An improvement of tree-Rule firewall for a large network: supporting large rule size and low delay

Thawatchai Chomsiri, Xiangjian He, Priyadarsi Nanda, Zhiyuan Tan

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

    1 Citation (Scopus)

    Abstract

    Firewalls are important network devices that provide the first line of defense against network threats. This level of defense depends on the firewall rules. Traditional firewalls, such as Cisco ACL, IPTABLES, Check Point and Juniper NetScreen, use listed rules to regulate packet flows. However, listed rules may lead to rule conflicts, which make the firewall less secure or even slow down its performance. Based on our previous research, we proposed the Tree-Rule firewall, which does not encounter such rule conflicts within its rule set and operates faster than traditional firewalls. However, in big or complex networks, the Tree-Rule firewall may still face two main problems: (1) firewall administrators may find it difficult to write big and complex rules, and (2) it is difficult to select an appropriate attribute column for the Root node. In this paper, we propose an improved model for the Tree-Rule firewall by extending our previous models. We use the combination of the IN and OUT interfaces of the firewall to separate a big rule into many small, independent rules. Each separated rule can then be managed on an individual screen. The sequence in which attributes are verified, i.e., Source IP, Destination IP and Destination Port number, can be ordered independently in each separated rule. We implement the two main schemes on Linux CentOS 6.3. We found that the improved Tree-Rule firewall can be managed easily with low processing delay.
    Original language: Undefined
    Title of host publication: 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications
    Place of publication: USA
    Publisher: IEEE Computer Society
    Pages: 178-184
    Number of pages: 7
    DOI: 10.1109/TrustCom.2016.0061
    Publication status: Published - Aug 2016
    Event: 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications 2016 - Tianjin University, Tianjin, China
    Duration: 23 Aug 2016 to 26 Aug 2016
    Conference number: 15

    Publication series

    Publisher: IEEE Computer Society

    Conference

    Conference: 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications 2016
    Abbreviated title: TrustCom 2016
    Country: China
    City: Tianjin
    Period: 23/08/16 to 26/08/16

    Keywords

    • SCS-Cybersecurity
    • Large Rule Size
    • EWI-27065
    • Firewall
    • IR-100643
    • Low Delay
    • Tree-Rule firewall
    • METIS-317222
    • Network Security

    Cite this

    Chomsiri, T., He, X., Nanda, P., & Tan, Z. (2016). An improvement of tree-Rule firewall for a large network: supporting large rule size and low delay. In 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (pp. 178-184). USA: IEEE Computer Society. https://doi.org/10.1109/TrustCom.2016.0061