Title :
Optimising Rule Order for a Packet Filtering Firewall
Author :
Mothersole, Ian ; Reed, Martin J.
Author_Institution :
Sch. of Comput. Sci. & Electron. Eng., Univ. of Essex, Colchester, UK
Abstract :
A heuristic approximation algorithm that optimises the order of firewall rules to minimise the packet matching cost is presented. Firewall operators already exploit the observation that some rules match most of the traffic while others match very little: ordering the rules so that the most frequently matched ones sit as high in the table as possible reduces the processing load on the firewall. Because rules in a rule set depend on one another (a rule may only be moved past another if the filtering decision for every packet is unchanged), this problem, minimising the cost of the packet matching process, has been shown to be NP-hard. The algorithm proposed here is designed to give good performance in minimising the packet matching cost. Its performance is related to the complexity of the firewall rule set and is compared against an alternative algorithm; the algorithm presented here achieves a lower packet matching cost in every case compared.
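Worked illustration of the cost model and the rule dependencies the abstract refers to. This is an example added here, not code from the paper, and it does not reproduce the paper's heuristic: the greedy "highest hit rate first" pass below is a simple stand-in that respects the precedence constraints, and a brute-force search is included to check it against the true optimum on a small table. The rule format (source prefix, destination-port range, action), the constructed rule table and the per-rule hit fractions are all assumptions made for the example.

```python
# Added illustration, not code from the paper: expected packet-matching cost
# of a rule order, the precedence constraints overlapping rules impose, and a
# greedy "highest hit rate first" reorder that respects them. The paper's own
# heuristic is not reproduced; rule format and traffic fractions are assumed.
import ipaddress
import itertools
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                # source CIDR prefix, or "*" for any
    dport: Tuple[int, int]  # inclusive destination-port range
    action: str             # "allow" or "deny"
    hits: float             # fraction of packets this rule matches first


def overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet could match both rules (field-wise intersection)."""
    if a.src != "*" and b.src != "*":
        if not ipaddress.ip_network(a.src).overlaps(ipaddress.ip_network(b.src)):
            return False
    return max(a.dport[0], b.dport[0]) <= min(a.dport[1], b.dport[1])


def dependencies(rules: List[Rule]) -> Dict[str, Set[str]]:
    """Map each rule to the rules that must stay ahead of it.

    Rules that can match the same packet keep their relative order: with
    different actions a swap changes the filtering decision, and with the
    same action it moves hits between them and invalidates the figures.
    """
    before: Dict[str, Set[str]] = {r.name: set() for r in rules}
    for i, earlier in enumerate(rules):
        for later in rules[i + 1:]:
            if overlaps(earlier, later):
                before[later.name].add(earlier.name)
    return before


def matching_cost(order: List[Rule]) -> float:
    """Expected rule comparisons per packet: position p costs p, and a
    packet matching no rule walks the whole table."""
    n = len(order)
    cost = sum(p * r.hits for p, r in enumerate(order, start=1))
    return cost + (1.0 - sum(r.hits for r in order)) * n


def respects(order: List[Rule], before: Dict[str, Set[str]]) -> bool:
    placed: Set[str] = set()
    for r in order:
        if not before[r.name] <= placed:
            return False
        placed.add(r.name)
    return True


def greedy_reorder(rules: List[Rule]) -> List[Rule]:
    """Priority topological sort: at each step place the highest-hit rule
    whose predecessors are already placed. Cheap, but not optimal: a low-hit
    rule that gates a much higher-hit rule can be deferred too long."""
    before = dependencies(rules)
    remaining, placed, order = list(rules), set(), []
    while remaining:
        ready = [r for r in remaining if before[r.name] <= placed]
        pick = max(ready, key=lambda r: r.hits)
        order.append(pick)
        placed.add(pick.name)
        remaining.remove(pick)
    return order


def optimal_reorder(rules: List[Rule]) -> List[Rule]:
    """Exhaustive search over valid permutations (small tables only)."""
    before = dependencies(rules)
    valid = [list(p) for p in itertools.permutations(rules) if respects(list(p), before)]
    return min(valid, key=matching_cost)


# Constructed rule table in operator order; the hit fractions are invented.
RULES = [
    Rule("deny-ssh-from-10", "10.0.0.0/8", (22, 22), "deny", 0.01),
    Rule("allow-ssh", "*", (22, 22), "allow", 0.05),
    Rule("allow-http", "*", (80, 80), "allow", 0.50),
    Rule("allow-https", "*", (443, 443), "allow", 0.30),
    Rule("deny-192.168", "192.168.0.0/16", (0, 65535), "deny", 0.02),
    Rule("allow-dns", "*", (53, 53), "allow", 0.10),
]

if __name__ == "__main__":
    reordered = greedy_reorder(RULES)
    print("original cost:", round(matching_cost(RULES), 3))
    print("greedy order: ", [r.name for r in reordered])
    print("greedy cost:  ", round(matching_cost(reordered), 3))
```

On the constructed table the dependencies pin the deny-192.168 rule behind the three allow rules it overlaps, and allow-dns behind it, so the only freedom is among the first four rules; the greedy pass brings the cost from 3.63 to 2.15 comparisons per packet, which the exhaustive search confirms is optimal here. The greedy pass is not optimal in general: a cheap deny rule that gates a very frequently matched allow rule should be placed early even though its own hit rate is low, and the exhaustive search exposes such cases on small tables. The exponential search is there only as a check; the paper's point is precisely that the general problem is NP-hard and needs a heuristic.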
Keywords :
approximation theory; authorisation; computer network security; optimisation; telecommunication traffic; NP-hard problem; firewall rule set; heuristic approximation algorithm; load processing; packet filtering firewall operator; packet matching; rule order optimization; Algorithm design and analysis; Fires; Heuristic algorithms; IP networks; Internet; Optimization; Security;
Conference_Titel :
Network and Information Systems Security (SAR-SSI), 2011 Conference on
Conference_Location :
La Rochelle
Print_ISBN :
978-1-4577-0735-3
DOI :
10.1109/SAR-SSI.2011.5931399