Title :
Traffic-aware dynamic firewall policy management: techniques and applications
Author :
Qi Duan ; Al-Shaer, Ehab
Author_Institution :
Univ. of North Carolina at Charlotte, Charlotte, NC, USA
Abstract :
Firewalls are important network security devices that protect networks by blocking unwanted traffic based on filtering policies. However, the structure of firewall policies has a major impact on firewall security and performance. In this article, we classify, describe, and compare traffic-aware firewall policy management techniques based on their objectives, schemes, complexity, applicability, and limitations. We classify traffic-aware firewall policy techniques into two categories based on their goals: matching optimization and early rejection optimization schemes. Matching optimization techniques try to minimize the matching time of normal network traffic. Early rejection techniques create a minimum set of policy preamble rules (constraints) that can potentially filter out the maximum amount of denied traffic. Both categories are self-adaptive to ensure that the performance gain will always supersede the dynamic management maintenance overhead. We believe that our work provides important insights into the operation and use of traffic-aware filtering.
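Added illustration (not code from the paper): a toy first-match policy over (protocol, destination port) showing the two technique classes the abstract names. The rule format, policy and traffic sample are constructed; `reorder_by_hits` is a matching optimization that only performs semantics-preserving swaps, and `early_rejection_preamble` builds preamble deny rules from the most frequently denied traffic.

```python
from collections import Counter

# Constructed toy policy: (proto, dst-port range, action); None is a wildcard. First match wins.
POLICY = [
    ("tcp", (22, 22), "accept"),
    ("tcp", (80, 80), "accept"),
    ("tcp", (443, 443), "accept"),
    ("udp", (53, 53), "accept"),
    ("tcp", (8000, 8999), "accept"),
    ("tcp", (1, 65535), "deny"),  # overlaps the tcp accepts, so it can never be hoisted above them
    (None, None, "deny"),
]
# Constructed traffic sample (proto, dst port): mostly 443, plus scans of 3389/23 that get denied.
TRACE = ([("tcp", 443)] * 6 + [("tcp", 80)] * 3 + [("tcp", 3389)] * 4 + [("tcp", 23)] * 2
         + [("udp", 53), ("tcp", 22), ("udp", 161)])

def matches(rule, pkt):
    proto, ports, _ = rule
    return (proto is None or proto == pkt[0]) and (ports is None or ports[0] <= pkt[1] <= ports[1])

def first_match(policy, pkt):
    return next(i for i, r in enumerate(policy) if matches(r, pkt))  # default rule guarantees a hit

def decision(policy, pkt):
    return policy[first_match(policy, pkt)][2]

def cost(policy, trace):
    """Rules examined over the whole trace: the matching time both technique classes try to cut."""
    return sum(first_match(policy, p) + 1 for p in trace)

def overlap(a, b):
    """True if the two rules could match one packet; swapping such rules is unsafe if actions differ."""
    if a[0] is not None and b[0] is not None and a[0] != b[0]:
        return False
    return a[1] is None or b[1] is None or (a[1][0] <= b[1][1] and b[1][0] <= a[1][1])

def reorder_by_hits(policy, trace):
    """Matching optimization: bubble hot rules forward by adjacent swaps, never past an overlapping
    rule with a different action, so the first-match decision of every packet is preserved."""
    hits = Counter(first_match(policy, p) for p in trace)
    rules = [(r, hits[i]) for i, r in enumerate(policy)]
    for i in range(1, len(rules)):
        j = i
        while j > 0 and rules[j][1] > rules[j - 1][1] and not (
                overlap(rules[j][0], rules[j - 1][0]) and rules[j][0][2] != rules[j - 1][0][2]):
            rules[j], rules[j - 1] = rules[j - 1], rules[j]
            j -= 1
    return [r for r, _ in rules]

def early_rejection_preamble(policy, trace, k=2):
    """Early rejection: the k most frequent denied (proto, port) pairs become exact-match deny rules
    to prepend; each covers only packets the policy already denies, so semantics are unchanged."""
    denied = Counter(p for p in trace if decision(policy, p) == "deny")
    return [(proto, (port, port), "deny") for (proto, port), _ in denied.most_common(k)]
```

On the constructed trace the reordering alone cuts the rules examined from 72 to 62, and the preamble brings it to 58 while slightly lengthening the path of accepted traffic, which is the overhead trade-off the abstract refers to.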
Keywords :
filtering theory; firewalls; optimisation; telecommunication traffic; dynamic management maintenance; early rejection optimization schemes; firewall security; matching optimization techniques; network protection; network security devices; normal network traffic matching time; performance gain; policy preamble rules; rejection techniques; self-adaptive categories; traffic-aware dynamic firewall policy management; traffic-aware filtering use; traffic-aware firewall policy technique classification; unwanted traffic blocking; Approximation methods; Boolean functions; Data structures; Heuristic algorithms; Optimization; Ports (Computers); Telecommunication traffic;
Journal_Title :
Communications Magazine, IEEE
DOI :
10.1109/MCOM.2013.6553681