TY - GEN
T1 - A stateful mechanism for the tree-rule firewall
AU - Chomsiri, Thawatchai
AU - He, Xiangjian
AU - Nanda, Priyadarsi
AU - Tan, Zhiyuan
N1 - Publisher Copyright:
© 2014 IEEE.
PY - 2015/1/15
Y1 - 2015/1/15
N2 - In this paper, we propose a novel connection tracking mechanism for the Tree-rule firewall, which organizes firewall rules in a designated tree structure. A new firewall model based on the proposed connection tracking mechanism is then developed, extending the basic model of Netfilter's conntrack module, which has been used by many early-generation commercial and open-source firewalls, including iptables, the most popular firewall. To reduce memory consumption and processing time, our proposed model uses one node per connection instead of the two nodes used in the Netfilter model, which reduces both memory space and processing time. In addition, we introduce an extended hash table with more hashing bits in our firewall model in order to accommodate more concurrent connections. Moreover, our model also applies sophisticated techniques (such as using static information nodes and avoiding timer objects and memory management tasks) to improve its processing speed. Finally, we implement this model on Linux CentOS 6.3 and evaluate its speed. The experimental results show that our model performs more efficiently than Netfilter/iptables.
AB - In this paper, we propose a novel connection tracking mechanism for the Tree-rule firewall, which organizes firewall rules in a designated tree structure. A new firewall model based on the proposed connection tracking mechanism is then developed, extending the basic model of Netfilter's conntrack module, which has been used by many early-generation commercial and open-source firewalls, including iptables, the most popular firewall. To reduce memory consumption and processing time, our proposed model uses one node per connection instead of the two nodes used in the Netfilter model, which reduces both memory space and processing time. In addition, we introduce an extended hash table with more hashing bits in our firewall model in order to accommodate more concurrent connections. Moreover, our model also applies sophisticated techniques (such as using static information nodes and avoiding timer objects and memory management tasks) to improve its processing speed. Finally, we implement this model on Linux CentOS 6.3 and evaluate its speed. The experimental results show that our model performs more efficiently than Netfilter/iptables.
KW - Connection tracking
KW - Firewall
KW - Network security
KW - Stateful firewall
KW - Tree-rule firewall
UR - http://www.scopus.com/inward/record.url?scp=84923013716&partnerID=8YFLogxK
U2 - 10.1109/TrustCom.2014.20
DO - 10.1109/TrustCom.2014.20
M3 - Conference contribution
AN - SCOPUS:84923013716
T3 - Proceedings - 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2014
SP - 122
EP - 129
BT - Proceedings - 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2014
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2014
Y2 - 24 September 2014 through 26 September 2014
ER -