
Optimization Technology On Packet Filtering Of Firewall

Posted on: 2014-08-03  Degree: Master  Type: Thesis
Country: China  Candidate: C X Ni  Full Text: PDF
GTID: 2268330422965628  Subject: Computer application technology
Abstract/Summary:
Firewall technology is one of the primary elements of network security. It plays an important role in guaranteeing information security and has been widely deployed in enterprise networks. According to its built-in rules, a firewall decides the action (accept or drop) for each arriving packet. Optimizing packet filtering technology, enhancing the ability to defend against network attacks, and improving the packet filtering speed are therefore of real practical significance.

In this thesis we focus on the optimization of packet filtering and propose two novel optimization schemes for packet filtering in firewalls; both also adapt to the next-generation Internet (IPv6). The goal of these schemes is to defend better against cyber attacks and to improve the processing speed of the firewall. In summary, the work of this dissertation includes the following aspects:

(1) The combination of traditional firewall packet filtering with path identification (Pi): CTFPi.
By analysing the defects of current firewall packet filtering schemes, and after extensive research, we find that Pi can be integrated into the traditional packet filtering mechanism. We therefore propose CTFPi, a new method for firewall packet filtering. With CTFPi, firstly, packet filtering is moved from the victim host to the firewall, which reduces the burden on the victim host. Secondly, the destination host is placed inside the security domain, so packets that have passed through the firewall no longer need to be validated again by the host, and the packet transmission rate can therefore be increased. Moreover, combining the two defensive technologies improves the security performance of the network. Simulations show that the CTFPi scheme defeats attacks better and greatly improves the filtering rate. Compared with traditional packet filtering methods, the proposed scheme adapts better to high-speed networks and protects the host well.

(2) The optimization of rule searching based on a multi-tree and a dual index: MTADIS.
We first apply a statistical analysis strategy to a large volume of firewall log files and extract two main characteristics: the finite set of values taken by the protocol field, and the aggregability of the IP address field. Based on the extracted features, and combining an index strategy with a multi-tree, we propose MTADIS, a firewall rule search scheme that is superior in both time and space. On the one hand, we try to correct the deficiencies of existing schemes while building on their strengths; on the other hand, by considering the combination with IPv6, the scheme provides good scalability for application in the next-generation Internet. A large number of simulations show that, compared with the previous scheme, both the preprocessing time and the average filtering time are greatly reduced. We consider the MTADIS scheme better adapted to fast and complex networks.

In conclusion, this dissertation analyses the theoretical models, presents the practical significance of the proposed schemes, and then conducts simulation experiments to validate their effectiveness. Shortcomings still exist in these schemes, however. Our future work will focus on these deficiencies, improve the proposed schemes, and make the firewall better adapted to network security needs.
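The abstract names the two rule-set characteristics MTADIS exploits (a protocol field with few distinct values, and IP address fields that aggregate into prefixes) but does not give the data structure itself. The following is an added illustration, not the thesis's own scheme or code: a first index keyed on the protocol value, a second index that is a binary prefix tree over destination prefixes (one tree per protocol and address family, so IPv4 and IPv6 rules coexist), and a check that the indexed lookup returns the same first-matching rule as a linear scan of the ordered rule list. The rule set and packets are constructed for the example; the field layout (priority, protocol, source, destination, action) is an assumption.

```python
"""Protocol-keyed, prefix-tree rule lookup for a first-match packet filter,
compared against a linear scan. Rules and packets are constructed for this
illustration; the rule format is an assumption, not the thesis's scheme."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Rule:
    prio: int       # lower value = earlier in the ordered list (first match wins)
    proto: str      # 'tcp', 'udp', 'icmp' or 'any'
    src: Net
    dst: Net
    action: str     # 'accept' or 'drop'

    def matches(self, proto: str, src: Addr, dst: Addr) -> bool:
        # 'in' on mixed address families returns False, so IPv4 rules never match IPv6 packets
        return self.proto in ('any', proto) and src in self.src and dst in self.dst


def linear_match(rules: List[Rule], proto: str, src: Addr, dst: Addr) -> Optional[Rule]:
    """Baseline: walk the ordered list and stop at the first rule that fits."""
    for r in sorted(rules, key=lambda r: r.prio):
        if r.matches(proto, src, dst):
            return r
    return None


class _Node:
    __slots__ = ("children", "rules")

    def __init__(self) -> None:
        self.children: Dict[int, "_Node"] = {}
        self.rules: List[Rule] = []


class PrefixTree:
    """Binary trie over destination prefixes. A rule sits at the node reached after
    consuming exactly its prefix bits, so every rule whose destination prefix
    contains an address lies on that address's root-to-leaf walk."""

    def __init__(self, width: int) -> None:
        self.width = width          # 32 for IPv4, 128 for IPv6
        self.root = _Node()

    def insert(self, rule: Rule) -> None:
        node, net_int = self.root, int(rule.dst.network_address)
        for i in range(rule.dst.prefixlen):
            node = node.children.setdefault((net_int >> (self.width - 1 - i)) & 1, _Node())
        node.rules.append(rule)

    def candidates(self, dst: Addr) -> List[Rule]:
        a, node = int(dst), self.root
        out = list(node.rules)      # rules with a /0 destination live at the root
        for i in range(self.width):
            node = node.children.get((a >> (self.width - 1 - i)) & 1)
            if node is None:
                break
            out.extend(node.rules)
        return out


class IndexedRuleSet:
    """Index 1: protocol value (a small finite set). Index 2: a destination prefix
    tree per (protocol, address family). Only the candidates from the tree walk are
    checked on the remaining fields; the lowest prio wins, keeping first-match semantics."""

    def __init__(self, rules: List[Rule]) -> None:
        self.trees: Dict[Tuple[str, int], PrefixTree] = {}
        for r in rules:
            key = (r.proto, r.dst.version)
            self.trees.setdefault(key, PrefixTree(r.dst.max_prefixlen)).insert(r)

    def match(self, proto: str, src: Addr, dst: Addr) -> Optional[Rule]:
        cands: List[Rule] = []
        for p in (proto, 'any'):    # protocol-specific rules plus wildcard-protocol rules
            tree = self.trees.get((p, dst.version))
            if tree is not None:
                cands.extend(tree.candidates(dst))
        hits = [r for r in cands if src in r.src]
        return min(hits, key=lambda r: r.prio, default=None)


N, A = ipaddress.ip_network, ipaddress.ip_address
RULES = [  # constructed sample rule set, ordered by prio
    Rule(10, 'tcp',  N('192.168.1.0/24'), N('10.1.2.0/24'),   'accept'),
    Rule(20, 'tcp',  N('0.0.0.0/0'),      N('10.0.0.0/8'),    'drop'),
    Rule(30, 'udp',  N('192.168.0.0/16'), N('10.0.0.0/8'),    'accept'),
    Rule(40, 'icmp', N('0.0.0.0/0'),      N('0.0.0.0/0'),     'drop'),
    Rule(50, 'any',  N('::/0'),           N('2001:db8::/32'), 'accept'),
    Rule(90, 'any',  N('0.0.0.0/0'),      N('0.0.0.0/0'),     'drop'),
    Rule(91, 'any',  N('::/0'),           N('::/0'),          'drop'),
]
PACKETS = [  # constructed sample packets: (proto, src, dst)
    ('tcp',  A('192.168.1.5'), A('10.1.2.9')),     # prio 10 -> accept
    ('tcp',  A('192.168.2.5'), A('10.1.2.9')),     # prio 20 -> drop
    ('udp',  A('192.168.2.5'), A('10.9.9.9')),     # prio 30 -> accept
    ('udp',  A('172.16.0.1'),  A('10.9.9.9')),     # prio 90 -> drop (default)
    ('icmp', A('8.8.8.8'),     A('192.168.1.1')),  # prio 40 -> drop
    ('tcp',  A('2001:db8::1'), A('2001:db8::2')),  # prio 50 -> accept (IPv6)
]


def decide_all(ruleset: IndexedRuleSet) -> List[str]:
    return [ruleset.match(*pkt).action for pkt in PACKETS]


def indexed_agrees_with_linear() -> bool:
    rs = IndexedRuleSet(RULES)
    return all(rs.match(*p) == linear_match(RULES, *p) for p in PACKETS)


if __name__ == "__main__":
    print(decide_all(IndexedRuleSet(RULES)), indexed_agrees_with_linear())
```

The equivalence check is the part worth keeping when building anything like this for real: an index that returns the lowest-priority candidate among all covering prefixes is only correct because every rule whose destination prefix contains the packet lies on the trie walk; an optimization that skipped shorter prefixes once a longer one matched would silently change first-match semantics.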
Keywords/Search Tags: Firewall, Pi, Packet Filtering, Rule Optimization, Multi-tree, Dual-index