Packet Filter Networks

Over the past years, operators of private and public IP networks have seen an increasing number of security-related incidents, ranging from the rare targeted break-in attempt to the more frequent worm and virus outbreak. One way to protect against these threats is to set up and maintain dedicated traffic inspection and blocking functions at the edges of the network. The more sophisticated class of systems providing such functions is commonly called 'firewalls'; these are often capable not only of simple packet-by-packet filtering but also of inspecting the content of whole reassembled connections.

The major benefit of deploying firewalls is an organizational one: maintain one system that keeps out unwanted traffic (and the malicious content it would otherwise import) instead of individually securing hundreds or even thousands of end systems inside the network. However, this is only reasonable in an economic sense if the number of links to neighboring, untrusted network segments is comparatively small. Large carrier-grade IP network operators in particular face the problem that they have many interconnection points to other networks and must also sustain a very high traffic throughput at these points. This makes setting up and maintaining firewall systems at interconnection points prohibitively costly. Nevertheless, IP carriers have a growing demand for filter functions, especially to shield internal management communication from being disrupted by denial-of-service (DoS) attacks. The common configuration protocols for routers and switches provide strong authentication and integrity protection (e.g. SSH and SNMPv3) against unauthorized use, but the very cost of those cryptographic operations lets an adversary who can reach the management service mount an effective DoS attack: every request, authenticated or not, forces the device to perform expensive computation before it can be rejected.

To avoid deploying expensive firewalls, operators usually fall back on the packet-filtering capabilities of commercial off-the-shelf routing and switching platforms. This is usually done in a very simple way, by configuring filter rules on interfaces line by line in the router's or switch's CLI. A drawback of this method is that it is difficult to automate, especially in the heterogeneous environments that result when operators grow and merge; there, filter configurations also have to be adapted to each routing platform's specific configuration syntax.
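As an added illustration of the per-platform syntax problem (example code written for this page, not the project's tool or its formalism): a small vendor-neutral rule model is rendered into Cisco IOS extended-ACL syntax and into Junos firewall-filter syntax, and a first-match evaluator checks the rule set before it is pushed to any device. The rule model, the management prefix 10.0.0.0/24, the filter name and the sample packets are all constructed for the example; the rules express the management-plane use case above, keeping SSH and SNMP reachable from the management prefix only while transit traffic passes.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import List, Optional

# Hypothetical vendor-neutral rule model, an assumption of this example and
# not the project's formalism. Source prefix and destination port only; the
# destination is left as "any" to keep the model small (a production filter
# would scope it to the router's own management addresses).
@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: IPv4Network             # source prefix; 0.0.0.0/0 means any source
    dport: Optional[int] = None  # destination port, None means any port

MGMT_NET = IPv4Network("10.0.0.0/24")   # constructed management prefix
ANY = IPv4Network("0.0.0.0/0")

# Constructed rule set: SSH and SNMP reachable from the management prefix only,
# everything else (transit traffic) passes. Order matters: first match wins.
MGMT_RULES: List[Rule] = [
    Rule("permit", "tcp", MGMT_NET, 22),
    Rule("permit", "udp", MGMT_NET, 161),
    Rule("deny", "tcp", ANY, 22),
    Rule("deny", "udp", ANY, 161),
    Rule("permit", "ip", ANY),
]

def first_match(rules: List[Rule], proto: str, src_ip: str, dport: int) -> str:
    """Evaluate a packet the way IOS ACLs and Junos filters do: the first
    matching rule decides, and a packet matching no rule is dropped
    (implicit deny at the end of the list)."""
    ip = ip_address(src_ip)
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if ip not in r.src:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"

def ios_source(net: IPv4Network) -> str:
    """IOS ACLs take a wildcard mask (inverted netmask), not a prefix length."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"

def render_ios(name: str, rules: List[Rule]) -> str:
    """Cisco IOS extended ACL; binding it to an interface is a separate,
    platform-specific step and is omitted here."""
    lines = [f"ip access-list extended {name}"]
    for r in rules:
        port = f" eq {r.dport}" if r.dport is not None else ""
        lines.append(f" {r.action} {r.proto} {ios_source(r.src)} any{port}")
    return "\n".join(lines)

def render_junos(name: str, rules: List[Rule]) -> str:
    """Junos 'firewall family inet filter' in brace syntax, one term per rule."""
    ind = "    "
    out = ["firewall {", f"{ind}family inet {{", f"{ind * 2}filter {name} {{"]
    for i, r in enumerate(rules):
        out.append(f"{ind * 3}term t{i} {{")
        match: List[str] = []
        if r.src.prefixlen != 0:
            match += ["source-address {", f"{ind}{r.src};", "}"]
        if r.proto != "ip":
            match.append(f"protocol {r.proto};")
        if r.dport is not None:
            match.append(f"destination-port {r.dport};")
        if match:   # a term without a 'from' clause matches every packet
            out.append(f"{ind * 4}from {{")
            out += [f"{ind * 5}{m}" for m in match]
            out.append(f"{ind * 4}}}")
        out.append(f"{ind * 4}then {'accept' if r.action == 'permit' else 'discard'};")
        out.append(f"{ind * 3}}}")
    out += [f"{ind * 2}}}", f"{ind}}}", "}"]
    return "\n".join(out)

if __name__ == "__main__":
    # Sanity check before rendering: SSH from outside the management prefix is dropped.
    assert first_match(MGMT_RULES, "tcp", "192.0.2.1", 22) == "deny"
    print(render_ios("MGMT-PROTECT", MGMT_RULES))
    print(render_junos("MGMT-PROTECT", MGMT_RULES))
```

The same five rules come out as a six-line ACL on one platform and a nested, brace-delimited filter on the other, which is the adaptation step the text describes; the evaluator is the check worth running on the neutral form, since a rule placed in the wrong order (the `deny tcp any ... 22` before the management permit, for instance) would lock operators out on every platform at once.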

The goal of the Packet Filter Network project is to provide a formal basis for general filter network configurations and to implement a tool that automatically computes the best filter distribution for a given network.