An improvement of tree-Rule firewall for a large network: supporting large rule size and low delay

Thawatchai Chomsiri; Xiangjian He; Priyadarsi Nanda; Zhiyuan Tan

doi:10.1109/TrustCom.2016.0061

An improvement of tree-Rule firewall for a large network: supporting large rule size and low delay

Thawatchai Chomsiri, Xiangjian He, Priyadarsi Nanda, Zhiyuan Tan

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

1 Citation (Scopus)

Abstract

Firewalls are important network devices which provide first hand defense against network threat. This level of defense is depended on firewall rules. Traditional firewalls, i.e., Cisco ACL, IPTABLES, Check Point and Juniper NetScreen firewall use listed rule to regulate packet flows. However, the listed rules may lead to rule conflictions which make the firewall to be less secure or even slowdown in performance. Based on our previous research works, we proposed the Tree-Rule firewall which does not encounter such rule conflicts within its rule set and operates faster than the traditional firewalls. However, in big or complex networks, the Tree-Rule firewall still may face two main problems. 1. Firewall administrators may face difficulty to write big and complex rule. 2. Difficulty to select appropriate attribute column for the Root node. In this paper, we propose an improved model for the Tree-Rule firewall by extending our previous models. We offer the use of combination between IN and OUT interfaces of the firewall to separate a big rule to many small independent rules. Each separated rule then can be managed in an individual screen. Sequence of verifying attributes, i.e., Source IP, Destination IP and Destination Port numbers, can be ordered independently in each separated rule. We implement the two main schemes on Linux Cent OS 6.3. We found that the improved Tree-Rule firewall can be managed easily with low processing delay.

Original language	Undefined
Title of host publication	15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications
Place of Publication	USA
Publisher	IEEE Computer Society
Pages	178-184
Number of pages	7
DOIs	https://doi.org/10.1109/TrustCom.2016.0061
Publication status	Published - Aug 2016
Event	15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications 2016 - Tianjin University, Tianjin, China Duration: 23 Aug 2016 → 26 Aug 2016 Conference number: 15

Publication series

Name
Publisher	IEEE Computer Society

Conference

Conference	15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications 2016
Abbreviated title	TrustCom 2016
Country/Territory	China
City	Tianjin
Period	23/08/16 → 26/08/16

Keywords

SCS-Cybersecurity
Large Rule Size
EWI-27065
Firewall
IR-100643
Low Delay
Tree-Rule firewall
METIS-317222
Network Security

Access to Document

10.1109/TrustCom.2016.0061

http://eprints.eemcs.utwente.nl/secure2/27065/01/TrustCom_2016-06-27.pdf

Cite this

@inproceedings{6f23290efb8940498a53ab11b195f6fa,

title = "An improvement of tree-Rule firewall for a large network: supporting large rule size and low delay",

abstract = "Firewalls are important network devices which provide first hand defense against network threat. This level of defense is depended on firewall rules. Traditional firewalls, i.e., Cisco ACL, IPTABLES, Check Point and Juniper NetScreen firewall use listed rule to regulate packet flows. However, the listed rules may lead to rule conflictions which make the firewall to be less secure or even slowdown in performance. Based on our previous research works, we proposed the Tree-Rule firewall which does not encounter such rule conflicts within its rule set and operates faster than the traditional firewalls. However, in big or complex networks, the Tree-Rule firewall still may face two main problems. 1. Firewall administrators may face difficulty to write big and complex rule. 2. Difficulty to select appropriate attribute column for the Root node. In this paper, we propose an improved model for the Tree-Rule firewall by extending our previous models. We offer the use of combination between IN and OUT interfaces of the firewall to separate a big rule to many small independent rules. Each separated rule then can be managed in an individual screen. Sequence of verifying attributes, i.e., Source IP, Destination IP and Destination Port numbers, can be ordered independently in each separated rule. We implement the two main schemes on Linux Cent OS 6.3. We found that the improved Tree-Rule firewall can be managed easily with low processing delay.",

keywords = "SCS-Cybersecurity, Large Rule Size, EWI-27065, Firewall, IR-100643, Low Delay, Tree-Rule firewall, METIS-317222, Network Security",

author = "Thawatchai Chomsiri and Xiangjian He and Priyadarsi Nanda and Zhiyuan Tan",

note = "eemcs-eprint-27065 ; null ; Conference date: 23-08-2016 Through 26-08-2016",

year = "2016",

month = aug,

doi = "10.1109/TrustCom.2016.0061",

language = "Undefined",

publisher = "IEEE Computer Society",

pages = "178--184",

booktitle = "15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications",

address = "United States",

}

Chomsiri, T, He, X, Nanda, P & Tan, Z 2016, An improvement of tree-Rule firewall for a large network: supporting large rule size and low delay. in 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications. IEEE Computer Society, USA, pp. 178-184, 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications 2016, Tianjin, China, 23/08/16. https://doi.org/10.1109/TrustCom.2016.0061

An improvement of tree-Rule firewall for a large network: supporting large rule size and low delay. / Chomsiri, Thawatchai; He, Xiangjian; Nanda, Priyadarsi; Tan, Zhiyuan.

15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications. USA : IEEE Computer Society, 2016. p. 178-184.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - An improvement of tree-Rule firewall for a large network: supporting large rule size and low delay

AU - Chomsiri, Thawatchai

AU - He, Xiangjian

AU - Nanda, Priyadarsi

AU - Tan, Zhiyuan

N1 - Conference code: 15

PY - 2016/8

Y1 - 2016/8

N2 - Firewalls are important network devices which provide first hand defense against network threat. This level of defense is depended on firewall rules. Traditional firewalls, i.e., Cisco ACL, IPTABLES, Check Point and Juniper NetScreen firewall use listed rule to regulate packet flows. However, the listed rules may lead to rule conflictions which make the firewall to be less secure or even slowdown in performance. Based on our previous research works, we proposed the Tree-Rule firewall which does not encounter such rule conflicts within its rule set and operates faster than the traditional firewalls. However, in big or complex networks, the Tree-Rule firewall still may face two main problems. 1. Firewall administrators may face difficulty to write big and complex rule. 2. Difficulty to select appropriate attribute column for the Root node. In this paper, we propose an improved model for the Tree-Rule firewall by extending our previous models. We offer the use of combination between IN and OUT interfaces of the firewall to separate a big rule to many small independent rules. Each separated rule then can be managed in an individual screen. Sequence of verifying attributes, i.e., Source IP, Destination IP and Destination Port numbers, can be ordered independently in each separated rule. We implement the two main schemes on Linux Cent OS 6.3. We found that the improved Tree-Rule firewall can be managed easily with low processing delay.

AB - Firewalls are important network devices which provide first hand defense against network threat. This level of defense is depended on firewall rules. Traditional firewalls, i.e., Cisco ACL, IPTABLES, Check Point and Juniper NetScreen firewall use listed rule to regulate packet flows. However, the listed rules may lead to rule conflictions which make the firewall to be less secure or even slowdown in performance. Based on our previous research works, we proposed the Tree-Rule firewall which does not encounter such rule conflicts within its rule set and operates faster than the traditional firewalls. However, in big or complex networks, the Tree-Rule firewall still may face two main problems. 1. Firewall administrators may face difficulty to write big and complex rule. 2. Difficulty to select appropriate attribute column for the Root node. In this paper, we propose an improved model for the Tree-Rule firewall by extending our previous models. We offer the use of combination between IN and OUT interfaces of the firewall to separate a big rule to many small independent rules. Each separated rule then can be managed in an individual screen. Sequence of verifying attributes, i.e., Source IP, Destination IP and Destination Port numbers, can be ordered independently in each separated rule. We implement the two main schemes on Linux Cent OS 6.3. We found that the improved Tree-Rule firewall can be managed easily with low processing delay.

KW - SCS-Cybersecurity

KW - Large Rule Size

KW - EWI-27065

KW - Firewall

KW - IR-100643

KW - Low Delay

KW - Tree-Rule firewall

KW - METIS-317222

KW - Network Security

U2 - 10.1109/TrustCom.2016.0061

DO - 10.1109/TrustCom.2016.0061

M3 - Conference contribution

SP - 178

EP - 184

BT - 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications

PB - IEEE Computer Society

CY - USA

Y2 - 23 August 2016 through 26 August 2016

ER -