FPC: A New Approach to Firewall Policies Compression

Yuzhu Cheng; Weiping Wang; Jianxin Wang; Haodong Wang

doi:10.26599/TST.2018.9010003

Tsinghua Science and Technology 2019, 24(1): 65-76 https://doi.org/10.26599/TST.2018.9010003

Issue | Published: 08 November 2018

FPC: A New Approach to Firewall Policies Compression

Show Author's Information Hide Author's Information Yuzhu Cheng, Weiping Wang(

), Jianxin Wang, Haodong Wang

School of Information Science and Engineering, Central South University, Changsha

410083

School of Software, Changsha Social work College, Changsha 410004, China.

Department of Electrical Engineering and Computer Science, Cleveland State University, Cleveland, OH 44115, USA.

Keywords:

network security, firewall, firewall policy, firewall rules compression

Cite this article:

Cheng Y, Wang W, Wang J, et al. FPC: A New Approach to Firewall Policies Compression. Tsinghua Science and Technology, 2019, 24(1): 65-76. https://doi.org/10.26599/TST.2018.9010003

Download citation

EndNote(RIS)

BibTeX

475

Views

Downloads

Citations

Crossref

N/A

WoS

Scopus

CSCD

Abstract Full text About this article

Abstract

Firewalls are crucial elements that enhance network security by examining the field values of every packet and deciding whether to accept or discard a packet according to the firewall policies. With the development of networks, the number of rules in firewalls has rapidly increased, consequently degrading network performance. In addition, because most real-life firewalls have been plagued with policy conflicts, malicious traffics can be allowed or legitimate traffics can be blocked. Moreover, because of the complexity of the firewall policies, it is very important to reduce the number of rules in a firewall while keeping the rule semantics unchanged and the target firewall rules conflict-free. In this study, we make three major contributions. First, we present a new approach in which a geometric model, multidimensional rectilinear polygon, is constructed for the firewall rules compression problem. Second, we propose a new scheme, Firewall Policies Compression (FPC), to compress the multidimensional firewall rules based on this geometric model. Third, we conducted extensive experiments to evaluate the performance of the proposed method. The experimental results demonstrate that the FPC method outperforms the existing approaches, in terms of compression ratio and efficiency while maintaining conflict-free firewall rules.

Full text

Abstract

Full text

Outline

About this article

FPC: A New Approach to Firewall Policies Compression

Show Author's information Hide Author's Information Yuzhu Cheng, Weiping Wang(

), Jianxin Wang, Haodong Wang

School of Information Science and Engineering, Central South University, Changsha

410083

School of Software, Changsha Social work College, Changsha 410004, China.

Department of Electrical Engineering and Computer Science, Cleveland State University, Cleveland, OH 44115, USA.

Abstract

Keywords: network security, firewall, firewall policy, firewall rules compression

References(21)

[1]

Meiners C. R., Liu A. X., and Torng E., Bit weaving: A non-prefix approach to compressing packet classifiers in tcams, IEEE/ACM Transactions on Networking (ToN), vol. 20, no. 2, pp. 488-500, 2012.

DOI Google Scholar

[2]

Cheng Y., Wang W., Min G., and Wang J., A new approach to designing firewall based on multidimensional matrix, Concurrency and Computation: Practice and Experience vol. 27, no. 12, pp. 3075-3088, 2015.

DOI Google Scholar

[3]

Divekar D. A. and Dowell R. I., Corner stitching: A data-structuring technique for VLSI layout tools, IEEE Transactions on Computer-Aided Design, vol. 3, no. 1, p. 87, 1984.

DOI Google Scholar

[4]

Wu S. Y. and Sahni S., Covering rectilinear polygons by rectangles, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 9, no. 4, pp. 377-388, 1990.

DOI Google Scholar

[5]

Applegate D. A., Calinescu G., Johnson D. S., Karloff H., Ligett K., and Wang J., Compressing rectilinear pictures and minimizing access control lists, in Proc. 18th Ann. ACM-SIAM Symp. Discrete Algorithms, New Orleans, LA, USA, 2007, pp. 1066-1075.

[6]

Liu A. X., Torng E., and Meiners C. R., Firewall compressor: An algorithm for minimizing firewall policies, in Proc. 27th Conf. Computer Communications, Phoenix, AZ, USA, 2008, pp. 176-180.

DOI

[7]

Daly J., Liu A. X., and Torng E., A difference resolution approach to compressing access control lists, IEEE/ACM Transactions on Networking, vol. 24, no. 1, pp. 610-623, 2016.

DOI Google Scholar

[8]

Draves R. P., King C., Venkatachary S., and Zill B. D., Constructing optimal IP routing tables, in Proc. 18th Ann. Joint Conf. IEEE Computer and Communications Societies, New York, NY, USA, 1999, pp. 88-97.

DOI

[9]

Wang J., Tan P., Yao J., Feng Q., and Chen J., On the minimum link-length rectilinear spanning path problem: Complexity and algorithms, IEEE Transactions on Computers, vol. 63, no. 12, pp. 3092-3100, 2014.

DOI Google Scholar

[10]

Kumar V. S. A. and Ramesh H., Covering rectilinear polygons with axis-parallel rectangles, in Proc. 31st Annu. ACM Symp. Theory of Computing, Atlanta, GA, USA, 1999, pp. 445-454.

[11]

Berman P. and DasGupta B., Complexities of efficient solutions of rectilinear polygon cover problems, Algorithmica, vol. 17, no. 4, pp. 331-356, 1997.

DOI Google Scholar

[12]

Liou W., Tan J. M., and Lee R. C., Minimum rectangular partition problem for simple rectilinear polygons, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 9, no. 7, pp. 720-733, 1990.

DOI Google Scholar

[13]

Karp R. M. and Wigderson A., A fast parallel algorithm for the maximal independent set problem, J. ACM, vol. 32, no. 4, pp. 762-773, 1985.

DOI Google Scholar

[14]

Suri S., Sandholm T., and Warkhede P., Compressing twodimensional routing tables, Algorithmica, vol. 35, no. 4, pp. 287-300, 2003.

DOI Google Scholar

[15]

Taylor D. E. and Turner J. S., Classbench: A packet classification benchmark, IEEE/ACM Transactions on Networking (ToN), vol. 15, no. 3, pp. 499-511, 2007.

DOI Google Scholar

[16]

Liu A. X. and Gouda M. G., Diverse firewall design, IEEE Transactions on Parallel and Distributed Systems, vol. 19, no. 9, pp. 1237-1251, 2008.

DOI Google Scholar

[17]

Wang M., Liu J., Mao J., Cheng H., Chen J., and Qi C., Routeguardian: Constructing secure routing paths in software-defined networking, Tsinghua Science and Technology, vol. 22, no. 4, pp. 400-412, 2017.

DOI Google Scholar

[18]

Ye X., Privacy preserving and delegated access control for cloud applications, Tsinghua Science and Technology, vol. 21, no. 1, pp. 40-54, 2016.

DOI Google Scholar

[19]

Li W., Cao Y., Chen J., and Wang J., Deeper local search for parameterized and approximation algorithms for maximum internal spanning tree, Information and Computation, vol. 252, pp. 187-200, 2017.

DOI Google Scholar

[20]

Chen J. E., Xu C., and Wang J. X., Dealing with 4-variables by resolution: An improved maxsat algorithm, Theor. Comput. Sci., vol. 670, pp. 33-44, 2017.

DOI Google Scholar

[21]

You J., Wang J., and Cao Y., Approximate association via dissociation, Discrete Applied Mathematics, vol. 219, pp. 202-209, 2017.

DOI Google Scholar

About this article

Publication history

Acknowledgements

Publication history

Received: 13 July 2017

Accepted: 07 August 2017

Published: 08 November 2018

Issue date: February 2019

Copyright

Acknowledgements

This work was supported by the National Natural Science Foundation of China (Nos. 61672543 and 61402542), Research Foundation of the Education Department of Hunan Province (No. 17B022), and Hunan Provincial Innovation Foundation for Postgraduate (No. CX2014B081).