A stateful mechanism for the tree-rule firewall

Thawatchai Chomsiri, Xiangjian He, Priyadarsi Nanda, Zhiyuan Tan

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution > Academic > peer-review

7 Citations (Scopus)
24 Downloads (Pure)

Abstract

In this paper, we propose a novel connection tracking mechanism for the Tree-rule firewall, which organizes firewall rules in a designated tree structure. A new firewall model based on the proposed connection tracking mechanism is then developed as an extension of the basic model of Netfilter's conntrack module, which has been used by many early-generation commercial and open source firewalls, including iptables, the most popular firewall. To reduce memory consumption and processing time, our proposed model uses one node per connection instead of the two nodes (one per direction) used in the Netfilter model. In addition, we introduce an extended hash table with more hashing bits in our firewall model in order to accommodate more concurrent connections. Moreover, our model applies further techniques (such as using static information nodes and avoiding timer objects and dynamic memory management tasks) to improve its processing speed. Finally, we implement this model on Linux CentOS 6.3 and evaluate its speed. The experimental results show that our model performs more efficiently than Netfilter/iptables.
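The abstract describes three design choices without showing them: one node per connection (rather than Netfilter's separate original- and reply-direction tuple entries), a hash table whose size is fixed by a number of hashing bits, and expiry without per-connection timer objects. The following is an added illustration written for this page, not code from the paper or from Netfilter. It obtains the one-node property by keying each connection on a direction-independent canonical 5-tuple, so a packet in either direction hashes to the same node; expiry is done lazily on lookup (and by an optional sweep) instead of with timers. The `rule_allows_new` callback stands in for the Tree-rule lookup, whose structure the page does not describe, and `hash_bits` and `idle_timeout` are illustrative parameters rather than values from the paper.

```python
import zlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Endpoint = Tuple[str, int]            # (ip, port)
Key = Tuple[int, Endpoint, Endpoint]  # (proto, lower endpoint, higher endpoint)


@dataclass
class ConnNode:
    """One tracking node per connection, shared by both directions."""
    key: Key
    orig_src: Endpoint   # who opened the connection; decides direction later
    created: float
    last_seen: float
    packets: int = 0


def canonical_key(proto: int, src: Endpoint, dst: Endpoint) -> Key:
    """Direction-independent key: (proto, min(endpoints), max(endpoints)).

    Forward and reply packets of the same flow produce the same key, so the
    table needs a single node where Netfilter keeps an ORIGINAL and a REPLY
    tuple entry (illustrative assumption about how to get one node per flow).
    """
    a, b = (src, dst) if src <= dst else (dst, src)
    return (proto, a, b)


class ConnTable:
    """Hash table of connection nodes; bucket count is 2**hash_bits."""

    def __init__(self, hash_bits: int = 20, idle_timeout: float = 60.0):
        self.mask = (1 << hash_bits) - 1
        self.idle_timeout = idle_timeout
        self.buckets: Dict[int, Dict[Key, ConnNode]] = {}

    def _bucket_index(self, key: Key) -> int:
        # Deterministic hash masked down to hash_bits (more bits -> fewer collisions).
        return zlib.crc32(repr(key).encode()) & self.mask

    def find(self, key: Key, now: float) -> Optional[ConnNode]:
        """Return the live node for key, dropping it first if it has gone idle.

        Lazy expiry on touch replaces per-connection timer objects.
        """
        bucket = self.buckets.get(self._bucket_index(key))
        if bucket is None:
            return None
        node = bucket.get(key)
        if node is not None and now - node.last_seen > self.idle_timeout:
            del bucket[key]
            return None
        return node

    def create(self, key: Key, src: Endpoint, now: float) -> ConnNode:
        node = ConnNode(key=key, orig_src=src, created=now, last_seen=now)
        self.buckets.setdefault(self._bucket_index(key), {})[key] = node
        return node

    def evict_expired(self, now: float) -> int:
        """Optional periodic sweep; returns number of idle nodes removed."""
        removed = 0
        for bucket in self.buckets.values():
            stale = [k for k, n in bucket.items() if now - n.last_seen > self.idle_timeout]
            for k in stale:
                del bucket[k]
                removed += 1
        return removed

    def __len__(self) -> int:
        return sum(len(b) for b in self.buckets.values())


def process_packet(table: ConnTable, proto: int, src: Endpoint, dst: Endpoint,
                   now: float,
                   rule_allows_new: Callable[[int, Endpoint, Endpoint], bool]) -> Tuple[str, str]:
    """Stateful verdict: established flows pass in both directions without a
    rule lookup; only the first packet of a flow is checked against the rules.
    Returns (verdict, direction)."""
    key = canonical_key(proto, src, dst)
    node = table.find(key, now)
    if node is not None:
        node.last_seen = now
        node.packets += 1
        direction = "original" if src == node.orig_src else "reply"
        return "ACCEPT_ESTABLISHED", direction
    if rule_allows_new(proto, src, dst):
        node = table.create(key, src, now)
        node.packets = 1
        return "ACCEPT_NEW", "original"
    return "DROP", "original"


if __name__ == "__main__":
    # Constructed sample traffic: a client opening an HTTP connection.
    table = ConnTable(hash_bits=16, idle_timeout=30.0)
    allow_http = lambda proto, src, dst: proto == 6 and dst[1] == 80
    client, server = ("10.0.0.5", 40000), ("93.184.216.34", 80)
    print(process_packet(table, 6, client, server, 0.0, allow_http))  # ('ACCEPT_NEW', 'original')
    print(process_packet(table, 6, server, client, 0.1, allow_http))  # ('ACCEPT_ESTABLISHED', 'reply')
    print(len(table))                                                 # 1
```

The reply packet is accepted because it finds the node created by the client's SYN, not because any rule permits traffic from port 80; an unsolicited packet from the server to a different client port has no node and falls through to the rules, which drop it. The table's memory footprint is one `ConnNode` per flow regardless of direction, which is the saving the abstract claims over two tuple entries per flow.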
Original language: English
Title of host publication: 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2014
Place of publication: USA
Publisher: IEEE Computer Society
Pages: 122-129
Number of pages: 8
ISBN (Electronic): 978-1-4799-6513-7
ISBN (Print): 978-1-4799-6514-4
DOI: 10.1109/TrustCom.2014.20
Publication status: Published - 19 Jan 2015
Externally published: Yes
Event: 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications 2014 - Future Internet Technology (FIT) Building, Tsinghua University, Beijing, China
Duration: 24 Sep 2014 - 26 Sep 2014
Conference number: 13
Internet address: http://www.greenorbs.org/TrustCom2014/

Publication series

Name
Publisher: IEEE Computer Society

Conference

Conference: 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications 2014
Abbreviated title: TrustCom 2014
Country: China
City: Beijing
Period: 24/09/14 - 26/09/14
Internet address: http://www.greenorbs.org/TrustCom2014/

Keywords

  • EWI-25642
  • SCS-Cybersecurity
  • Stateful firewall
  • IR-93920
  • METIS-309858
  • Firewall
  • Network Security
  • Tree-Rule firewall
  • Connection Tracking


Cite this

    Chomsiri, T., He, X., Nanda, P., & Tan, Z. (2015). A stateful mechanism for the tree-rule firewall. In 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2014 (pp. 122-129). USA: IEEE Computer Society. https://doi.org/10.1109/TrustCom.2014.20