L. Zhao, A. Shimae, and H. Nagamochi (Japan)
firewall, packet filter, firewall optimization, linear search, packet filtering, network security
Given a list of filtering rules with individual hitting prob abilities, it is known that the average processing time of a linear-search based firewall can be minimized by searching rules in some appropriate order. This paper proposes a new yet simple technique called the linear-tree structure. It uti lizes an advanced feature of modern firewalls, the “goto” like statement, to transform the given rule list into a rule set that is functionally equivalent to the original but orga nized in a more efficient structure. We show it is possible to achieve much more improvement than previous, rule reordering based studies. To demonstrate this, we study by both simulation experiment and test with real firewall.
Important Links:
Go Back
