Algorithms for improving the dependability of firewall and filter rule lists

Network firewalls and routers use a rule database to decide which packets will be allowed from one network on to another. By filtering packets, the firewalls and routers can improve security and performance. However, as the size of the rule list increases, it becomes difficult to maintain and validate the rules, and lookup latency may increase significantly. Both these factors tend to limit the ability of firewall systems to protect networks. This paper presents a new technique for representing rule databases. This representation (based on ordered binary decision diagrams) can be used in two ways: faster lookup algorithms can allow larger rule sets to be used without sacrificing performance; and algorithms for validating rule sets and changes to rule sets can be used. The overall dependability of the system is improved by allowing larger and more sophisticated rules sets, and by having greater confidence in the rule sets´ correctness