Abstract:
Network security has become a critical issue for enterprises. This article first gives a tutorial on each basic component of a security gateway: the firewall, content filtering, network address translation (NAT), the virtual private network (VPN), and the intrusion detection system (IDS). The building of an integrated security gateway from various open-source packages is then described, and conflicts among the packages are resolved to ensure interoperability. Next, we evaluate the performance of each component both internally and against six commercial implementations, to identify the problems that point to future research directions. Readers can see how these components deliver secure operations, how a packet properly traverses such a gateway, and how many resources each software component consumes. Selected packages include the Linux kernel, ipchains (packet filter), Squid (URL filter), FWTK (content filter), FreeS/WAN (VPN), and Snort (IDS). ipchains and FreeS/WAN are found viable, but FWTK and Snort suffer performance problems. Further examination of their source code and data structures reveals an improper implementation in FWTK and the less scalable linear matching algorithms in ipchains and Snort. Finally, several approaches to scaling up these software components are suggested to improve performance. Note that installing such a security gateway does not by itself mean the network is secured. This study focuses on building a product-like security gateway and on evaluating its performance. The integrated system, with a self-developed Web management console, is publicly available for download.
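The abstract attributes the scaling problems of ipchains and Snort to linear rule matching: every packet is compared against the rule list from the top until a rule matches, so lookup cost grows with the number of rules. The following simplified model, added here as an illustration and not code from the paper or from ipchains or Snort, contrasts a first-match linear scan with an exact-match index over the same rule list and counts the comparisons each needs. The rule and packet structures, the field set (protocol and destination port), and the sample rule set are constructed for the example; real packet filters also match on addresses, masks and port ranges, for which a plain hash index is not sufficient and structures such as tries or decision trees are used instead.

```python
"""Constructed example: linear first-match rule scan vs. an exact-match index.

Models only protocol and destination port so that the scaling behaviour
is visible; it does not reproduce the data structures of ipchains or Snort.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

DEFAULT_POLICY = "deny"  # constructed: what happens when no rule matches


@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp" or "udp" (constructed field set)
    dport: int   # destination port, exact match only in this model
    action: str  # "accept" or "deny"


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int


def linear_match(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First-match linear scan, as a chain-based filter evaluates its rule list.

    Returns (action, number_of_rules_compared). The worst case is a packet
    that matches the last rule or no rule at all: every rule is compared.
    """
    compared = 0
    for rule in rules:
        compared += 1
        if rule.proto == pkt.proto and rule.dport == pkt.dport:
            return rule.action, compared
    return DEFAULT_POLICY, compared


class IndexedRuleset:
    """Exact-match index keyed on (proto, dport).

    Rule positions are kept per key in list order so first-match semantics
    are preserved for rules that share a key. One dictionary lookup replaces
    the scan, which is why the reported cost is always 1. This only works
    because every field is an exact value; wildcards, masks or port ranges
    would need a different structure (trie, decision tree, ...).
    """

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.index: Dict[Tuple[str, int], List[int]] = defaultdict(list)
        for pos, rule in enumerate(self.rules):
            self.index[(rule.proto, rule.dport)].append(pos)

    def match(self, pkt: Packet) -> Tuple[str, int]:
        positions = self.index.get((pkt.proto, pkt.dport))
        if not positions:
            return DEFAULT_POLICY, 1
        return self.rules[positions[0]].action, 1


def build_ruleset(n: int) -> List[Rule]:
    """Constructed rule set: n accept rules for consecutive TCP ports."""
    return [Rule("tcp", 10000 + i, "accept") for i in range(n)]


def compare_lookup_cost(n: int) -> Dict[str, int]:
    """Cost of classifying a packet that matches the last of n rules."""
    rules = build_ruleset(n)
    pkt = Packet("tcp", 10000 + n - 1)  # hits the last rule: linear worst case
    lin_action, lin_cost = linear_match(rules, pkt)
    idx_action, idx_cost = IndexedRuleset(rules).match(pkt)
    if lin_action != idx_action:
        raise AssertionError("index must give the same verdict as the scan")
    return {"rules": n, "linear": lin_cost, "indexed": idx_cost}


if __name__ == "__main__":
    for size in (10, 100, 1000, 10000):
        print(compare_lookup_cost(size))
```

Running the block shows the linear cost rising one-for-one with the rule count while the indexed cost stays constant. The same argument applies to an IDS signature set, where the "rules" are content patterns and the fix is a multi-pattern matcher rather than a hash, but the scaling picture is the same: per-packet work must not grow linearly with the number of rules if the gateway is to keep up with link speed.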
Published in: IEEE Communications Surveys & Tutorials ( Volume: 4, Issue: 1, First Quarter 2002)
National Chiao Tung University
Huan-Yun Wei (hywei@cis.nctu.edu.tw) is a Ph.D. candidate in computer and information science at National Chiao Tung University. His interests include TCP rate shaping algorithms, integration of security gateway functions in Linux/FreeBSD/NetBSD kernels, and testbed design and evaluation. He can be reached at hywei@cis.nctu.edu.tw.
Shao-Tang Yu (styu@cis.nctu.edu.tw) received his M.S. degree in computer and information science at National Chiao Tung University in 2001. His interests include the integration of security gateway functions in Linux kernels, and testbed design. He is now an engineer at D-Link and can be reached at gis88530@cis.nctu.edu.tw.
Ying-Dar Lin (ydlin@cis.nctu.edu.tw) received his M.S. and Ph.D. degrees in computer science from UCLA in 1990 and 1993, respectively. He was a technical staff member at IBM Taiwan and Bell Communications Research. Since 1999 he has been a professor at National Chiao Tung University in Taiwan. His research interests include the design, analysis, and implementation of network protocols and algorithms, quality of services, network security, and content networking. He is a member of ACM and IEEE. He is the founder and head of Network Benchmarking Lab (NBL). He can be reached at ydlin@cis.nctu.edu.tw and http://www.cis.nctu.edu.tw/+ydlin.