论文信息 - Linear-tree rule structure for firewall optimization

Linear-tree rule structure for firewall optimization

Given a list of filtering rules with individual hitting probabilities, it is known that the average processing time of a linear-search based firewall can be minimized by searching rules in some appropriate order. This paper proposes a new yet simple technique called the linear-tree structure. It utilizes an advanced feature of modern firewalls, the "goto"-like statement, to transform the given rule list into a rule set that is functionally equivalent to the original but organized in a more efficient structure. We show it is possible to achieve much more improvement than previous, rule-reordering based studies. To demonstrate this, we study by both simulation experiment and test with real firewall.

[1] Albert G. Greenberg,et al. Traffic-Aware Firewall Optimization Strategies , 2006, 2006 IEEE International Conference on Communications.

[2] Nick McKeown,et al. Packet classification on multiple fields , 1999, SIGCOMM '99.

[3] Steven McCanne,et al. BPF+: exploiting global data-flow optimization in a generalized packet filter architecture , 1999, SIGCOMM '99.

[4] Venkatachary Srinivasan,et al. Packet classification using tuple space search , 1999, SIGCOMM '99.

[5] Steven McCanne,et al. The BSD Packet Filter: A New Architecture for User-level Packet Capture , 1993, USENIX Winter.

[6] T. V. Lakshman,et al. High-speed policy-based packet forwarding using efficient multi-dimensional range matching , 1998, SIGCOMM '98.

[7] Albert G. Greenberg,et al. Simulation study of firewalls to aid improved performance , 2006, 39th Annual Simulation Symposium (ANSS'06).

[8] Hideo Yamamoto,et al. Delay Reduction for Liner-Search Based Packet Filters , 2004 .