Concepedia

Publication | Closed Access

Firewall placement in a large network topology

Citations: 26

References: 2

Year: 2002

Abstract

Network security is an integral component of a multi-user distributed information environment. Firewall (FW) technology is a popular approach to building secure networks, and a plethora of FWs have been designed. Our research focuses on the placement of FWs (i.e. an operations research approach) in a large, complex network system, or a system of systems. A key contribution of this research is to propose the concept of a FW cascade, i.e. a chain of FWs, which could be placed in the path between a potential attack point and a network node with sensitive data. Among other advantages, the FW cascade offers two key benefits: (1) increased comprehensiveness (viz. address, port, service, user ID and direction) of security protection; and (2) most importantly, an enhanced degree of confidence that the network security engineer could expect from the underlying set of FWs and from the overall end-to-end security protection that is achieved. This results in a novel capability, where a network security engineer can provide completeness and high confidence in the security attributes across the network. We propose a decomposition of the security characters of a FW and a suite of FW placement heuristics that allow us to place the FWs across the network while optimizing cost and maximizing security protection. Minimization of delay is another optimization goal. Performance is depicted using simulation.
