Given a list of filtering rules with individual hitting probabilities, it is known that the average processing time of a linear-search-based firewall can be minimized by searching the rules in an appropriate order. This paper proposes a new yet simple technique called the linear-tree structure. It uses an advanced feature of modern firewalls, the "goto"-like statement, to transform the given rule list into a rule set that is functionally equivalent to the original but organized in a more efficient structure. We show that it is possible to achieve much more improvement than previous studies based on rule reordering. To demonstrate this, we evaluate the technique both by simulation experiments and by tests with a real firewall.