Article

Dynamic rule-ordering optimization for high-speed firewall filtering

Authors:
Hazem Hamed

DePaul University, Chicago, Illinois

DePaul University, Chicago, Illinois
View Profile

,
Ehab Al-Shaer

DePaul University, Chicago, Illinois

DePaul University, Chicago, Illinois
View Profile

ASIACCS '06: Proceedings of the 2006 ACM Symposium on Information, computer and communications securityMarch 2006Pages 332–342https://doi.org/10.1145/1128817.1128867

Published:21 March 2006Publication History

ASIACCS '06: Proceedings of the 2006 ACM Symposium on Information, computer and communications security

Pages 332–342

ABSTRACT

Packet filtering plays a critical role in many of the current high speed network technologies such as firewalls and IPSec devices. The optimization of firewall policies is critically important to provide high performance packet filtering particularly for high speed network security. Current packet filtering techniques exploit the characteristics of the filtering policies, but they do not consider the traffic behavior in optimizing their search data structures. This results in impractically high space complexity, which undermines the performance gain offered by these techniques. Also, these techniques offer upper bounds for the worst case search times; nevertheless, average case scenarios are not necessarily optimized. Moreover, the types of packet filtering fields used in most of these techniques are limited to IP header fields and cannot be generalized to cover transport and application layer filtering.In this paper, we present a novel technique that utilizes Internet traffic characteristics to optimize firewall filtering policies. The proposed technique timely adapts to the traffic conditions using actively calculated statistics to dynamically optimize the ordering of packet filtering rules. The rule importance in traffic matching as well as its dependency on other rules are both considered in our optimization algorithm. Through extensive evaluation experiments using simulated and real Internet traffic traces, the proposed mechanism is shown to be efficient and easy to deploy in practical firewall implementations.

References

E. Al-Shaer and H. Hamed. Modeling and management of firewall policies. IEEE Transactions on Network and Service Management, 1(1), April 2004. Google ScholarDigital Library
D. Bertsimas and J. Tsitsiklis. Introduction to Linear Optimization. Athena Scientific, 1997. Google ScholarDigital Library
D. Chapman and E. Zwicky. Building Internet Firewalls. Orielly & Associates Inc., second edition edition, 2000. Google ScholarDigital Library
E. Cohen and C. Lund. Packet classification in large ISPs: Design and evaluation of decision tree classifiers. ACM SIGMETRICS Performance Evaluation Review, 33(1):73--84, 2005. Google ScholarDigital Library
A. Feldmann and S. Muthukrishnan. Tradeoffs for packet classification. In IEEE INFOCOM'00, March 2000.Google ScholarCross Ref
R. Graham, E. Lawler, J. Lenstra, and A. Kan. Optimizing and applixation in deterministic seuquencing and scheduling: A surevey. Annals of Discrete Mathematics, 5, 1979.Google Scholar
P. Gupta and N. McKeown. Algorithms for packet classification. IEEE Network, 15(2):24--32, 2001. Google ScholarDigital Library
P. Gupta and N. McKeown. Packet classification using hierarchical intelligent cuttings. In Interconnects VII, August 1999.Google Scholar
P. Gupta, B. Prabhakar, and S. Boyd. Near optimal routing lookups with bounded worst case performance. In IEEE INFOCOM'00, 2000.Google ScholarCross Ref
H. Hamed and E. Al-Shaer. Adaptive statistical optimization techniques for firewall packet filtering. Technical Report TR-05-012, DePaul University, 2005.Google Scholar
D. Knuth. Fundamental Algorithms, volume 1 of The Art of Computer Programming. Addison-Wesley, Reading, Massachusetts, third edition.Google Scholar
K. Lan and J. Heidemann. On the correlation of internet flow characteristics. Technical Report ISI-TR-574, USC/ISI, 2003.Google Scholar
E. Lawler. Sequencing jobs to minimize total weighted completion time subject to precedence constraints. Annals of Discrete Mathematics, 2, 1978.Google Scholar
J. Lenstra and A. Kan. Complexity of scheduling under precendence constraints. Operations Research, 26(1), 1978.Google Scholar
A. J. McAulay and P. Francis. Fast routing table lookup using CAMs. In IEEE INFOCOM'93, March 1993.Google ScholarCross Ref
Passive Measurement and Analysis Project, National Laboratory for Applied Network Research. Auckland-VIII Traces. http://pma.nlanr.net/Special/auck8.html, December 2003.Google Scholar
J. Qian, S. Hinrichs, and K. Nahrstedt. ACLA: A framework for access control list (ACL) analysis and optimization. In IFIP Communications and Multimedia Security, 2001. Google ScholarDigital Library
R. Rivest. On self-organizing sequenctial search heuristics. Communications of the ACM, 19(2), 1976. Google ScholarDigital Library
A. Schulz. Scheduling to minimize total weighted completion time: Performance guarantees of LP-based heuristics and lower bounds. In The 5th International IPCO Conference, 1996. Google ScholarDigital Library
V. Srinivasan, Subhash Suri, and George Varghese. Packet classification using tuple space search. In Computer ACM SIGCOMM Communication Review, pages 135--146, October 1999. Google ScholarDigital Library
Cisco Systems. Optimizing ACLs. User Guide for ACL Manager 1.4, Cisco Works2000, 2002.Google Scholar
Cisco Systems. Netflow services solutions guide, October 2004.Google Scholar
D. Taylor and J. Turner. Scalable packet classification using distributed crossproducting of field labels. In IEEE INFOCOM, 2005.Google ScholarCross Ref
SimJava v2.0. Process based discrete event simulation package for java. http://www.dcs.ed.ac.uk/home/hase/simjava/, 2002.Google Scholar
J. Wallerich, H. Dreger, A. Feldmann, B. Krishnamurthy, and W. Willinger. A methodology for studying persistency aspects of internet flows. SIGCOMM Computer Communication Review, 35(2), 2005. Google ScholarDigital Library
Thomas Y. C. Woo. A modular approach to packet classification: Algorithms and results. In IEEE INFOCOM'00, pages 1213--1222, March 2000.Google ScholarCross Ref
A. Wool. A quantitative study of firewall configuration errors. IEEE Computer, 37(6):62--67, 2004. Google ScholarDigital Library
L. Zhang. Virtual clock: a new traffic control algorithm for packet switching networks. In The ACM symposium on Communications Architectures and Protocols, 1990. Google ScholarDigital Library
G. Zipf. Human Behaviour and the Principle of Least-Effort. Addison-Wesley, 1949.Google Scholar

Index Terms

Dynamic rule-ordering optimization for high-speed firewall filtering
1. Networks
  1. Network services

Recommendations

High-Speed Dynamic Packet Filtering

One problem encountered while monitoring gigabit networks, is the need to filter only those packets that are interesting for a given task while ignoring the others. Popular packet filtering technologies enable users to specify complex filters but do not ...
Read More
Dynamic rule and rule‐field optimisation for improving firewall performance and security

A novel approach is presented to improve firewall packet filtering through optimising the order of firewall rules for early packet acceptance as well as the order of rule‐fields for early packet rejection. The proposed approach is based on the calculation ...
Read More
Ant Colony Optimization based approach for efficient packet filtering in firewall

A firewall is a security guard placed at the point of entry between a private network and the outside network. The function of a firewall is to accept or discard the incoming packets passing through it based on the rules in a ruleset. Approaches ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ASIACCS '06: Proceedings of the 2006 ACM Symposium on Information, computer and communications security
March 2006
384 pages
ISBN:1595932720
DOI:10.1145/1128817
Conference Chair:
Ferng-Ching Lin
Executive Yuan, Taiwan
,
General Chairs:
Der-Tsai Lee
Academia Sinica, Taiwan
,
Bao-Shuh Lin
ITRI, Taiwan
,
Program Chairs:
Shiuhpyng Shieh
National Chiao Tung University, Taiwan
,
Sushil Jajodia
George Mason University, USA
Copyright © 2006 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 21 March 2006
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Qualifiers
- Article
Conference

Acceptance Rates
Overall Acceptance Rate418of2,322submissions,18%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 66
  Total Citations
  View Citations
- 1,362
  Total Downloads
- Downloads (Last 12 months)35
- Downloads (Last 6 weeks)11
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Dynamic rule-ordering optimization for high-speed firewall filtering

ASIACCS '06: Proceedings of the 2006 ACM Symposium on Information, computer and communications security

ABSTRACT

References

Cited By

Index Terms

Recommendations

High-Speed Dynamic Packet Filtering

Dynamic rule and rule‐field optimisation for improving firewall performance and security

Ant Colony Optimization based approach for efficient packet filtering in firewall