Anticipatory Distributed Packet Filter Configuration for Carrier-grade IP-Networks

In: Networking 2006. 5th International IFIP-TC6 Networking Conference, Coimbra, Portugal, May 15-19, 2006. Proceedings. Lecture Notes in Computer Science / Boavida, Fernando; Plagemann, Thomas; Stiller, Burkhard; Westphal, Cédric; Monteiro, Edmundo (eds.)
New York, NY, USA: Springer, Elsevier North-Holland, Inc. (2006), pp. 928-941
ISBN: 3-540-34192-7
Book article / chapter / Subject: Economics
Packet filters have traditionally been used to shield IP networks from known attack flows, usually within firewall systems that connect trusted and untrusted network segments. As IP networks grow and connect to more and more neighbor networks of unknown trust status, carrier-grade operators in particular are beginning to experience rising costs, because the filter configurations that have to be applied across their networks in order to maintain a desired security level become increasingly complex. In this paper, we discuss the general properties of distributed packet filter configurations in large networks. Additionally, we present an algorithm for the simplified compilation of anticipatory static packet filter configurations in heterogeneous IP networks, together with simulation results that demonstrate the filter cost reduction it can achieve.