Dynamic Rule and Rule-Field Optimization for Improving Firewall Performance and Security
Zouheir Trabelsi, Liren Zhang and Safaa Zeidan Faculty of Information Technology
UAE University Al-Ain, UAE
{trabelsi, lzhang, safaa.z}@uaeu.ac.ae
Abstract. This paper presents a novel approach to improving firewall packet filtering by optimizing the order of firewall rules for early packet acceptance and the order of rule-fields for early packet rejection. The approach is based on histograms of packets matching rules and of packets not matching rule-fields. These histograms monitor firewall performance in real time and predict the pattern of packet filtering in terms of rule order and rule-field order. The approach becomes even more significant when the firewall is heavily loaded with bursty traffic. The proposed approach is compared with conventional approaches, including static rule ordering and dynamic rule ordering. Numerical results obtained by simulation show that the proposed approach significantly improves firewall efficiency in terms of cumulative processing time compared to the conventional approaches, and that it also significantly reduces the effect of many common network attacks on firewall performance.
Keywords: firewall early rejection, packet flow matching histogram, optimization of rules ordering, optimization of rule-fields ordering.
1. Introduction
The firewall is one of the most important components in today's IP network security architectures. In general, packet filtering in a firewall is based on a security policy consisting of a set of filtering rules; each rule is defined by a set of filtering fields and is associated with an action that either blocks the packet or forwards it to its destination. The last rule in the security policy is the default rule, which is assumed here to be "Deny".
Packet filtering is performed sequentially, starting from the first rule, until a matching rule is found. If no matching rule is found, the packet is processed by the default rule. Likewise, filtering within each individual rule is done sequentially, starting from the first field, until a non-matching field is found. If a packet matches all the fields of a rule, the packet is said to match that rule and its filtering is complete; otherwise it proceeds to the next rule. The computational cost of packet filtering therefore depends on the number of fields defined in each rule and on the depth at which the matching rule sits in the policy. Hence, the order of rules, the order of rule-fields, and the characteristics of the packet flows have a significant impact on the firewall's efficiency.
In addition, unwanted traffic that ends up at the default rule causes more harm than other traffic: every such packet is tested against every rule, so its overhead is proportional to the number of rules in the security policy. Such unwanted traffic can amount to a denial of service (DoS) attack and considerably degrade the firewall's performance. It is therefore important to reject such traffic as early as possible.
With the rapid development of broadband IP network infrastructure, it is important to support high-bandwidth and delay-sensitive services over the Internet, such as voice over IP, video streaming, Internet TV, interactive on-line games and high quality multimedia. From an end-to-end connectivity point of view, the packet flows of such services may need to pass through a number of firewalls between source and destination, in which case the cumulative delay due to multiple firewall packet filtering may become significant. The bursty nature of such applications makes this problem even more critical, especially when an application-level filtering policy is used in the firewall. Thus, packet filtering techniques need to be dynamically adjusted to match the characteristics of the packet flows in order to reduce the processing time of packet filtering. Efficient yet easy to implement packet filtering techniques that take into account the characteristics of the traffic flow, the order of rules and the order of rule-fields are a crucial issue in the design of firewalls.
In this paper, we propose an approach to optimize early packet acceptance and rejection by dynamically adjusting the rule and rule-field orders using the histograms of packets matching rules and of packets not matching rule-fields. A novel algorithm to calculate these histograms, in terms of packet matching and non-matching probabilities on a real-time segment basis, is presented. The approach uses the obtained histograms to predict the next optimized rule order and rule-field order. Compared to previous related work, the major contribution of this paper is that early acceptance and rejection are achieved by dynamically adjusting both the rule order and the rule-field orders to match the statistics of the packet flows, as measured by the histograms.
The paper is organized as follows: Section 2 discusses the related work. Section 3 presents the algorithm for
calculating the histograms of packet rule matching process and packet rule-fields matching process. Section 4
describes the optimization of the rules and rule-fields orders. Section 5 presents numerical results obtained from
experiments based on simulations, in order to evaluate the firewall performance for the proposed mechanism.
Finally, Section 6 concludes the paper.
2. Related Work
Since packet filtering in a firewall is done by sequentially searching the rule list until a match is found, the scalability of this search is generally poor: the search time is proportional to the policy size as well as to the order of the rules and the order of the fields within each rule. Packet filtering optimization has been studied extensively. The most relevant work focuses on improving search time using hardware-based solutions [6, 7], specialized data structures [5, 8, 9, 10, 11, 12], and heuristics [5]. Although this research has contributed significantly to packet classification, its main objective is to improve worst-case matching performance rather than to optimize the average case, because these approaches exploit only the characteristics of the filtering rules and not the effect of packet flow characteristics on the firewall's search time.
Several research works [1, 2, 4, 13, 14] focus on statistical firewall packet filtering approaches that improve the average packet filtering time. In [13], a technique called depth-constrained alphabetic trees is used to reduce lookup time by searching only packet destination IP addresses rather than the entries of the routing table. Its significance is limited, however, because it searches a single field with arbitrary statistics. By contrast, the research presented in [1, 2] maximizes the early rejection of unwanted flows without impacting other flows. This is done through a number of rejection rules that are examined before the real firewall policy; these rejection rules exploit the important traffic characteristics and minimize the average packet matching time. The candidate rejection rule list is built using a set cover approximation algorithm, and the rules are then periodically added or removed according to the performance gain or loss of each rule. This technique can be used to catch packet flows that would eventually hit the default rule after mismatching every single rule in the policy. Its weakness is that it does not scale with the number of fields and rules when used for Intrusion Detection Systems (IDSs), because one ends up with a large set of rejection rules to be checked before proceeding with the normal filtering process.
Search structures that take packet flow dynamics into account are introduced in [14] and [15]. To optimize firewall filtering policies using the characteristics of packet flows over the Internet, [16] presents an approach that actively calculates statistics based on traffic conditions and dynamically adjusts the order of the packet filtering rules, considering both rule matching patterns and the dependencies between rules. However, this work does not use histogram statistics of the packet flows, which makes it hard for the approach to handle the bursty nature of packet flows.
The Segments-Based Tree Search (STS) approach [4] uses bounded-depth Huffman trees to enhance the filtering process according to statistics collected from segments. However, this scheme may need large overheads for periodically maintaining the tree. To reduce these overheads, Segments-based List Search (SLS) [4] has been introduced. SLS suffers the most from DoS attacks because its worst case is much higher than its average, so SLS can be used only when traffic is in a steady state; if the firewall or IDS is close to its full computational capacity and the traffic behaviour is highly dynamic, STS is safer to use. The numerical results presented in [4] and [1] demonstrate that both SLS and STS are superior in performance and scalability to some other traffic-aware techniques such as Linear, Alpha-tree, DRO and DT-CB.
Other closely related traffic-aware techniques are presented in [17, 18, 20, 22]. The idea of early rejection was introduced in [2, 17, 18]. In [2] an approach named FVSC is proposed to optimize the rejection path; it uses a set cover approximation algorithm to construct early rejection rules from the common field values of the original security policy, which makes it suitable for smaller security policies with low diversity of field values. The PBER technique in [18] can be considered a generalization of FVSC [2], in the sense that FVSC focuses only on the rejection path while PBER finds short cuts for both accepted and rejected packets. In [18] the Boolean expression representing the policy acceptance space is implemented as a BDD tree, and according to traffic statistics a depth is chosen at which to truncate the BDD tree for faster evaluation. In [17], a binary search on prefix length algorithm is applied to every policy filtering field, together with splaying of the search tree nodes that handle early accepted packets; early rejection is done by keeping the minimum node at the root.left position. Even though SA-BSPL [17] uses the splay tree data structure, which adapts dynamically to traffic flows, no traffic statistics are involved in this technique.
The non-heuristic general framework for rule-based firewall optimization proposed in [20] captures the semantics of an ACL in terms of whether each packet is forwarded or denied, instead of profiling the rules to determine their importance as in [1]. In [21] the authors propose an architecture and algorithm to automatically adapt the configuration of packet filtering devices to traffic behaviour. Their ACO algorithm provides adaptive, conflict-free optimization of the security policy, in which each rule is given a probability rate and a cost weight.
Both [16] and [22] propose mechanisms for rule reordering. In a firewall security policy, rules may not be disjoint, so a packet may match multiple rules, of which the rule with the higher precedence is executed. Such rules are said to be dependent, and their relative order must be preserved, where a smaller rule order means higher precedence. In [16], the authors present a heuristic optimized rule ordering technique based on rule frequency and recency derived from traffic characteristics; the optimized rule ordering changes dynamically with the traffic flows. In [22], the proposed statistical model rebuilds the firewall security policy using the FDT algorithm, so that the newly derived security policy contains only disjoint rules; these rules are then ordered according to their frequencies, subject to a threshold qualification.
As the research works presented in [1 – 4] indicate, it is important to take the effects of traffic statistics into account when improving firewall performance.
3. Histogram of rule matching probability and field not matching probability
Consider a packet matching test in a firewall based on a security policy with N independent rules, excluding the default "Deny" rule, which has order N+1. Each rule consists of at most M fields, excluding the action field. An N×M matrix F represents the security policy, that is:

$$
F = \begin{bmatrix} R(1) \\ R(2) \\ \vdots \\ R(i) \\ \vdots \\ R(N) \end{bmatrix}
  = \begin{bmatrix}
      F(1,1) & F(1,2) & \cdots & F(1,j) & \cdots & F(1,M) \\
      F(2,1) & F(2,2) & \cdots & F(2,j) & \cdots & F(2,M) \\
      \vdots & \vdots &        & \vdots &        & \vdots \\
      F(i,1) & F(i,2) & \cdots & F(i,j) & \cdots & F(i,M) \\
      \vdots & \vdots &        & \vdots &        & \vdots \\
      F(N,1) & F(N,2) & \cdots & F(N,j) & \cdots & F(N,M)
    \end{bmatrix} \qquad (1)
$$

where $i \in \{1, 2, \dots, N\}$ and $j \in \{1, 2, \dots, M_i\}$ are the rule and field indices, respectively. Since the number of active fields defined by the security policy can vary from rule to rule, we assume that the non-active fields have a zero value and are not used for packet filtering. We consider that the packet flow input to the firewall is divided into a sequence of W equal-size windows, denoted $w \in \{1, 2, \dots, W\}$, in which each window consists of S equal-size segments with L packets per segment.
This two-layer structure of segments and windows is based on the following considerations. (1) A window consists of a large population of $S \times L$ packets, which guarantees the accuracy of the histogram. (2) The mechanism proposed in this paper focuses on real-time adjustment of both rule order and field order using histogram statistics; in practice, such real-time adjustment needs a relatively large time scale. (3) Each window is divided into S segments in order to follow the bursty nature of the packet flow in terms of rule order and field order.
Let $a_{w,s}(i,j)_l$ and $b_{w,s}(i,j)_l$ denote the status of the lth packet matching and not matching an active field F(i,j) in rule R(i), respectively, where w, s and l are the window, segment and packet indices. We define $a_{w,s}(i,j)_0 = 0$ and $b_{w,s}(i,j)_0 = 0$ as the initial state at the beginning of the sth segment. When the lth packet matches field F(i,j) of rule R(i), $a_{w,s}(i,j)_l$ is incremented by 1 while $b_{w,s}(i,j)_l$ remains unchanged. That is:

$$
\begin{cases}
a_{w,s}(i,j)_l = a_{w,s}(i,j)_{l-1} + 1 \\
b_{w,s}(i,j)_l = b_{w,s}(i,j)_{l-1}
\end{cases} \qquad (2)
$$

By contrast, when the lth packet does not match field F(i,j) of rule R(i), $b_{w,s}(i,j)_l$ is incremented by 1 while $a_{w,s}(i,j)_l$ remains unchanged. That is:

$$
\begin{cases}
a_{w,s}(i,j)_l = a_{w,s}(i,j)_{l-1} \\
b_{w,s}(i,j)_l = b_{w,s}(i,j)_{l-1} + 1
\end{cases} \qquad (3)
$$

Note that if the lth packet is not tested against field F(i,j) of rule R(i), either because the packet was already rejected by field F(i,j−1) or because F(i,j) is a non-active field, the state values $a_{w,s}(i,j)_l$ and $b_{w,s}(i,j)_l$ remain unchanged. That is:

$$
\begin{cases}
a_{w,s}(i,j)_l = a_{w,s}(i,j)_{l-1} \\
b_{w,s}(i,j)_l = b_{w,s}(i,j)_{l-1}
\end{cases}
$$

Therefore, for a given rule i, a packet is compared with the fields F(i,j), j = 1, 2, …, k, …, $M_i$, until a k is found such that the packet does not match F(i,k); the filtering of this packet against rule R(i) is then complete (eq. (3)) and the packet starts its filtering against rule R(i+1). Otherwise, if the packet matches all the fields defined in rule R(i), the packet matches rule R(i) (eq. (2)) and its filtering at the firewall is complete.
Lemma 1. When all L packets in the sth segment, s ∈ {1, 2, …, S}, have completed their processing in the firewall according to the algorithm of eqs. (2) and (3), the accumulated value $a_{w,s}(i,M_i)_L$ is the number of packets in the sth segment matching rule R(i). Likewise, the accumulated value $b_{w,s}(i,j)_L$ is the number of packets in the sth segment not matching field F(i,j) of rule R(i).

Proof: At the beginning of the sth segment we have the initial values $a_{w,s}(i,j)_0 = 0$ and $b_{w,s}(i,j)_0 = 0$. All L packets contained in the sth segment are tested in sequential order according to eqs. (2) and (3). If the lth packet matches field F(i,j), j = 1, 2, …, $M_i$, of rule R(i), i = 1, 2, …, N, then

$$
\begin{cases}
a_{w,s}(i,j)_l = a_{w,s}(i,j)_{l-1} + 1 \\
b_{w,s}(i,j)_l = b_{w,s}(i,j)_{l-1}
\end{cases}
$$

and the lth packet continues to be tested by the next field F(i,j+1) of the same rule, where j+1 ≤ $M_i$, up to field F(i,$M_i$). On the other hand, if field F(i,j), j = 1, 2, …, $M_i$, of rule R(i) is a non-active field, then

$$
\begin{cases}
a_{w,s}(i,j)_l = a_{w,s}(i,j)_{l-1} \\
b_{w,s}(i,j)_l = b_{w,s}(i,j)_{l-1}
\end{cases}
$$

and the lth packet continues to be tested by the next field F(i,j+1), where j+1 ≤ $M_i$, up to field F(i,$M_i$). The condition for the lth packet to match rule R(i), i = 1, 2, …, N, is that the packet matches all the active fields contained in the rule. Note also that if the lth packet matches rule R(i), its processing in the firewall is complete, i.e., the lth packet is not tested by rule R(i+1), i+1 ≤ N. Therefore, when all L packets in the sth segment have completed their processing in the firewall, the accumulated value $a_{w,s}(i,M_i)_L$ is the number of packets in the sth segment matching rule R(i).

On the other hand, if the lth packet does not match field F(i,j), then

$$
\begin{cases}
a_{w,s}(i,j)_l = a_{w,s}(i,j)_{l-1} \\
b_{w,s}(i,j)_l = b_{w,s}(i,j)_{l-1} + 1
\end{cases}
$$

In this case the lth packet is rejected by rule R(i), and the accumulated values $a_{w,s}(i,j+k)_l$ and $b_{w,s}(i,j+k)_l$ for the remaining fields F(i,j+k) of rule R(i) remain unchanged, that is

$$
\begin{cases}
a_{w,s}(i,j+k)_l = a_{w,s}(i,j+k)_{l-1} \\
b_{w,s}(i,j+k)_l = b_{w,s}(i,j+k)_{l-1}
\end{cases}, \qquad k = 1, 2, \dots, M_i - j .
$$

The lth packet rejected by rule R(i) continues to be tested by rule R(i+1), unless R(i) = R(N). Therefore, when all L packets in the sth segment have completed their processing in the firewall, the accumulated value $b_{w,s}(i,j)_L$ is the number of packets in the sth segment not matching field F(i,j) of rule R(i). ∎
From Lemma 1, both $a_{w,s}(i,M_i)_L$ and $b_{w,s}(i,j)_L$ are discrete random processes with a state space of integers between 0 and the maximum L on a segment basis. Let $C_{w,s}(i)$ and $D_{w,s}(i,j)$ be the values of $a_{w,s}(i,M_i)$ and $b_{w,s}(i,j)$ at the end of segment s of window w, respectively. Then the probability of a packet matching rule R(i) on a segment basis is defined as:

$$
P_{w,s}(i) = \begin{cases}
\dfrac{C_{w,s}(1)}{L}, & i = 1 \\[10pt]
\dfrac{C_{w,s}(i)}{L - \sum_{k=1}^{i-1} C_{w,s}(k)}, & i = 2, \dots, N
\end{cases} \qquad (4)
$$

where the term $L - \sum_{k=1}^{i-1} C_{w,s}(k)$ is the number of packets in the segment that are tested against rule R(i), i = 1, 2, …, N.
Likewise, the probability of a packet not matching field F(i,j), j = 1, 2, …, $M_i$, of rule R(i) on a segment basis is defined as:

$$
q_{w,s}(i,j) = \begin{cases}
\dfrac{D_{w,s}(1,1)}{L}, & i = 1,\ j = 1 \\[10pt]
\dfrac{D_{w,s}(1,j)}{L - \sum_{k=1}^{j-1} D_{w,s}(1,k)}, & i = 1,\ 2 \le j \le M_1 \\[10pt]
\dfrac{D_{w,s}(i,1)}{\sum_{k=1}^{M_{i-1}} D_{w,s}(i-1,k)}, & 2 \le i \le N,\ j = 1 \\[10pt]
\dfrac{D_{w,s}(i,j)}{\sum_{k=1}^{M_{i-1}} D_{w,s}(i-1,k) - \sum_{k=1}^{j-1} D_{w,s}(i,k)}, & 2 \le i \le N,\ 2 \le j \le M_i
\end{cases} \qquad (5)
$$

where the term $\sum_{k=1}^{j-1} D_{w,s}(1,k)$ is the number of packets in the sth segment rejected by the fields F(1,k), k = 1, …, j−1, of rule R(1); the term $\sum_{k=1}^{M_{i-1}} D_{w,s}(i-1,k)$ is the number of packets in the sth segment rejected by the fields of rule R(i−1), i.e., the packets that go on to be tested against rule R(i); and the term $\sum_{k=1}^{j-1} D_{w,s}(i,k)$ is the number of packets rejected by the fields F(i,k), k = 1, 2, …, j−1, of rule R(i), i = 1, 2, …, N. In every case the denominator counts only the packets that actually reach the field in question, so each $q_{w,s}(i,j)$ is a probability conditional on the packet having matched the preceding fields of the rule.
The histogram, denoted $\psi_w$, is defined as the statistics of packets matching rule R(i) on a window basis, under the assumption that both the rule order and the field order within each rule remain unchanged during the window. $\psi_w$ consists of the set of probabilities $P_{w,s}(i)$ corresponding to $C_{w,s}(i)$ in the sth segment for rule R(i), i = 1, 2, …, N, that is:

$$
\psi_w = \begin{bmatrix}
P_{w,1}(1) & \cdots & P_{w,s}(1) & \cdots & P_{w,S}(1) \\
\vdots     &        & \vdots     &        & \vdots     \\
P_{w,1}(i) & \cdots & P_{w,s}(i) & \cdots & P_{w,S}(i) \\
\vdots     &        & \vdots     &        & \vdots     \\
P_{w,1}(N) & \cdots & P_{w,s}(N) & \cdots & P_{w,S}(N)
\end{bmatrix} \qquad (6)
$$
Likewise, the histogram of packets not matching field F(i,j), i = 1, 2, …, N, j = 1, 2, …, $M_i$, on a window basis, denoted $\xi_w$, consists of the set of probabilities $q_{w,s}(i,j)$ corresponding to $D_{w,s}(i,j)$ in the sth segment, again under the assumption that both the rule order and the rule-field order remain unchanged during the window. $\xi_w$ can be presented as:

$$
\xi_w = \left[\, \xi_{w,1}(i,j) \ \cdots \ \xi_{w,s}(i,j) \ \cdots \ \xi_{w,S}(i,j) \,\right] \qquad (7)
$$

where each element $\xi_{w,s}(i,j)$, s = 1, 2, …, S, is the matrix:

$$
\xi_{w,s}(i,j) = \begin{bmatrix}
q_{w,s}(1,1) & \cdots & q_{w,s}(1,j) & \cdots & q_{w,s}(1,M_1) \\
\vdots       &        & \vdots       &        & \vdots         \\
q_{w,s}(i,1) & \cdots & q_{w,s}(i,j) & \cdots & q_{w,s}(i,M_i) \\
\vdots       &        & \vdots       &        & \vdots         \\
q_{w,s}(N,1) & \cdots & q_{w,s}(N,j) & \cdots & q_{w,s}(N,M_N)
\end{bmatrix} \qquad (8)
$$
Both histograms defined in eq. (6) and (7) are measured under the condition that packet flows are presented in
a format of grouped probability distributions (GFD) on window basis.
4. Optimization of rule and Rule-field orders on window basis
In this section, we present a novel mechanism to predict the order of rules and the order of rule-fields based on
the statistics of histogram patterns defined by eq. (6) and (7).
4.1 Optimization of rule order on window basis
Let Q(w) be the number of packets waiting for processing in the firewall at the end of the (w−1)th window. We assume that the packet flow arriving at the firewall is stationary if the number of pending packets converges to a finite value. Packets are processed in the firewall on a first come first served basis. Then Q(w) can be expressed by the recurrence:

$$
Q(w) = \max\{\, 0,\ Q(w-1) + A(w-1) - D(w-1) \,\} \qquad (9)
$$

where Q(w−1) is the cumulative number of packets waiting for processing at the beginning of the (w−1)th window, A(w−1) is the number of packets arriving during the (w−1)th window and D(w−1) is the number of packets processed during the (w−1)th window.

Note that in eq. (9), when $Q(w-1) + A(w-1) < D(w-1)$, the number of packets waiting at the firewall decreases, and the effects of rule order and rule-field order on firewall performance are insignificant. By contrast, when $Q(w-1) + A(w-1) \ge D(w-1)$, the number of packets waiting in the firewall increases until the buffer is full; in particular, when $Q(w-1) + A(w-1) \gg D(w-1)$, the effects of rule order and rule-field order on firewall efficiency become significant. Therefore, in the following analysis we focus on the situation $Q(w-1) + A(w-1) \gg D(w-1)$ and $K \gg Q(w)$, where K is the firewall buffer capacity. In this case, the probability that the segments in the wth window match rule R(i) can be estimated by applying the histogram obtained from the (w−1)th window, that is

$$
P_r\big(Q_w(i)\big) = \frac{1}{S} \sum_{s=1}^{S} P_{w-1,s}(i) \qquad (10)
$$

where S is the number of segments in the (w−1)th window and the terms $P_{w-1,s}(i)$ are obtained from eq. (6).
Hence, the results obtained from eq. (10) for i = 1, 2, …, N indicate the statistical pattern of packets matching rule R(i) in the wth window, denoted:

$$
\tilde{\psi}_w = \begin{bmatrix}
\dfrac{1}{S} \sum_{s=1}^{S} P_{w-1,s}(1) \\[8pt]
\vdots \\[4pt]
\dfrac{1}{S} \sum_{s=1}^{S} P_{w-1,s}(i) \\[8pt]
\vdots \\[4pt]
\dfrac{1}{S} \sum_{s=1}^{S} P_{w-1,s}(N)
\end{bmatrix} \qquad (11)
$$

The statistical pattern of packets matching rule R(i), i = 1, 2, …, N, in eq. (11) is estimated using the histogram of the (w−1)th window. Therefore, the rule order in the wth window can be optimized as

$$
\hat{\psi}_w = \begin{bmatrix} \hat{R}_w(1) \\ \vdots \\ \hat{R}_w(i) \\ \vdots \\ \hat{R}_w(N) \end{bmatrix}
$$

by sorting the elements of eq. (11) in decreasing order, that is

$$
\hat{R}_w(1) \ \ge\ \cdots\ \ge\ \hat{R}_w(i)\ \ge\ \cdots\ \ge\ \hat{R}_w(N) \qquad (12)
$$
Likewise, given the histogram $\xi_{w-1}$ of packets not matching field F(i,j), i = 1, 2, …, N, j = 1, 2, …, $M_i$, obtained from the (w−1)th window, we can estimate the statistical pattern of packets not matching field F(i,j) in the wth window, that is:

$$
\tilde{\xi}_w = \begin{bmatrix}
\dfrac{1}{S}\sum_{s=1}^{S} q_{w-1,s}(1,1) & \cdots & \dfrac{1}{S}\sum_{s=1}^{S} q_{w-1,s}(1,j) & \cdots & \dfrac{1}{S}\sum_{s=1}^{S} q_{w-1,s}(1,M_1) \\[8pt]
\vdots & & \vdots & & \vdots \\[4pt]
\dfrac{1}{S}\sum_{s=1}^{S} q_{w-1,s}(i,1) & \cdots & \dfrac{1}{S}\sum_{s=1}^{S} q_{w-1,s}(i,j) & \cdots & \dfrac{1}{S}\sum_{s=1}^{S} q_{w-1,s}(i,M_i) \\[8pt]
\vdots & & \vdots & & \vdots \\[4pt]
\dfrac{1}{S}\sum_{s=1}^{S} q_{w-1,s}(N,1) & \cdots & \dfrac{1}{S}\sum_{s=1}^{S} q_{w-1,s}(N,j) & \cdots & \dfrac{1}{S}\sum_{s=1}^{S} q_{w-1,s}(N,M_N)
\end{bmatrix} \qquad (13)
$$

Hence, the field order within each rule for the wth window can be optimized by sorting the elements of each row of eq. (13) in decreasing order, that is:

$$
\hat{\xi}_w = \begin{bmatrix}
\hat{\xi}_w(1,1) \ge \hat{\xi}_w(1,2) \ge \cdots \ge \hat{\xi}_w(1,j) \ge \cdots \ge \hat{\xi}_w(1,M_1) \\
\vdots \\
\hat{\xi}_w(i,1) \ge \hat{\xi}_w(i,2) \ge \cdots \ge \hat{\xi}_w(i,j) \ge \cdots \ge \hat{\xi}_w(i,M_i) \\
\vdots \\
\hat{\xi}_w(N,1) \ge \hat{\xi}_w(N,2) \ge \cdots \ge \hat{\xi}_w(N,j) \ge \cdots \ge \hat{\xi}_w(N,M_N)
\end{bmatrix} \qquad (14)
$$
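The filtering, counting and re-ordering steps of Sections 3 and 4.1 are implemented below as an added example; it is not the paper's code. It assumes that every field is an exact-value test on one packet attribute, uses a constructed four-rule policy and a constructed traffic trace containing a non-matching flood, and measures processing cost as the number of field comparisons. Because the paper assumes N independent rules, the dependency constraint recalled in Section 2 (overlapping rules with different actions keep their relative order) is added here as a priority-based topological sort; the names POLICY, make_traffic, run and the helper functions are this example's own.

```python
"""Added example, not the paper's code: window-based rule and rule-field
reordering driven by matching histograms (Sections 3 and 4.1). Assumptions: a
field is an exact-value test on one packet attribute, the policy and traffic
below are constructed, and processing cost = number of field comparisons."""
import random

# Constructed policy: (action, ordered active fields). Rule 1 (deny ssh) overlaps
# rule 0 (accept ssh from one host) with another action, so their order is fixed.
POLICY = [
    ("accept", [("proto", "tcp"), ("dst_ip", "10.0.0.5"), ("dst_port", 22), ("src_ip", "192.0.2.1")]),
    ("deny",   [("proto", "tcp"), ("dst_port", 22)]),
    ("accept", [("proto", "udp"), ("dst_ip", "10.0.0.5"), ("dst_port", 53)]),
    ("accept", [("proto", "tcp"), ("dst_ip", "10.0.0.5"), ("dst_port", 443)]),
]

def filter_segment(rules, packets):
    """Sequential first-match filtering of one segment (eqs. 2-3). Returns C[i] =
    matches of rule i, D[i][j] = rejections at field j of rule i, and comparisons."""
    C = [0] * len(rules)
    D = [[0] * len(fields) for _, fields in rules]
    comparisons = 0
    for pkt in packets:
        for i, (_, fields) in enumerate(rules):
            for j, (name, value) in enumerate(fields):
                comparisons += 1
                if pkt.get(name) != value:          # eq. (3): rejected at field j
                    D[i][j] += 1
                    break
            else:                                   # eq. (2): every field matched
                C[i] += 1
                break                               # first match ends filtering
        # a packet rejected by every rule is handled by the default deny rule
    return C, D, comparisons

def segment_probabilities(C, D, L):
    """Eqs. (4)-(5): P_{w,s}(i) and q_{w,s}(i,j), conditional on reaching there."""
    P, q, reach = [], [], L                         # reach: packets tested by rule i
    for i, c in enumerate(C):
        P.append(c / reach if reach else 0.0)
        remaining, qi = reach, []                   # packets tested by field j
        for d in D[i]:
            qi.append(d / remaining if remaining else 0.0)
            remaining -= d
        q.append(qi)
        reach = sum(D[i])                           # rejected by i = tested by i+1
    return P, q

def window_average(hist):
    """Eqs. (10), (11), (13): element-wise mean over the S segment histograms."""
    if isinstance(hist[0], list):
        return [window_average([h[k] for h in hist]) for k in range(len(hist[0]))]
    return sum(hist) / len(hist)

def dependent(r1, r2):
    """Exact-match rules overlap iff they agree on every field both test; with
    different actions their relative order must be preserved (Section 2)."""
    f1, f2 = dict(r1[1]), dict(r2[1])
    return r1[0] != r2[0] and all(f1[k] == f2[k] for k in f1.keys() & f2.keys())

def reorder_rules(rules, P_avg):
    """Eq. (12) under the dependency constraint: at each step place the
    highest-probability rule whose dependent predecessors are already placed."""
    preds = {i: {k for k in range(i) if dependent(rules[k], rules[i])} for i in range(len(rules))}
    order = []
    while len(order) < len(rules):
        ready = [i for i in range(len(rules)) if i not in order and preds[i] <= set(order)]
        order.append(max(ready, key=lambda i: (P_avg[i], -i)))   # ties keep original order
    return order

def reorder_fields(rule, q_avg_i):
    """Eq. (14): a rule is a conjunction, so its fields may be permuted freely."""
    idx = sorted(range(len(rule[1])), key=lambda j: (-q_avg_i[j], j))
    return (rule[0], [rule[1][j] for j in idx])

def run(rules, windows, dynamic):
    """Filter W windows of S segments; with `dynamic`, re-order after each window
    from its own histograms (Section 4.1). Returns (total comparisons, final rules)."""
    rules, total = list(rules), 0
    for segments in windows:
        hists = []
        for seg in segments:
            C, D, cost = filter_segment(rules, seg)
            total += cost
            hists.append(segment_probabilities(C, D, len(seg)))
        if dynamic:
            P_avg = window_average([P for P, _ in hists])
            q_avg = window_average([q for _, q in hists])
            order = reorder_rules(rules, P_avg)
            rules = [reorder_fields(rules[i], q_avg[i]) for i in order]
    return total, rules

def make_traffic(seed=1, W=4, S=5, L=200):
    """Constructed trace: some ssh, mostly https (the last rule), plus a flood
    matching no rule that falls through to the default deny rule."""
    rng = random.Random(seed)
    pkt = lambda port, src: {"proto": "tcp", "dst_ip": "10.0.0.5", "dst_port": port, "src_ip": src}
    def packet():
        r = rng.random()
        if r < 0.05:
            return pkt(22, "192.0.2.1")                                # rule 0
        if r < 0.15:
            return pkt(22, "198.51.100.%d" % rng.randint(2, 250))      # rule 1
        if r < 0.60:
            return pkt(443, "192.0.2.7")                               # rule 3
        return pkt(rng.randint(1024, 65535), "203.0.113.9")            # no rule
    return [[[packet() for _ in range(L)] for _ in range(S)] for _ in range(W)]
```

Running `run(POLICY, make_traffic(), False)` and `run(POLICY, make_traffic(), True)` on the same trace shows the rule carrying most of the traffic moving to the top and, within every rule, the field that rejects the flood (the destination port) moving first, so a flood packet costs one comparison per rule instead of three before it reaches the default rule; the accept-ssh rule stays ahead of the deny-ssh rule even though the latter matches more packets. The variance-driven segment sizing of Section 4.2 is not modelled here.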
4.2 Optimization of segment size
In this paper, we emphasize the advantages of using such statistical histograms. First, both $\psi_w(i)$ and $\xi_w(i,j)$ can be calculated in real time on a segment basis, and the histograms can also be shared among multiple segments within the same window to trace the traffic behaviour. Second, the accuracy and complexity of the histogram calculation depend on the number of packets contained in a segment. When the segment size is very large, the histograms converge to a complete trace of the statistics of packets matching rule R(i), i = 1, 2, …, N, and of packets not matching field F(i,j), i = 1, 2, …, N, j = 1, 2, …, $M_i$; however, the corresponding observation time is also large, which may not be suitable for practical implementation. Therefore, the segment size must be selected as a trade-off between accuracy and complexity that meets the requirements of practical use. Third, the bursty nature of packet flows affects the trade-off between the mean and the corresponding variance. From this point of view, we define the average histogram of packets matching rule R(i) over the wth window, which consists of S segments, as:
$$
\bar{\psi}_w = \begin{bmatrix} \bar{\psi}_w(1) \\ \vdots \\ \bar{\psi}_w(i) \\ \vdots \\ \bar{\psi}_w(N) \end{bmatrix} \qquad (15)
$$

where $\bar{\psi}_w(i) = \dfrac{1}{S} \sum_{s=1}^{S} P_{w,s}(i)$ and w is the window index. Likewise, the variance histogram of packets matching rule R(i), i = 1, 2, …, N, is defined as:

$$
\mathrm{Var}\big[\psi_w(i)\big] = \frac{1}{N-1} \sum_{i=1}^{N} \big(\psi_w(i) - \bar{\psi}_w(i)\big)^2 \qquad (16)
$$

where $\psi_w$ is defined in eq. (6). Furthermore, the optimum window size with minimum variance can be obtained from eq. (16) by finding the value of S that satisfies:

$$
\frac{d}{dx}\left\{ \frac{d\,\mathrm{Var}\big[\psi_w(i)\big]}{d\,\psi_w(i)} - \left[\sum \frac{x}{S}\right]^2 \right\} = 0 \qquad (17)
$$

where $x = \big[\, P_{w,1}(i) \ \cdots \ P_{w,s}(i) \ \cdots \ P_{w,S}(i) \,\big]$, i ∈ {1, 2, …, N}. The solution of eq. (17) is:

$$
S_{opt} = \left\lceil \frac{\bar{\psi}_w(i)}{P_{w,s}(i)} \right\rceil, \qquad i \in \{1, 2, \dots, N\} \qquad (18)
$$

Eq. (18) indicates that finding the optimum size of the observation window amounts to finding a value of S that satisfies eq. (11): the segment histogram must stay within a pre-defined margin of the average histogram over a number of consecutive windows. If the segment histogram falls significantly outside this margin, a new window run must be started.
5. Performance evaluation
5.1 Evaluation of the effect of dynamic rule and rule-field orders on firewall performance
The performance gain of the proposed optimization scheme is measured by simulation in terms of the reduction in packet matching processing time compared with static rule ordering and dynamic rule ordering. In the simulation, the histograms of the packet flows are computed using eqs. (6) and (7).
Multiple simulation runs are carried out independently. The result of each single run depends on the particular stream of pseudorandom numbers driving the simulation, so results typically vary from one run to another. To ensure the accuracy of the simulation results, confidence intervals are calculated using the independent replication method as follows [23]:
1. The simulation is independently repeated M times, yielding M groups of data. Each simulation run has a length of 10^8 slots, excluding a warm-up period of 1000 slots, which ensures that the results are estimated from a steady-state simulation process; each run starts with an empty firewall system. Before settling on 1000 slots as the warm-up period, we compared the results obtained with warm-up periods of 100, 500, 1000, 2000 and 5000 slots; the comparison shows that a warm-up period of 1000 slots is adequate.
2. The confidence margin is calculated such that at least 90% of the estimated values ρ from the M simulation runs fall within the margin (ρ − δ, ρ + δ), with δ < ρ.
3. We note that this paper is mainly devoted to the statistics of packet filtering under high traffic load, i.e., for relatively high cumulative processing time, where the confidence margin of the simulations is not difficult to achieve. When the traffic load is low, the simulations require an excessive amount of computing resources, and we have not addressed that condition in this paper.
The security policy used in the simulation consists of 500 TCP, UDP and ICMP rules. TCP rules have six types of fields: Protocol, Source-IP, Destination-IP, Source-Port, Destination-Port and TCP flags. ICMP rules have the fields Protocol, Source-IP, Destination-IP, Type and Code. UDP rules have five types of fields: Protocol, Source-IP, Destination-IP, Source-Port and Destination-Port. The active fields of each individual rule are a combination of the available field types in random order, and the number of fields is also randomly and independently selected.
Figure 1. Burst-silence packet flow source model.
TABLE I. PARAMETERS USED TO GENERATE INDEPENDENT TCP, UDP AND ICMP PACKET FLOWS
           Ton        Ts
TCP        10 ms      2 ms
UDP        0.8 ms     0.5 ms
ICMP       0.07 ms    0.045 ms
Hence, in our simulation experiments, the parameters shown in Table I are used independently to generate the TCP, UDP and ICMP packet flows. These three packet flows are multiplexed into a stream of 200 equal-size windows with 10 segments per window, each segment consisting of 1000 packets. We note that packet filtering occurs in bursts, especially under heavy traffic load with bursty arrivals. This is important for understanding the histograms of packet filtering and their statistical dependency when the cumulative processing time is evaluated.
Figure 2 shows the characteristics of packet flows including TCP, UDP and ICMP, which are generated by
three independent discrete-time burst-silence sources with different parameters.
Figure 2. Characteristics of packet flows using burst-silence sources.
Figure 3 shows the accumulated packet processing time for static rule order, dynamic rule order, and optimized dynamic rule and rule-field orders. The average gain in cumulative processing time from the rule and rule-field ordering scheme is about 61% compared to the static rule ordering scheme; compared to the dynamic rule ordering scheme, the proposed scheme saves about 56%.
Figure 4 shows the percentage of packet processing time saved when using the dynamic rule order mechanism and the dynamic rule and rule-field order mechanism versus the static rule order mechanism. On average, 11% and 67% of the packet processing time is saved using dynamic rule order and dynamic rule and rule-field orders, respectively.
Figure 3. Accumulated packet processing time for different mechanisms.
Figure 4. The percentages of matching processing time gain.
5.2 Evaluation of the effect of dynamic rule and rule-field order in defending against DoS attacks
In this section, we investigate the effect of implementing static rule ordering, dynamic rule ordering and
dynamic rule and rule-field ordering approaches on the firewall performance in defending against common DoS
attacks.
5.2.1 DoS attack classification
DoS attacks are commonly divided in the following categories: flood attacks, amplification attacks, protocol
exploit attacks and malformed packet attacks [19].
In a flood attack, the zombies send large volumes of IP traffic to a victim system in order to congest the
victim system's bandwidth. Some of the well-known flood attacks are UDP flood attacks, ICMP flood attacks
and port scanning.
In amplification attacks, the attacker exploits the broadcast IP address feature found on most routers to amplify
and reflect the attack, by sending messages to a broadcast IP address. This instructs the routers servicing the
packets within the network to send them to all the IP addresses within the broadcast address range. In this way, the
malicious traffic that is produced reduces the victim system's bandwidth. Some well-known amplification
attacks are Smurf and Fraggle attacks.
Protocol exploit attacks exploit a specific feature or implementation bug of some protocol installed at the
victim in order to consume excessive amounts of its resources. A representative example of protocol exploit attacks
is the TCP SYN flood attack. Other examples of protocol exploit attacks are PUSH+ACK attacks, CGI request
attacks and authentication server attacks.
Malformed packet attacks rely on incorrectly formed IP packets that are sent from agents to the victim in
order to crash the victim system. A representative example of malformed packet attack is the Land attack.
DoS attacks usually use either flooding non-matching traffic or flooding matching traffic.
Non-matching DoS traffic consists of packets that do not match any filtering rule and are consequently filtered by
the default security policy. Matching DoS traffic, by contrast, consists of packets that match the filtering rules.
5.2.2 Firewall performance
A packet generator is used to generate DoS attacks. The firewall uses the same set of filtering rules, described in
Section 4.
Two experiments have been performed using non-matching and matching DoS attack traffic, respectively. In
the first DoS attack experiment, most packets received by the firewall do not match any filtering rule, and these
packets are finally rejected by the default security policy. UDP flood, ICMP echo flood and port scanning are
examples of such attacks.
To investigate the effect of the proposed optimization approaches, we generated a special packet flow
consisting of only 10% of packets matching the filtering rules, and the other 90% of packets not matching any
filtering rule. Figure 5 shows the cumulative packet filtering processing time for the static rule order approach,
the dynamic rule order only approach and the dynamic rule and rule-field order approach. It can be seen that the
cumulative processing times for the static rule order approach and the dynamic rule order only approach are very
close to each other, which means that the improvement provided by the dynamic rule order only approach is very
limited. By contrast, the gain provided by the dynamic rule and rule-field order approach is significant. This is because,
when the firewall is heavily loaded with the filtering of non-matching malicious packets, the filtering process may have
to check most of the rule fields to reach a decision regarding a given packet. By applying the
dynamic rule and rule-field ordering approach, the position of the fields in each filtering rule is optimized
to make the matching process much faster, especially for malicious packets, compared to the
static rule ordering approach and the dynamic rule ordering only approach.
Figure 5. Cumulative processing time for DoS attack with high non-matching traffic.
In the second DoS attack experiment, the firewall is flooded by matching packets, as in a SYN flood attack,
in which TCP SYN packets are accepted by the firewall in order to allow external hosts to establish TCP
connections on particular ports with internal servers. If external hosts are allowed to access an internal web
server, then for the HTTP port (80) the security policy should include a filtering rule allowing the
firewall to accept SYN packets to that web server. However, flooding the network with SYN packets that have
spoofed source IP addresses may degrade the firewall performance and create congestion. Special
packet flows with 90% of the packets matching the filtering rules and 10% of the packets not matching any
filtering rule are used in this experiment.
Figure 6 shows the cumulative processing time for the static rule ordering approach, the dynamic rule ordering only
approach and the dynamic rule and rule-field ordering approach, respectively. It can be seen that the dynamic rule and
rule-field ordering approach improves the processing time significantly compared to the other two
approaches.
In conclusion, this investigation shows that once dynamic rule and rule-field ordering is implemented, the
effect of many common DoS attacks on the firewall performance may be reduced significantly. In contrast,
firewalls that use static rule ordering or dynamic rule ordering only are more vulnerable to common DoS
attacks, especially when the malicious traffic consists mostly of non-matching packets.
Figure 6. Cumulative processing time for DoS attack with high matching traffic.
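As an added illustration, not part of the original paper or its simulator, the following Python script reproduces the mechanism behind the two DoS experiments above on a constructed policy and constructed traffic. Five pairwise disjoint accept rules (so that any rule order yields the same decisions) sit in front of a default deny; traffic is a mix of rule-matching packets and UDP/ICMP flood packets that match no rule, with the matching share set to 10% for the first experiment and 90% for the second. Processing cost is modelled as one unit per rule-field evaluation. Per-segment histograms of matched rules and of first-rejecting fields are collected, and the rule order (most-hit rules first, for early acceptance) and each rule's field order (most-rejecting field first, for early rejection) are recomputed for the next segment. All rule values, hosts, weights and the cost model are assumptions of this example.

```python
"""Constructed simulation of static, dynamic-rule and dynamic rule+field ordering.

Cost model (assumption): one unit per rule-field evaluation, wildcards included.
Histograms are collected per segment and applied to the next segment. The
constructed rules are pairwise disjoint, so any rule order gives the same
accept/deny decisions and reordering never changes policy semantics.
"""
import random

FIELDS = ["src", "dst", "proto", "dport"]   # static (initial) field order in every rule
MODES = ("static", "rule", "rule_field")

# Constructed policy, deliberately listed least-popular first; the default rule is deny.
RULES = [
    {"name": "ssh",   "proto": "tcp",  "src": "203.0.113.5", "dst": "10.0.0.14", "dport": 22,  "weight": 5},
    {"name": "icmp",  "proto": "icmp", "src": "*",           "dst": "10.0.0.13", "dport": "*", "weight": 5},
    {"name": "dns",   "proto": "udp",  "src": "*",           "dst": "10.0.0.12", "dport": 53,  "weight": 10},
    {"name": "https", "proto": "tcp",  "src": "*",           "dst": "10.0.0.11", "dport": 443, "weight": 20},
    {"name": "http",  "proto": "tcp",  "src": "*",           "dst": "10.0.0.10", "dport": 80,  "weight": 60},
]


def make_flow(n_packets, frac_matching, seed=1):
    """Constructed traffic: rule-matching packets (popularity per rule weight)
    mixed with UDP/ICMP flood packets towards 10.0.0.10 that match no rule."""
    rng = random.Random(seed)
    weights = [r["weight"] for r in RULES]
    flow = []
    for _ in range(n_packets):
        src = "198.51.100.%d" % rng.randint(1, 254)
        if rng.random() < frac_matching:
            rule = rng.choices(RULES, weights=weights)[0]
            pkt = {f: rule[f] for f in FIELDS}
            if pkt["src"] == "*":
                pkt["src"] = src
            if pkt["dport"] == "*":
                pkt["dport"] = 0
        else:
            proto = rng.choice(["udp", "icmp"])
            pkt = {"proto": proto, "src": src, "dst": "10.0.0.10",
                   "dport": rng.randint(1024, 65535) if proto == "udp" else 0}
        flow.append(pkt)
    return flow


def match_rule(rule, pkt, field_order):
    """Evaluate fields in the given order; return (matched, cost, rejecting_field)."""
    cost = 0
    for f in field_order:
        cost += 1
        if rule[f] != "*" and rule[f] != pkt[f]:
            return False, cost, f
    return True, cost, None


def filter_packet(pkt, rule_order, field_orders, rule_hits, field_rejects):
    """Walk the rules in rule_order, updating both histograms; return (action, cost)."""
    cost = 0
    for i in rule_order:
        matched, c, rej = match_rule(RULES[i], pkt, field_orders[i])
        cost += c
        if matched:
            rule_hits[i] += 1
            return "accept", cost
        field_rejects[i][rej] += 1
    return "deny", cost   # default rule


def simulate(flow, mode, segment=1000):
    """Total field evaluations for one mode; orders are recomputed after every segment."""
    n = len(RULES)
    rule_order = list(range(n))
    field_orders = [list(FIELDS) for _ in range(n)]
    total = 0
    for start in range(0, len(flow), segment):
        rule_hits = [0] * n
        field_rejects = [{f: 0 for f in FIELDS} for _ in range(n)]
        for pkt in flow[start:start + segment]:
            total += filter_packet(pkt, rule_order, field_orders, rule_hits, field_rejects)[1]
        if mode in ("rule", "rule_field"):   # most-hit rules first: early acceptance
            rule_order = sorted(range(n), key=lambda i: -rule_hits[i])
        if mode == "rule_field":              # most-rejecting field first: early rejection
            for i in range(n):
                field_orders[i] = sorted(FIELDS, key=lambda f: -field_rejects[i][f])
    return total


def compare(frac_matching, n_packets=20000):
    """Return {mode: percent of field evaluations saved versus static} for a flow mix."""
    flow = make_flow(n_packets, frac_matching)
    cost = {m: simulate(flow, m) for m in MODES}
    return {m: 100.0 * (cost["static"] - cost[m]) / cost["static"] for m in MODES}


if __name__ == "__main__":
    for frac in (0.1, 0.9):
        print("matching share %d%%:" % int(frac * 100), compare(frac))
```

With 10% matching traffic, rule reordering alone saves little, since every non-matching packet still traverses all rules before the default deny, whereas reordering fields within each rule lets most rules reject a flood packet on its first field; with 90% matching traffic, moving the popular rules to the front yields most of the saving and field reordering adds to it. The script keeps only the previous segment's histogram; a deployment would share histograms across several segments, as the paper describes, to smooth out burst-to-burst variation.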
6. Conclusion
The histogram is an effective stochastic function for describing the characteristics of packet filtering in a firewall.
Furthermore, the algorithm presented in this paper for calculating histograms on a segment basis is efficient and
deployable in practice for effectively monitoring traffic flow and optimizing firewall performance in real time.
These histograms can be shared over multiple segments to estimate the optimum rule and rule-field orders for
early packet acceptance and rejection, especially when the firewall is heavily loaded with burst traffic flows. The
simulation results demonstrated that the proposed mechanism significantly improves firewall performance,
in terms of packet filtering processing time, compared to related conventional mechanisms. The numerical
results also demonstrated that the proposed approach significantly reduces the effect of common DoS attacks on
firewall performance.
Acknowledgment
The authors acknowledge the support of Emirates Foundation through Research Grants (21T010 and 2011/161).
References
[1] H. Hamed, A. El-Atawy, and E. Al-Shaer. On dynamic optimization of packet matching in high-speed firewalls. IEEE Journal on Selected Areas in Communications, vol. 24, no. 10, October 2006.
[2] H. Hamed, A. El-Atawy, and E. Al-Shaer. Adaptive statistical optimization techniques for firewall packet filtering. In IEEE INFOCOM'06, April 2006.
[3] K. Lan and J. Heidemann. On the correlation of Internet flow characteristics. Technical Report ISI-TR-574, USC/ISI, 2003.
[4] A. El-Atawy, T. Samak, E. Al-Shaer, and H. Li. Using online traffic statistical matching for optimizing packet filtering performance. In IEEE INFOCOM'07, pages 866–874, 2007.
[5] P. Gupta and N. McKeown. Algorithms for packet classification. IEEE Network, 15(2):24–32, 2001.
[6] F. Baboescu and G. Varghese. Scalable packet classification. In ACM SIGCOMM'01, 2001.
[7] A. J. McAuley and P. Francis. Fast routing table lookup using CAMs. In IEEE INFOCOM'93, March 1993.
[8] V. Srinivasan, S. Suri, and G. Varghese. Packet classification using tuple space search. In ACM SIGCOMM Computer Communication Review, pages 135–146, October 1999.
[9] A. Feldmann and S. Muthukrishnan. Tradeoffs for packet classification. In IEEE INFOCOM'00, March 2000.
[10] P. Gupta and N. McKeown. Packet classification using hierarchical intelligent cuttings. In Interconnects VII, August 1999.
[11] E. Cohen and C. Lund. Packet classification in large ISPs: design and evaluation of decision tree classifiers. In SIGMETRICS '05: Proceedings of the 2005 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems, pages 73–84, New York, NY, USA, 2005. ACM Press.
[12] T. Y. C. Woo. A modular approach to packet classification: algorithms and results. In IEEE INFOCOM'00, pages 1213–1222, March 2000.
[13] P. Gupta, B. Prabhakar, and S. Boyd. Near optimal routing lookups with bounded worst case performance. In IEEE INFOCOM'00, 2000.
[14] L. Kencl and C. Schwarzer. Traffic-adaptive packet filtering of denial of service attacks. In WOWMOM'06: The 2006 International Symposium on a World of Wireless, Mobile and Multimedia Networks, pages 485–489, Washington, DC, USA, 2006.
[15] S. Acharya, M. Abliz, B. Mills, and T. F. Znati. OPTWALL: a hierarchical traffic-aware firewall. In Proceedings of the 14th Annual Network & Distributed System Security Symposium (NDSS), San Diego, US, February 2007.
[16] H. Hamed and E. Al-Shaer. Dynamic rule-ordering optimization for high-speed firewall filtering. In ASIACCS'06, March 21–24, 2006, Taipei, Taiwan.
[17] N. Neji and A. Bouhoula. Dynamic scheme for packet classification using splay trees. Information Assurance and Security, pp. 1–9, 2009.
[18] E. Al-Shaer, A. El-Atawy, and T. Tran. Adaptive early packet filtering for defending firewalls against DoS attacks. In Proceedings of IEEE INFOCOM, pp. 1–9, 2009.
[19] C. Douligeris and A. Mitrokotsa. DDoS attacks and defense mechanisms: classification and state-of-the-art. Computer Networks: The International Journal of Computer and Telecommunications Networking, vol. 44, no. 5, 5 April 2004.
[20] G. Misherghi, L. Yuan, Z. Su, C.-N. Chuah, and H. Chen. A general framework for benchmarking firewall optimization techniques. IEEE Transactions on Network and Service Management (TNSM), vol. 5, no. 4, pp. 227–238, December 2008.
[21] G. Maiolini, A. Nicotra, P. Tornari, and A. Baiocchi. Automated framework for policy optimization in firewalls and security gateways. Journal of Information Assurance and Security (ISSN 1554-1010), vol. 4, no. 4, pp. 301–310, 2009.
[22] W. Wang, H. Chen, J. Chen, and B. Liu. Firewall rule ordering based on statistical model. In International Conference on Computer Engineering and Technology (ICCET 2009), Singapore, 22–24 January 2009.
[23] T. Gan, K. Ma, and L. Zhang. Dual-plan bandwidth smoothing for layered-encoded video. IEEE Transactions on Multimedia, vol. 7, no. 2, pp. 379–392, 2005.