Title: Discovering last-matching rules in popular open-source and commercial firewalls

Authors: K. Salah, K. Sattar, Z.A. Baig, M.H. Sqalli, P. Calyam

Addresses: Department of Information and Computer Science, King Fahd University of Petroleum and Minerals, Dhahran 31261, Saudi Arabia. ' Department of Information and Computer Science, King Fahd University of Petroleum and Minerals, Dhahran 31261, Saudi Arabia. ' Department of Computer Engineering, King Fahd University of Petroleum and Minerals, Dhahran 31261, Saudi Arabia. ' Department of Computer Engineering, King Fahd University of Petroleum and Minerals, Dhahran 31261, Saudi Arabia. ' Ohio Supercomputer Center, The Ohio State University, Columbus, Ohio 43212, USA

Abstract: Denial of service (DoS) attacks pose a major threat to the smooth operations of critical network resources. Network firewalls act as the first line of defence against unwanted and malicious traffic. Firewalls themselves can become target of DoS attacks. In a prior work (Salah et al., 2009), we studied the resiliency and robustness of open-source network firewalls against the remote discovery of the last-matching rules. If last-matching rules are discovered, an attacker can launch an effective and slow-rate DoS attack which can bring down the firewall to its knees. In this paper, we examine and compare the resiliency of five of the most popular network firewalls, considering both open-source and commercial ones; namely, Linux NetFilter, Linux IPSets and FreeBSD ipfw, Cisco PIX and Cisco ASA. Our results show significant variations in the resiliency of these five firewall technologies, with Cisco ASA being the most resilient and Cisco PIX being the most vulnerable.

Keywords: network security; firewalls; DoS attacks; denial of service; open source firewalls; last-matching rules; commercial firewalls; resiliency.

DOI: 10.1504/IJIPT.2010.032612

International Journal of Internet Protocol Technology, 2010 Vol.5 No.1/2, pp.23 - 31

Available online: 09 Apr 2010 *

Full-text access for editors Access for subscribers Purchase this article Comment on this article