bryanmills.net

OPTWALL which is a paper written by me, Subrata Acharya, Mehmud Abliz, and our adviser Taieb Znati is off to the printers. It was accepted for publication at the 14th annual Network and Distributed Security Symposium. The work was based upon the basic idea that to improve firewall performance the rule-sets should be divided into rule subsets creating a hierarchical structure of rules.

Abstract -
The overall efficiency, reliability, and availability of a firewall is crucial in enforcing and administrating security, especially when the network is under attack. The continuous growth of the Internet, coupled with the increasing sophistication of the attacks, is placing stringent demands on firewall performance. These challenges require new designs, architecture and algorithms to optimize firewalls. In this paper, we propose OPTWALL, an adaptive hierarchical firewall optimization framework aimed at reducing operational cost of firewalls. The main features of the proposed approach are the hierarchical design, splitting techniques, an online traffic adaptation mechanism, and a strong reactive scheme to counter malicious attacks (e.g. Denial-of-Service (DoS) attacks). To the best of our knowledge, this work is the first of its kind to use traffic characteristics in the design of an adaptive hierarchical firewall optimization framework. To study the performance of OPTWALL, a set of experiments are conducted on Linux ipchains. The performance evaluation study uses a large set of firewall policies and traffic traces managed by a Tier-1 ISP and provides security access for the ISP network from/to its business partners. Results show the high potential of OPTWALL to reduce the operational cost of firewalls. In particular, the results show that a performance improvement of nearly 35% can been achieved in a heavily loaded network environment.

UPDATE: Paper is available for download here.

One stormy night (tonight) a young man (me) was eagerly seeking new music (John Mayer), as I previewed the music in iTunes I thought how easy it would be to drop $9.99 for a couple of mp3’s. I began debating my boycott of iTunes but quickly got upset because I couldn’t listen to my music on my desktop (linux) or my audiotron (mp3 player) I then slammed my laptop shut and grabbed my rain coat. I leisurely strolled down the rain drenched sidewalk to my neighborhood music store. Standing there soaking wet I paid my $11.99 while the cashier informed me that this was a great CD and he had downloaded it last night on Limewire. Lighting danced around me during the 5 block walk home and I thought to myself maybe I should give in and just download my music. Now I have this ethical dilemma, I believe I should pay for my music, but there is no legal way for me to buy the music I want to buy. Until the music industry figures what people really want I guess I’ll just keep my raincoat close.

I recently changed my DVR from a ReplayTV to Comcast’s Motorola DVR, which is surprisingly good. There are several clunky issues in the Comcast interface but I can deal with that. I switched for two main reason; 1) there has been no updates to the Replay software in the last year; and 2) The cost was less.

Three years ago, the only reason I choose Replay over Tivo was it had the ability to copy recordings from the DVR to my computer. That feature alone sold me but reality was that Replay never officially supported this “feature” and the process was extremely slow. I did copy a few shows but overall I never used this “feature”. My observation is that I still desire this feature but Replay just didn’t do it properly. I want the ability to record shows in my living room (and not with a big dell computer) and then watch the shows I’ve recorded on my laptop or in my office without having to run some program which is not officially supported by the device. The shows are in a digital format I want to move them around like I do all my other digital media. Screw digital rights management, its really simple there will always be 10% of the population that will lie, cheat, and steal anything they can the other 90% will use the tools for their own personal use and will continue to purchase DVDs.

The Comcast DVR doesn’t allow me to do this but what Comcast did get right is easy configuration in the living room. All the other DVR options suffered from multiple cables and remotes causing havoc in the living room. The most annoying feature is the inferred emitter that is used to change the channels on the cable box. The problem is quite simple and why Replay or Tivo didn’t solve this problem is beyond me. When I’m channel surfing and want to go up one channel send a channel up command to the cable box not a goto channel 302. The problem is to send a goto channel 302 requires 4 commands to be sent (3-0-2-enter) but if I’m already on channel 301 for the love of mankind just send a channel up command. The response time will be quicker and make channel surfing a much more pleasant experience.

So the question is why is ReplayTV still making DVRs? The answer is they aren’t. The only product officially listed on their site now is ReplayTV PC Edition which allows you to record TV shows on your computer. What? You mean I can have my Dell computer record a TV show to the hard drive and then I can watch it. This is going to change the world as we know it everyone will be running out to buy a computer put a special card in it then pay Replay a monthly fee so they can record TV shows on their computer. This is so 1995 and the people running Replay had better realize that going backwards in product design isn’t usually the right direction. The appliance model is the best model for providing a DVR and will continue to be the correct model for the foreseeable future.

To sum this rant up let me just say that the Comcast DVR while not perfect is much better than Replay. It is cheaper and it records HDTV (now I need HDTV).

The best thing about life is crossing goals off the list and moving onto something new and exciting. This weekend my brother was able to use a gigantic Sharpie and mark ‘graduate from college’ off his list. He now holds a Bachelors of Arts from Bethany College and we haven’t been able to pry it out of his hands since Saturday. Now its time for him to figure out what life will hold after graduation and start to form his next list of goals.

The graduation was very nice. The weather held up so graduation was held outside “in the shadows of Old Main”, a bit chilly but was very picturesque. The usual honorary degrees were presented and a very precise and short commencement speech was given. Of course, the best part was hearing them call out the name “Christopher Eric Mills”.

So as computer geeks go I’ve bought very few computers in my life.  In fact I’ve only bought one new computer.  And this purchase just took place, a brand-new Powerbook G4 12″.  All the other computers I’ve had over the years were either employers or old used machines I picked up on ebay.  Needless to say I’m very excited.

The reason I went with a powerbook is that it was one of the cheapest 12″ laptops I could buy (yep, you heard me right the mac was cheapest).  In addition to the price factor I also knew from various postings on the web that ubuntu would install cleanly on this machine.  I just got the machine this weekend and decided to run with OSX for a bit and see if I could actually make it my daily driver operating system.  So far my only complaints iinvolve mounting NFS shares using the finder.  I seem to have much better luck mounting them using the command line.

I suspect though by next weekend ubuntu will be installed on the machine.  Hopfully that doesn’t take all weekend.