A Classification for Access Control List To Speed Up Packet-Filtering Firewall

CHEN FAN 970349, Student of University of Bridgeport, chenfan@my.bridgeport.edu
LONG TAN 955176, Student of University of Bridgeport, longtan@my.bridgeport.edu
RAWAD 984335, Student of University of Bridgeport, Rf2030@hotmail.com

Abstract—A packet-filtering firewall inspects the header of each packet that flows through it and decides the fate of the whole packet: it may discard the packet (DROP), accept it (ACCEPT, letting the packet through), or perform other, more complex actions. A traditional packet-filtering firewall matches each new client request against the rules of the ACL (Access Control List) one by one, which delays the response and slows down data access. In recent years the number of network users has kept growing and users want to access network data faster and faster, so improving the filtering speed of packet-filtering firewalls is especially important. In this paper, starting from traditional packet-filtering firewall technology and from the nature and requirements of computer network security, we change the architecture of the packet-filtering firewall to improve its response speed. Keeping the traditional packet filter, we classify existing similar rules into a set and use a header to represent that set of rules. When a new client request arrives, it does not need to be compared with the rules one by one as in the TPF (Traditional Packet-Filtering Firewall); it only needs to be compared with a few headers. We call this the NPF (New Packet-Filtering Firewall), and we argue that it improves the speed of packet filtering.

Keywords: packet; filter; firewall; classification

I. INTRODUCTION

Firewall products using this technology filter packets at an appropriate point in the network: they check the source address, destination address, TCP port numbers, link status and other fields of each packet and then, according to a predefined set of rules, allow logical packets through the firewall into the internal network and delete the illogical ones. Because routers usually sit at the junctions between network segments with different security requirements and security policies, packet filtering can be applied there, where possible, to allow only authorized traffic into the router. Adding packet-filtering firewall functions to the existing routing infrastructure on these routers is an economical way to use them. As the name suggests, packet filtering discards specified packets during the routing process. The decision is usually based on the contents of a single packet's header (such as source address, destination address, protocol, port, etc.).

With computer networking and globalization, many activities of people's daily lives are gradually moving onto the network. Internet technology has penetrated every aspect of human social life. As information technology networks become more widely used, with computer and communication technology applied in many fields, network security problems have gradually emerged and attract more and more attention. According to surveys, the annual economic losses caused by computer network security problems worldwide amount to tens of billions of dollars, so research on network and information security has emerged and covers an increasingly wide range.
New industries, forms of cooperation and business models are emerging and the world is rapidly entering the Internet age; existing enterprise networks, which include a wide variety of systems and platforms, face new security challenges. The arrival of the digital age has pushed network applications into all areas of society and brought people great convenience. The continuous development of Internet technology and its applications has turned computing, communication and information processing into large and complex networked information systems, and in these systems communications security, computer security, operational security and information security have become the problems people are most concerned about.

Fig.1 Traditional firewall work model

Packet-filtering firewalls have all the functions of a basic firewall, but they are designed to control network packets as clients request them and to shield unhelpful connections.

II. BACKGROUND

A. ACL

An ACL (Access Control List) is a list of router command-interface instructions that controls the packets entering and leaving a port. ACLs apply to all routed protocols, such as IP, IPX, AppleTalk and so on. Communication between internal and external information points is an essential business need; to guarantee the security of the network, the security policy must be protected from non-authorized users. In a word, an ACL can filter network traffic, and it is a good technology for controlling access flow. An ACL can limit network traffic and improve network performance; for example, according to the protocol, an ACL can specify packet priority. An ACL provides traffic control measures; for example, it can limit or simplify the length of update messages. An ACL provides an access authentication method: it can allow host A to access the human resources network while refusing host B access to it.

Fig.2 A traditional Access Control List

Fig.3 Default rule
B. ACL Work Model

Fig.2 shows a typical access control list in which many filtering rules are defined. The rules have five fields: the permit or deny type, the protocol, a source address, a destination address and a flag field for fine-tuning. Each parameter may be a single value or a range of allowable matches. If a field such as an address, protocol or flag is absent, the rule matches a packet with any value in that field. An ACL is interpreted by processing its rules in sequential order from the top: each incoming packet is tested against the first rule; if it matches, it is passed or blocked accordingly and no further rules are considered; otherwise it is tested against the second rule, and so on. There is normally a default rule that lets most packets pass.

III. PROPOSED METHOD

A. Introduction

As we know, there are many rules in ACLs (access control lists), and these rules help us control (pass or deny) the IP addresses that connect to us. The filter rules are established on the IP packet, which contains five basic elements: the protocol, source address, destination address, source port and destination port. But if we match the IP address against the ACL rules one by one, it causes a lot of delay, so we want to use the NPF (new packet filtering).

B. Model and steps

Fig.4 NPF Model

Fig.5 Algorithm of classification

First of all, the rules already exist in the ACLs (set up by the administrator); what we do is make the ACLs work more efficiently. We can classify some of the rules under one header. Assume we have a rule about the IP 168.10.0.1 (pass) and another about the IP 168.10.0.* (pass); obviously these two rules are redundant, so we can merge them into the single rule 168.10.0.* (pass). Other rules can be classified in the same way: equivalent rules, partially unrelated rules and cross-related rules. This helps the administrator configure the security policy, provides great convenience when the administrator inserts, deletes or modifies rules, and enhances the intelligence of the firewall.

Fig.6 Algorithm for separating headers

After we classify the rules we have a header that keeps all the rules classified under it. Then we add a counter that counts how many times each header is matched during operation, as in Fig.6. Every time a header is matched its counter is increased by 1, so we obtain an ordering of the headers by their counters: the most used headers have a larger number and the others a smaller number. When a new IP arrives at the ACLs, we match it against the headers with the larger numbers first, since those are used more frequently, as in Fig.7. This saves time compared with matching the rules one by one.

Fig.7 Different Level of headers

At the same time, there is a problem with our solution: the counter uses some of the router's memory to run and needs some space to store the number of each rule. But we think routers will have more memory and space in the future, and everyone can benefit from more efficient packet filtering.

IV. SOFTWARE SIMULATION

A. Code

Fig.8 Software Layout

The whole program uses C# to simulate the process. The program layout is like Fig.8. It includes protocol, source IP address, destination IP address, source port, destination port, data length, packet length, IP version and packet count. The software detects network IP addresses and packets and records them; the administrator can then make a rule list and decide whether to let each packet through or drop it. After that, the program classifies the rules as described above. This reduces the system workload, increases the speed and makes filtering more efficient.
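The classification and counter scheme of Section III.B, as an added Python example that is not the paper's code or its C# simulation: rules are folded into headers, lookups try the most-hit headers first, and a conflicts check verifies the assumption the scheme relies on, namely that no two overlapping rules carry different actions, since otherwise hit-count ordering could change which action a packet receives. The ACL below is constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample ACL (not the paper's): (action, source prefix); first match wins, last is default.
ACL = [
    ("pass", "168.10.0.1/32"),
    ("pass", "168.10.0.0/24"),  # covers the /32 above, the paper's 168.10.0.* case
    ("drop", "10.0.0.0/8"),
    ("drop", "10.1.2.3/32"),
    ("pass", "192.168.1.0/24"),
    ("drop", "0.0.0.0/0"),
]

def conflicts(acl):
    """Overlapping rule pairs with different actions. Non-empty means the ACL is order-dependent,
    so matching headers by hit count instead of top-down could change a packet's fate."""
    nets = [(a, ip_network(p)) for a, p in acl[:-1]]
    return [(nets[i][1], nets[j][1]) for i in range(len(nets)) for j in range(i + 1, len(nets))
            if nets[i][0] != nets[j][0] and nets[i][1].overlaps(nets[j][1])]

def classify(acl):
    """Fold each non-default rule into a header: one action, one covering prefix, a hit counter.
    Overlapping IPv4 prefixes are nested, so the wider prefix becomes the header's prefix."""
    headers = []
    for action, pfx in acl[:-1]:
        net = ip_network(pfx)
        for h in headers:
            if h["action"] == action and net.overlaps(h["net"]):
                h["net"] = net if h["net"].subnet_of(net) else h["net"]
                h["rules"].append(pfx)
                break
        else:
            headers.append({"action": action, "net": net, "rules": [pfx], "hits": 0})
    return headers

def tpf_lookup(acl, ip):
    """TPF: walk the rules top-down. Returns (action, number of rules compared)."""
    addr = ip_address(ip)
    for n, (action, pfx) in enumerate(acl, 1):
        if addr in ip_network(pfx):
            return action, n
    raise ValueError("ACL has no default rule")

def npf_lookup(headers, default, ip):
    """NPF: try headers in descending hit-count order (Fig.7), bump the counter of the match."""
    addr = ip_address(ip)
    for n, h in enumerate(sorted(headers, key=lambda h: h["hits"], reverse=True), 1):
        if addr in h["net"]:
            h["hits"] += 1
            return h["action"], n
    return default, len(headers) + 1
```

Run `conflicts(ACL)` before deploying the header order; only an empty result makes the counter-driven reordering safe to apply to a first-match ACL.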
using System;
using System.Collections.Generic;
using System.Management;
using System.Windows.Forms;

namespace SimpleSniff
{
    public partial class SniffWindow : Form
    {
        // SniffSocket is the project's raw-socket capture class; its source is not reproduced here.
        private SniffSocket mySniffSocket;
        public static int index;

        // initial window
        public SniffWindow()
        {
            InitializeComponent();
            // Disables the cross-thread UI check so the capture thread can update the ListView
            // directly; marshalling the update through Invoke would be the safer choice.
            Control.CheckForIllegalCrossThreadCalls = false;
        }

        // create window: enumerate the local IP addresses and bind the sniffing socket to one
        private void SniffWindow_Load(object sender, EventArgs e)
        {
            ManagementObjectSearcher query = new ManagementObjectSearcher("select * from Win32_NetworkAdapterConfiguration");
            ManagementObjectCollection querycollection = query.Get();
            List<string> IPString = new List<string>();
            string[] temp;
            foreach (ManagementObject mo in querycollection)
            {
                temp = mo["IPAddress"] as string[];
                if (temp != null)
                {
                    foreach (string str in temp)
                    {
                        if (str != "") IPString.Add(str);
                    }
                }
            }
            mySniffSocket = new SniffSocket();
            foreach (string ip in IPString)
            {
                cbbAddress.Items.Add(ip);
            }
            if (cbbAddress.Items.Count == 0)
            {
                MessageBox.Show(this, "No IP address found");
                return;
            }
            cbbAddress.Text = cbbAddress.Items[0] as string;
            try
            {
                mySniffSocket.CreateAndBind(cbbAddress.Text);
            }
            catch (SniffSocket.SniffSocketException ex)
            {
                MessageBox.Show(this, ex.Message);
            }
            // subscribe to the packet-arrival event
            mySniffSocket.PacketArrival += new SniffSocket.PacketArrivedEventHandler(mySniffSocket_PacketArrival);
        }

        void mySniffSocket_PacketArrival(object sender, SniffSocket.PacketArrivedEventArgs args)
        {
            BindlvResult(args);
        }

        // insert the result into the ListView
        private void BindlvResult(SniffSocket.PacketArrivedEventArgs args)
        {
            bool IsExist = false;
            // recognize whether the source IP already exists; if so, bump its packet count
            for (int j = 0; j < lvResult.Items.Count; j++)
            {
                ListViewItem lvi = this.lvResult.Items[j];
                if (lvi.SubItems[1].Text == args.OriginationAddress)
                {
                    lvi.SubItems[8].Text = (int.Parse(lvi.SubItems[8].Text) + 1).ToString();
                    IsExist = true;
                    break;
                }
            }
            if (IsExist == false)
            {
                ListViewItem lvi = new ListViewItem();
                lvi.Text = args.Protocol; // protocol type
                lvi.SubItems.Add(args.OriginationAddress);
                lvi.SubItems.Add(args.DestinationAddress);
                lvi.SubItems.Add(args.OriginationPort);
                lvi.SubItems.Add(args.DestinationPort);
                lvi.SubItems.Add(args.MessageLength.ToString());
                lvi.SubItems.Add(args.PacketLength.ToString());
                lvi.SubItems.Add("IPv" + args.IPVersion);
                lvi.SubItems.Add("1"); // packet count
                lvResult.Items.Add(lvi);
            }
        }
    }
}

The simulation only accesses a few websites, such as baidu.com, youtube.com and facebook.com. It shows how many IP addresses pass in 10 seconds using the TPF (Traditional Packet-Filtering Firewall) and the NPF (New Packet-Filtering Firewall). If the NPF passes more IP addresses than the TPF, that proves the NPF is more efficient. After that, we compare the speed difference between TPF and NPF.

Fig.9 TPF (Traditional Packet-filtering firewall) result

Fig.10 NPF (New Packet-filtering firewall) result

B. Simulation Conclusion

According to Fig.9 and Fig.10, the NPF is more efficient than the TPF over the same time. We can draw a chart like Fig.11 to see the difference clearly.

Fig.11 Simulation Comparison

V. CONCLUSION

In this paper the problem of the large amount of time required to match a request against the rules in the ACL has been solved. We have introduced a new approach for faster packet filtering, in which a header stands in for a set of rules when matching any given packet, and applied it in a real network. We observed that the proposed method yields a significant improvement in packet-matching time in packet filters: at least twice the speed of a traditional packet-filtering firewall that browses through the set of rules to find the one matching a packet. At the same time there is also a problem: when the system is first used, it takes time to classify the rules, and it uses some of the router's memory and needs space to store the data, which may run into hardware resource limits. We think routers will have more memory and space in the future, and we will continue to look for other solutions to the hardware resource problem.