Firewalls are crucial elements that enhance network security by examining the field values of every packet and deciding whether to accept or discard the packet according to the firewall policy. As networks have grown, the number of rules in firewalls has rapidly increased, which in turn degrades network performance. In addition, because most real-life firewalls are plagued with policy conflicts, malicious traffic can be allowed or legitimate traffic can be blocked. Given the complexity of firewall policies, it is therefore very important to reduce the number of rules in a firewall while keeping the rule semantics unchanged and the resulting rule set conflict-free. In this study, we make three major contributions. First, we present a new approach in which a geometric model, the multidimensional rectilinear polygon, is constructed for the firewall rule compression problem. Second, we propose a new scheme, Firewall Policies Compression (FPC), to compress multidimensional firewall rules based on this geometric model. Third, we conducted extensive experiments to evaluate the performance of the proposed method. The experimental results demonstrate that the FPC method outperforms the existing approaches in terms of compression ratio and efficiency while maintaining conflict-free firewall rules.
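As an added illustration of the problem the abstract describes (this is not code from the paper), the following toy Python models firewall rules as axis-aligned boxes over two discretised packet fields, so that the set of accepted packets under first-match semantics is a rectilinear polygon; it checks semantic equivalence of two rule lists, detects shadowed rules, and covers the accept polygon with a greedy maximal-box heuristic. The greedy cover, the field ranges and the sample policy are my own assumptions and are not the FPC scheme.

```python
from itertools import product

# Constructed 2-field space (say src_port x dst_port, discretised to 0..7).
FIELD_RANGES = ((0, 7), (0, 7))

def _points():
    return product(*(range(lo, hi + 1) for lo, hi in FIELD_RANGES))

def _in_box(pkt, box):
    return all(lo <= v <= hi for v, (lo, hi) in zip(pkt, box))

def first_match(pkt, rules):
    """Index of the first rule whose box contains pkt, or None (default deny)."""
    return next((i for i, (box, _) in enumerate(rules) if _in_box(pkt, box)), None)

def accept_region(rules):
    """Accepted points under first-match semantics: a rectilinear polygon."""
    return frozenset(p for p in _points()
                     if (i := first_match(p, rules)) is not None and rules[i][1] == "accept")

def semantically_equal(rules_a, rules_b):
    return accept_region(rules_a) == accept_region(rules_b)

def shadowed_rules(rules):
    """Rules that never decide a packet (one kind of policy conflict)."""
    fired = {first_match(p, rules) for p in _points()}
    return [i for i in range(len(rules)) if i not in fired]

def compress(region):
    """Greedy cover of the accept polygon by maximal boxes, one accept rule each
    (illustrative heuristic, not FPC); single action on default deny => conflict-free."""
    todo, rules = set(region), []
    while todo:
        lo = list(min(todo)); hi = lo[:]
        for d in range(len(lo)):              # extend the box along each axis in turn
            while hi[d] < FIELD_RANGES[d][1]:
                probe = hi[:]; probe[d] += 1  # candidate new face of the box
                face = [p for p in product(*(range(a, b + 1) for a, b in zip(lo, probe)))
                        if p[d] == probe[d]]
                if not all(p in region for p in face):
                    break
                hi = probe
        box = tuple(zip(lo, hi))
        rules.append((box, "accept"))
        todo -= {p for p in todo if _in_box(p, box)}
    return rules

# Constructed policy: r4 is fully shadowed by r1; r2 is a deny carved out of the space.
ORIGINAL = [(((0, 3), (0, 7)), "accept"), (((2, 5), (4, 7)), "deny"),
            (((4, 7), (0, 3)), "accept"), (((0, 1), (0, 1)), "accept")]
COMPRESSED = compress(accept_region(ORIGINAL))
```

On the constructed policy the four original rules (one of them shadowed) collapse to two accept rules that admit exactly the same 48 packets.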
the National Natural Science Foundation of China (Nos. 61672543 and 61402542),
Research Foundation of the Education Department of Hunan Province (No. 17B022),
Hunan Provincial Innovation Foundation for Postgraduate (No. CX2014B081).
Yuzhu Cheng received the BS degree from Hunan University of Science and Technology in 2002 and the MS degree from Hunan University in 2005. He is a faculty member of Changsha Social Work College and is currently working toward the PhD degree at Central South University, Changsha, China. His research interests include network security, privacy protection, and related areas. E-mail: peter_cheng@csu.edu.cn

Weiping Wang received the BS degree from Southeast University in 1991, and the MS and PhD degrees from Central South University in 1994 and 2004, respectively. She joined Central South University in 1994. Currently, she is a full professor and PhD adviser at Central South University. Her research interests include cyber security and privacy, network coding, and anonymous communication. She has published more than 70 papers in refereed journals and conference proceedings. She has presided over four National Natural Science Foundation projects and participated in more than ten other major scientific research projects. Her teaching courses include computer networks, network security, and security of networks and systems. E-mail: wpwang@mail.csu.edu.cn

Jianxin Wang received the BS and MS degrees from Central South University in 1992 and 1996, respectively, and the PhD degree from Central South University in 2001. He is a vice dean and a professor in the School of Information Science and Engineering at Central South University, China. His current research interests include algorithm analysis and optimization, parameterized algorithms, bioinformatics, and computer networks. He has published more than 150 papers in various international journals and refereed conferences. He is a senior member of IEEE. E-mail: jxwang@mail.csu.edu.cn

Haodong Wang is an associate professor in the Department of Electrical Engineering and Computer Science at Cleveland State University. He received the PhD degree in computer science from the College of William and Mary. His research interests focus on information assurance in cyber-physical systems, privacy preserving and user access control in sensor ne