On autonomic optimization of firewall policy organization

Summary: Journal of High Speed Networks 15 (2006) 209–227
IOS Press
Hazem Hamed and Ehab Al-Shaer
School of Computer Science, Telecommunications and Information Systems, DePaul University,
243 S Wabash Ave, Chicago, Illinois 60604, USA
E-mail: {hhamed, ehab}@cs.depaul.edu
Abstract. Security policies play a critical role in many of the current network security technologies such as firewalls, IPSec and IDS devices. The configuration of these policies not only determines the functionality of such devices, but also substantially affects their performance. The optimization of filtering policy configuration is critically important to provide high performance packet filtering particularly for high speed network security.
Current packet filtering techniques exploit the characteristics of the filtering policies, but they do not consider the traffic behavior in optimizing their search data structures. This often results in impractically high space complexity, which undermines the performance gain offered by these techniques. Also, these techniques offer upper bounds for the worst case search times; nevertheless, the more common average case scenarios are not necessarily optimized. Moreover, the types of packet filtering fields used in most of these techniques are limited to IP header fields and cannot be generalized to cover transport and application layer filtering.
In this paper, we present a novel technique that utilizes Internet traffic characteristics to optimize the organization of firewall policies. The proposed technique timely adapts to the traffic conditions using actively calculated statistics to dynamically optimize the ordering of packet filtering rules. The rule importance in traffic matching as well as its dependency on other rules are both considered in our optimization algorithm.


Source: Al-Shaer, Ehab - School of Computer Science, Telecommunications and Information Systems, DePaul University


Collections: Computer Technologies and Information Sciences