TY - JOUR
T1 - Dynamic rule and rule-field optimisation for improving firewall performance and security
AU - Trabelsi, Zouheir
AU - Zhang, Liren
AU - Zeidan, Safaa
PY - 2014
Y1 - 2014
N2 - A novel approach is presented to improve firewall packet filtering by optimising the order of firewall rules for early packet acceptance as well as the order of rule-fields for early packet rejection. The proposed approach is based on the calculation of histograms of packets matching rules and of packets not matching rule-fields. These histograms make it possible to monitor firewall performance in real time and to predict the patterns of packet filtering in terms of rule order and rule-field order. Furthermore, the proposed approach becomes even more significant when the firewall is heavily loaded with burst traffic. A comparison of the proposed approach with conventional approaches, including the static rule order and dynamic rule order approaches, is presented. The numerical results obtained by simulation demonstrate that the proposed approach significantly improves firewall efficiency in terms of cumulative processing time compared to the conventional approaches. Furthermore, the proposed scheme can also significantly reduce the effect of many common network attacks on firewall performance.
UR - http://www.scopus.com/inward/record.url?scp=84902584649&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84902584649&partnerID=8YFLogxK
U2 - 10.1049/iet-ifs.2011.0146
DO - 10.1049/iet-ifs.2011.0146
M3 - Article
AN - SCOPUS:84902584649
SN - 1751-8709
VL - 8
SP - 250
EP - 257
JO - IET Information Security
JF - IET Information Security
IS - 4
ER -
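The abstract describes two optimisations: reordering rules so that frequently matched rules are tested first (early acceptance), and reordering the fields inside each rule so that the field most likely to fail is tested first (early rejection), both driven by histograms collected from live traffic. The following Python is an added illustration of that idea and is not the authors' code or simulator: the five-tuple rule set, the constructed traffic mix and the comparison counter are assumptions made here, and the check that a rule is never moved past an overlapping rule with a different action is a standard policy-preservation precaution added for safety; the abstract does not describe it.

```python
"""Histogram-driven rule-order and rule-field-order optimisation for a toy
packet filter.  Added worked example, not the paper's code.  Rules and
traffic below are constructed for the demonstration."""
from collections import Counter
import random

FIELDS = ("proto", "src", "dst", "sport", "dport")


class Rule:
    def __init__(self, name, action, **preds):
        self.name, self.action = name, action
        self.preds = {f: preds.get(f, "*") for f in FIELDS}  # missing => wildcard
        self.field_order = list(FIELDS)      # order in which fields are tested
        self.hits = 0                         # histogram: packets this rule matched
        self.field_misses = Counter()         # histogram: packets each field rejected

    def overlaps(self, other):
        return all(self.preds[f] == "*" or other.preds[f] == "*"
                   or self.preds[f] == other.preds[f] for f in FIELDS)

    def conflicts(self, other):
        # Swapping two overlapping rules with different actions changes the policy.
        return self.action != other.action and self.overlaps(other)


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)   # last rule is the catch-all
        self.comparisons = 0       # cost metric: field comparisons performed

    def filter(self, pkt, learn=False):
        for rule in self.rules:
            matched = True
            for f in rule.field_order:
                if rule.preds[f] == "*":
                    continue               # wildcards cost nothing
                self.comparisons += 1
                if rule.preds[f] != pkt[f]:
                    matched = False
                    if learn:
                        rule.field_misses[f] += 1   # count every failing field
                    else:
                        break                       # early rejection of this rule
            if matched:
                if learn:
                    rule.hits += 1
                return rule.action
        raise RuntimeError("rule set has no catch-all rule")

    def optimise(self):
        # Early rejection: test the field that most often fails first.
        for rule in self.rules:
            rule.field_order.sort(key=lambda f: -rule.field_misses[f])
        # Early acceptance: bubble frequently hit rules upward, but never swap a
        # pair that overlaps with different actions (assumed safety check).
        rules, changed = self.rules, True
        while changed:
            changed = False
            for i in range(len(rules) - 1):
                a, b = rules[i], rules[i + 1]
                if b.hits > a.hits and not a.conflicts(b):
                    rules[i], rules[i + 1] = b, a
                    changed = True


def build_rules():
    return [Rule("dns-out", "accept", proto="udp", dst="10.0.0.53", dport=53),
            Rule("ssh-admin", "accept", proto="tcp", src="10.0.0.5", dport=22),
            Rule("block-ssh", "deny", proto="tcp", dport=22),
            Rule("http", "accept", proto="tcp", dport=80),
            Rule("https", "accept", proto="tcp", dport=443),
            Rule("default", "deny")]


def sample_traffic(n=2000, seed=1):
    """Constructed traffic mix: mostly HTTPS, some HTTP/DNS, SSH attempts, scan noise."""
    rng = random.Random(seed)
    hosts = ["10.0.0.%d" % i for i in range(1, 20)]
    pkts = []
    for _ in range(n):
        r, src, sport = rng.random(), rng.choice(hosts), rng.randint(1024, 65535)
        if r < 0.60:
            pkts.append(dict(proto="tcp", src=src, dst="203.0.113.10", sport=sport, dport=443))
        elif r < 0.80:
            pkts.append(dict(proto="tcp", src=src, dst="203.0.113.10", sport=sport, dport=80))
        elif r < 0.90:
            pkts.append(dict(proto="udp", src=src, dst="10.0.0.53", sport=sport, dport=53))
        elif r < 0.97:
            pkts.append(dict(proto="tcp", src=src, dst="10.0.0.1", sport=sport, dport=22))
        else:
            pkts.append(dict(proto="tcp", src=src, dst="10.0.0.1", sport=sport,
                             dport=rng.choice([23, 445, 3389])))
    return pkts


def run_experiment(pkts=None):
    pkts = pkts or sample_traffic()
    fw = Firewall(build_rules())
    before = [fw.filter(p) for p in pkts]          # baseline cost, static order
    cost_before, fw.comparisons = fw.comparisons, 0
    for p in pkts:                                  # learning pass builds histograms
        fw.filter(p, learn=True)
    fw.optimise()
    fw.comparisons = 0
    after = [fw.filter(p) for p in pkts]           # cost with optimised orders
    return {"before": cost_before, "after": fw.comparisons,
            "same_decisions": before == after,
            "rule_order": [r.name for r in fw.rules],
            "field_order": {r.name: r.field_order for r in fw.rules}}


if __name__ == "__main__":
    print(run_experiment())
```

The learning pass evaluates every field of a non-matching rule rather than stopping at the first miss, so the field histogram is not biased by the order in force while it was collected; a production implementation would instead sample the short-circuited path continuously and age the counters. The adjacent-swap loop only ever exchanges two rules that either do not overlap or share an action, so the policy decision for every packet is unchanged, which the experiment verifies by comparing the decisions before and after optimisation.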