DocumentCode
2811197
Title
Enabling flexible packet filtering through the K-map priority elimination technique
Author
Ben Neji, Nizar ; Bouhoula, Adel ; Kimura, Masato
Author_Institution
Higher Sch. of Commun. of Tunis (SupCom), Univ. of Carthage, Tunis, Tunisia
fYear
2011
fDate
4-7 Oct. 2011
Firstpage
1
Lastpage
8
Abstract
The process of packet filtering becomes time consuming as filtering policies become larger and more complex. New firewall designs are needed to meet the challenges associated with high-speed networks. For this reason, access control lists in firewalls need to be flexible enough to allow new high-performance filtering strategies to be implemented efficiently. The precedence relationships within the access control rules are considered one of the most important handicaps remaining unsolved in the context of optimization. In this paper, we introduce a Karnaugh map (k-map) based technique able to totally remove the dependencies between rules without changing the filtering behavior (i.e. input and output lists of rules remain semantically equivalent). On one hand, statistical rule ordering models become easy to implement, provide a differentiated quality of service and make it possible to reach a good processing time. On the other hand, dependency removal is very useful in the context of parallelization, especially when the access policy has to be equitably distributed among multiple firewalls. We have implemented this new technique and the first computer experiments were very promising.
Keywords
access control; authorisation; computer network security; K-map priority elimination technique; Karnaugh map based technique; access control; dependency removal; firewall designs; flexible packet filtering; statistical rule ordering models; Complexity theory; Context; Educational institutions; IP networks; Optimization; Redundancy; Security; Firewall; packet filtering; parallelization; priority elimination; security policy; statistical model;
fLanguage
English
Publisher
ieee
Conference_Titel
Local Computer Networks (LCN), 2011 IEEE 36th Conference on
Conference_Location
Bonn
ISSN
0742-1303
Print_ISBN
978-1-61284-926-3
Type
conf
DOI
10.1109/LCN.2011.6115188
Filename
6115188