ABSTRACT
Packet filtering plays a critical role in many current high-speed network technologies such as firewalls and IPSec devices. Optimizing firewall policies is critically important for high-performance packet filtering, particularly in high-speed network security. Current packet filtering techniques exploit the characteristics of the filtering policies, but they do not consider traffic behavior when optimizing their search data structures. This results in impractically high space complexity, which undermines the performance gain these techniques offer. These techniques also provide upper bounds on worst-case search time, but average-case scenarios are not necessarily optimized. Moreover, the packet filtering fields used by most of these techniques are limited to IP header fields and cannot be generalized to cover transport- and application-layer filtering.

In this paper, we present a novel technique that uses Internet traffic characteristics to optimize firewall filtering policies. The proposed technique adapts to traffic conditions in a timely manner, using actively calculated statistics to dynamically optimize the ordering of packet filtering rules. Both a rule's importance in traffic matching and its dependency on other rules are considered in our optimization algorithm. Through extensive evaluation experiments using simulated and real Internet traffic traces, the proposed mechanism is shown to be efficient and easy to deploy in practical firewall implementations.
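The abstract describes the idea at a high level: count how often each rule is the first match for observed traffic, respect the dependency between overlapping rules whose actions differ (their relative order decides the packet's fate), and move frequently hit rules toward the front. The following Python sketch is an added illustration of that idea and is not the paper's algorithm; the rule set, the sample packets and the greedy "highest hit count whose prerequisites are already placed" heuristic are constructed assumptions.

```python
from collections import Counter

# Constructed sample policy: each rule is (src, dst, proto, dport, action); a field of
# None matches anything. List position is the original priority (first match wins).
RULES = [
    ({"10.0.0.5"}, None, {"tcp"}, {22}, "deny"),               # r0: block one host's SSH
    ({"10.0.0.5", "10.0.0.6"}, None, {"tcp"}, {22}, "allow"),  # r1: overlaps r0, must stay after it
    (None, {"192.168.1.10"}, {"tcp"}, {80, 443}, "allow"),     # r2: web server
    (None, None, {"udp"}, {53}, "allow"),                      # r3: DNS
    (None, None, None, None, "deny"),                          # r4: default deny
]

# Constructed traffic sample as (src, dst, proto, dport): mostly DNS and web.
PACKETS = ([("172.16.0.1", "192.168.1.53", "udp", 53)] * 6
           + [("172.16.0.2", "192.168.1.10", "tcp", 443)] * 3
           + [("10.0.0.6", "192.168.1.20", "tcp", 22)])

def matches(rule, pkt):
    return all(f is None or v in f for f, v in zip(rule[:4], pkt))

def first_match(rules, pkt):
    """Index of the first rule that matches pkt (the default rule guarantees one)."""
    return next(i for i, r in enumerate(rules) if matches(r, pkt))

def overlap(a, b):
    """True if some packet could match both rules (every field intersects)."""
    return all(fa is None or fb is None or fa & fb for fa, fb in zip(a[:4], b[:4]))

def dependencies(rules):
    """deps[j] = set of earlier rules i that must stay before j to preserve semantics."""
    deps = {j: set() for j in range(len(rules))}
    for i in range(len(rules)):
        for j in range(i + 1, len(rules)):
            if rules[i][4] != rules[j][4] and overlap(rules[i], rules[j]):
                deps[j].add(i)
    return deps

def hit_counts(rules, packets):
    return Counter(first_match(rules, p) for p in packets)

def reorder(rules, hits):
    """Greedy precedence-respecting order: most-hit ready rule first, ties by old index."""
    deps, order, placed = dependencies(rules), [], set()
    while len(order) < len(rules):
        ready = [j for j in range(len(rules)) if j not in placed and deps[j] <= placed]
        best = max(ready, key=lambda j: (hits[j], -j))
        order.append(best)
        placed.add(best)
    return order

def average_depth(rules, packets):
    """Mean number of rules inspected per packet before the first match."""
    return sum(first_match(rules, p) + 1 for p in packets) / len(packets)
```

Running `reorder(RULES, hit_counts(RULES, PACKETS))` moves the DNS and web rules to the front while keeping r0 ahead of r1 and the default deny last, so every sample packet receives the same action with fewer rules inspected on average.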
Index Terms
- Dynamic rule-ordering optimization for high-speed firewall filtering