Title :
Towards a new design of firewall: Anomaly elimination and fast verifying of firewall rules
Author :
Khummanee, Suchart ; Khumseela, Atipong ; Puangpronpitag, Somnuk
Author_Institution :
Fac. of Inf., Mahasarkham Univ., Maha Sarakham, Thailand
Abstract :
Network security is usually protected by a firewall, which checks in-out packets against a set of defined policies or rules. Hence, the overall performance of the firewall generally depends on its rule management. For example, the performance can be decreased when there are firewall rule anomalies. The anomalies may happen when two sets of firewall rules overlap or their decision parts are simultaneously an acceptance and a denial. In this paper, we propose a new paradigm of firewall design, consisting of two parts: (1) the Single Domain Decision firewall (SDD), a new firewall rule management policy that is guaranteed to be free of conflicts, and (2) the Binary Tree Firewall (BTF), a data structure and an algorithm for fast checking of the firewall rules. Experimental results have indicated that the new design can fix the conflicting anomaly and increase the speed of firewall rule checking from O(N^2) to O(log_2 N).
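The conflicting anomaly the abstract describes (two rules whose match spaces overlap while one accepts and the other denies) can be audited with the pairwise O(N^2) comparison that the paper's BTF design aims to improve on. The following is an added illustration, not code from the paper; the rule format, field names and sample rule set are constructed here for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # source network in CIDR notation
    dst: str       # destination network in CIDR notation
    proto: str     # "tcp", "udp" or "any"
    ports: tuple   # inclusive (low, high) destination port range
    action: str    # "accept" or "deny"


def _nets_overlap(a, b):
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def _protos_overlap(a, b):
    return a == "any" or b == "any" or a == b


def _ports_overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def rules_overlap(r1, r2):
    """True when some packet could match both rules (every field intersects)."""
    return (_nets_overlap(r1.src, r2.src) and _nets_overlap(r1.dst, r2.dst)
            and _protos_overlap(r1.proto, r2.proto)
            and _ports_overlap(r1.ports, r2.ports))


def find_conflicts(rules):
    """Pairwise O(N^2) scan: overlapping rules whose decisions disagree."""
    conflicts = []
    for i, r1 in enumerate(rules):
        for r2 in rules[i + 1:]:
            if r1.action != r2.action and rules_overlap(r1, r2):
                conflicts.append((r1.name, r2.name))
    return conflicts


# Constructed sample rule set: R1 and R2 conflict (same packets, opposite
# decisions); R3 differs in protocol and R4 in source network, so no conflict.
RULES = [
    Rule("R1", "10.0.0.0/24", "192.168.1.0/24", "tcp", (80, 80), "accept"),
    Rule("R2", "10.0.0.0/16", "192.168.1.10/32", "tcp", (1, 1024), "deny"),
    Rule("R3", "10.0.0.0/8", "0.0.0.0/0", "udp", (53, 53), "accept"),
    Rule("R4", "172.16.0.0/12", "0.0.0.0/0", "any", (1, 65535), "deny"),
]

if __name__ == "__main__":
    print(find_conflicts(RULES))  # [('R1', 'R2')]
```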
Keywords :
data structures; firewalls; trees (mathematics); BTF; SDD; anomaly elimination; binary tree firewall; data structure; decision parts; firewall design; firewall rule anomaly; firewall rule checking; firewall rule management policy; firewall rules; network security; single domain decision firewall; Binary trees; Companies; IP networks; Ports (Computers); Protocols; Time complexity; Anomaly; Binary Tree Firewall rule (BTF); Firewall rule optimization; Single Domain Decision firewall (SDD);
Conference_Titel :
Computer Science and Software Engineering (JCSSE), 2013 10th International Joint Conference on
Conference_Location :
Maha Sarakham
Print_ISBN :
978-1-4799-0805-9
DOI :
10.1109/JCSSE.2013.6567326