Reducing Packet Delay through Filter Merging

The use of packet filters has increased considerably due to the growth of Internet users and network services. A number of header fields must be examined by the filter, causing delay for each packet processed. The problem is compounded when multiple filters are considered across a network. To maximize network performance, it would be desirable to minimize the number of packet filters on each path across a domain. Due to the interactions of rules between filters, the underlying network topology and the actions of dynamic routing protocols, it is computationally infeasible to implement this strategy by collectively considering all packet filters across the network. A simpler approach is the elimination of a filter by merging two filters on a common network segment. This work presents a novel packet filter merging algorithm using decision diagrams. A large number of practical and simulated experimental results are provided to demonstrate the effectiveness of the technique, and possible enhancements are considered in the conclusion. The results show that an average 20% performance improvement can be obtained using the technique.
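To make the merging idea concrete, here is an added example (not the paper's decision-diagram algorithm): two first-match filters on a common segment are combined by a rule-product construction into one filter that accepts exactly the packets both filters accept, and a brute-force check over a deliberately small, constructed header space confirms the equivalence. Rules, header fields and the sample filters are all assumptions made for the example.

```python
from itertools import product

# A rule is a box in (src, dport) space with inclusive ranges; filters are
# first-match lists with an implicit final deny (assumed model for the example).
def make_rule(src, dport, action):
    return {"src": src, "dport": dport, "action": action}

def matches(rule, pkt):
    src, dport = pkt
    return (rule["src"][0] <= src <= rule["src"][1]
            and rule["dport"][0] <= dport <= rule["dport"][1])

def evaluate(rules, pkt):
    """First matching rule decides; default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "deny"

def intersect(r1, r2):
    """Box intersection, or None when the boxes are disjoint."""
    lo_s, hi_s = max(r1["src"][0], r2["src"][0]), min(r1["src"][1], r2["src"][1])
    lo_p, hi_p = max(r1["dport"][0], r2["dport"][0]), min(r1["dport"][1], r2["dport"][1])
    if lo_s > hi_s or lo_p > hi_p:
        return None
    return (lo_s, hi_s), (lo_p, hi_p)

def merge(filter_a, filter_b):
    """One filter equivalent to filter_a followed by filter_b.
    If a_i and b_j are the first rules of A and B matching packet p, then in
    lexicographic (i, j) order the first box containing p is a_i ∩ b_j, so the
    product list keeps first-match semantics; p passes only if both accept."""
    merged = []
    for ra, rb in product(filter_a, filter_b):
        box = intersect(ra, rb)
        if box is None:
            continue
        both = ra["action"] == "accept" and rb["action"] == "accept"
        merged.append(make_rule(box[0], box[1], "accept" if both else "deny"))
    while merged and merged[-1]["action"] == "deny":  # trailing denies equal the default
        merged.pop()
    return merged

def equivalent(filter_a, filter_b, merged, src_max=63, dport_max=63):
    """Exhaustive check over the small header space: chained A then B == merged."""
    for pkt in product(range(src_max + 1), range(dport_max + 1)):
        chained = evaluate(filter_a, pkt) == "accept" and evaluate(filter_b, pkt) == "accept"
        if chained != (evaluate(merged, pkt) == "accept"):
            return False
    return True

# Constructed sample filters (src and dport are small integers, not real addresses).
FILTER_A = [make_rule((0, 15), (22, 22), "deny"), make_rule((0, 63), (22, 22), "accept"),
            make_rule((0, 63), (0, 10), "accept")]
FILTER_B = [make_rule((8, 31), (0, 63), "deny"), make_rule((0, 63), (0, 63), "accept")]
MERGED = merge(FILTER_A, FILTER_B)
```

The product can grow to |A| times |B| rules, so in practice a merged filter is worth keeping only when its per-packet cost stays below that of the two filters it replaces; the brute-force check is only feasible because the header space here is tiny.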
