An Improvement of Tree-Rule Firewall for a Large Network: Supporting Large Rule Size and Low Delay

Chomsiri, Thawatchai; He, Xiangjian; Nanda, Priyadarsi; Tan, Zhiyuan


Abstract

Firewalls were invented in the 1990s [1] and have been developed to operate more securely and faster. From the first era of firewalls until today, they still regulate packets based on a listed rule set. The listed rule set is a sequence of rules, each consisting of a condition and an action. If an incoming packet's information, i.e., source IP, destination IP and destination port, matches the condition, the packet is accepted or denied according to the action specified in that rule. In the listed rule set of a traditional firewall, there may be shadowed rules [2] or redundant rules, which make the firewall operate slower because it wastes operational time verifying packets against these rules. Moreover, shadowed rules can cause security problems because protection rules can be shadowed by other rules above them. These problems of traditional firewalls were identified and published in our previous research [3]. In [4], we proposed a new type of firewall called the 'Tree-Rule firewall', and proved that it can offer fewer rule conflicts and operate faster than the traditional firewall. However, the first version of the Tree-Rule firewall [4] works as a packet-filtering firewall, not a stateful firewall. Consequently, we then proposed a stateful mechanism [5] providing more security for networks. We also proposed the 'Hybrid Tree-Rule firewall' [6], which reduces processing time in verifying packets. The Hybrid Tree-Rule firewall applies the concepts of the Tree-Rule firewall in designing conflict-free rules and the concepts of the traditional firewall in decision making. However, for a large network consisting of many servers, open ports, user groups and network branches, the Tree-Rule firewalls shown in [4]–[6] also require a big set of rules. Therefore, in this paper, we propose solutions for these problems. We first introduce background, previous work and problems in Section II. We then explain the details of our approach in Section III. In Section IV, we describe the implementation of our proposed scheme and conduct several experiments. Finally, we conclude this paper in Section V along with future directions for our research.
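The abstract's point about listed rules is that first-match evaluation makes a later rule unreachable when an earlier rule already matches everything it matches: with a different action the later rule is shadowed (a protection rule is silently defeated), with the same action it is redundant (the match only costs time). The following is an added example, not code from the paper or its authors, that evaluates a listed rule set first-match and flags both cases. It assumes a simplified rule model (source network, destination network, inclusive destination-port range, action) and the simplified pairwise definition just stated, where a single earlier rule covers the later one; the rule list is constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """Simplified listed-firewall rule (assumed model, not the paper's)."""
    src: str                 # source network in CIDR form
    dst: str                 # destination network in CIDR form
    dports: Tuple[int, int]  # inclusive destination-port range
    action: str              # "accept" or "deny"

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.dports[0] <= dport <= self.dports[1])

    def covers(self, other: "Rule") -> bool:
        """True when every packet matched by `other` is also matched by self."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.dports[0] <= other.dports[0]
                and other.dports[1] <= self.dports[1])


def decide(rules: List[Rule], src_ip: str, dst_ip: str, dport: int,
           default: str = "deny") -> Tuple[str, Optional[int]]:
    """First-match evaluation as in a listed-rule firewall.

    Returns (action, index of the rule that fired), or (default, None)
    when no rule matches.
    """
    for i, rule in enumerate(rules):
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action, i
    return default, None


def find_anomalies(rules: List[Rule]) -> Tuple[List[Tuple[int, int]], List[Tuple[int, int]]]:
    """Pairwise check: a later rule fully covered by an earlier one never fires.

    Returns (shadowed, redundant), each a list of (later_index, earlier_index):
      - different action -> shadowed: the later (often protective) rule is defeated;
      - same action      -> redundant: the rule only costs matching time.
    """
    shadowed, redundant = [], []
    for j, later in enumerate(rules):
        for i in range(j):
            if rules[i].covers(later):
                target = redundant if rules[i].action == later.action else shadowed
                target.append((j, i))
                break  # the first covering rule is the one that hides it
    return shadowed, redundant


# Constructed sample rule list for illustration (not from the paper).
RULES = [
    Rule("0.0.0.0/0",      "10.0.0.0/24",  (80, 80),   "accept"),  # 0: web to DMZ
    Rule("192.168.1.0/24", "10.0.0.10/32", (22, 22),   "accept"),  # 1: LAN admins may SSH to host
    Rule("192.168.1.0/24", "10.0.0.0/24",  (1, 1024),  "deny"),    # 2: block other LAN->DMZ low ports
    Rule("192.168.1.5/32", "10.0.0.10/32", (22, 22),   "deny"),    # 3: intended block, shadowed by 1
    Rule("0.0.0.0/0",      "10.0.0.0/25",  (80, 80),   "accept"),  # 4: redundant with 0
]


if __name__ == "__main__":
    shadowed, redundant = find_anomalies(RULES)
    print("shadowed  (later, earlier):", shadowed)
    print("redundant (later, earlier):", redundant)
    # The shadowed deny for 192.168.1.5 never takes effect: rule 1 fires first.
    print(decide(RULES, "192.168.1.5", "10.0.0.10", 22))
```

Running the module reports rule 3 as shadowed by rule 1 and rule 4 as redundant with rule 0, and shows that a packet from 192.168.1.5 to port 22 on 10.0.0.10 is accepted by rule 1 even though rule 3 was written to deny it, which is exactly the failure the abstract describes. Pairwise coverage is a deliberate simplification: a rule can also be shadowed by the union of several earlier rules, which this check does not detect.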

Presentation Conference Type: Conference Paper (Published)
Conference Name: 2016 IEEE Trustcom/BigDataSE/ISPA
Start Date: Aug 23, 2016
End Date: Aug 26, 2016
Acceptance Date: Jun 6, 2016
Online Publication Date: Feb 9, 2017
Publication Date: Feb 9, 2017
Deposit Date: Jun 14, 2017
Publisher: Institute of Electrical and Electronics Engineers
Pages: 178-184
Series ISSN: 2324-9013
Book Title: 2016 IEEE Trustcom/BigDataSE/ISPA
Chapter Number: NA
ISBN: 9781509032051
DOI: https://doi.org/10.1109/trustcom.2016.0061
Keywords: Low Delay, firewall, Tree-Rule firewall, network security, large rule size
Public URL: http://researchrepository.napier.ac.uk/Output/946959