Dissertations / Theses on the topic 'Comparison of Linux Firewalls'

The use of internet has increased over the past years. Many users may not have good intentions. Some people use the internet to gain access to the unauthorized information. Although absolute security of information is not possible for any network connected to the Internet however, firewalls make an important contribution to the network security. A firewall is a barrier placed between the network and the outside world to prevent the unwanted and potentially damaging intrusion of the network. This thesis compares the performance of Linux packet filtering firewalls, i.e. iptables and shorewall. The firewall performance testing helps in selecting the right firewall as needed. In addition, it highlights the strength and weakness of each firewall. Both firewalls were tested by using the identical parameters. During the experiments, recommended benchmarking methodology for firewall performance testing is taken into account as described in RFC 3511. The comparison process includes experiments which are performed by using different tools. To validate the effectiveness of firewalls, several performance metrics such as throughput, latency, connection establishment and teardown rate, HTTP transfer rate and system resource consumption are used. The experimental results indicate that the performance of Iptables firewall decreases as compared to shorewall in all the aspects taken into account. All the selected metrics show that large numbers of filtering rules have a negative impact on the performance of both firewalls. However, UDP throughput is not affected by the number of filtering rules. The experimental results also indicate that traffic sent with different packet sizes do not affect the performance of firewalls.
Muhammad Zeeshan Ahmad: +46-700228942

Today’s market offers a wide range of available firewalls, there are many manufacturers andeach of them has at least several series of possible solutions. As organisations and companiesseek to protect their assets against current and new hostile threats, the demands for networksecurity increases and drives the development of firewalls forward. With new firewalltechnologies emerging from a wide variety of firewall vendors, choosing the right firewall canbe both costly and time consuming. Requirements for a concrete network are needed to becorrelated with security functionalities, i.e., metrics for firewalls. Incorrect requirementsformulation or their incorrect mapping to metrics can lead to a financial loss or a firewallfailure in providing desired security functionalities. In this thesis, firewalls from three differentmanufacturers are investigated. Firewalls are compared and evaluated by using requirementsderived for Eskilstuna municipals network. To identify solutions fulfilling the requirements,metrics related to the requirements are identified. Two different placements for firewalldeployment are considered separately, as they have different requirements. The firewallcomparison consists of two steps. The first step of the comparison is done by evaluatingfirewalls from each manufacturer separately. After the best suited firewall from eachmanufacturer has been identified, the second step in the comparison is performed. The steptwo consists of comparing the best solution from each manufacturer between each other. Theoutcome of the comparison is a firewall solution that fulfills all requirements and can beconsidered as optimal choice for the investigated network environment.

The goal of this thesis is to compare two process schedulers for the Linux operating system. In order to provide a responsive and interactive user experience, an efficient process scheduling algorithm is important. This thesis seeks to explain the potential performance differences by analysing the schedulers' respective designs. The two schedulers that are tested and compared are Con Kolivas's MuQSS and Linux's default scheduler, CFS. They are tested with respect to three main aspects: latency, turn-around time and interactivity. Latency is tested by using benchmarking software, the turn-around time by timing software compilation, and interactivity by measuring video frame drop percentages under various background loads. These tests are performed on a desktop PC running Linux OpenSUSE Leap 15.2, using kernel version 5.11.18. The test results show that CFS manages to keep a generally lower latency, while turn-around times differs little between the two. Running the turn-around time test's compilation using a single process gives MuQSS a small advantage, while dividing the compilation evenly among the available logical cores yields little difference. However, CFS clearly outperforms MuQSS in the interactivity test, where it manages to keep frame drop percentages considerably lower under each tested background load. As is apparent by the results, Linux's current default scheduler provides a more responsive and interactive experience within the testing conditions, than the alternative MuQSS. However, MuQSS's slightly superior performance using single process compilation may suggest that it is compatible with machines with a lower amount of logical cores.

In last few years we have observed a significant increase in the usage of computing devices and their capabilities to communicate with each other. With the increase in usage and communicating capabilities the higher level of network security is also required. Today the main devices used for the network security are the firewalls and IDS/IPS that provide perimeter defense. Both devices provide many overlapping security features but they have different aims, different protection potential and need to be used together. A firewall is an active device that implements ACLs and restricts unauthorized access to protected resources. An IDS only provides information for further necessary actions, not necessarily perimeter related, but some of these needed actions can be automated, such as automatic blocking in the firewall of attacking sites, which creates an IPS. This thesis report analyzed some common firewall and IDS products, and described their security features, functionalities, and limitations in detail. It also contains the comparison of the security features of the both devices. The firewall and IDS perform different functions for the network security, so they should be used in layered defense architecture. The passwords, firewalls, IDSs/IPSs and physical security all together provide a layered defense and complement each other. The firewall and IDS alone cannot offer sufficient network protection against the network attacks, and they should be used together to enhance the defense-in-depth or layered approach.

In this thesis, the average throughput of Btrfs and ZFS on Linux is compared by conducting a set of experiments. Btrfs and ZFS are two enterprise-grade file systems that are designed with data integrity and scalability in mind and they bring numerous of other useful features as well. Btrfs is a relatively young file system whereas ZFS is more mature. However, the implementation of ZFS on the Linux platform was released only recently. The main conclusions that can be drawn from the analysis of the gathered data is that Btrfs has improved greatly in recent years and is today showing great throughput whereas ZFS on Linux is performing considerably worse than Btrfs.

Big data is a developing term that describes any large amount of structured and unstructured data that has the potential to be mined for information. To store this type of large amounts of data, cloud storage systems are necessary. These cloud storage systems are developed such that they are capable of keeping the data accessible and available to the users over a network. To store big data new platforms are required. Some of the popular big data platforms are Mongo, Cassandra and Hadoop. In this thesis we used Cassandra database system because it is a distributed database and also open source. Cassandra’s architecture is master less ring design that is easy to setup and easy to maintain. Apache Cassandra is a highly scalable distributed database designed to handle big data management with linear scalable and seamless multiple data center deployment. It is a NoSQL database system which allow schema free tables so that a data item could have a variable set of columns unlike in relational databases. Cassandra provides with high scalability with no single point of failure. For the past few years’ container based virtualization has been evolving rapidly. Container based virtualization such as LXC have been focused here. Linux Containers (LXC) is an operating system level virtualization method for running multiple isolated Linux systems on a single control host. It does not resemble a virtual machine, but provides a virtual environment that has its own CPU, memory, network, etc. space and the resource control mechanism. In this thesis work performance of Apache Cassandra database has been analyzed between bare metal and Linux Containers(LXC). A three node Cassandra cluster has been created on both bare metal and Linux container. Assuming one node as seed and Cassandra stress utility tool has been used to test the load of Cassandra cluster. The performance of Cassandra cluster database has been evaluated in bare metal and Linux Container which is the goal of this thesis work. Linux containers (LXC) are deployed in all the servers. A three node Cassandra database cluster has been created in these servers and also in Linux Container(LXC). Port forwarding is the technique used here for making communication between Cassandra in LXC which is the goal of this thesis work. The performance metrics which determine the performance of Cassandra cluster database are selected according to it. The network configuration parameters are changed according to the behavior of Cassandra. By doing changes in these parameters Cassandra starts running according to the required configuration, after this Cassandra cluster performance will be analyzed. This is done with different write, read and mixed load operations and compared with Cassandra cluster performance on bare metal. The results of the thesis show an analysis of measurements of performance metrics like CPU utilization, Disk throughput and latency while running on Cassandra cluster in both bare metal and Linux Containers. A quantitative and statistical analysis of performance of Cassandra cluster is compared. The physical resources utilized by the Cassandra database on native bare metal and Linux Containers (LXC) is similar. According to the results, CPU utilization is more for Cassandra database in Linux Containers. Disk throughput is also more in Linux Containers except in the case of 66% load write operation. Bare metal has less latency compared to Linux Containers in all the scenarios.

Context: Cloud computing is one of the most widely used technologies all over the world that provides numerous products and IT services. Virtualization is one of the innovative technologies in cloud computing which has advantages of improved resource utilisation and management. Live migration is an innovative feature of virtualization that allows a virtual machine or container to be transferred from one physical server to another.  Live migration is a complex process which can have a significant impact on cloud computing when used by the cloud-based software.  Objectives: In this study, live migration of LXC and OpenVZ containers has been performed.  Later the performance of LXC and OpenVZ has been conducted in terms of total migration time and downtime. Further CPU utilisation, disk utilisation and an average load of the servers is also evaluated during the process of live migration. The main aim of this research is to compare the performance of LXC and OpenVZ during live migration of containers.  Methods: A literature study has been done to gain knowledge about the process of live migration and the metrics that are required to compare the performance of LXC and OpenVZ during live migration of containers. Further an experiment has been conducted to compute and evaluate the performance metrics that have been identified in the literature study. The experiment was done to investigate and evaluate migration process for both LXC and OpenVZ. Experiments were designed and conducted based on the objectives which were to be met. Results:  The results of the experiments include the migration performance of both LXC and OpenVZ. The performance metrics identified in the literature review, total migration time and downtime, were evaluated for LXC and OpenVZ. Further graphs were plotted for the CPU utilisation, disk utilisation, and average load during the live migration of containers. The results were analysed to compare the performance differences between OpenVZ and LXC during live migration of containers. Conclusions.  The conclusions that can be drawn from the experiment. LXC has shown higher utilisation, thus lower performance when compared with OpenVZ. However, LXC has less migration time and downtime when compared to OpenVZ.

Virtualization is used extensively by Enterprise IT architecture and cloud computing, it is used to provide customers a part of their hardware resources as a service. Container technology is the new generation of virtualization and provides performance benefits due to less overhead. Earlier research has compared different container technologies regarding their performance, including Docker which is the most popular container technology. Most of this research has been focusing on Linux based container technologies. Even though there is interest in knowing how other container technologies under different operating systems perform. In this study we explore the performance of Docker in contrast to the performance of a contending container technology named Jails. We present how well each container technology performs running one or multiple containers, in the areas of CPU, memory, read from disk, write to disk, network and startup time efficiency. The comparison was done using collected statistics from different benchmarking tools. Results from this study have shown that Docker is utilizing shared resources and has better stability compared to Jails. We also discuss what unexplored benefits Docker and Jails can have by implementing each other’s unique features. Future work could consist of writing to disk or reading from disk performance tests under one common filesystem, e.g., ZFS file system.
Virtualisering används i stor utsträckning av Enterprise IT-arkitektur och molntjänster, den används för att kunna erbjuda sina kunder en del av sina hårdvaruresurser som en tjänst. Containerteknologi är den nya generationen virtualisering och ger prestandafördelar på grund av mindre omkostnader. Tidigare forskning har jämfört olika containerteknologier angående deras prestanda, inklusive Docker, som är den mest populära containertekniken. Merparten av tidigare forskning har fokuserat på Linuxbaserade containerteknologier, även om det finns intresse för att veta hur andra containerteknologier under olika operativsystem fungerar. I denna studie undersöker vi Dockers prestanda jämfört med prestandan till containerteknologin med namnet Jails. Vi presenterar hur bra varje containerteknologi fungerar med att köra en eller flera containrar inom områdena CPU, minne, läsa från disk, skriva till disk, nätverkshastighet och starttid. Jämförelsen gjordes med insamlad statistik från olika referensverktyg. Resultat från denna studie har visat att Docker använder delade resurser på ett effektivare sätt och har bättre stabilitet jämfört med Jails. Vi diskuterar också vilka outforskade fördelar Docker och Jails kan ha genom att implementera varandras unika funktioner. Framtida arbete kan bestå av att skriva till disk eller läsa från diskprestanda under ett gemensamt filsystem, t.ex. ZFS-filsystem.

This thesis deals with the development problems and creating of the multi- purpose hardware platform, which supports operating system Linux. It is focused on the microprocessors using ARM architecture with architecture ARM7, ARM9 and ARM11. The scope of the first part of this thesis was searching the sales of available 32 bit ARM microprocessors. The second part is attended to a particular Mini2440 development kit, its animation and the subsequent development of the kernel drivers for OS Linux platform. One of this thesis details was also the development of my own expansive hardware module and a capacity keypad for a usage with Mini2440 developmental kit.

Scheduling is extremely important for modern real-time systems. It enables several programs to run in parallel and succeed with their tasks. Many systems today are real-time systems, which means that good scheduling is highly needed. This thesis aims to evaluate the real-time scheduling algorithm earliest deadline first, newly introduced into the Linux kernel, and compare it to the already existing real-time scheduling algorithms first in, first out and round robin in the context of firm tasks. By creating a test program that can create pthreads and set their scheduling characteristics, the performance of earliest deadline first can be evaluated and compared to the others.
Schemaläggning är extremt viktigt för dagens realtidssystem. Det tillåter att flera program körs parallellt samtidigt som deras processer inte misslyckas med sina uppgifter. Idag är många system realtidssystem, vilket innebär att det finns ett ytterst stort behov för en bra schemaläggningsalgoritm. Målet med det här examensarbetet är att utvärdera schema-läggningsalgoritmen earliest deadline first som nyligen introducerats i operativsystemet Linux. Målet är även att jämföra algoritmen med två andra schemaläggningsalgoritmer (first in, first out och round robin), vilka redan är väletablerade i Linux kärnan. Det här görs med avseende på processer klassificerade som firm. Genom att skapa ett program som kan skapa pthreads med önskvärda egenskaper kan prestandan av earliest deadline first algoritmen utvärderas, samt jämföras med de andra algoritmerna.

This thesis discusses the area of a control system for application testing in Linux. There is a need for testing software and its quality using automated software tools. Huge number of testing tools is available, Red Hat Test System (RHTS) being one of them. Dierent approaches to classi cation and evaluation of a testing tools are presented. Selected software testing tools were evaluated and compared with RHTS. The thesis then presents a design of a system for non-interactive application testing in Linux with support for RHTS tests and with focus on future enhancements. Implemented system is nally tested using proposed set of tests and several usage examples are described.

Firewall testing is important because fifewall faults can lead to security failures. Firewall testing is hard because firewall rules havdp&a+eters, producing a huge number of possible parameter combinations. This thesis presents a firewall testing methodology based on test templates, which are parameterized test cases. A firewall testing framework for iptables, the Linux firewall subsystem, has been implemented. Twelve test templates have been created for testing iptables parameters and extensions. A GUI tool is also provided to integrate these test templates with various test generation strategies. The most important of these strategies, painvise generation, has been investigated in detail. Based on the investigation, we developed an improved painvise generation algorithm.

The increasing interest to connect small sensors to the internet took the development of operating systems able to operate in any hardware ensuring all network, graphical and server functionalities. Globaltronic, a company in Águeda, has developed a hardware platform call WiiPiiDo, that can be described as a embedded computer, power by an ARM SoC, highly specialized for IoT, ensuring connection to the Internet even in harsh conditions using NB-IoT- LTE Cat NB1 (Narrow Band IoT), does ensuring rapid development of complete IoT solutions for endusers. The development of a Linux image that exposes all the potential of the hardware platform is a must and will provide extra value to it. In this context, we take a look at the Yocto Project, which is a building environment that allows the creation of such a operating system, and that is gaining a crescent community of users and specially enterprises. Nevertheless, Yocto is not the only choice for the developer community for embedded platforms, in fact, a distribution like Armbian, a Debian/Ubuntu based Distribution that is specialized for ARM boards, appears as a popular alternative for embedded development in ARM development boards. In this work we will see the steps necessary to test the first boot of the hardware platform until the development of the supporting operating system, passing through the driver development and performance tests. In the end, the used build system will be compared, from the results of the tests performance, to the build system in itself.
O crescente interesse na ligação de pequenos sensores à internet levou ao aparecimento de sistemas operacionais capazes de operar em qualquer hardware assegurando todas as funcionalidades de rede, interface gráfica, servidor, etc. A Globaltronic, uma empresa sedeada em Águeda, tem vindo a desenvolver a plataforma de hardware WiiPiiDo, que se caracteriza por ser um computador embebido altamente especializado para IoT e capaz de assegurar a ligação às redes NB-IoTLTE Cat NB1 (Narrow Band IoT), permitindo o rápido desenvolvimento de soluções IoT completas para os utilizadores. Por tudo isto, é indispensável criar uma imagem Linux que garanta a fácil utilização de todas as potencialidades da plataforma de hardware. Neste contexto, analisamos o Projecto Yocto, que oferece um sistema de desenvolvimento composto por diversas ferramentas para criação de distribuições Linux para sistemas embutidos, e que tem ganho popularidade numa grande comunidade de utilizadores, especialmente empresas. Contudo, o Yocto não é a única escolha da comunindade de desenvolvedores de sistemas embutidos. De facto, o Armbian, que é uma distribuição baseada em Debian/Ubuntu especializada para sistemas ARM, aparece como uma escolha popular para o desenvolvimento de imagens nestes ambientes. Neste trabalho, iremos ver os passos necessários para testar a plataforma de hardware WiiPiiDo, desde o primeiro arranque até ao desenvolvimento do sistema operativo de suporte, não esquecendo o desenvolvimento dos drivers de suporte aos dispositivos integrados e os testes de desempenho. No final, as ferramentas de desenvolvimento para a criação das imagens vão ser comparadas, desde os resultados obtidos nos testes de performance, ao sistemas de construção em si.
Mestrado em Engenharia de Computadores e Telemática

碩士
國立東華大學
物理學系
105
In this study, we analyze Linux kernels after version 3.0 by the complex network approach. The evolution of various network quantities such as degree exponents, clustering coefficients, and shortest paths are determined and compared with the results of the previous study for Linux kernels before versions 2.6. We further reduce the entire Linux kernel networks to smaller networks according to compiler settings to ensure these smaller networks are complete networks for real situations. The networks constructed by files only in the directory of arch or drivers are also considered. These classifications of Linux kernel networks show more details of evolution of Linux Kernel structures.