Firewall Policy Based On Decision Tree Algorithm Research

Posted on: 2010-06-20
Degree: Master
Type: Thesis
Country: China
Candidate: J J Liu
GTID: 2208360278969557
Subject: Communication and Information System

Abstract/Summary:
Firewalls are widely used security devices today. The firewall policy is the core through which a firewall realizes its predefined security policy. Current firewall policy algorithms have several flaws. Some anomaly detection algorithms can detect only a certain kind of anomaly, such as intersect conflicts; others place restrictions on the filter fields of the rules in a policy. Packet matching algorithms have not reached the circuit level and still need further optimization.

To detect all kinds of anomalies and remove those restrictions, after studying real-life policies and the algorithms that are successful in particular aspects, we developed a conflict detection and elimination algorithm, named CDE, and validated it in practice through experiment.

Through the study of IP field representation techniques, we proposed a new trie structure called LE-Trie, which can serve as the data structure for IP prefixes and has the property of lazy extending, designed for quick search and lower space demand. The LE-Trie can be used wherever IP prefixes need to be built, including in the CDE algorithm. To extend the Grid-of-tries to multi-dimensional use, we proposed a concept called relative weight. We proposed an algorithm named LE-GoT, which assigns relative weights to the rules in a policy and uses the LE-Trie in place of the usual trie structure, and we validated it by experiment.
Keywords/Search Tags: anomaly detection, trie, packet classification, lazy extend