FFF: Fast Firewall Framework to Enhance Rule Verifying over High-speed Networks
Abstract
Traffic on computer networks is growing exponentially, and network firewalls bear the cost because they must continuously filter massive volumes of data. In this paper, we implement a firewall framework designed to increase traffic-processing speed, named the Fast Firewall Framework (FFF). FFF verifies rules in O(1) worst-case access time while consuming only O(n) bits of memory. To evaluate its effectiveness, we benchmark the proposed framework against the two fastest existing firewalls, IPSets and IPack, which represent the state of the art in open-source firewalls. The experimental results show that the Fast Firewall Framework executes rules faster than both and consumes less memory. In addition, the proposed framework has a simple structure, which makes it easier to implement.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.