành Long
Military Technical Academy
Reviewer 3: Assoc. Prof. PhD Nguyễn Ngọc Hóa
The thesis will be defended in front of the PhD thesis examination Committee at the Academy of Military Science and Technology at … hour on …
The thesis could be found at:
- The Library of Academy of Military Science and Technology
- The National Library of Vietnam.
INTRODUCTION
1 Dissertation's necessity
Today, computer networks are developing strongly in terms of connectivity, types of services, and number of users. Along with that development comes the introduction of advanced transmission technologies, resulting in huge amounts of data being exchanged on the network. A firewall is an access control device located at the connection point between the network that needs to be protected and an external network, to ensure security for that network. Security is enforced by checking all packets passing through the firewall in both directions, in and out, according to a security policy set by the administrator.
With this function and deployment location, the firewall becomes a barrier between the network to be protected and other networks. This device affects the network system in two aspects: it ensures the security of the system by controlling the legality of the passing packets, and it reduces the speed of information exchange between the protected network and external networks. High firewall performance enhances the ability to protect the internal network and limits the degradation of the speed of information exchange through it.
Until now, researchers both at home and abroad have carried out many research projects to improve the performance of firewalls to meet usage requirements. Each solution has its own advantages and disadvantages and often solves only a small part of the problem of improving the performance of the device; no solution is really optimal and general. The firewall's performance has been and will still need to be enhanced to allow it to meet actual demands. That is the reason why we select this research problem in the thesis.
2 Objects of the research
The thesis includes the following objectives: proposing new techniques in packet classification and in detection of conflicts in rules to improve the speed of packet classification, thereby developing a high-performance firewall.
3 Scope, object and method of research
The scope of the thesis focuses on studying software improvements. More specifically, it studies packet classification algorithms to improve the throughput of the firewall.
The objects directly studied in the thesis are: the data structure of rules and the classification algorithms based on that structure; techniques to minimize the average sorting time for each packet on the firewall.
The thesis uses a combination of theoretical research and experimental simulation.
4 The meaning of the research topic
Improving performance is an indispensable requirement for firewalls to meet actual demands. Analyzing, evaluating and proposing solutions to improve the performance of firewalls is an area that has received attention from domestic and foreign researchers. The research contents of the thesis will be the basis for us to master and develop firewalls that meet the security demands of network systems in general, and especially of national security network systems.
5 The composition of the thesis
The dissertation consists of 4 chapters along with the introduction, the conclusion, the PhD student's list of published scientific papers and articles, and the appendices.
CHAPTER 1 OVERVIEW OF PACKET CLASSIFICATION ON FIREWALL
1.1 Concepts about the firewall
This section includes the following contents: definition and development history of the firewall; the features and types of firewalls.
1.2 Performance and relationship to the packet classification process of the firewall
The performance of a firewall is evaluated according to the criteria of "RFC-3511: Methodology for Firewall Performance", in which the criterion for IP throughput is determined first. This criterion is directly related to the speed of packet classification in a firewall device. Improving the speed of packet classification on firewalls therefore also improves the performance of this device.
1.3 Research fields to improve packet classification speed on the firewall
1.3.1 Researches in the field of hardware
The latest hardware technology solutions are divided into the following basic forms: using FPGA technology; ASIC technology; taking advantage of GPU computing power; developing specialized network microprocessors; parallel processing techniques (Fig. 1.4).
Figure 1.4 Researches in the field of hardware (FPGA; ASIC; GPU; specialized network microprocessors; parallel processing techniques)
Each proposed approach using hardware technology to enhance firewall performance has its advantages and disadvantages. However, building a high-performance firewall based entirely on the above hardware improvements is very difficult in practice.
1.3.2 Researches in software field
The participants in the classification process of a firewall are the classification algorithm and the rule set used for classification. The properties of these two components directly affect the speed of packet classification, so studies in the software field aimed at improving the speed of packet classification also target these two objects. The two research directions in this area are shown in Figure 1.5.
Figure 1.5 Researches in software field (improve software performance: develop algorithms and classification techniques; optimize the way of checking in the classification process; optimize the rule set; detect and resolve conflicts)
1.3.3 Domestic researches
Development of high-performance firewalls has not been studied in Vietnam; domestic research on firewalls only includes: mastering and developing firewalls with basic features and crypto integration; deploying firewalls in network models to ensure system security.
1.3.4 Determine the research directions in the thesis
New proposals are implemented in all steps and stages of the packet classification process (Figure 1.10).
Figure 1.10 Packet classification module (input packets; rule set; classified packet; optimizing the rule set: detect and resolve conflicts)
on that structure; techniques to minimize the average sorting time for each packet on the firewall. The solution is designed to improve the performance of firewalls with new proposals associated with each step of the packet classification process: detecting and handling conflicts in the firewall rule set (optimizing the input parameters of the classification problem); early packet rejection against DoS attacks on default rules (reducing the average classification time in case of attack); improving the efficiency of the classification process with new data structures and algorithms. The new proposals are presented by the PhD student in the following chapters of the thesis.
CHAPTER 2 CLASSIFICATION ALGORITHM ON FIREWALL
2.2 The basic concepts
Rule set: Each rule set consists of many rules, each of which consists of three main parameters (Filter F; Action A; Rule index).
Filter: Each filter F contains the values that the fields must satisfy. Each field can be represented as a range or as an (address / mask) pair.
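The rule model just described (a rule as filter F, action A and rule index, with address fields given as (address / mask) pairs and other fields as ranges), shown as an added example in Python that is not part of the thesis. The linear first-match classification below is only the baseline that every rule set supports; the rules, packets and field names are constructed for this example.

```python
# Added example (not from the thesis): the rule model of Section 2.2, a rule =
# (filter F, action A, rule index), where address fields are (address / mask)
# pairs and port fields are ranges, with first-match classification as the
# baseline. Rules and packets are constructed; field names are this example's own.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    index: int                 # rule index: position in the ordered rule set
    src: str                   # (address / mask) pair, e.g. "10.1.0.0/255.255.0.0"
    dst: str
    sport: Tuple[int, int]     # range [low, high]
    dport: Tuple[int, int]
    action: str                # "ACCEPT" or "DENY"


def addr_matches(field: str, ip: str) -> bool:
    # ipaddress accepts dotted netmasks; strict=False tolerates host bits in the address
    return ipaddress.ip_address(ip) in ipaddress.ip_network(field, strict=False)


def range_matches(field: Tuple[int, int], value: int) -> bool:
    return field[0] <= value <= field[1]


def filter_matches(rule: Rule, pkt: Dict) -> bool:
    """Filter F matches when every packet field satisfies the corresponding filter field."""
    return (addr_matches(rule.src, pkt["src"]) and addr_matches(rule.dst, pkt["dst"])
            and range_matches(rule.sport, pkt["sport"])
            and range_matches(rule.dport, pkt["dport"]))


def classify(rules: List[Rule], pkt: Dict, default: str = "DENY") -> Tuple[str, Optional[int]]:
    """Linear first-match classification: lowest index first, default action if no rule matches.
    Returns (action, index of the matching rule or None)."""
    for rule in sorted(rules, key=lambda r: r.index):
        if filter_matches(rule, pkt):
            return rule.action, rule.index
    return default, None


# Constructed rule set (not from the thesis).
RULES = [
    Rule(1, "10.1.0.0/255.255.0.0", "192.168.1.0/255.255.255.0", (1024, 65535), (443, 443), "ACCEPT"),
    Rule(2, "10.0.0.0/255.0.0.0", "0.0.0.0/0.0.0.0", (0, 65535), (0, 65535), "DENY"),
    Rule(3, "0.0.0.0/0.0.0.0", "192.168.1.10/255.255.255.255", (0, 65535), (22, 22), "ACCEPT"),
]

if __name__ == "__main__":
    pkt = {"src": "10.1.2.3", "dst": "192.168.1.5", "sport": 40000, "dport": 443}
    print(classify(RULES, pkt))
```

Every packet costs one pass over the rule set in the worst case, which is the cost the data structures of Sections 2.3 and 3.2 are meant to cut.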
2.3 Proposed packet classification algorithm based on Multi-Way Priority – MWP trie
2.3.3 Main ideas and definitions
2.3.3.1 Main ideas
Based on the Priority Trie - PT [43] and the JA-trie [10], we build the Multi-Way Priority trie – MWP with the following characteristics:
- The MWP trie is built for one-dimensional packet classification (source or destination IP address); the data stored in the trie is given as prefixes.
- The result of classification on the MWP is the longest prefix (BMP – Best Matching Prefix) matching the input packet.
- The length of the prefix stored at a node is always greater than or equal to the length of the prefixes stored in its child nodes. The search ends as soon as the packet matches the prefix at a node.
- The MWP is a multi-way trie. Each node of the MWP has multiple child nodes, where the i-th child node contains a prefix whose first i bits coincide with the first i bits of the prefix in its parent node.
2.3.3.2 Definitions and theorems
DEFINITION 2.1 Degree of a prefix
Consider prefixes P and Q, where the length of P is l and the length of Q is t. Q is called an n-degree prefix of P if and only if the following three conditions are satisfied:
- t ≤ l;
- the first n bits of Q coincide with the first n bits of P;
- the (n+1)-th bit of Q is different from the (n+1)-th bit of P.
Denote Q = L_n(P).
DEFINITION 2.2 Degree of a set of prefixes
Let G be a set of prefixes. G is an n-th degree set of prefix P if and only if every prefix Q of G satisfies Q = L_n(P).
Denote G = S_n(P).
DEFINITION 2.3 The biggest prefix
Let G be a set of prefixes. P is the biggest prefix of G if and only if ∀Q ∈ G (Q ≠ P), the length of Q is less than or equal to the length of P.
THEOREM 2.1 Let G be a set of prefixes (G does not contain two identical prefixes) and P the biggest prefix of G. If an IP address matches P, then P is the Best Matching Prefix of that IP address.
THEOREM 2.2 Let G_1, G_2 be two sets of prefixes and P a prefix, with G_1 = S_i(P), G_2 = S_j(P) and i ≠ j. If an IP address matches a prefix P1 (P1 ∈ G_1), then there is no prefix P2 ∈ G_2 such that P2 matches that IP address.
2.3.4 Structure of MWP trie
2.3.4.1 Node structure
Each node of the MWP trie is shown in Figure 2.1 and has the following characteristics:
Each node N stores a prefix P.
Node N has a Backtrack field, used when there is a prefix Q that is a prefix of P. In this case we do not need to create a node to store Q; we simply set the Backtrack field to the length of Q.
Each node has at most k child nodes (k = 32 with IPv4, k = 128 with IPv6).
The length of the prefix stored in a child node is always less than or equal to the length of the prefix stored in its parent node.
The m-th child of node N is a node that contains the biggest prefix of the m-degree prefix set of P.
2.3.4.2 Node construction algorithm
The procedure for building a node of the trie takes as input a prefix set in which all prefixes have the same degree with respect to the prefix stored at the parent node.
Flowchart of node construction (recoverable steps only): Start; if G is empty, Finish; otherwise node.key = [value of Prefix_longest] left-shifted by (W – length of Prefix_longest) bits; node.len = length of Prefix_longest.
The classification process starts from the root node of the trie.
In each node, the IP address is compared with the stored prefix:
o If it matches, the search ends and the longest matching prefix is the prefix stored in that node.
o Otherwise:
If the node has no child node, the longest matching prefix is given by the Backtrack value.
Otherwise, compare the first bits of the IP address with the first bits of the prefix stored in the node to select the branch for the next step.
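The construction and search steps of Sections 2.3.3 and 2.3.4, carried through as an added Python example that is not the thesis's own code. It assumes IPv4 (W = 32) and, because the summary does not say how several nested prefixes of a node's prefix P are kept, stores a list of their lengths in the Backtrack field rather than a single length; the prefix set and the queried addresses are constructed.

```python
# Added example (not from the thesis): a Multi-Way Priority (MWP) trie for
# one-dimensional IPv4 longest-prefix matching, following the node structure
# and search steps of Sections 2.3.3-2.3.4. Assumption: the Backtrack field
# is a list of prefix lengths (the summary shows a single length).
from dataclasses import dataclass, field
from typing import Dict, List, Optional

W = 32  # address width in bits (IPv4)


def ip_to_bits(ip: str) -> str:
    """Dotted-quad IPv4 address -> 32-character bit string."""
    return "".join(f"{int(octet):08b}" for octet in ip.split("."))


def cidr_to_prefix(cidr: str) -> str:
    """'10.1.0.0/16' -> the 16-bit prefix string '0000101000000001'."""
    addr, length = cidr.split("/")
    return ip_to_bits(addr)[: int(length)]


def prefix_to_cidr(prefix: str) -> str:
    """Bit-string prefix -> CIDR text, for readable results."""
    padded = prefix.ljust(W, "0")
    octets = ".".join(str(int(padded[i:i + 8], 2)) for i in range(0, W, 8))
    return f"{octets}/{len(prefix)}"


def common_len(a: str, b: str) -> int:
    """Number of leading bits on which a and b coincide."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


@dataclass
class Node:
    prefix: str                                                # biggest prefix P of the node's set G
    backtrack: List[int] = field(default_factory=list)         # lengths of stored prefixes of P
    children: Dict[int, "Node"] = field(default_factory=dict)  # degree m -> child holding S_m(P)


def build(G: List[str]) -> Optional[Node]:
    """Node construction: G holds prefixes of one degree w.r.t. the parent prefix."""
    G = list(dict.fromkeys(G))            # Theorem 2.1 assumes no duplicate prefixes
    if not G:
        return None
    P = max(G, key=len)                   # Definition 2.3: the biggest prefix is the node key
    node = Node(P)
    groups: Dict[int, List[str]] = {}
    for Q in G:
        if Q == P:
            continue
        n = common_len(Q, P)
        if n == len(Q):                   # Q is a prefix of P: no node, only its length
            node.backtrack.append(len(Q))
        else:                             # Q = L_n(P): first n bits coincide, bit n+1 differs
            groups.setdefault(n, []).append(Q)
    for n, grp in groups.items():         # the m-th child stores the biggest prefix of S_m(P)
        node.children[n] = build(grp)
    return node


def lookup(root: Optional[Node], ip: str) -> Optional[str]:
    """Best-matching-prefix search from the root, as in Section 2.3.4."""
    bits = ip_to_bits(ip)
    best: Optional[str] = None
    node = root
    while node is not None:
        m = common_len(bits, node.prefix)
        if m == len(node.prefix):          # IP matches P: by Theorem 2.1, P is the BMP
            return prefix_to_cidr(node.prefix)
        for b in node.backtrack:           # a prefix of P of length b <= m also matches the IP
            if b <= m and (best is None or b > len(best)):
                best = node.prefix[:b]
        node = node.children.get(m)        # branch on the number of coinciding leading bits
    return None if best is None else prefix_to_cidr(best)


# Constructed sample prefix set (not from the thesis).
RULE_PREFIXES = ["10.0.0.0/8", "10.1.0.0/16", "10.1.2.0/24", "10.2.0.0/16",
                 "192.168.0.0/16", "192.168.1.0/24", "0.0.0.0/0"]
ROOT = build([cidr_to_prefix(c) for c in RULE_PREFIXES])

if __name__ == "__main__":
    for ip in ["10.1.2.77", "10.1.9.1", "10.3.0.1", "192.168.7.1", "8.8.8.8"]:
        print(ip, "->", lookup(ROOT, ip))
```

Each step down the trie consumes one node visit, and a mismatch at a leaf falls back to the longest Backtrack prefix the address still matches, so the search never revisits ancestors; that is the property the comparison with PT and JA-trie in Table 2.5 is about.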
Table 2.5 Comparing the complexity of the MWP structure with PT and JA-trie
Structure | Search complexity | Storage complexity
The firewall performs the function of protecting the intranet from external attacks. The packet classification algorithm on the MWP trie structure was proposed in this chapter to improve device performance. However, the firewall itself is subject to direct attacks, so it requires the ability to protect itself against such attacks. The next chapter of the thesis presents the technical proposal for early packet rejection on firewalls to limit a form of DoS attack on this device, thereby improving the device's performance in case of attack.
CHAPTER 3 EARLY PACKET REJECTION ON THE FIREWALL
3.2 Proposed early packet rejection technique based on the combination of fields
3.2.1 The idea of early packet rejection by combining fields
Observation points:
The rules in the firewall can be divided into two groups: rules whose action is prohibit – "DENY", and rules whose action is allow – "ACCEPT". A packet that satisfies a rule of the "DENY" group will not satisfy any of the "ACCEPT" rules, and vice versa. Let C_Accept be the condition for a packet to be "ACCEPT" (built from the set of "ACCEPT" rules); a packet that does not meet C_Accept will be "DENY". Thus, to reject a packet, we can build the condition NOT(C_Accept) and check the packet against that condition. The problem is how to build and use the NOT(C_Accept) condition so that it is effective for packet classification on firewalls.
In packet classification algorithms, checking must be performed on all fields used in the classification process. Checking on those fields can be done in parallel or sequentially. However, in either form, the classification on each field costs resources and time; the number of classification dimensions is proportional to the classification time. If we reduce the number of dimensions we need to check, we reduce the cost of the classification process.
Based on the above observations, the idea of the proposed new early packet rejection technique is as follows:
Reduce the number of dimensions checked for each packet arriving at the early filter module: instead of checking multiple fields, combine the original fields into one field.
Develop a rule set for early packet rejection on the combined field (build the NOT(C_Accept) condition).
Use a balanced tree structure (B-tree, AVL tree, red-black tree) to store the early packet rejection rules and filter incoming packets.
3.2.2 Early packet rejection using the COM combining operation in two dimensions
3.2.2.1 The COM combining operation
COM is the combination of the source address field and the destination address field of a firewall's rule into a single field, according to association rules that we propose; the result is called a COM combination.
Figure 3.1 How to create a COM prefix (from the source IP address prefix and the destination IP address prefix)
COM operation: Rule Ri has a source IP prefix of length s bits and a destination IP prefix of length d bits, with d > s (Figure 3.1). The preCOM prefix consists of s values generated by combining the s bits of the source IP prefix with the first s bits of the destination IP prefix: the j-th bit of the source IP prefix is associated with the j-th bit of the destination prefix to form value j of the preCOM field (j = 0, ..., s-1) according to the rules in Table 3.1.
Table 3.1 COM association rules
                              Case 1   Case 2   Case 3   Case 4
Source IP prefix bit            0        0        1        1
Destination IP prefix bit       0        1        0        1
3.2.2.2 Use the COM field in packet classification
Definition 3.1: The value range of the COM prefix
The value range of the COM prefix - preCOM has length l, defined as the
Definition 3.2: COM field of the packet
Let packet Pkt have source IP address sIP and destination IP address dIP. The COM field of Pkt is denoted fCOM and is calculated as follows:
fCOM = [sIP] COM [dIP] (3.1)
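The COM operation of Section 3.2.2 (Table 3.1 and equation 3.1) together with the early-rejection idea of Section 3.2.1, as an added Python example that is not the thesis's own code. Assumptions: the four cases of Table 3.1 are encoded as the integers 0 to 3 (case number minus one); the preCOM of a rule uses the shorter of its two prefix lengths, which in the page's d > s case is s; and the ACCEPT rules are kept in a plain set keyed by preCOM instead of the balanced tree the thesis proposes. The rules and packets are constructed.

```python
# Added example (not from the thesis): COM combination of source and
# destination prefixes into one field, and early rejection of packets whose
# combined field cannot satisfy any ACCEPT rule (NOT(C_Accept) on one field).
# Assumptions: Table 3.1 cases encoded as 0..3; preCOM length = min(s, d);
# a set stands in for the balanced tree of the thesis.
from typing import List, Set, Tuple


def ip_to_bits(ip: str) -> str:
    """Dotted-quad IPv4 address -> 32-character bit string."""
    return "".join(f"{int(octet):08b}" for octet in ip.split("."))


def com(src_bits: str, dst_bits: str, n: int) -> Tuple[int, ...]:
    """Pair the j-th source bit with the j-th destination bit, j = 0..n-1.
    Table 3.1: (0,0) -> case 1, (0,1) -> case 2, (1,0) -> case 3, (1,1) -> case 4,
    encoded here as 0, 1, 2, 3."""
    return tuple(2 * int(src_bits[j]) + int(dst_bits[j]) for j in range(n))


def rule_precom(src_cidr: str, dst_cidr: str) -> Tuple[int, ...]:
    """preCOM of a rule: COM over the first s positions, s = min(source len, destination len)."""
    s_addr, s_len = src_cidr.split("/")
    d_addr, d_len = dst_cidr.split("/")
    n = min(int(s_len), int(d_len))
    return com(ip_to_bits(s_addr), ip_to_bits(d_addr), n)


def packet_fcom(sip: str, dip: str) -> Tuple[int, ...]:
    """fCOM = [sIP] COM [dIP] (equation 3.1), over all 32 bit positions."""
    return com(ip_to_bits(sip), ip_to_bits(dip), 32)


class EarlyRejectFilter:
    """Rejects a packet early when no ACCEPT rule's preCOM is a prefix of its fCOM.
    This is a necessary condition for acceptance only: a packet that passes the
    filter still goes through full classification on all fields."""

    def __init__(self, accept_rules: List[Tuple[str, str]]):
        self.table: Set[Tuple[int, ...]] = {rule_precom(s, d) for s, d in accept_rules}
        self.lengths = sorted({len(p) for p in self.table})

    def reject_early(self, sip: str, dip: str) -> bool:
        f = packet_fcom(sip, dip)
        # one combined-field check per distinct prefix length instead of one per original field
        return not any(f[:n] in self.table for n in self.lengths)


# Constructed ACCEPT rules (source prefix, destination prefix), not from the thesis.
ACCEPT_RULES = [("10.1.0.0/16", "192.168.1.0/24"), ("172.16.0.0/12", "10.0.0.0/8")]
FILTER = EarlyRejectFilter(ACCEPT_RULES)

if __name__ == "__main__":
    for sip, dip in [("10.1.5.5", "192.168.1.20"), ("10.9.0.1", "192.168.1.1"), ("8.8.8.8", "1.1.1.1")]:
        print(sip, "->", dip, "rejected early:", FILTER.reject_early(sip, dip))
```

A packet from 10.1.5.5 to 192.168.2.20 passes this filter even though it does not match the first rule's full /24 destination: the preCOM only covers the first s = 16 destination bits, so the combined field can only prove that a packet cannot be accepted, never that it must be.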
Theorem 3.1: If the Pkt packet has source IP address - sIP that matches
the source IP prefix - preSIP and the destination IP address - dIP matches the