Abstract: Firewalls enforce a security policy by inspecting packets arriving or departing a network. This is often accomplished by sequentially comparing the policy rules with the header of an arriving packet until the first match is found. This process becomes time consuming as policies become larger and more complex. Therefore determining the appropriate action for arriving packets must be done as quickly as possible. The process of packet header matching can be improved if more popular rules appear earlier in…
“…Results presented here are most closely associated with the techniques developed in [10]. However, there are important differences between their and our methods.…”
Section: A Related Work
“…In this section, we focus our literature study on related research that is close to our work in the areas of firewall rule conflict detection and optimization analysis [1], [4], [6], [8] and [10].…”
In this paper, we investigate the problem of improving the performance and scalability of large firewall policies that comprise thousands of rules by detecting and resolving any potential conflicts among them. We present a novel, highly scalable data structure that requires O(n) space, where n is the number of rules in the policy, to represent the dependency among rules. After that, we describe a practical heuristic that utilizes our data structure to find conflicting rules, and consequently to find an optimal ordering of the consistent ones. Our algorithm has time complexity O(n^2 log n), making it the fastest known algorithm to date for firewall rule anomaly discovery and resolution. We validate the practicality of our algorithm on real-life firewall policies and on large synthetic firewall policies. Performance results show that our heuristic algorithm achieves a 40% to 87% reduction in comparison overhead compared with the original policies.
“…Tapdiya and Fulp used a directed acyclic graph (DAG) reflecting the rule dependencies of a rule set and rearranged the rules so as to reduce the cost of rule comparisons [5]. Their method takes a further O(n^3) time to reorder the rules associated with the DAG.…”
Abstract: A novel packet filter reconfiguration method was proposed by Hamed et al. We found that this method has the potential to cause a policy violation. We improve Hamed's method without increasing the time complexity so as to maintain rule dependencies.
“…The authors of [12] presented a heuristic algorithm for optimized policy RR that is able to re-order a policy containing precedence relationships (or a sub-graph in the DAG) in such a way that the policy integrity is maintained. A short synopsis of the most important aspects of this algorithm is given below.…”
Designing and implementing efficient firewall strategies in the age of the Internet of Things (IoT) is far from trivial. This is because, as time proceeds, an increasing number of devices will be connected, accessed and controlled on the Internet. Additionally, an ever-increasing amount of sensitive information will be stored on various networks. A good and efficient firewall strategy will attempt to secure this information, and also to manage the large amount of inevitable network traffic that these devices create. The goal of this paper is to propose a framework for designing optimized firewalls for the IoT. Further, by performing a rigorous suite of experiments, we demonstrate that both algorithms are capable of optimizing the constraints imposed for obtaining an efficient firewall.