Design and implementation of packet filter firewall using Binary Decision Diagram

Packet filtering is one of the major contemporary firewall design techniques. An important design goal is to reach the accept/reject decision from the packet alone. Implementing such a packet filter with a Binary Decision Diagram (BDD) gives advantages in both memory usage and lookup time. In a list-based packet filter firewall, where the rules are checked one by one for each incoming packet, the time taken to decide on a packet is proportional to the number of rules. Performance improves with rule promotion, but promotion is itself a slow procedure. In this work we present a BDD-based approach that gives a much better result in terms of the number of comparisons, or accesses, made against the rule list. Results on 1 million packets show that for most-accept packets, on average, a 75% reduction in such comparisons occurs when the BDD-based approach is used instead of the list-based approach with promotion. For most-reject packets this reduction is nearly 34%.
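As an added example (not the paper's implementation), the following Python builds a reduced ordered BDD from a constructed five-rule policy over a toy 8-bit header and counts, per packet, the rule comparisons a list-based first-match filter needs against the bit tests the BDD walk needs; the rule set, header layout and bit ordering are assumptions made here.

```python
from functools import lru_cache

# Constructed toy rule set over an 8-bit header: 4 bits of source host, then
# 4 bits of destination port. '?' is a wildcard; first match wins; no match rejects.
RULES = [
    ("0001????", "reject"),   # host 1 blocked on every port
    ("????0001", "accept"),   # any host to port 1
    ("????0010", "accept"),   # any host to port 2
    ("01??0011", "accept"),   # hosts 4-7 to port 3
    ("1???????", "reject"),   # hosts 8-15 blocked
]
NBITS = 8

def list_classify(bits):
    """Linear scan of the rule list; returns (action, rules compared)."""
    for i, (pattern, action) in enumerate(RULES, 1):
        if all(p in ("?", b) for p, b in zip(pattern, bits)):
            return action, i
    return "reject", len(RULES)

# ROBDD: terminals are action strings; internal nodes are
# (bit_index, low_child, high_child) tuples shared through a unique table.
_unique = {}

@lru_cache(maxsize=None)
def _build(prefix):
    """Shannon-expand on the next header bit; reduce while unwinding."""
    if len(prefix) == NBITS:
        return list_classify(prefix)[0]          # terminal: policy on this packet
    low, high = _build(prefix + "0"), _build(prefix + "1")
    if low == high:                              # this bit is irrelevant here
        return low
    key = (len(prefix), low, high)
    return _unique.setdefault(key, key)          # merge isomorphic subgraphs

BDD_ROOT = _build("")

def bdd_classify(bits):
    """Walk the BDD from the root; returns (action, bit tests made)."""
    node, tests = BDD_ROOT, 0
    while isinstance(node, tuple):
        idx, low, high = node
        node = high if bits[idx] == "1" else low
        tests += 1
    return node, tests

if __name__ == "__main__":
    print("BDD internal nodes:", len(_unique))
    for pkt in ("01000011", "10101010", "00011111"):
        print(pkt, list_classify(pkt), bdd_classify(pkt))
```

The most-reject packet 10101010 falls through all five rules in the list but is settled by two bit tests in the BDD, which is the effect the abstract's comparison counts describe; a BDD walk is bounded by the header width regardless of how many rules the policy has.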
