Barbarians in the Gate: An Experimental Validation of NIC-based Distributed Firewall Performance and Flood Tolerance

International Conference on Dependable Systems and Networks (DSN'06) Pub Date : 2006-06-25 DOI:10.1109/DSN.2006.17

Michael Ihde, W. Sanders

{"title":"Barbarians in the Gate: An Experimental Validation of NIC-based Distributed Firewall Performance and Flood Tolerance","authors":"Michael Ihde, W. Sanders","doi":"10.1109/DSN.2006.17","DOIUrl":null,"url":null,"abstract":"This paper presents our experience validating the flood tolerance of two network interface card (NIC)-based embedded firewall solutions, the embedded firewall (EFW) and the autonomic distributed firewall (ADF). Experiments were performed for both embedded firewall devices to determine their flood tolerance and performance characteristics. The results show that both are vulnerable to packet flood attacks on a 100 Mbps network. In certain configurations, we found that both embedded firewall devices can have a significant, negative impact on bandwidth and application performance. These results imply first that, firewall rule-sets should be optimized for performance-sensitive applications, and second, that proper consideration must be given to attack risks and mitigations before either the EFW or ADF is deployed. Finally, we believe that future embedded firewall implementations should be vetted in a manner similar to that presented in this paper. Our experience shows that when their limitations are properly considered, both the EFW and ADF can be safely deployed to enhance network security without undue risk","PeriodicalId":228470,"journal":{"name":"International Conference on Dependable Systems and Networks (DSN'06)","volume":"24 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2006-06-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"8","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Conference on Dependable Systems and Networks (DSN'06)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/DSN.2006.17","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 8

Abstract

This paper presents our experience validating the flood tolerance of two network interface card (NIC)-based embedded firewall solutions, the embedded firewall (EFW) and the autonomic distributed firewall (ADF). Experiments were performed for both embedded firewall devices to determine their flood tolerance and performance characteristics. The results show that both are vulnerable to packet flood attacks on a 100 Mbps network. In certain configurations, we found that both embedded firewall devices can have a significant, negative impact on bandwidth and application performance. These results imply first that, firewall rule-sets should be optimized for performance-sensitive applications, and second, that proper consideration must be given to attack risks and mitigations before either the EFW or ADF is deployed. Finally, we believe that future embedded firewall implementations should be vetted in a manner similar to that presented in this paper. Our experience shows that when their limitations are properly considered, both the EFW and ADF can be safely deployed to enhance network security without undue risk

查看原文本刊更多论文

门口的野蛮人:基于nic的分布式防火墙性能和洪水容忍度的实验验证

本文介绍了我们验证两种基于网卡(NIC)的嵌入式防火墙解决方案——嵌入式防火墙(EFW)和自主分布式防火墙(ADF)的洪泛容忍度的经验。对这两种嵌入式防火墙设备进行了实验，以确定它们的洪水容忍度和性能特性。结果表明，在100mbps的网络中，这两种方法都容易受到包洪攻击。在某些配置中，我们发现这两种嵌入式防火墙设备都可能对带宽和应用程序性能产生显著的负面影响。这些结果表明，首先，应该针对性能敏感的应用程序优化防火墙规则集;其次，在部署EFW或ADF之前，必须适当考虑攻击风险和缓解措施。最后，我们认为未来的嵌入式防火墙实现应该以类似于本文中提出的方式进行审查。我们的经验显示，当适当考虑到它们的局限性时，EFW和ADF都可以安全地部署，以增强网络安全性，而不会带来不必要的风险

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

International Conference on Dependable Systems and Networks (DSN'06)

自引率

0.00%

发文量