A Classification for Access Control List To Speed Up Packet-Filtering Firewall

CHEN FAN
970349
Student of University of Bridgeport
chenfan@my.bridgeport.edu

LONG TAN
955176
Student of University of Bridgeport
longtan@my.bridgeport.edu

RAWAD
984335
Student of University of Bridgeport
Rf2030@hotmail.com

Abstract—A packet-filtering firewall inspects the header of each packet in a data flow and decides the fate of the whole packet: it may discard it (DROP), let it through (ACCEPT), or take other, more complex actions. A traditional packet-filtering firewall matches each new client request against the rules of the ACL (Access Control List) one by one, which adds response delay and slows down data access. In recent years the number of network users has kept growing and users expect to reach network data faster and faster, so improving the filtering speed of the packet-filtering firewall has become especially important. In this paper, starting from traditional packet-filtering firewall technology and from the nature and requirements of computer network security, we change the architecture of the packet-filtering firewall to improve its response speed. Keeping the traditional packet-filtering firewall, we classify existing similar rules into a set and use a header to represent that set of rules. When a new client request arrives, it does not have to be compared with the rules one by one, as in the TPF (Traditional Packet-Filtering Firewall); it only has to be compared with a few headers. We call this the NPF (New Packet-Filtering Firewall) and argue that it improves the speed of packet filtering.

Keywords-component; packet; filter; firewall; classification

I. INTRODUCTION

Firewall products using this technology filter packets at an appropriate point in the network: they check the source address, destination address, TCP port numbers, link status and other fields of each packet, then, according to a predefined set of rules, allow legitimate packets through the firewall into the internal network and drop the rest. Because routers usually sit at the junction between networks with different security requirements and security policies, packet filtering can be applied there to admit only authorized traffic into the router. Adding packet-filtering firewall functions to the existing routing infrastructure is therefore an economical use of these routers. As the name suggests, packet filtering discards specified packets during the routing process. The decision is usually based on the contents of a single packet's headers (such as source address, destination address, protocol, port, etc.).
With computer networking and globalization, many activities of people's daily lives are gradually moving onto the network, and Internet technology has penetrated every aspect of social life. As information technology develops and computer and communication technology are applied more widely in various fields, network security problems have gradually come to light and attract more and more attention. According to surveys, the annual economic losses caused by computer network security incidents worldwide are around tens of billions of dollars, so research on network and information security has emerged and covers an increasingly wide range. New industries, forms of cooperation and business models keep appearing as the world moves rapidly into the Internet age, and existing enterprise networks, with their wide variety of systems and platforms, face new security challenges. The digital age has brought network applications into all areas of society and given people great convenience; the continuous development of Internet technology and its applications has combined computing, communications and information processing into a large and complex network information system, and in such systems communications security, computer security, operational security and information security have become the problems people care about most.
Fig.1 Traditional firewall work model
A packet-filtering firewall has all the functions of a basic firewall, but it is designed to control network packets according to what clients request and to block unhelpful connections.
II. BACKGROUND

A. ACL

An ACL (Access Control List) is a list of router interface commands that controls which packets enter and leave a port. ACLs apply to all routed protocols, such as IP, IPX, AppleTalk and so on.

Communication between internal and external information points is an essential business need; to guarantee the security of the network, the security policy must be protected from unauthorized users. In a word, an ACL can filter network traffic, and it is a good technology for controlling access flow.

An ACL can limit network traffic and improve network performance. For example, an ACL can assign packet priority according to the protocol.

An ACL provides traffic control measures. For example, an ACL can limit or simplify the length of routing update messages.

An ACL provides an access authentication method. For example, an ACL can allow host A to access the human-resources network and refuse host B access to it.

Fig.2 A traditional Access Control List

B. ACL Work Model

Fig.2 shows a typical access control list in which many filtering rules are defined. Each rule has five fields: the permit or deny type, the protocol, a source address, a destination address and a flag function for fine-tuning. Each field may be a single value or a range of allowable matches. If a field such as an address, protocol or flag is absent, the rule matches a packet with any value in that field. An ACL is interpreted as if its rules were processed in sequential order from the top: each incoming packet is tested against the first rule; if it matches, it is passed or blocked accordingly and no further rules are considered; otherwise it is tested against the second rule, and so on. There is normally a default rule at the end that lets most packets pass.

Fig.3 Default rule
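The sequential first-match evaluation described above, as an added example in Python (not code from the paper): the rule and packet formats, the three constructed rules and the `evaluate` function are assumptions made for this illustration, and addresses are written as CIDR ranges rather than in the Fig.2 notation.

```python
# Added example (not from the paper): first-match evaluation of a five-field ACL.
# Rule fields follow Fig.2 (permit/deny, protocol, source, destination, flag);
# "any" stands for an absent field and matches every value. All rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    protocol: str        # "tcp", "udp", "icmp" or "any"
    source: str          # CIDR range or "any"
    destination: str     # CIDR range or "any"
    flag: str = "any"    # fine-tuning flag, e.g. "established", or "any"


def field_matches(rule_value, packet_value):
    """A rule field matches when it is absent ("any") or equal to the packet's value."""
    return rule_value == "any" or rule_value == packet_value


def addr_matches(rule_cidr, packet_addr):
    """Address fields are ranges: an absent field, or a CIDR block containing the address."""
    return rule_cidr == "any" or ip_address(packet_addr) in ip_network(rule_cidr, strict=False)


def rule_matches(rule, pkt):
    return (field_matches(rule.protocol, pkt["protocol"])
            and addr_matches(rule.source, pkt["src"])
            and addr_matches(rule.destination, pkt["dst"])
            and field_matches(rule.flag, pkt.get("flag", "none")))


def evaluate(acl, pkt, default="permit"):
    """Test the packet against each rule from the top; the first match decides.
    Returns (action, index of the deciding rule); index is None when the default rule applied."""
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, index
    return default, None


# Constructed ACL: one deny rule ahead of two permit rules, plus the implicit default at the end.
ACL = [
    Rule("deny", "tcp", "10.0.0.0/8", "any"),
    Rule("permit", "tcp", "any", "192.168.1.10/32", "established"),
    Rule("permit", "udp", "any", "192.168.1.0/24"),
]

if __name__ == "__main__":
    pkt = {"protocol": "tcp", "src": "10.1.2.3", "dst": "192.168.1.10", "flag": "established"}
    print(evaluate(ACL, pkt))   # the deny rule is reached first, so rule 1 never sees this packet
```

Rule order is the whole semantics: the later permit for 192.168.1.10 never fires for a source inside 10.0.0.0/8 because the deny rule above it matches first. The `default` parameter makes the paper's point about the default rule explicit; a packet that matches nothing is passed with the permissive default the paper describes, and blocked only when the default is set to deny.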
III. PROPOSED METHOD

A. Introduction

As we know, an ACL (access control list) contains many rules, and these rules control which of the IPs that connect to us are passed or denied. The filter rules are based on the IP packet, which contains five basic elements: the protocol, source address, destination address, source port and destination port. But matching each IP address against the ACL rules one by one causes a lot of delay, so we want to use the NPF (new packet filtering) instead.
B. Model and Steps

Fig.4 NPF Model

First of all, the rules already exist in the ACL (set up by the administrator); what we do is make the ACL work more efficiently. We can classify some of the rules under a header. Assume we have a rule for the IP 168.10.0.1 (pass) and another for 168.10.0.* (pass); these two rules obviously overlap, so we can merge them into the single rule 168.10.0.* (pass). Other rules can be classified in the same way, such as equivalent rules, partially independent rules and cross-related rules. This helps the administrator configure the security policy and is a great convenience when the administrator inserts, deletes or modifies rules; it enhances the intelligence of the firewall.

Fig.5 Algorithm of classification

After we classify the rules we have a header that stands for all the rules classified under it. Then we keep a counter for each header that counts how many times the header has been matched during operation, as in Fig.6. Every time a header is matched its counter is incremented by 1, so we obtain an ordering of the headers by their counters: the most used headers have larger counts and the others have smaller counts. When a new IP arrives at the ACL we match it against the headers with larger counts first, since those are used more frequently, as in Fig.7. This saves time compared with matching the rules one by one.

Fig.6 Algorithm for separating headers

Fig.7 Different Level of headers

At the same time, there is a problem with our solution: the counter uses some of the router's memory to run and needs space to store the count of each rule. But we expect routers to have more memory and storage in the future, so everyone can benefit from more efficient packet filtering.

IV. SOFTWARE SIMULATION

A. Code

Fig.8 Software Layout

The whole program can be written in C# as a simulation. The program layout is shown in Fig.8. It includes the protocol, source IP address, destination IP address, source port, destination port, data length, packet length, IP version and packet count.

The software detects network IP addresses and packets and records them; the administrator can make a rule list and decide whether to let each packet through or drop it. After that, the program classifies the rules as described above. This reduces the system workload, increases the speed and makes the firewall more efficient.
using System;
using System.Collections.Generic;
using System.Management;
using System.Windows.Forms;

namespace SimpleSniff
{
    // SniffSocket (the authors' raw-socket capture wrapper) is not listed in the paper.
    public partial class SniffWindow : Form
    {
        private SniffSocket mySniffSocket;
        public static int index;

        // initialise the window
        public SniffWindow()
        {
            InitializeComponent();
            Control.CheckForIllegalCrossThreadCalls = false; // capture callbacks arrive on a worker thread
        }

        // on load: enumerate the local addresses and bind the sniffer to the first one
        private void SniffWindow_Load(object sender, EventArgs e)
        {
            ManagementObjectSearcher query = new ManagementObjectSearcher(
                "select * from Win32_NetworkAdapterConfiguration");
            ManagementObjectCollection querycollection = query.Get();
            List<string> ipStrings = new List<string>(); // was a fixed string[10]; a host may have more addresses
            foreach (ManagementObject mo in querycollection)
            {
                string[] temp = mo["IPAddress"] as string[];
                if (temp != null)
                {
                    foreach (string str in temp)
                    {
                        if (!string.IsNullOrEmpty(str))
                            ipStrings.Add(str);
                    }
                }
            }
            mySniffSocket = new SniffSocket();
            foreach (string ip in ipStrings)
            {
                cbbAddress.Items.Add(ip);
            }
            if (cbbAddress.Items.Count == 0)
            {
                MessageBox.Show(this, "No IP address found to bind to.");
                return;
            }
            cbbAddress.Text = cbbAddress.Items[0] as string;
            try
            {
                mySniffSocket.CreateAndBind(cbbAddress.Text);
            }
            catch (SniffSocket.SniffSocketException ex)
            {
                MessageBox.Show(this, ex.Message);
            }
            mySniffSocket.PacketArrival +=
                new SniffSocket.PacketArrivedEventHandler(mySniffSocket_PacketArrival);
        }

        void mySniffSocket_PacketArrival(object sender, SniffSocket.PacketArrivedEventArgs args)
        {
            BindlvResult(args);
        }

        // insert the result into the ListView; a packet from an already-listed source IP only bumps its count
        private void BindlvResult(SniffSocket.PacketArrivedEventArgs args)
        {
            bool isExist = false;
            // check whether the source IP (column 1) is already listed
            for (int j = 0; j < lvResult.Items.Count; j++)
            {
                ListViewItem lvi = this.lvResult.Items[j];
                if (lvi.SubItems[1].Text == args.OriginationAddress)
                {
                    // column 8 holds the packet count for this source
                    lvi.SubItems[8].Text = (int.Parse(lvi.SubItems[8].Text) + 1).ToString();
                    isExist = true;
                    break;
                }
            }
            if (!isExist)
            {
                ListViewItem lvi = new ListViewItem();
                lvi.Text = args.Protocol;                          // protocol type
                lvi.SubItems.Add(args.OriginationAddress);         // source IP
                lvi.SubItems.Add(args.DestinationAddress);         // destination IP
                lvi.SubItems.Add(args.OriginationPort);            // source port
                lvi.SubItems.Add(args.DestinationPort);            // destination port
                lvi.SubItems.Add(args.MessageLength.ToString());   // data length
                lvi.SubItems.Add(args.PacketLength.ToString());    // packet length
                lvi.SubItems.Add("IPv" + args.IPVersion);          // IP version
                lvi.SubItems.Add("1");                             // packet count
                lvResult.Items.Add(lvi);
            }
        }
    }
}
The whole simulation only accesses a few websites, such as baidu.com, youtube.com and facebook.com. It shows how many IP addresses pass through the TPF (Traditional Packet-Filtering Firewall) and through the NPF (New Packet-Filtering Firewall) in 10 seconds. If the NPF passes more IP addresses than the TPF in that time, this shows that the NPF is more efficient. After that, we compare the difference in speed between the TPF and the NPF.
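The classification of rules into headers and the hit-counter ordering of Section III.B, together with the TPF-versus-NPF comparison this simulation measures, as an added Python example that is not the paper's C# program. The rule list, the 100-packet traffic stream, the `Header` class and the `classify`, `safe_to_reorder`, `tpf_lookup`, `npf_lookup` and `simulate` functions are all constructed for this illustration; the folding logic goes beyond the paper's single 168.10.0.* example in that it also checks that merging and reordering never change a packet's verdict, and it counts rule comparisons instead of wall-clock time.

```python
# Added example (not the paper's code): headers for sets of same-action rules, a hit
# counter per header, most-hit-first matching, and a comparison count against TPF.
# Rule notation follows the paper: (action, dotted pattern with '*' wildcards).
# Every rule and packet below is constructed for the demonstration.

RULES = [
    ("pass", "168.10.0.1"),     # the paper's example: covered by the next rule
    ("pass", "168.10.0.*"),
    ("drop", "10.0.0.*"),
    ("drop", "10.0.0.7"),       # redundant with the rule above
    ("pass", "192.168.1.*"),
    ("pass", "192.168.1.20"),   # redundant with the rule above
    ("drop", "172.16.*.*"),
    ("pass", "8.8.8.8"),
]


def covers(general, specific):
    """True when every address matched by `specific` is also matched by `general`."""
    return all(g in ("*", s) for g, s in zip(general.split("."), specific.split(".")))


def overlaps(p, q):
    """True when at least one address matches both patterns."""
    return all(a == "*" or b == "*" or a == b for a, b in zip(p.split("."), q.split(".")))


class Header:
    """One header stands for a set of same-action rules; `pattern` is its widest member."""
    def __init__(self, action, pattern):
        self.action, self.pattern, self.members, self.hits = action, pattern, [pattern], 0


def classify(rules):
    """Fold rules into headers without changing first-match semantics: a rule already
    covered by an earlier same-action header is redundant; a wider same-action rule may
    widen an earlier header only if no different-action header that overlaps it sits between."""
    headers = []
    for action, pattern in rules:
        for i, h in enumerate(headers):
            if h.action != action:
                continue
            if covers(h.pattern, pattern):            # shadowed by the header: fold it in
                h.members.append(pattern)
                break
            if covers(pattern, h.pattern) and not any(
                    g.action != action and overlaps(g.pattern, pattern) for g in headers[i + 1:]):
                h.pattern = pattern                   # widen the header to the new rule
                h.members.append(pattern)
                break
        else:
            headers.append(Header(action, pattern))
    return headers


def safe_to_reorder(headers):
    """Counter-driven reordering keeps the verdicts only if no two headers overlap with different actions."""
    return not any(h.action != g.action and overlaps(h.pattern, g.pattern)
                   for i, h in enumerate(headers) for g in headers[i + 1:])


def tpf_lookup(rules, ip, default="pass"):
    """TPF: compare with the rules one by one. Returns (action, comparisons made)."""
    for n, (action, pattern) in enumerate(rules, 1):
        if covers(pattern, ip):
            return action, n
    return default, len(rules)


def npf_lookup(headers, ip, default="pass"):
    """NPF: compare with the headers in their current order; bump the counter of the match."""
    for n, h in enumerate(headers, 1):
        if covers(h.pattern, ip):
            h.hits += 1
            return h.action, n
    return default, len(headers)


def simulate(rules, traffic, allow_reorder=True, default="pass"):
    """Run the same traffic through TPF and NPF and total the comparisons each needed."""
    headers = classify(rules)
    reorder = allow_reorder and safe_to_reorder(headers)
    tpf_cmp = npf_cmp = 0
    agree = True
    for ip in traffic:
        if reorder:   # most-hit headers first; the stable sort leaves ties in place
            headers.sort(key=lambda h: -h.hits)
        a1, c1 = tpf_lookup(rules, ip, default)
        a2, c2 = npf_lookup(headers, ip, default)
        agree = agree and a1 == a2
        tpf_cmp += c1
        npf_cmp += c2
    return {"headers": len(headers), "reordered": reorder, "verdicts_agree": agree,
            "tpf_comparisons": tpf_cmp, "npf_comparisons": npf_cmp}


# Constructed 100-packet stream skewed toward one destination, like a client hitting a few sites.
TRAFFIC = ["8.8.8.8", "8.8.8.8", "192.168.1.20", "8.8.8.8", "10.0.0.7",
           "192.168.1.20", "8.8.8.8", "168.10.0.1", "172.16.5.5", "8.8.8.8"] * 10

if __name__ == "__main__":
    print(simulate(RULES, TRAFFIC))
    print(simulate(RULES, TRAFFIC, allow_reorder=False))
```

On this stream the eight rules collapse to five headers, and the counter ordering moves the busiest header to the front after the first few packets, so NPF needs 217 rule comparisons against 610 for TPF; with the same five headers left in their original order it still needs only 380. The two guards are the part a practitioner should keep: folding is only applied where the folded rule is provably dead or no conflicting rule lies between, and reordering is skipped when a pass header and a drop header overlap, because reordering those would change which verdict fires first.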
Fig.9 TPF(Traditional Packet-filtering firewall) result

Fig.10 NPF(New Packet-filtering firewall) result

B. Simulation Conclusion

According to Fig.9 and Fig.10, the NPF is more efficient than the TPF over the same period. We can draw a chart like Fig.11 to see the difference clearly.

Fig.11 Simulation Comparison

V. CONCLUSION

In this paper the problem of the large amount of time required to match a request against the rules in the ACL has been addressed. We have introduced a new approach for faster packet filtering in which a header stands in for a set of rules when matching any given packet, and applied it to real network traffic. We observe that the proposed method results in a significant improvement in packet matching time in packet filters: at least two times the speed of a traditional packet-filtering firewall that walks through the set of rules to find the matching rule for a packet.

At the same time there is still a problem: when the system is first used, it takes time to classify the rules, and it uses some of the router's memory to run and needs space to store the data, which may run into hardware resource limits. But we expect routers to have more memory and storage in the future, and we will continue to look for other solutions to the hardware resource limitation.