DocumentCode :
66727
Title :
Dynamic rule and rule-field optimisation for improving firewall performance and security
Author :
Trabelsi, Z. ; Zhang, Leiqi ; Zeidan, Safaa
Author_Institution :
Coll. of Inf. Technol., UAE Univ., Al-Ain, United Arab Emirates
Volume :
8
Issue :
4
fYear :
2014
fDate :
Jul-14
Firstpage :
250
Lastpage :
257
Abstract :
A novel approach is presented to improve firewall packet filtering by optimising the order of firewall rules for early packet acceptance as well as the order of rule-fields for early packet rejection. The proposed approach is based on the calculation of histograms of packet-matching rules and of packet-non-matching rule-fields. These histograms effectively monitor firewall performance in real time and predict the patterns of packet filtering in terms of rule order and rule-field order. Furthermore, the proposed approach becomes even more significant when the firewall is heavily loaded with burst traffic. A comparison of the proposed approach with other conventional approaches, including the static rule order approach and the dynamic rule order approach, is presented. The numerical results obtained by simulation demonstrate that the proposed approach significantly improves firewall efficiency in terms of cumulative processing time compared with the other conventional approaches. Furthermore, the proposed scheme also significantly reduces the effect of many common network attacks on firewall performance.
Keywords :
IP networks; firewalls; optimisation; cumulative processing time; dynamic rule; dynamic rule order approach; early packet acceptance; early packet rejection; firewall packet filtering; firewall performance; firewall rules; network attacks; packet matching rule histogram; rule-field optimisation; security; static rule order approach;
fLanguage :
English
Journal_Title :
Information Security, IET
Publisher :
iet
ISSN :
1751-8709
Type :
jour
DOI :
10.1049/iet-ifs.2011.0146
Filename :
6842411