| Network technology greatly facilitates people's life, but the network security problems also bring great threat to people. A firewall is one of the important measures to protect the safety of network, and firewall configuration strategy is the core of its function.Firewall policy configuration is correct and the reasonable directly affect the performance of the firewall.Add rules to the firewall configuration strategies often cause new rules conflict in firewall, at the same time, the existence of the redundant rules in firewall will increase the packet matching time, Both will severely degrade the performance of the firewall.So in the above two cases,this article focuses on the following two key techniques:A major cause of firewall policy error is the change of firewall configuration strategy,with the development of the network changes and new network security problems happen, in order to allow or protect some new service's operation, users who use the firewall often need the administrator modify the original set of rules. This paper propose the trie algorithm for analysis of firewall policy change effect. This algorithm takes the original firewall strategy and a new added rule as input and submit to the administrator of the precise effect changes of the original firewall strategy. The administrator can evaluate the firewall according to the effect changes to rethink of the position of the new rule or whether there is a need to add it.Cause of the packets matches with the firewall by order, therefore the key method to improve the efficiency of packets matching is reducing the firewall rules set. As enterprises'scale gradually increase, the firewall rules can reach hundreds or even thousands of, to make matters worse, one firewall policy may be configured be different administrators. So the redundant rules are inevitable. Current firewall redundancy detection research mostly between every two rules, it is difficult to detect the hidden redundant rules between multiple rules. |
PDF Full Text Request