Dynamic Firewall Policy for VoIP Security - Introduction
Published: 3rd Jun 2021
Voice over Internet Protocol (VoIP) technology has come of age and is quickly gaining momentum on broadband networks. VoIP packetizes phone calls and sends them over the same routes used by ordinary network and Internet traffic, so it is exposed to the same threats that plague data networks today. It offers lower cost and greater flexibility for an enterprise, but it presents considerable security challenges. Many solutions for VoIP security have been proposed; any such solution must take into account the real-time constraints of a voice service, and its methods must address the likely attacks as well as the overhead that the countermeasures themselves introduce.
One of these solutions is the firewall, which enforces a security policy by examining and filtering traffic entering or leaving a protected network. This is normally done by comparing an incoming packet against an ordered set of rules and applying the action of the matching rule, accept or reject. Unfortunately, packet inspection can impose considerable delay on traffic because of the size and complexity of policies, so improving firewall performance matters for VoIP networks. In this paper we propose a new firewall design that dynamically updates the firewall policy using a neural network and can inspect packets under rising traffic loads, higher link speeds and stringent QoS requirements.
The design consists of several firewalls configured in parallel that jointly enforce a security policy. Each firewall holds part of the rule set, and an incoming packet is processed by all the firewalls concurrently. Once the neural network is trained, it continuously updates the firewall policy using the selected parameters for its evaluation. Since several firewalls work on each packet, the proposed parallel firewall system has considerably lower delay and higher throughput than a single firewall.
Voice over IP, the transmission of voice over traditional packet-switched IP networks, is one of the hottest trends in telecommunications. Although most computers can provide VoIP and many offer VoIP applications, the term "voice over IP" is typically associated with equipment that lets users dial telephone numbers and communicate with parties on the other end who have a VoIP system or a traditional analog telephone. As with any new technology, VoIP introduces both opportunities and problems. It offers lower cost and greater flexibility for an enterprise but presents significant security challenges.
Security administrators might assume that because digitized voice travels in packets, they can simply plug VoIP components into their already secured networks and get a stable and secure voice network. Quality of service (QoS) is fundamental to a VoIP network's operation: a VoIP application is much more sensitive to delay than its traditional data counterparts. This sensitivity to latency turns traditional security measures into double-edged swords for VoIP.
Tools such as encryption and firewall protection help secure the network, but they also introduce significant delay. Latency is not just a QoS issue but also a security issue, because it increases the system's susceptibility to denial-of-service (DoS) attacks. To succeed against a VoIP network, a DoS attack need not shut the system down completely; it only has to delay voice packets by a fraction of a second. The delay the attacker must add is even smaller when latency-producing security devices are already slowing down traffic.
As described in the introduction, parallelization offers a scalable technique for improving the performance of network firewalls. In this approach an array of m firewalls processes packets in parallel. The two designs depicted in the figure differ in what is distributed: packets or rules. The data-parallel design consists of multiple identical firewalls connected in parallel; each firewall j in the system implements a local policy Rj where Rj = R, the complete policy. Arriving packets are distributed across the firewalls for processing (each packet is sent to exactly one firewall), allowing different packets to be processed in parallel. Since every packet is processed against the full policy Rj = R, policy integrity is maintained.
A neural network is a group of interconnected nodes. The best-known example is the human brain, the most complex neural network there is. We can make very fast and reliable decisions in a fraction of a second. Despite the apparent tidiness of ordinary reasoning, those decisions are usually not black-and-white or binary; they draw on a wide variety of obvious and hidden inputs. We have a remarkable ability to recognize familiar patterns, and unusual ones, almost immediately, and the neural network approach attempts to reproduce this, much as an ordinary user quickly learns to tell spam from legitimate mail.
The reason is that we expose our brains to a broad variety of message content, and the brain learns to make lightning-fast, very accurate guesses. The possibility of using packet-switched networks as a transport medium for real-time voice communication has drawn wide attention in both the research and the business communities.
Recent progress in speech coding and high-speed data communication technology supports the interest in technologies such as voice over Internet protocol (VoIP). The statistical nature of data exchange and the dynamic routing employed in packet-switched networks result in a variable network delay (jitter) experienced by IP packets. [chris miller]
Although a data-parallel firewall can achieve higher throughput than a traditional (single-machine) firewall, it suffers from two major disadvantages. First, stateful inspection requires all traffic from a given connection or exchange to traverse the same firewall, and such connection tracking is difficult to perform at high speeds with the data-parallel approach. Second, distributing packets is only beneficial when each firewall in the array has a significant amount of traffic to process (is never idle), which only occurs under high traffic loads.
To realize fairness in a carrier network while preserving user privacy, we study techniques that identify an application from partial information, such as header fields and the pattern of a series of packets, rather than from the payload. The proposed traffic identification technique for real-time applications uses statistical information such as the frequency of packet arrivals.
This method can be used to identify traffic generated not only by VoIP but by video applications as well. With it, traffic that clearly should be excluded need not be admitted; the quality of traffic classified into priority services, such as emergency messages and media sharing, is assured; and for best-effort services appropriate controls are applied so that resources cannot be monopolized by a few users, thereby realizing fairness across services. The approach identifies the application generating the traffic from the behaviour of the traffic itself, and it can be divided into the following three types according to the granularity of the observed traffic. [Toshiya Okabe, Tsutomu Kitamura 2006]
The first type, based on application-level behaviour, focuses on the features of an application-level transaction, such as an HTTP request message and its HTTP response, or a mail message. The application is inferred from the exchange pattern and the size of each message; one method classifies applications by the time-series changes in message size. These techniques are useful for detecting a signalling protocol, but they are not suitable for detecting real-time media traffic, whose features are monotonous and persist for a fairly long time. [Toshiya Okabe, Tsutomu Kitamura 2006]
The second type, based on flow-level behaviour, identifies an application from statistical information such as the inter-arrival time, the duration of the flow and the packet size. Here a flow is defined as a sequence of packets sharing a common source address, source port, destination address, destination port and transport protocol. Such features have been extracted from the flows of data applications such as HTTP, FTP and SMTP passing through a network in order to generate workloads for a network simulator, and to classify traffic into classes such as bulk data transfer (for example FTP) and interactive messaging. [Toshiya Okabe, Tsutomu Kitamura 2006]
The third type, based on packet-level information, identifies an application from the header or payload of a single packet. Classification based mainly on port numbers has been used, but its effectiveness has been lost with the arrival of P2P applications that illegitimately use random port numbers, or the port numbers assigned to HTTP, to traverse a firewall. [Toshiya Okabe, Tsutomu Kitamura 2006]
Average packet length and variation
These are the results of extracting features related to the average packet size and the variation in packet size. Variation in packet size here means the number of distinct packet sizes observed for an application whose packet size is otherwise fixed. When these features are extracted for voice applications, the packet size of a voice application turns out to be smaller than that of the other applications. [Takayuki Shizuno 2006]
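The flow-level features described above (inter-arrival time, flow duration, average packet size and the number of distinct packet sizes) are easy to compute from header information alone. The following Python program is an added illustration, not code from the cited papers: it groups a constructed packet trace into 5-tuple flows, extracts those features, and applies a hand-written threshold rule that flags flows with small, fixed-size packets at a steady 20 ms cadence as voice. The trace, the addresses and the thresholds are all assumptions made for the example.

```python
"""Flow-level statistical features for traffic identification (added example).
Groups constructed packets into 5-tuple flows and computes inter-arrival time,
duration, mean packet size and number of distinct sizes, then applies an
assumed threshold rule that flags voice-like flows."""
import random
import statistics
from collections import defaultdict

def build_sample():
    """Constructed trace: one G.711-style RTP stream and one bulk TCP transfer.
    Fields: (time_s, proto, src, sport, dst, dport, size_bytes). Addresses are
    documentation ranges chosen for the example."""
    rng = random.Random(7)
    pkts = []
    # Voice: one 200-byte packet (IP+UDP+RTP+160 B payload) every 20 ms, +/-1 ms jitter
    for n in range(300):
        pkts.append((0.020 * n + rng.uniform(-0.001, 0.001), "udp",
                     "198.51.100.4", 49170, "10.0.0.5", 16384, 200))
    # Bulk: full-size segments sent in bursts, with occasional short segments
    t = 0.0
    for n in range(300):
        t += rng.choice([0.0002, 0.0002, 0.0002, 0.015])
        pkts.append((t, "tcp", "203.0.113.3", 51000, "10.0.0.7", 443,
                     rng.choice([1500, 1500, 1500, 1500, 60, 700])))
    return sorted(pkts)

def flow_features(pkts):
    """Per 5-tuple flow: packet count, duration, mean and coefficient of
    variation of the inter-arrival gap, mean size, number of distinct sizes."""
    flows = defaultdict(list)
    for ts, proto, src, sport, dst, dport, size in pkts:
        flows[(proto, src, sport, dst, dport)].append((ts, size))
    feats = {}
    for key, recs in flows.items():
        times = [t for t, _ in recs]
        sizes = [s for _, s in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps) if gaps else 0.0
        cv_gap = statistics.pstdev(gaps) / mean_gap if gaps and mean_gap > 0 else 0.0
        feats[key] = {
            "packets": len(recs),
            "duration": times[-1] - times[0],
            "mean_gap": mean_gap,
            "cv_gap": cv_gap,
            "mean_size": statistics.mean(sizes),
            "distinct_sizes": len(set(sizes)),
        }
    return feats

def classify(f):
    """Assumed rule: at least 20 small, fixed-size packets arriving at a steady
    10-40 ms cadence look like a voice stream; everything else is 'other'."""
    if (f["packets"] >= 20 and f["mean_size"] < 300 and f["distinct_sizes"] <= 2
            and 0.010 <= f["mean_gap"] <= 0.040 and f["cv_gap"] < 0.2):
        return "voice"
    return "other"

def classify_sample():
    """Classify every flow in the constructed trace."""
    return {key: classify(f) for key, f in flow_features(build_sample()).items()}

if __name__ == "__main__":
    for key, f in flow_features(build_sample()).items():
        print(key, classify(f), {k: round(v, 4) for k, v in f.items()})
```

The voice flow is identified without looking at a single payload byte, which is the privacy property the section asks for. The thresholds are deliberately loose; a real deployment would learn them from labelled traffic rather than hard-code them.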
Security administrators might assume that because digitized voice travels in packets, they can plug VoIP components into their already secured networks and get a stable and secure voice network. Firewalls, network address translation (NAT) and most other VoIP components have counterparts in data networks, but VoIP's performance demands mean you must supplement ordinary network software and hardware with special VoIP components.
Packet networks depend on many configurable parameters: the IP and physical addresses of voice terminals, routers and firewalls. VoIP networks add specific software to place and route calls. Many network parameters are established dynamically each time a network component is restarted, or when a VoIP phone is restarted or added to the network. Many nodes in a VoIP network therefore have dynamically configurable parameters, and VoIP systems also have much stricter performance constraints than data networks, with important implications for security. [Takayuki Shizuno 2006]
Quality of service is fundamental to a VoIP network's operation. A VoIP application is much more sensitive to delay than its traditional data counterpart; in VoIP terminology this is the latency problem. Latency turns conventional security measures into double-edged swords. Tools such as encryption and firewall protection can help secure the system, but they also introduce significant delay. Latency is not just a QoS issue but also a security issue, because it increases the system's vulnerability to denial-of-service attacks.
To succeed against a VoIP network, a DoS attack need not totally shut down the system, but only delay voice packets by a fraction of a second; the necessary delay is even smaller when latency-producing security devices are already slowing down traffic. Another QoS issue, jitter, refers to non-uniform delays that can cause packets to arrive and be processed out of sequence. The Real-Time Transport Protocol (RTP), which is used to transport voice media, runs over UDP, so packets received out of order cannot be reassembled at the transport level but must be reordered at the application level, introducing significant overhead. Even when packets arrive in order, high jitter causes them to arrive at their destination in spurts.
To control jitter, network designers can use buffers and implement QoS-supporting network elements that let VoIP packets go ahead when larger data packets are queued in front of them. The buffer can use one of several schemes to decide when to release voice data, including schemes that adapt the playout time and that account for packet loss. In addition to the usual packet-loss problems of data networks, even VoIP packets that reach their destination can be rendered useless by latency and jitter. [Thomas J. Walsh and D. Richard Kuhn]
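The application-level work that the paragraphs above describe, namely measuring jitter and putting out-of-order RTP packets back in sequence before playout, is shown in the following Python example. It is an added illustration and not code from the cited paper: it parses the fixed 12-byte RTP header, tracks the interarrival jitter estimator defined in RFC 3550 (J = J + (|D| - J)/16, in RTP clock ticks), and reorders packets by sequence number with 16-bit wraparound. The packets and their arrival times are constructed for the example, and the 8 kHz clock is the G.711 assumption.

```python
"""RTP arrival handling at the application layer (added example): parse the
12-byte RTP header, track the RFC 3550 interarrival jitter estimate, and
reorder packets by sequence number. Packets below are constructed, not captured."""
import struct

CLOCK_HZ = 8000                     # G.711 clock: 160 ticks per 20 ms frame (assumption)

def build_rtp(seq, ts, ssrc=0x12345678, payload=b"\xff" * 160):
    """Minimal RTP packet: V=2, no padding/extension/CSRC, PT 0 (PCMU)."""
    return struct.pack("!BBHII", 0x80, 0, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload

def parse_rtp(data):
    """Return the header fields needed for reordering and jitter tracking."""
    if len(data) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {"seq": seq, "ts": ts, "ssrc": ssrc,
            "marker": bool(b1 & 0x80), "pt": b1 & 0x7F}

class JitterTracker:
    """RFC 3550 section 6.4.1 estimator. D is the change in transit time
    between consecutive arrivals; J is a running average of |D| in clock ticks."""
    def __init__(self):
        self.prev = None        # (arrival_ticks, rtp_timestamp) of the previous packet
        self.jitter = 0.0

    def update(self, arrival_sec, rtp_ts):
        arrival = arrival_sec * CLOCK_HZ
        if self.prev is not None:
            d = (arrival - self.prev[0]) - (rtp_ts - self.prev[1])
            self.jitter += (abs(d) - self.jitter) / 16
        self.prev = (arrival, rtp_ts)
        return self.jitter

def reorder(packets):
    """Sort parsed packets by sequence number relative to the first one seen,
    so the 16-bit wraparound (65535 -> 0) sorts correctly."""
    base = packets[0]["seq"]
    return sorted(packets, key=lambda p: (p["seq"] - base) & 0xFFFF)

# Constructed arrival log: (arrival time in seconds, raw packet).
# Packets 3 and 4 arrive swapped, and packet 4 is late by 1 ms.
ARRIVALS = [
    (0.000, build_rtp(1, 0)),
    (0.020, build_rtp(2, 160)),
    (0.061, build_rtp(4, 480)),
    (0.063, build_rtp(3, 320)),
    (0.080, build_rtp(5, 640)),
]

def process(arrivals=ARRIVALS):
    """Return (sequence numbers in playout order, final jitter estimate in ticks)."""
    tracker = JitterTracker()
    parsed = []
    for t, raw in arrivals:
        p = parse_rtp(raw)
        tracker.update(t, p["ts"])
        parsed.append(p)
    return [p["seq"] for p in reorder(parsed)], tracker.jitter

if __name__ == "__main__":
    order, jitter = process()
    print("playout order:", order)
    print("jitter: %.2f ticks (%.2f ms)" % (jitter, jitter * 1000 / CLOCK_HZ))
```

Note how a single out-of-order pair drives the estimate from zero to more than 22 ticks (almost 3 ms) because the reversed packets produce a large transit-time difference in both directions; this is the "spurts" effect the text describes, and it is why a firewall that holds a few voice packets longer than their neighbours degrades call quality even when it drops nothing.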
The neural network is a field that has grown rapidly in recent years. A neural network is composed of a great many simple processing units, the neurons, connected together into a network. It can mimic the information-processing function of the human brain, with a strong capacity for nonlinear approximation, associative storage, large-scale parallel processing and self-training. Information processing in the network is realized by the interactions between the neurons, and data and knowledge are stored in distributed form across the physical interconnections of the network's elements. [A. Shelestov, V. Pasechnik, A. Sidorenko, N. Kussul, 2006]
A parallel firewall (also called a load-balancing firewall) is a scalable approach for increasing the speed of inspecting network traffic. As seen in the figure, the system consists of multiple identical firewalls connected in parallel. Each firewall implements the complete security policy, and arriving packets are distributed across the firewalls such that only one firewall processes any given packet. How the load-balancing algorithm distributes packets is vital to the system and is typically implemented as a high-speed switch in commercial products.
Although parallel firewalls achieve higher throughput than traditional firewalls and have a redundant design, the performance benefit is only evident under high traffic loads. Furthermore, stateful inspection requires all traffic from a given connection or exchange to traverse the same firewall, which is difficult to do at high speeds. This paper introduces a new scalable parallel firewall architecture designed for increasing network speeds and traffic loads. The design consists of multiple firewalls, each of which implements only a portion of the security policy.
Since the policy is divided across the firewalls, rule-distribution guidelines are provided that maintain integrity, ensuring that the new parallel design and a traditional single firewall always reach the same decision. Unlike the previous parallel design, when a packet arrives at the new architecture it is processed by every firewall in parallel, so the processing time required per packet is reduced.
Simulation results for the new architecture (consisting of four firewalls) showed a 74% reduction in processing time compared with other parallel firewall designs. Furthermore, the proposed architecture can provide stateful inspection, since every packet is processed by every firewall. The new parallel design is therefore a scalable solution that offers better performance and more capabilities than other designs.
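The integrity requirement above (the rule-distributed array must reach exactly the decision a single firewall would) can be met by a simple discipline: every rule keeps its position in the original list, each member firewall reports its own first match, and the output stage selects the match with the lowest original position. The Python program below is an added illustration of that discipline and is not the paper's simulator; the policy, addresses and traffic are constructed for the example, and the comparison counts are a proxy for per-packet latency (the parallel array is only as fast as its slowest member, so the cost of a packet is the maximum over the members, not the sum).

```python
"""Function-parallel firewall (added example): each firewall holds a slice of
the policy, every packet is checked by every firewall, and an output stage
picks the winning local match so the decision equals a single firewall's."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    proto: Optional[str]   # None matches any value
    src: Optional[str]
    dst: Optional[str]
    dport: Optional[int]
    action: str            # "accept" or "reject"

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return all(f is None or f == v for f, v in (
        (rule.proto, pkt.proto), (rule.src, pkt.src),
        (rule.dst, pkt.dst), (rule.dport, pkt.dport)))

# Constructed policy for a small VoIP site (hypothetical addresses).
# First match wins; the final rule makes the policy complete.
POLICY = [
    Rule(None, "192.0.2.9", None, None, "reject"),      # 0 blocked host
    Rule("udp", None, "10.0.0.5", 5060, "accept"),      # 1 SIP to the PBX
    Rule("udp", None, "10.0.0.5", 16384, "accept"),     # 2 RTP media port
    Rule("tcp", None, "10.0.0.7", 443, "accept"),       # 3 web admin
    Rule(None, None, None, None, "reject"),             # 4 default deny
]

def single_firewall(policy, pkt):
    """Traditional list-based firewall. Returns (rule index, action, comparisons)."""
    for i, rule in enumerate(policy):
        if matches(rule, pkt):
            return i, rule.action, i + 1
    raise ValueError("incomplete policy")

def split_policy(policy, m):
    """Distribute rules round-robin over m firewalls, keeping each rule's
    global position so precedence can be restored at the output stage."""
    local = [[] for _ in range(m)]
    for i, rule in enumerate(policy):
        local[i % m].append((i, rule))
    return local

def local_firewall(local_policy, pkt):
    """One member of the array: first match within its own slice, or no match."""
    for n, (i, rule) in enumerate(local_policy, 1):
        if matches(rule, pkt):
            return i, rule.action, n
    return None, None, len(local_policy)

def function_parallel(local_policies, pkt):
    """All firewalls check the packet; the lowest global index among the local
    matches is exactly the rule a single firewall would have hit first."""
    results = [local_firewall(lp, pkt) for lp in local_policies]
    comparisons = max(r[2] for r in results)          # slowest member bounds latency
    i, action, _ = min(r for r in results if r[0] is not None)
    return i, action, comparisons

# Constructed test traffic
TRAFFIC = [
    Packet("udp", "192.0.2.9", "10.0.0.5", 5060),     # blocked host sending SIP
    Packet("udp", "198.51.100.4", "10.0.0.5", 5060),  # legitimate SIP
    Packet("udp", "198.51.100.4", "10.0.0.5", 16384), # RTP media
    Packet("tcp", "198.51.100.4", "10.0.0.7", 22),    # SSH, falls to default deny
]

def compare(policy=POLICY, traffic=TRAFFIC, m=2):
    """Return (integrity_ok, single comparisons, parallel comparisons) over the traffic."""
    local = split_policy(policy, m)
    ok, single_cost, parallel_cost = True, 0, 0
    for pkt in traffic:
        si, sa, sc = single_firewall(policy, pkt)
        pi, pa, pc = function_parallel(local, pkt)
        ok = ok and (si, sa) == (pi, pa)
        single_cost += sc
        parallel_cost += pc
    return ok, single_cost, parallel_cost

if __name__ == "__main__":
    for m in (1, 2, 3):
        print("m=%d ->" % m, compare(m=m))
```

The first packet is the interesting one: the firewall holding rule 1 says accept while the firewall holding rule 0 says reject, and only the lowest-index selection at the output stage keeps the blocked host out. Dropping that step (for example, letting the first firewall to answer win) would silently turn a reject into an accept, which is exactly the integrity failure the rule-distribution guidelines exist to prevent.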
In a list-based rule representation, a packet arriving at a firewall is checked sequentially against the rules in the list until a match is found or the end of the list is reached; the corresponding action is then applied to block or pass the packet. To make the policy complete, so that a match is always found for every packet, a default rule is usually placed at the end of the list. The computational cost of the matching process depends on the length of the rule list and on the depth at which the matching rule is found. Applying a more complex policy can therefore cause significant traffic delay, which is not only a performance bottleneck in high-speed environments but also makes the firewall more vulnerable to denial-of-service attacks.
Moreover, bounding the filtering time is harder for multimedia applications that require firm quality-of-service guarantees. Although hardware solutions can greatly reduce packet-processing time, they are costly for large policies, and upgrading hardware may not be feasible in legacy systems. On the other hand, better data structures for the internal policy representation and better search mechanisms have been proposed to provide relatively cheap and effective solutions on existing hardware.
In one such approach, rules are grouped into a trie to allow a multidimensional search that eliminates many rules at once with few comparisons. While tries have shown great promise in improving search time, the storage requirement and the difficulty of maintaining the trie and policy integrity increase as more rules are added. Moreover, a policy trie does not take the traffic characteristics into account. A method for trie sorting has also been proposed that preserves policy integrity while reordering rules for varying traffic conditions, reducing the number of comparisons compared with the original trie.
Traffic-aware optimization of list-based firewalls has also been addressed: rules are assigned matching probabilities that depend on traffic statistics, and the list is reordered accordingly. Other firewall models have been proposed to represent and analyze policies, for both centralized and distributed firewall architectures, with the main focus on identifying rule conflicts and anomalies. Wireless local (WLAN) and wireless personal (WPAN) area networks are increasingly being used to carry VoIP services; the main motivation for using these architectures is user mobility. Supporting reliable real-time service is one of the major concerns for the widespread use of VoIP in these wireless IP-based networks, and security is now receiving the attention of researchers. Security and efficiency are conflicting requirements. [El-Sayed M. El-Alfy and Shokri Z. Selim 2007]
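Traffic-aware reordering of a list-based policy only pays off if it preserves the decision for every packet, and the constraint that guarantees this is simple: a rule may move ahead of an earlier rule only if the two cannot match the same packet, or if they have the same action. The Python program below is an added illustration of one precedence-preserving reordering (a greedy selection of the most frequently hit rule whose conflicting predecessors are already placed); it is not the cited authors' algorithm, and the policy, the addresses and the traffic sample it uses are constructed for the example. Hit counts stand in for the matching probabilities mentioned above.

```python
"""Traffic-aware reordering of a list-based policy (added example). Frequently
hit rules move toward the front, but a rule never overtakes an earlier rule
that it overlaps with and that has a different action, so every packet still
receives the same decision."""
from typing import List, Optional, Tuple

# A rule is (proto, src, dst, dport, action); None is a wildcard.
Rule = Tuple[Optional[str], Optional[str], Optional[str], Optional[int], str]

def matches(rule: Rule, pkt) -> bool:
    return all(f is None or f == v for f, v in zip(rule[:4], pkt))

def overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet could match both rules (field-wise intersection)."""
    return all(x is None or y is None or x == y for x, y in zip(a[:4], b[:4]))

def first_match(policy, pkt):
    """Sequential list search. Returns (index, action)."""
    for i, rule in enumerate(policy):
        if matches(rule, pkt):
            return i, rule[4]
    raise ValueError("incomplete policy")

def reorder(policy: List[Rule], hits: List[int]) -> List[Rule]:
    """Greedy precedence-preserving sort: repeatedly emit the not-yet-placed
    rule with the most hits whose conflicting predecessors are all placed."""
    n = len(policy)
    # must_precede[j] = earlier rules that j may not overtake
    must_precede = [{i for i in range(j)
                     if overlaps(policy[i], policy[j]) and policy[i][4] != policy[j][4]}
                    for j in range(n)]
    placed, order = set(), []
    while len(order) < n:
        ready = [j for j in range(n) if j not in placed and must_precede[j] <= placed]
        best = max(ready, key=lambda j: (hits[j], -j))   # -j keeps ties in original order
        placed.add(best)
        order.append(best)
    return [policy[j] for j in order]

def hit_counts(policy, traffic):
    counts = [0] * len(policy)
    for p in traffic:
        counts[first_match(policy, p)[0]] += 1
    return counts

def total_cost(policy, traffic):
    """Total rule comparisons over the traffic sample (proxy for filtering delay)."""
    return sum(first_match(policy, p)[0] + 1 for p in traffic)

def same_decisions(p1, p2, traffic):
    return all(first_match(p1, p)[1] == first_match(p2, p)[1] for p in traffic)

# Constructed policy (hypothetical addresses); rare rules are listed first on purpose.
POLICY: List[Rule] = [
    ("tcp", None, "10.0.0.7", 443, "accept"),      # 0 admin web, rare
    ("tcp", None, "10.0.0.7", 22, "accept"),       # 1 admin ssh, rare
    (None, "192.0.2.9", None, None, "reject"),     # 2 blocked host, rare
    ("udp", None, "10.0.0.5", 5060, "accept"),     # 3 SIP, common
    ("udp", None, "10.0.0.5", 16384, "accept"),    # 4 RTP, very common
    (None, None, None, None, "reject"),            # 5 default deny
]
# Constructed traffic sample
TRAFFIC = (
    [("udp", "198.51.100.4", "10.0.0.5", 16384)] * 50   # RTP stream
    + [("udp", "198.51.100.4", "10.0.0.5", 5060)] * 10  # SIP keepalives
    + [("udp", "192.0.2.9", "10.0.0.5", 16384)] * 3     # blocked host sending RTP
    + [("tcp", "198.51.100.8", "10.0.0.7", 443)] * 2    # admin web
    + [("tcp", "203.0.113.3", "10.0.0.7", 23)] * 5      # telnet probes -> default deny
)

def optimise(policy=POLICY, traffic=TRAFFIC):
    """Return (reordered policy, cost before, cost after, decisions preserved)."""
    new = reorder(policy, hit_counts(policy, traffic))
    return new, total_cost(policy, traffic), total_cost(new, traffic), same_decisions(policy, new, traffic)

if __name__ == "__main__":
    new, before, after, ok = optimise()
    print("comparisons before/after:", before, after, "decisions preserved:", ok)
    for r in new:
        print(r)
```

The RTP rule receives most of the hits, yet it cannot move past the blocked-host reject, because a packet from 192.0.2.9 to the RTP port matches both and the two actions differ. The reordering therefore yields only a modest saving here, which is the honest outcome: a precedence-preserving reorder is bounded by the structure of the policy, and an optimizer that ignores that bound buys speed by changing decisions.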