
Research On Optimization To Firewall Based On Statistical Analysis

Posted on: 2012-05-04
Degree: Master
Type: Thesis
Country: China
Candidate: L Zhang
Full Text: PDF
GTID: 2178330338497094
Subject: Computer software and theory

Abstract/Summary:
With the development of the internet, more and more companies have begun to expand their business through it, which brings more and more network security problems. As a result, various network security products have been created. The firewall, as the earliest and most widely used security product, plays a key role in protecting networks. Because of the firewall's special position in the network, the correctness of its rule set affects the efficiency of the firewall and hence of the whole network. For this reason, more and more attention is being paid to firewall research.

Generally, firewall rules are predetermined and subject to strict priority constraints. When the characteristics of network traffic change, these rules may limit the performance of the firewall. To improve the adaptive optimization ability of firewalls, some researchers have proposed a firewall based on statistical analysis. Such a firewall dynamically reorders its filtering rules according to the characteristics of the network traffic, so that rules which have matched more packets in the past are given higher priority.

Reordering rules without any constraints changes the firewall's security policy. In this paper we first define the various conflicts between rules and design a conflict detection algorithm. On that basis, we propose an algorithm that dynamically reorders filtering rules without breaking the firewall security policy.

During the adjustment of the rule set, previous algorithms ignored packets matched by the default rule. The special position of the default rule in the rule set means that matching a packet against it requires the largest number of comparisons. This paper proposes a firewall optimization method based on default rules. Starting from the matching probabilities of the firewall rules, the method extracts some simple rules from the default-rule traffic recorded in the firewall logs. After analyzing the relationship between these simple rules and the existing rules, it merges the simple rules into new rules. It then evaluates the impact of the new rules on the firewall and selectively adds some of them to the rule library, optimizing the firewall's linear matching.

The experiments of this paper consist of two parts: one implements the rule reordering method, the other the default-rule-based optimization method. The results of the two experiments show that, in general, both methods reduce the average number of rule matches and improve firewall performance.

At the end of the paper we analyze and summarize the research achievements as well as the remaining problems, which define the author's directions for further research.
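The constrained reordering described in the abstract, as an added illustration that is not the thesis's own code or algorithm: a constructed rule set and packet trace, a pairwise conflict check (overlapping match space with differing actions), and a greedy reorder that moves frequently hit rules forward only when no earlier conflicting rule still sits behind them, with the default rule pinned last. The rule tuple layout, the trace and the greedy selection are assumptions made for this example.

```python
import ipaddress

# Constructed rule set: (name, src, dst, proto, dport range, action); the last rule is the default.
RULES = [
    ("r1", "10.0.0.0/8", "192.168.1.10/32", "tcp", (22, 22), "deny"),
    ("r2", "10.0.0.0/8", "192.168.1.0/24", "tcp", (22, 22), "allow"),
    ("r3", "0.0.0.0/0", "192.168.1.20/32", "tcp", (443, 443), "allow"),
    ("r4", "0.0.0.0/0", "192.168.1.0/24", "udp", (53, 53), "allow"),
    ("default", "0.0.0.0/0", "0.0.0.0/0", "any", (0, 65535), "deny"),
]
# Constructed packet trace (src, dst, proto, dport): mostly DNS and HTTPS, little SSH.
TRACE = ([("10.1.1.1", "192.168.1.10", "tcp", 22)] * 2
         + [("10.1.1.1", "192.168.1.11", "tcp", 22)] * 3
         + [("8.8.8.8", "192.168.1.20", "tcp", 443)] * 20
         + [("1.2.3.4", "192.168.1.5", "udp", 53)] * 30
         + [("1.2.3.4", "192.168.1.5", "tcp", 80)] * 5)

def conflicts(a, b):
    """True if some packet could match both rules and their actions differ."""
    nets = (ipaddress.ip_network(a[1]).overlaps(ipaddress.ip_network(b[1]))
            and ipaddress.ip_network(a[2]).overlaps(ipaddress.ip_network(b[2])))
    proto = a[3] == b[3] or "any" in (a[3], b[3])
    ports = a[4][0] <= b[4][1] and b[4][0] <= a[4][1]
    return nets and proto and ports and a[5] != b[5]

def matches(rule, pkt):
    src, dst, proto, dport = pkt
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule[1])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule[2])
            and rule[3] in (proto, "any") and rule[4][0] <= dport <= rule[4][1])

def evaluate(rules, pkt):
    """Linear first-match lookup: returns (action, number of rules compared)."""
    for i, r in enumerate(rules, 1):
        if matches(r, pkt):
            return r[5], i
    raise ValueError("rule set has no default rule")

def reorder(rules, trace):
    """Move frequently hit rules forward, but never past an earlier rule they conflict with;
    the default rule stays last, so every packet keeps its original action."""
    hits = {r[0]: 0 for r in rules}
    for p in trace:
        hits[next(r for r in rules if matches(r, p))[0]] += 1
    body, out = rules[:-1], []
    while len(out) < len(body):
        eligible = [r for r in body if r not in out
                    and all(p in out for p in body[:body.index(r)] if conflicts(p, r))]
        out.append(max(eligible, key=lambda r: hits[r[0]]))
    return out + [rules[-1]]

def avg_comparisons(rules, trace):
    return sum(evaluate(rules, p)[1] for p in trace) / len(trace)
```

On this trace the average number of comparisons drops from 3.55 to about 1.88 while r1 stays ahead of the r2 it conflicts with; the default-rule traffic still costs a full scan, which is the cost the thesis's second method targets.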
Keywords/Search Tags: statistic analysis, reorder rule set, default rules, conflict detection, firewall