
    A stateful mechanism for the tree-rule firewall

    © 2014 IEEE. In this paper, we propose a novel connection tracking mechanism for the Tree-rule firewall, which organizes firewall rules in a designated tree structure. A new firewall model based on the proposed connection tracking mechanism is then developed, extending the basic model of Netfilter's conntrack module, which has been used by many early-generation commercial and open-source firewalls, including iptables, the most popular firewall. To reduce memory consumption and processing time, the proposed model uses one node per connection instead of the two nodes used in the Netfilter model. In addition, we introduce an extended hash table with more hashing bits so that the firewall can accommodate more concurrent connections. Moreover, the model applies further techniques (such as using static information nodes and avoiding timer objects and memory management tasks) to improve its processing speed. Finally, we implement this model on Linux CentOS 6.3 and evaluate its speed. The experimental results show that our model performs more efficiently than Netfilter/iptables.

    Tree rule firewall

    University of Technology Sydney. Faculty of Engineering and Information Technology.

    A firewall is a network component that decides whether packets are accepted or denied. These decisions depend on the rule policy pre-defined by firewall administrators. In traditional firewalls, the rule policy is arranged as a list of rule lines, called a 'listed rule'. The listed rule causes three significant problems: speed, security, and user-friendliness. Speed problems occur because many packets match rules positioned near the bottom of the list, so the firewall wastes time comparing those packets against every rule above the matching one. Traditional firewalls also suffer from rule conflicts, e.g., shadowed rules: many rules written to block attacking packets are shadowed by rules above them and never block any packet, so dangerous packets originating outside can reach internal networks. Additionally, traditional firewalls lack user-friendly features, because administrators need considerable experience to write sufficiently efficient rules.

    This research proposes a novel firewall that uses a tree structure of rules to solve the above problems. In the proposed approach, firewall administrators design rules in tree format, and the firewall's core processor then processes packets according to that format. The tree structure is the same in both the user's view and the firewall's view. Packets are verified against the tree-shaped rule, called a 'tree rule'. To decide a packet, searching the tree rule is faster than searching the listed rule of traditional firewalls, because searching a tree is faster than sequentially searching an array. Moreover, rule conflicts are eradicated, since each packet is verified against its corresponding 'rule path' in the tree rule. This avoids rule conflicts and shadowed rules, so security problems caused by shadowed rules cannot occur in the tree-rule firewall. Administrators can also create rules more easily with the GUI (Graphical User Interface) rule editor: they design a tree rule by creating nodes and links, where each node contains ranges of IP addresses or ports, and the GUI sorts the data inside nodes automatically and maintains the consistency of the rule. Therefore, the Tree-Rule firewall provides faster operation, better security, and easier use than traditional Listed-Rule firewalls.
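To make the two abstract claims concrete (a listed rule is evaluated top-down and a later blocking rule can be shadowed; a tree rule is walked along one path of sorted, non-overlapping ranges), here is an added example in Python. It is not code from either paper or from the University of Technology Sydney project; the field order (destination, destination port, source), the `Node` and `ListedRule` shapes, the per-node `default` decision, and the sample rules and packet headers are all assumptions constructed for illustration. The shadowing check is the simplified single-rule containment test; it does not detect a rule shadowed only by the union of several earlier rules.

```python
from bisect import bisect_right
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Tuple, Union

Range = Tuple[int, int]   # inclusive lower/upper bound of a header field value
Packet = Dict[str, int]   # constructed packet header: keys 'src', 'dst', 'dport'

ANY_IP = (0, 2 ** 32 - 1)
ANY_PORT = (1, 65535)


def net(cidr: str) -> Range:
    """CIDR block -> inclusive integer address range."""
    n = IPv4Network(cidr)
    return (int(n.network_address), int(n.broadcast_address))


def port(lo: int, hi: int = None) -> Range:
    return (lo, lo if hi is None else hi)


def mk(src: str, dst: str, dport: int) -> Packet:
    """Build a constructed packet header for the examples below."""
    return {"src": int(IPv4Address(src)), "dst": int(IPv4Address(dst)), "dport": dport}


# ---- listed-rule firewall (traditional, first match wins) -------------------

@dataclass
class ListedRule:
    src: Range
    dst: Range
    dport: Range
    action: str


def _inside(v: int, r: Range) -> bool:
    return r[0] <= v <= r[1]


def listed_decide(rules: List[ListedRule], pkt: Packet, default: str = "DENY"):
    """Sequential evaluation; returns (action, number of rules examined)."""
    for i, r in enumerate(rules, 1):
        if _inside(pkt["src"], r.src) and _inside(pkt["dst"], r.dst) and _inside(pkt["dport"], r.dport):
            return r.action, i
    return default, len(rules)


def _contains(outer: Range, inner: Range) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def shadowed_rules(rules: List[ListedRule]) -> List[int]:
    """0-based indices of rules whose whole match space lies inside one earlier
    rule, so they can never match (simplified single-rule shadowing check)."""
    out = []
    for i, r in enumerate(rules):
        if any(_contains(e.src, r.src) and _contains(e.dst, r.dst) and _contains(e.dport, r.dport)
               for e in rules[:i]):
            out.append(i)
    return out


# ---- tree-rule firewall (one rule path per packet) ---------------------------

@dataclass
class Node:
    key: str                                                     # header field tested here
    branches: List[Tuple[int, int, Union["Node", str]]] = field(default_factory=list)
    default: str = "DENY"                                        # value falls in no range

    def __post_init__(self):
        # Keep ranges sorted and non-overlapping, as the paper's GUI editor does;
        # this is what guarantees exactly one path (and no shadowing) per packet.
        self.branches.sort(key=lambda b: b[0])
        for (_, hi, _), (lo2, _, _) in zip(self.branches, self.branches[1:]):
            if lo2 <= hi:
                raise ValueError(f"overlapping ranges in node {self.key!r}")
        self._starts = [b[0] for b in self.branches]


def tree_decide(node: Union[Node, str], pkt: Packet):
    """Walk the single rule path; returns (action, number of nodes visited)."""
    visited = 0
    while isinstance(node, Node):
        visited += 1
        v = pkt[node.key]
        i = bisect_right(node._starts, v) - 1          # binary search on sorted range starts
        if i >= 0 and node.branches[i][1] >= v:
            node = node.branches[i][2]
        else:
            return node.default, visited
    return node, visited


# Constructed policy: open low ports on 10.0.0.0/24 to everyone, but block telnet
# from 203.0.113.0/24. In the listed form the blocking rule sits below a broader
# ACCEPT and is shadowed; in the tree form the same intent is unambiguous.
LISTED = [
    ListedRule(ANY_IP, net("10.0.0.0/24"), port(1, 1024), "ACCEPT"),
    ListedRule(net("203.0.113.0/24"), net("10.0.0.0/24"), port(23), "DENY"),
]

TREE = Node("dst", [
    (*net("10.0.0.0/24"), Node("dport", [
        (1, 22, "ACCEPT"),
        (23, 23, Node("src", [(*net("203.0.113.0/24"), "DENY")], default="ACCEPT")),
        (24, 1024, "ACCEPT"),
    ])),
])

TELNET_FROM_BLOCKED = mk("203.0.113.5", "10.0.0.7", 23)
WEB_FROM_ELSEWHERE = mk("198.51.100.9", "10.0.0.7", 80)

if __name__ == "__main__":
    print("shadowed listed rules:", shadowed_rules(LISTED))
    for name, pkt in [("telnet", TELNET_FROM_BLOCKED), ("web", WEB_FROM_ELSEWHERE)]:
        print(name, "listed:", listed_decide(LISTED, pkt), "tree:", tree_decide(TREE, pkt))
```

Running the block shows the shadowed DENY rule (index 1) letting the telnet packet through under first-match evaluation, while the tree walk reaches the DENY leaf after three node visits; the `Node` constructor rejects overlapping ranges, which is the consistency property the abstract attributes to the GUI rule editor.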