A method for moving rules in a network with multiple packet filters

In a network where multiple packet filtering firewalls exist, it can be beneficial to distribute the filtering rules in a certain way, for example, move all the rules towards the edge (main gateway) of the network, or to evenly distribute the rules over the firewalls. Configuring firewalls is a complex task and can be very error prone. To move rules between firewalls, many factors need to be considered to ensure the global security policy remains unchanged. In this paper we present a novel method which describes how to move rules between the firewalls and what, if any, changes need to be made to the rule(s). With this work we have also presented a generic network model which can be applied to any network topology and therefore allows the method for moving rules to be applied to any network topology (so long as it meets the criteria). Applications of the work include improving the network bandwidth utilisation, when unwanted traffic is filtered out early, and also improving the processing loads on each firewall, thus reducing delays and increasing traffic throughput. Factors to be considered when moving filtering rules include the relationships which can exist between filtering rules. Naive removal and insertion of filtering rules can alter inter-rule relationships and therefore also alter the security policy - the method we present ensures the security policy remains unchanged.