AI Chat Paper
Note: Please note that the following content is generated by AMiner AI. SciOpen does not take any responsibility related to this content.
{{lang === 'zh_CN' ? '文章概述' : 'Summary'}}
{{lang === 'en_US' ? '中' : 'Eng'}}
Chat more with AI
Powered by AMiner. Clicking this button will take you away from SciOpen.
Home Tsinghua Science and Technology Article
PDF (2 MB)
Cite
EndNote(RIS) BibTeX
Collect
Submit Manuscript AI Chat Paper
Show Outline
Outline
Show full outline
Hide outline
Outline
Show full outline
Hide outline

FPC: A New Approach to Firewall Policies Compression

School of Information Science and Engineering, Central South University, Changsha 410083
School of Software, Changsha Social work College, Changsha 410004, China.
Department of Electrical Engineering and Computer Science, Cleveland State University, Cleveland, OH 44115, USA.
Show Author Information

Abstract

Firewalls are crucial elements that enhance network security by examining the field values of every packet and deciding whether to accept or discard a packet according to the firewall policies. With the development of networks, the number of rules in firewalls has rapidly increased, consequently degrading network performance. In addition, because most real-life firewalls have been plagued with policy conflicts, malicious traffics can be allowed or legitimate traffics can be blocked. Moreover, because of the complexity of the firewall policies, it is very important to reduce the number of rules in a firewall while keeping the rule semantics unchanged and the target firewall rules conflict-free. In this study, we make three major contributions. First, we present a new approach in which a geometric model, multidimensional rectilinear polygon, is constructed for the firewall rules compression problem. Second, we propose a new scheme, Firewall Policies Compression (FPC), to compress the multidimensional firewall rules based on this geometric model. Third, we conducted extensive experiments to evaluate the performance of the proposed method. The experimental results demonstrate that the FPC method outperforms the existing approaches, in terms of compression ratio and efficiency while maintaining conflict-free firewall rules.

Keywords

firewallfirewall policynetwork securityfirewall rules compression

References

[1]
Meiners C. R., Liu A. X., and Torng E., Bit weaving: A non-prefix approach to compressing packet classifiers in tcams, IEEE/ACM Transactions on Networking (ToN), vol. 20, no. 2, pp. 488-500, 2012.
Crossref Google Scholar
[2]
Cheng Y., Wang W., Min G., and Wang J., A new approach to designing firewall based on multidimensional matrix, Concurrency and Computation: Practice and Experience vol. 27, no. 12, pp. 3075-3088, 2015.
Crossref Google Scholar
[3]
Divekar D. A. and Dowell R. I., Corner stitching: A data-structuring technique for VLSI layout tools, IEEE Transactions on Computer-Aided Design, vol. 3, no. 1, p. 87, 1984.
Crossref Google Scholar
[4]
Wu S. Y. and Sahni S., Covering rectilinear polygons by rectangles, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 9, no. 4, pp. 377-388, 1990.
Crossref Google Scholar
[5]
Applegate D. A., Calinescu G., Johnson D. S., Karloff H., Ligett K., and Wang J., Compressing rectilinear pictures and minimizing access control lists, in Proc. 18th Ann. ACM-SIAM Symp. Discrete Algorithms, New Orleans, LA, USA, 2007, pp. 1066-1075.
[6]
Liu A. X., Torng E., and Meiners C. R., Firewall compressor: An algorithm for minimizing firewall policies, in Proc. 27th Conf. Computer Communications, Phoenix, AZ, USA, 2008, pp. 176-180.
Crossref
[7]
Daly J., Liu A. X., and Torng E., A difference resolution approach to compressing access control lists, IEEE/ACM Transactions on Networking, vol. 24, no. 1, pp. 610-623, 2016.
Crossref Google Scholar
[8]
Draves R. P., King C., Venkatachary S., and Zill B. D., Constructing optimal IP routing tables, in Proc. 18th Ann. Joint Conf. IEEE Computer and Communications Societies, New York, NY, USA, 1999, pp. 88-97.
Crossref
[9]
Wang J., Tan P., Yao J., Feng Q., and Chen J., On the minimum link-length rectilinear spanning path problem: Complexity and algorithms, IEEE Transactions on Computers, vol. 63, no. 12, pp. 3092-3100, 2014.
Crossref Google Scholar
[10]
Kumar V. S. A. and Ramesh H., Covering rectilinear polygons with axis-parallel rectangles, in Proc. 31st Annu. ACM Symp. Theory of Computing, Atlanta, GA, USA, 1999, pp. 445-454.
[11]
Berman P. and DasGupta B., Complexities of efficient solutions of rectilinear polygon cover problems, Algorithmica, vol. 17, no. 4, pp. 331-356, 1997.
Crossref Google Scholar
[12]
Liou W., Tan J. M., and Lee R. C., Minimum rectangular partition problem for simple rectilinear polygons, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 9, no. 7, pp. 720-733, 1990.
Crossref Google Scholar
[13]
Karp R. M. and Wigderson A., A fast parallel algorithm for the maximal independent set problem, J. ACM, vol. 32, no. 4, pp. 762-773, 1985.
Crossref Google Scholar
[14]
Suri S., Sandholm T., and Warkhede P., Compressing twodimensional routing tables, Algorithmica, vol. 35, no. 4, pp. 287-300, 2003.
Crossref Google Scholar
[15]
Taylor D. E. and Turner J. S., Classbench: A packet classification benchmark, IEEE/ACM Transactions on Networking (ToN), vol. 15, no. 3, pp. 499-511, 2007.
Crossref Google Scholar
[16]
Liu A. X. and Gouda M. G., Diverse firewall design, IEEE Transactions on Parallel and Distributed Systems, vol. 19, no. 9, pp. 1237-1251, 2008.
Crossref Google Scholar
[17]
Wang M., Liu J., Mao J., Cheng H., Chen J., and Qi C., Routeguardian: Constructing secure routing paths in software-defined networking, Tsinghua Science and Technology, vol. 22, no. 4, pp. 400-412, 2017.
Crossref Google Scholar
[18]
Ye X., Privacy preserving and delegated access control for cloud applications, Tsinghua Science and Technology, vol. 21, no. 1, pp. 40-54, 2016.
Crossref Google Scholar
[19]
Li W., Cao Y., Chen J., and Wang J., Deeper local search for parameterized and approximation algorithms for maximum internal spanning tree, Information and Computation, vol. 252, pp. 187-200, 2017.
Crossref Google Scholar
[20]
Chen J. E., Xu C., and Wang J. X., Dealing with 4-variables by resolution: An improved maxsat algorithm, Theor. Comput. Sci., vol. 670, pp. 33-44, 2017.
Crossref Google Scholar
[21]
You J., Wang J., and Cao Y., Approximate association via dissociation, Discrete Applied Mathematics, vol. 219, pp. 202-209, 2017.
Crossref Google Scholar
Tsinghua Science and Technology
Volume 24 Issue 1,
February 2019
Pages 65-76
DOI: 10.26599/TST.2018.9010003
Cite this article:
Cheng Y, Wang W, Wang J, et al. FPC: A New Approach to Firewall Policies Compression. Tsinghua Science and Technology, 2019, 24(1): 65-76. https://doi.org/10.26599/TST.2018.9010003

633

Views

32

Downloads

13

Crossref

N/A

Web of Science

18

Scopus

0

CSCD

Altmetrics
Received: 13 July 2017
Accepted: 07 August 2017
Published: 08 November 2018
© The author(s) 2019
Return