
A Bidirectional Redundancy Deletion Approach To High-throughput Cooperative Firewall

Posted on: 2013-11-20
Degree: Master
Type: Thesis
Country: China
Candidate: L Ou
GTID: 2248330395485284
Subject: Software engineering
Abstract/Summary:
As networks grow larger and their structure becomes more complex, the demands placed on network security change with them. Internal networks such as intranets require a firewall that can defend fully and actively against both external and internal network attacks. Existing firewalls, whether centralized or distributed, do guard against external or internal attacks, but mainly through passive defense. Cooperative firewalls, a new type of firewall, have therefore emerged; with them, network attacks can be defended against fully and actively.

A cooperative firewall consists of multiple single firewalls in a one-domain or cross-domain network that filter packets cooperatively. A large number of studies have shown that cooperative firewalls contain redundant rules, and these rules reduce the performance of the cooperative firewall. With the throughput of the cooperative firewall in mind, we discuss how to remove its redundant rules. The main research contents are as follows.

1. Considering the placement of the cooperative firewall in the network, we divide cooperative firewalls into two categories, one-domain cooperative firewalls and cross-domain cooperative firewalls, and briefly describe the structural characteristics of each type separately.

2. Based on the working mechanism of the cooperative firewall, we propose a bidirectional redundancy deletion approach for high-throughput cooperative firewalls. The method describes the firewall rules with the all-matched FDD and optimizes the cooperative firewall by deleting redundant rules in the entry and exit firewalls simultaneously, thereby reducing the number of cooperative firewall rules. The method has four steps. For the first and second steps, i.e. extracting valid rules and extracting false valid rules, the definition of overlapping rules is used to design the VRE algorithm and the FVRE algorithm. For the fourth step, i.e. bidirectional redundancy deletion, the problem of determining which rules are redundant is reduced to a comparison of numerical values, and on this basis we design the RRV algorithm to ensure that the bidirectional redundancy deletion approach proceeds smoothly. The experimental results show that the proposed method effectively removes redundant rules from the cooperative firewall and reduces the number of rules; the average total redundancy ratio is twice that of the existing redundancy deletion approach. Using this approach to optimize the cooperative firewall improves its throughput by 8.2%.

3. To analyze and design a firewall analysis tool, the bidirectional redundancy deletion approach and a C# three-tier architecture are adopted. We present the overall design, functional design and interface design of this tool and implement functions such as the ACL analysis center, user management and configuration management.
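The following added example is not from the thesis and does not implement its VRE, FVRE or RRV algorithms or the all-matched FDD; it only makes the notion of a redundant rule in an entry/exit cooperative firewall concrete, over a constructed, deliberately tiny packet universe, by checking exhaustively whether dropping a rule changes any decision. It also shows why rules in the two firewalls must be deleted one at a time: two rules that are each redundant on their own (r0 in the entry firewall and e0 in the exit firewall below) cover the same packets and cannot both be removed.

```python
from itertools import product
# Constructed universe (addresses 0..7, ports 0..3) small enough to test every packet.
# A rule is (src set, dst set, port set, action): the first match decides, else deny.
ADDRS, PORTS = range(8), range(4)
PACKETS = list(product(ADDRS, ADDRS, PORTS))

def decide(rules, pkt):
    src, dst, port = pkt
    for rs, rd, rp, action in rules:
        if src in rs and dst in rd and port in rp:
            return action
    return "deny"

def cooperative_decide(entry, exit_, pkt):
    # Entry and exit firewalls in series: a packet passes only if both accept it.
    return "deny" if decide(entry, pkt) != "accept" else decide(exit_, pkt)

def redundant_indices(rules, decision):
    """Indices whose rule can be dropped without changing decision(rules, pkt) for
    any packet; `decision` is decide (one firewall alone) or a cooperative_decide
    closure (the pair), so the same check finds local and cooperative redundancy."""
    base = [decision(rules, p) for p in PACKETS]
    return [i for i in range(len(rules))
            if all(decision(rules[:i] + rules[i + 1:], p) == b
                   for p, b in zip(PACKETS, base))]

def prune(entry, exit_):
    """Delete one redundant rule at a time and re-check after each deletion: rules
    that are each redundant on their own (r0 and e0 below) must not both go."""
    entry, exit_ = list(entry), list(exit_)
    while True:
        hit = redundant_indices(entry, lambda r, p: cooperative_decide(r, exit_, p))
        if hit:
            del entry[hit[0]]
            continue
        hit = redundant_indices(exit_, lambda r, p: cooperative_decide(entry, r, p))
        if not hit:
            return entry, exit_
        del exit_[hit[0]]

def equivalent(entry_a, exit_a, entry_b, exit_b):
    return all(cooperative_decide(entry_a, exit_a, p) ==
               cooperative_decide(entry_b, exit_b, p) for p in PACKETS)

# Constructed rule sets, not taken from the thesis.
ENTRY = [(range(0, 4), ADDRS, PORTS, "deny"),        # r0: block sources 0-3
         (range(0, 2), ADDRS, range(0, 2), "deny"),  # r1: shadowed by r0
         (ADDRS, ADDRS, PORTS, "accept")]            # r2: accept the rest
EXIT = [(range(0, 4), range(4, 8), PORTS, "deny"),   # e0: needed alone, dead behind r0
        (ADDRS, range(4, 8), PORTS, "accept")]       # e1: reach destinations 4-7
```

Checking each firewall alone finds only r1; checking the pair also finds e0 (never reached behind r0) and r0 (already covered by the exit side), and `prune` keeps the pair equivalent while cutting five rules to three.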
Keywords/Search Tags: Cooperative Firewall, Redundant Rules, Bidirection, Throughput, ACL Rules