TY - GEN
T1 - Barbarians in the gate
T2 - DSN 2006: 2006 International Conference on Dependable Systems and Networks
AU - Ihde, Michael
AU - Sanders, William H.
PY - 2006
Y1 - 2006
N2 - This paper presents our experience validating the flood tolerance of two network interface card (NIC)-based embedded firewall solutions, the Embedded Firewall (EFW) and the Autonomic Distributed Firewall (ADF). Experiments were performed for both embedded firewall devices to determine their flood tolerance and performance characteristics. The results show that both are vulnerable to packet flood attacks on a 100 Mbps network. In certain configurations, we found that both embedded firewall devices can have a significant, negative impact on bandwidth and application performance. These results imply, first, that firewall rule-sets should be optimized for performance-sensitive applications, and second, that proper consideration must be given to attack risks and mitigations before either the EFW or ADF is deployed. Finally, we believe that future embedded firewall implementations should be vetted in a manner similar to that presented in this paper. Our experience shows that when their limitations are properly considered, both the EFW and ADF can be safely deployed to enhance network security without undue risk.
UR - http://www.scopus.com/inward/record.url?scp=33845581445&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=33845581445&partnerID=8YFLogxK
U2 - 10.1109/DSN.2006.17
DO - 10.1109/DSN.2006.17
M3 - Conference contribution
AN - SCOPUS:33845581445
SN - 0769526071
SN - 9780769526072
T3 - Proceedings of the International Conference on Dependable Systems and Networks
SP - 209
EP - 214
BT - Proceedings - DSN 2006
Y2 - 25 June 2006 through 28 June 2006
ER -