Enabling Flexible Packet Filtering Through the K-map Priority Elimination Technique

Nizar Ben Neji and Adel Bouhoula
Higher School of Communications of Tunis (SupCom), University of Carthage, Tunisia
Email: {nizar.benneji,adel.bouhoula}@supcom.rnu.tn

Masato Kimura
Graduate School of Systems and Information Engineering, University of Tsukuba, Japan
Email: [email protected]

Abstract—The process of packet filtering becomes time consuming as filtering policies become larger and more complex. New firewall designs are needed to meet the challenges associated with high-speed networks. For this reason, access control lists in firewalls need to be flexible enough to allow new high-performance filtering strategies to be implemented efficiently. The precedence relationships within access control rules are considered one of the most important handicaps that remain unsolved in the context of optimization. In this paper, we introduce a Karnaugh map (K-map) based technique able to completely remove the dependencies between rules without changing the filtering behavior (i.e., the input and output lists of rules remain semantically equivalent). On one hand, statistical rule ordering models become easy to implement, provide a differentiated quality of service and reach a good processing time. On the other hand, dependency removal is very useful in the context of parallelization, especially when the access policy has to be equitably distributed among multiple firewalls. We have implemented this new technique and the first computer experiments were very promising.

Keywords—Firewall; packet filtering; security policy; priority elimination; statistical model; parallelization.

I. INTRODUCTION

Due to the complexity of security needs, the packet filtering problem becomes more and more difficult to resolve in an efficient time and with a low memory cost. Packet filtering is the process of determining the class to which an incoming packet belongs; the same action is then performed for all packets of the same class. Generally, a set of packet filtering rules can be expressed as follows:

$$\{R_i\}_{1 \le i \le n} = \Big\{ \{C_{ij}\}_{1 \le j \le d} \rightarrow D_i \Big\}_{1 \le i \le n}$$

We denote by i the relative position of the rule within the filtering list, by n the size of the filtering list and by d the number of header fields to be inspected. Generally, the decision Di is a Boolean value in {Accept, Deny}. A packet matches a rule if and only if it satisfies the rule's conditions Cij; a packet may match more than one rule, in which case the first matching rule in the list is executed. The first-match strategy is used when we face exception statements, i.e., when some cases must be excluded from general rules that should always apply. Suppose we have a condition of the form C1 : (IPsrc ∈ (A ∧ ¬B)) → Accept, where A and B are blocks of addresses such that B ⊂ A and A ∧ ¬B cannot be expressed in a single entry. C1 is usually expressed through the following ordering of rules:

R1.1 : (IPsrc ∈ B) → Deny
R1.2 : (IPsrc ∈ A) → Accept

If the exception statements appear in more than one packet header field, the number of dependent rules increases. Suppose we have a more complex condition of the form C2 : (IPsrc ∈ (A ∧ ¬B)) and (IPdst ∈ (C ∧ ¬D)) → Accept, such that B ⊂ A, D ⊂ C, and neither A ∧ ¬B nor C ∧ ¬D can be expressed as a single block of addresses. C2 is then expressed through three rules as follows:

R1.1 : (IPsrc ∈ B) and (IPdst ∈ C) → Deny
R1.2 : (IPsrc ∈ A) and (IPdst ∈ D) → Deny
R1.3 : (IPsrc ∈ A) and (IPdst ∈ C) → Accept

In a statistical packet filtering model, adjusting the rule order by moving the frequently matched rules to the top is not an easy task, due to the precedence relationships between rules. The order of several rules must be preserved, and any modification of their priorities may affect the overall integrity of the policy. In the case of parallel packet matching using multiple firewalls, a list of dependent rules cannot be dispatched equitably between the firewalls while maintaining the integrity of the security policy. For all these reasons, packet filtering models require the list of rules to be totally conflict free (no interactions between rules) in order to guarantee high flexibility and a good processing time. There is therefore a clear need for efficient techniques able to generate an equivalent list of independent rules from a standard one. In this paper, we introduce a novel K-map based method able to remove priorities from the filtering rules. Moreover, two additional techniques, redundancy removal and rule concatenation, are used to minimize as much as possible the number of independent output rules. The rest of this paper is organized as follows. Section II recalls our motivating problem by showing some representative examples and surveying related solutions. Section III introduces the proposed K-map conversion technique and Section IV shows the advantages of the conflict-free aspect. Section V gives a performance evaluation of the proposed work and, finally, Section VI closes the paper.

II. STATE OF THE ART

Although firewall security has received strong attention in the research community, the emphasis has mostly been on optimizing the filtering performance by adding code-saving techniques and new filtering capabilities, without any consideration of the complexity of the filtering policies. Firewalls are difficult to manage because a slight difference in their lists of rules can cause dramatic changes in their behavior [1]. In [2], the author defines a metric to measure firewall complexity (RC), quantified in terms of the number of rules, network objects and interfaces, but overlooks the importance of rule order in making filtering lists complicated. In many firewall solutions, the rule set is order-sensitive. Reordering rules can make them interact with each other, and this interaction is not clearly visible to system administrators. In [3], a set of representative matrices was proposed to better analyze the pairwise relations between the filtering rules and to show the hidden interactions. Each matrix has an associated factor in [0,1], and the defined factors are introduced to measure the complexity of the filtering rules and to quantify the available reordering possibilities. Inter-dependency is therefore one of the most important handicaps remaining in the context of parallel and statistical filtering systems. In [4], the authors describe the possible anomalies that may happen in a centralized or a distributed filtering system. Gouda and Liu proposed a method called structured firewall design to reduce redundancy in firewall policies [5]; they use the firewall decision diagram (FDD) to address the problems of completeness, compactness and consistency among the firewall rules. Hazelhurst et al. [6] suggested the use of BDDs to represent access lists, with the sole goal of achieving fast lookup, whereas in [7] the author chooses BDDs to represent not only individual rules but also the collective behavior of the whole set of rules, in order to check the correctness of the configuration. In addition, directed acyclic graphs (DAGs) are used to express rules efficiently. A linear arrangement of a policy DAG represents the order of rules, and finding an optimal arrangement that maintains policy integrity is proved to be NP-complete. In this context, a heuristic sorting technique called the sub-graph merging (SGM) algorithm is proposed by Tapdiya and Fulp in [8]; their algorithm reorders the rule set and improves firewall performance by minimizing the number of comparisons done per packet. Determining the optimal rule list permutation can be viewed as a job scheduling problem for a single machine with precedence constraints. Lawler [9] proved such problems to be NP-complete, therefore determining the optimal firewall rule order is NP-complete as well [10]. Other works are motivated by Internet traffic properties and try to exploit the skewness of the traffic distribution by designing dynamic data structures that allow efficient auto-adjustment after each processed packet [11]. In [12], the authors propose the use of statistical search trees and present an algorithm to optimize firewall performance by ordering rules according to their weights; two factors determine the weight, rule frequency and rule recency, which reflect the number and time of rule matches.

In [13] and [14] the authors use four schemes to optimize the operational cost according to the traffic characteristics: hot caching, total reordering, default proxy and online adaptation. In [15], the authors propose OPTWALL, an adaptive firewall optimization framework used to reduce the operational cost of a firewall. For the general case, Zhao et al. [16] formulated an order optimization problem and showed that, if there are no precedence constraints between rules, sorting in descending order of matching frequency gives an optimal solution. To the best of our knowledge, the literature contains no other work that analyzes the problem of removing priorities in an efficient way.

III. PROPOSED TECHNIQUE

Due to the precedence relationships among packet filtering rules, the reordering process may lead to unintended behavior, and equitably dividing the filtering policy among parallel classification systems is not an easy task. In our contribution, we solve this problem from scratch, making such optimization strategies easy to implement by completely removing the relationships between rules.

A. Definitions and Terminology

1) Positive and negative conditions: In this work, we treat all packet header fields as w-bit ranges or negations of w-bit ranges, where w denotes the size of the packet header field to be inspected. A w-bit range r_w = [l , u] satisfies 0 ≤ l ≤ 2^w − 1 (lower bound) and 0 ≤ u ≤ 2^w − 1 (upper bound), where l ≤ u. For example, port number ranges are considered as 16-bit ranges, IPv4 blocks of addresses as 32-bit ranges and IPv6 blocks of addresses as 128-bit ranges. In practice, the notation A.B.C.D/n is used to represent the special case of a power-of-two block of IP addresses; it is called CIDR notation (Classless Inter-Domain Routing) [17], where A.B.C.D is the starting address and /n is the number of significant bits used to identify a network. For example, 192.168.0.16/28 represents the set of 16 addresses from 192.168.0.16 to 192.168.0.31. The use of negation means matching all packets except those designated by the negated range [l , u], resulting generally in the two extremal ranges [0 , l − 1] and [u + 1 , 2^w − 1]. The possibility of having negated ranges within conditions may increase the dependency between rules (unclear interactions between rules).

2) Dependency between rules: Dom(R) denotes the domain of the rule R, i.e. the set of packets that satisfy R. By definition, two dependent rules have distinct actions and intersecting domains; two rules Rx and Ry are totally independent if they have the same action, or if they have distinct actions and match no packet in common, i.e. Dom(Rx) ∩ Dom(Ry) = ∅. In this context, we should mention that conditions expressed in CIDR notation are either inclusive (one contains the other) or disjoint: the overlapping case cannot happen. So, using arbitrary ranges that do not fall on CIDR boundaries may also increase the dependency factor between rules.

Table I: Possible List of Filtering Rules.

Rule | Source Address                | Destination Address | Port Source | Port Destination | Protocol | Action
R1   | [192.168.0.5 , 192.168.0.20]  | 192.168.1.10        | Any         | Any              | Any      | Deny
R2   | 192.168.0.16/28               | 192.168.1.0/24      | Any         | 80               | Any      | Accept
R3   | Any                           | 192.168.1.0/28      | Any         | 80               | TCP      | Deny
R4   | 192.168.0.0/24                | 192.168.1.0/24      | Any         | 80               | TCP      | Accept
R5   | 0.0.0.0/0                     | 0.0.0.0/0           | Any         | Any              | Any      | Deny

3) Default policy: The default rule is applied when the incoming packet reaches the end of the filtering list without matching any rule. The default rule can have an ACCEPT or a DENY action. Hence, a default DENY filtering policy means that we have to explicitly accept all allowed accesses, in terms of packets arriving at, leaving, and passing through the filtering system. The default ACCEPT scenario requires inverting all rules: any packet not explicitly denied is allowed. In this work, the proposed priority elimination technique is applied to the default DENY policy; the default ACCEPT case can be deduced automatically by reversing the tests.

B. Relationships Between Rules

In this subsection, we define the three possible types of relationships between two rules Rx and Ry:
• Inclusive rules, when Dom(Rx) ⊂ Dom(Ry) or Dom(Ry) ⊂ Dom(Rx);
• Overlapping rules, when Dom(Rx) ⊄ Dom(Ry), Dom(Ry) ⊄ Dom(Rx) and Dom(Rx) ∩ Dom(Ry) ≠ ∅;
• Disjoint rules, when Dom(Rx) ∩ Dom(Ry) = ∅.

1) Inclusive rules:

a) Generalization: A rule Rx is a generalization of another rule in the filtering list if ∃ y such that y < x, Dom(Ry) ⊂ Dom(Rx) and Dx ≠ Dy. As shown in Section I, conditions of the form A ∧ ¬B → Accept with B ⊂ A can only be specified using the generalization concept, with the two ordered rules B → Deny and A → Accept. Consequently, generalization makes rules totally dependent.

b) Shadowing: A rule Rx is shadowed when there exist one or more rules prior to it that match all the packets matched by Rx, so that the shadowed rule is never reached, and the conflicting rules have distinct actions. For example, Rx is shadowed by Ry if ∃ y such that y < x and Dom(Rx) ⊂ Dom(Ry). The firewall behavior does not change if the shadowed rule is removed.

c) Full redundancy: A rule Rx is said to be fully redundant if there exist one or more rules that perform the same action as Rx for the packets matched by Rx. Removing a fully redundant rule does not affect the filtering policy. In fact, redundancy does not mean that the firewall is incorrectly configured; it means that the filtering list can be written more compactly.

2) Overlapping rules:

a) Correlation: Two rules Rx and Ry are correlated if Rx matches some packets that match Ry and Ry matches some packets that match Rx. It means that Dom(Rx) ⊄ Dom(Ry), Dom(Ry) ⊄ Dom(Rx) and Dom(Rx) ∩ Dom(Ry) ≠ ∅. If Dx = Dy then Rx and Ry are considered partially redundant rules. If two correlated rules have distinct actions then they are considered totally dependent and their order must be preserved.

3) Disjoint rules: If two rules match no packet in common, they are conflict-free and can be reordered without changing the underlying logic of the firewall. This feature gives the rule specifier the ability to move the frequently matched rules to the top of the filtering list.

C. Motivation Example

Table I illustrates a simple example of 5 dependent rules. In general, processing a large and complex sequence of logically related rules is certainly beyond human capability. In this case, we use the representative matrices introduced in [3] with their respective [0,1]-factors to better illustrate all hidden interactions and to show all optimization possibilities. The dependency matrix D = (d_ij)_{1≤i,j≤n} shows whether each pair of rules is dependent or not, the reordering matrix R = (r_ij)_{1≤i,j≤n} shows whether each pair of rules can be reordered or not, and the grouping matrix G = (g_ij)_{1≤i,j≤n} shows the minimum distance that can be reached between two rules. The matrices D, R and G with their respective [0,1]-factors are as follows:

$$D=\begin{pmatrix}0&0&0&0&0\\1&0&0&0&0\\0&1&0&0&0\\1&0&1&0&0\\0&1&0&1&0\end{pmatrix},\ DF=0.6 \qquad R=\begin{pmatrix}0&0&0&0&0\\1&0&0&0&0\\1&1&0&0&0\\1&1&1&0&0\\1&1&1&1&0\end{pmatrix},\ RF=1 \qquad G=\begin{pmatrix}0&0&0&0&0\\1&0&0&0&0\\2&1&0&0&0\\3&2&1&0&0\\4&3&2&1&0\end{pmatrix},\ GF=1$$

In this case, it is impossible either to reorder or to optimize the filtering rules, since RF = GF = 1.

D. Dependency Removal

The proposed K-map based method is a powerful technique, able to take as input the original list of access control rules and to give as output an equivalent list of totally independent rules. To achieve this outcome, two approaches can be adopted: top-down and bottom-up. In this paper, we show that both approaches give the desired result, and we focus on the explanation of the top-down technique since it scales well with the number of rules. In this work, all conditions are expressed as w-bit ranges, where w is the size of the packet header field to be inspected. Hence, a rule is defined as a structure containing the lower and upper bounds of the source and destination IP addresses, the port numbers and the protocol field. Because actions are restricted to ACCEPT and DENY, we use a Boolean variable that is True for ACCEPT and False for DENY, as follows:

    structure rule {
        Integer lowerIPsrc, upperIPsrc;
        Integer lowerIPdst, upperIPdst;
        Integer lowerPortsrc, upperPortsrc;
        Integer lowerPortdst, upperPortdst;
        Integer lowerValueProtocole, upperValueProtocole;
        Boolean action;
    }

1) Top-down approach: The main function makingIndependentRules of Algorithm 1 takes as input the original list and returns an equivalent list of accept-only rules. The algorithm starts from the beginning of the original filtering list and compares rules two by two. If we apply this algorithm to the set of rules of Table I, we obtain in acceptList the rule R2 and in denyList the rule R1. So, we have to remove the dependency between them by calling removeDependency({R1}, R2) of Algorithm 2. The function kmapConversion(R1, R2) of Algorithm 3 is applied to generate, from the two dependent rules R1 and R2, the list of independent ones, based on the intersections between the rules' conditions C1i and C2i with 1 ≤ i ≤ 5. At first, it might seem that the Karnaugh map is just another way of presenting the information, but it gives a real opportunity to remake rules in a way that allows easy grouping of terms. Generally, a Karnaugh map is a structured way to represent all possible combinations of input variables. First, we have to determine the number of bits needed to represent all combinations of intersecting conditions. Figure 1, Figure 2 and Figure 3 show all possible intersections between positive and negative conditions and also show the number of bits needed to encode each case. In this context, we should mention that we do not care about the case of equal conditions Cxi = Cyi: no bits are needed to encode such cases. Also, the case Cxi ∩ Cyi = ∅ is not considered, because it means that Rx and Ry are independent rules. So, we assign 0 to the set of values in Cxi ∩ Cyi, 1 to the set of values in Cxi \ Cyi and 2 to the set of values in Cyi \ Cxi: 1 refers to the first range and 2 refers to the second range. For the case of R1 and R2 of Table I, we need 2 bits for the source IP address: (00)2 represents the range of addresses [192.168.0.16 , 192.168.0.20], (01)2 the range [192.168.0.5 , 192.168.0.15], (10)2 the remaining range [192.168.0.21 , 192.168.0.31], and (11)2 refers to nothing. We apply the same logic to the other packet header fields. There is no need to dedicate bits to the source port and the protocol field, since those conditions are equal. Because 192.168.1.10 ∈ 192.168.1.0/24, one bit is needed for the destination IP address, and one more bit is necessary for the destination port because 80 ∈ Any. In fact, the function calculateIntersection takes two rules as input and returns an integer indicating the number of bits needed. In the case of R1 and R2, calculateIntersection returns 4 bits in total to express all possible combinations. As shown in Figure 1, Figure 2 and Figure 3, at most 2 bits are needed for each packet header field. In total, 2d bits are needed in the worst case, with d the number of packet header fields to be inspected.

Algorithm 1 Top-down approach for making independent rules

    list<rule> function makingIndependentRules(list<rule> originalListRules) {
        list<rule> acceptList = {};
        list<rule> denyList = {};
        while (originalListRules ≠ NULL) {
            if (originalListRules.element(0).action == ACCEPT)
                acceptList.append(removeDependency(denyList, originalListRules.element(0)));
            else if (originalListRules.element(0).action == DENY)
                denyList.append(originalListRules.element(0));
            originalListRules.remove(0);
        }
        acceptList.append(DefaultDenyRule);
        return acceptList;
    }

Algorithm 2 Remove dependency between an accept rule and a list of high-priority deny rules

    list<rule> function removeDependency(list<rule> denyList, rule acceptRule) {
        list<rule> acceptTempList = { acceptRule };
        list<rule> tmp;
        for each (rule denyRule in denyList) {      // iterate; the caller's denyList is not consumed
            tmp = {};
            while (acceptTempList ≠ NULL) {
                tmp.append(kmapConversion(denyRule, acceptTempList.element(0)));
                acceptTempList.remove(0);
            }
            acceptTempList = tmp;
        }
        return acceptTempList;
    }

Algorithm 3 K-map conversion algorithm

    list<rule> function kmapConversion(rule denyRule, rule acceptRule) {
        if (Dom(acceptRule) ⊆ Dom(denyRule))
            return {};                                   // the accept rule is shadowed
        else if ((Dom(acceptRule) ∩ Dom(denyRule)) == NULL)
            return {acceptRule};                         // already independent
        else {
            numberBits = calculateIntersection(denyRule, acceptRule);
            rowVars = (numberBits / 2) + (numberBits % 2);
            columnVars = numberBits / 2;
            int i = 0; int j = 0;
            int iGrayCode, jGrayCode;
            kmapValues karnaughTable[2^rowVars][2^columnVars];
            while (i < 2^rowVars) {
                iGrayCode = grayCode(i);
                jGrayCode = grayCode(j);
                karnaughTable[i][j] = checkAction(denyRule, acceptRule, iGrayCode, jGrayCode);
                j++;
                if (j ≥ 2^columnVars) { j = 0; i++; }
            }
            list<group> KarnaughGroups = makingGroups(karnaughTable);
            return makeIndependentRules(KarnaughGroups);
        }
    }

In a Karnaugh map, the Boolean variables are defined by all possible intersections between the corresponding conditions. The resulting combinations are ordered according to the principle of Gray code, in which only one variable changes between adjacent entries. The Karnaugh table is constructed using the number of bits returned by calculateIntersection and then filled with the actions determined for each combination of bits using the checkAction function. Actions are determined only by the current rules Rx and Ry, respecting the priority between them. In this case, the values of the Karnaugh table are A, D, X or ○ (circle), for Accept, Deny, Accept-or-Deny and Nothing respectively. The value X is set when the action of the current combination of bits can be determined neither by Rx nor by Ry, and the value ○ is set when we have a meaningless case. As shown in Figure 1, Figure 2 and Figure 3, two bits are necessary to represent the values {0, 1, 2}: 00 is 0, 01 is 1, 10 is 2 and 11 refers to nothing, i.e. 11 is a meaningless value that can appear in the proposed Karnaugh table. An enumeration type is defined as the list of all possible K-map values, as follows:

    enumerate kmapValues { ACCEPT, DENY, X, NOTHING };

Figure 1: The number of bits needed to encode all possible intersections of positive conditions of the form [l , u]

Figure 2: The number of bits needed to encode all possible intersections of negative conditions of the form ¬ [l , u]

Figure 3: The number of bits needed to encode all possible intersections of positive and negative conditions

Figure 4 shows the Karnaugh table built according to the rules R1 and R2 of Table I. For example, the combination of bits 0000 represents the set of packets with source IP addresses in [192.168.0.16 , 192.168.0.20], destination IP address equal to 192.168.1.10, and destination port equal to 80. The set of packets respecting these conditions matches both rules R1 and R2; hence we must respect the order of the rules, so the action to be performed is that of the higher priority rule, which is R1. The value X is set for all combinations that match neither R1 nor R2, and the ○ is set in case of a meaningless combination of bits. Once the Karnaugh table is generated and the output possibilities are transcribed, forming new rules is done by associating ACCEPT actions together into groups that contain no X value: grouping together 2^n adjacent cells containing A or ○, with n ∈ N. In this context, we should mention that groups must respect the standard Karnaugh map rules:
1) Only a power-of-2 number of cells in each group,
2) Each group of ACCEPT actions should be as large as possible,
3) Groups may overlap,
4) Groups may wrap around the table,
5) The leftmost cell in a row may be grouped with the rightmost cell, and the top cell in a column may be grouped with the bottom cell,
6) Groups should be as few as possible, as long as this does not contradict any of the previous rules.

Figure 4: The K-map illustration of all combinations of conditions of the rules R1 and R2 and the optimal grouping of values.

In addition to these rules, we have three more rules to be applied when grouping:
1) It is not possible to group X,
2) It is possible to group ○ with A,
3) It is not allowed to group only circles, because such a grouping has no meaning.

The makingGroups function takes as input the constructed Karnaugh table and returns the optimal list of grouped values. The structure of a group is defined as follows:

    structure group {
        Integer rowPosition;
        Integer columnPosition;
        Integer height;
        Integer width;
    }

Once the Karnaugh map has been constructed and the groups have been derived, the solution can be found by transforming groups into ternary strings. A ternary string t of length n, with 1 ≤ n ≤ 2d, is of the form b1 b2 ··· bn such that bi ∈ {0, 1, ∗}. Each group is selected with respect to the standard rules and the proposed K-map rules. The Karnaugh table of Figure 4 shows that we have two groups, represented as ternary strings. The first ternary string is ∗010 and it represents the set of packets with:

IPsrc ∈ 192.168.0.16/28
IPdst ∈ [192.168.1.0 , 192.168.1.9] ∪ [192.168.1.11 , 192.168.1.255]
PortDst = 80

The second ternary string is 1∗∗0 and it represents the set of packets with:

IPsrc ∈ [192.168.0.21 , 192.168.0.31]
IPdst ∈ 192.168.1.0/24
PortDst = 80

In Table II, ∗010 is translated into the rules R1 and R2, and the ternary string 1∗∗0 into R3.
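The top-down procedure described above (Algorithms 1 and 2, with the per-field 0/1/2 encoding that feeds Algorithm 3), as an added Python example that is not part of the paper or its implementation: the Karnaugh table and its grouping are replaced by a direct range-subtraction decomposition of the accept cells (a swapped-in technique, not the authors' grouping), so the output is equivalent to Table II but not necessarily the same minimal grouping. Table I is re-typed as input; the field widths, the protocol number 6 for TCP and the sample packets are assumptions constructed for the example.

```python
import ipaddress
from itertools import product

# A condition is a list of disjoint inclusive ranges; !80 is just the two ranges around 80.
FIELDS = ("src", "dst", "sport", "dport", "proto")
WIDTH = {"src": 32, "dst": 32, "sport": 16, "dport": 16, "proto": 8}
def ipint(addr):
    return int(ipaddress.ip_address(addr))
def any_(field):
    return [(0, 2 ** WIDTH[field] - 1)]
def cidr(spec):  # "192.168.0.16/28" -> the single range it covers
    net = ipaddress.ip_network(spec, strict=False)
    return [(int(net[0]), int(net[-1]))]

def intersect(a, b):
    return [(max(l1, l2), min(u1, u2)) for l1, u1 in a for l2, u2 in b
            if max(l1, l2) <= min(u1, u2)]

def subtract(a, b):  # ranges of a not covered by b (each range splits into at most two)
    pieces = list(a)
    for bl, bu in b:
        nxt = []
        for pl, pu in pieces:
            if bu < pl or bl > pu:
                nxt.append((pl, pu))
                continue
            if pl < bl:
                nxt.append((pl, bl - 1))
            if bu < pu:
                nxt.append((bu + 1, pu))
        pieces = nxt
    return pieces

def rule(src, dst, sport, dport, proto, action):  # action True = ACCEPT, False = DENY
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "proto": proto, "action": action}

def kmap_conversion(deny, accept):
    """Accept rules equivalent to 'accept' minus the higher-priority 'deny'.
    Per field the paper encodes 0 for Cx ∩ Cy and 2 for Cy \\ Cx (x = deny, y = accept), so an
    accept cell is a non-zero tuple over {0, 2}.  Instead of K-map grouping, the cells are covered
    by disjoint sub-cubes: rule k fixes free fields before k to 0, field k to 2, the rest to '*'."""
    zero, two = {}, {}
    for f in FIELDS:
        zero[f] = intersect(accept[f], deny[f])
        if not zero[f]:
            return [accept]  # disjoint domains: already independent
        two[f] = subtract(accept[f], deny[f])
    free = [f for f in FIELDS if two[f]]  # fields in which accept sticks out of deny
    if not free:
        return []  # Dom(accept) ⊆ Dom(deny): the accept rule is shadowed
    out = []
    for k, fk in enumerate(free):
        r = dict(accept)
        for f in free[:k]:
            r[f] = zero[f]
        r[fk] = two[fk]
        out.append(r)
    return out

def remove_dependency(deny_list, accept_rule):  # Algorithm 2
    current = [accept_rule]
    for deny in deny_list:  # iterate; the caller's deny list is not consumed
        current = [r for a in current for r in kmap_conversion(deny, a)]
    return current

def making_independent_rules(rules):  # Algorithm 1; the trailing default deny is implicit
    accept_list, deny_list = [], []
    for r in rules:
        if r["action"]:
            accept_list.extend(remove_dependency(deny_list, r))
        else:
            deny_list.append(r)
    return accept_list

def matches(r, pkt):
    return all(any(l <= pkt[f] <= u for l, u in r[f]) for f in FIELDS)
def first_match(rules, pkt):  # first-match semantics with default DENY
    return next((r["action"] for r in rules if matches(r, pkt)), False)

# Table I of the paper, re-typed here as the input of the example (protocol 6 = TCP).
TABLE_I = [
    rule([(ipint("192.168.0.5"), ipint("192.168.0.20"))], cidr("192.168.1.10/32"),
         any_("sport"), any_("dport"), any_("proto"), False),
    rule(cidr("192.168.0.16/28"), cidr("192.168.1.0/24"), any_("sport"), [(80, 80)], any_("proto"), True),
    rule(any_("src"), cidr("192.168.1.0/28"), any_("sport"), [(80, 80)], [(6, 6)], False),
    rule(cidr("192.168.0.0/24"), cidr("192.168.1.0/24"), any_("sport"), [(80, 80)], [(6, 6)], True),
    rule(any_("src"), any_("dst"), any_("sport"), any_("dport"), any_("proto"), False),
]

def sample_packets():  # constructed packets on both sides of every boundary used in Table I
    srcs = ["192.168.0.%d" % x for x in (0, 4, 5, 15, 16, 20, 21, 31, 32, 100)] + ["10.0.0.1"]
    dsts = ["192.168.1.%d" % x for x in (0, 9, 10, 11, 15, 16, 255)] + ["192.168.2.1"]
    return [{"src": ipint(s), "dst": ipint(d), "sport": 40000, "dport": dp, "proto": pr}
            for s, d, dp, pr in product(srcs, dsts, (80, 443), (6, 17))]

def equivalent(original, independent, packets):
    # first-match on the ordered list must agree with "any match" on the independent list
    return all(first_match(original, p) == any(matches(r, p) for r in independent)
               for p in packets)
```

Running making_independent_rules(TABLE_I) yields four accept rules; the first two come from R2 minus R1 and correspond to the two ternary strings above, with the destination split done by range subtraction instead of the K-map.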

2) Bottom-up approach: For the bottom-up approach, we have to parse the filtering list in reverse, i.e. start from the last rule and proceed to the first one, and then apply the same grouping rules. Unlike the top-down approach, the kmapConversion function is now adapted to group ACCEPT and DENY actions separately. In this case, the circle symbol can be grouped with both types, and the group structure is redefined as follows:

    structure group {
        Integer rowPosition;
        Integer columnPosition;
        Integer height;
        Integer width;
        Boolean action;
    }

E. Optimizing Techniques

The process used to remove priorities does not always give a reduced set of rules. Usually, we have to proceed to a second phase of optimization: redundancy removal and rule concatenation. The proposed algorithms for concatenation and redundancy removal are used to decrease the number of rules significantly. Rule concatenation is automatically possible between two rules Rx and Ry having the same action and adjacent domains: there exists i in [1 , d] such that the corresponding conditions Cxi and Cyi can be grouped into a single entry, and for every j ≠ i we have Cxj = Cyj. Removing a redundant rule Rx is possible when there exists at least one rule Ry having the same action as Rx with Dom(Rx) ⊂ Dom(Ry). It is also possible that several rules together make Rx redundant, i.e. the union of their domains covers the domain of Rx. Table II represents the optimal list of independent rules, which is equivalent to the original list of Table I.

IV. BENEFITS OF THE CONFLICT-FREE ASPECT

A. Statistical Filtering Model

Adjusting the rule order according to the matching statistics can efficiently improve the performance of a firewall, since rules are compared in order. Tuple comparison is an important indicator of firewall performance: with an optimal rule order, fewer tuple comparisons are done per packet. Finding the optimal sequence for a large list of rules has been proved to be an NP-hard problem, because in most cases moving the frequently matched rules to the top of the filtering list may change the firewall behavior. As argued before, the precedence relationship is the most important handicap preventing the implementation of statistical filtering strategies; simply exchanging the placement of rules is therefore not feasible. As shown before, there are three forms of relationships between rules: inclusive, correlated and disjoint. If rules have distinct actions, their order can be changed only if they are totally disjoint. Rebuilding the filtering list using the proposed K-map conversion technique is the most efficient way to make rule ordering concrete and easy to implement without affecting the metrics of the firewall.

Table II: The Equivalent Optimized List of Totally Independent Rules.

Rule | Source Address                 | Destination Address             | Port Source | Port Destination | Protocol | Action
R1   | 192.168.0.16/28                | [192.168.1.11 , 192.168.1.255]  | Any         | 80               | Any      | Accept
R2   | 192.168.0.16/28                | [192.168.1.0 , 192.168.1.9]     | Any         | 80               | Any      | Accept
R3   | [192.168.0.21 , 192.168.0.31]  | 192.168.1.0/24                  | Any         | 80               | Any      | Accept
R4   | 192.168.0.0/24                 | [192.168.1.16 , 192.168.1.255]  | Any         | Any              | TCP      | Accept
R5   | 192.168.0.0/24                 | 192.168.1.0/24                  | Any         | !80              | TCP      | Accept
R6   | 0.0.0.0/0                      | 0.0.0.0/0                       | Any         | Any              | Any      | Deny

B. Distributed Filtering Model

Parallelization offers a scalable technique for improving the performance of network firewalls. As depicted in Figures 5 and 6, the m distributed firewalls differ in what is distributed: packets or policy rules. Here again, removing the existing precedence relationships between rules is extremely important, especially when we intend to distribute the workload equitably among parallel filtering systems.

1) Standard distributed filtering model: The standard distributed packet filtering model consists of dispatching the incoming packets to multiple identical firewalls: each firewall implements the complete security policy and the arriving packets are distributed across the systems such that only one firewall processes any given packet. The filtering policy is duplicated and the packets are distributed across firewalls. One of the most important drawbacks of this technique concerns stateful inspection, which requires all traffic belonging to the same connection to traverse the same firewall in order to maintain state information, a hard task at high speeds. In addition, it is not possible to maintain QoS requirements, since this filtering design does not differentiate between traffic classes: it assures only load balancing. The original filtering policy is denoted P = {Rk}1≤k≤n and contains all the filtering rules. In this type of parallel filtering system, each firewall f in {Fj}1≤j≤m implements a local policy Pj, where Pj = P (identically configured firewalls).

2) Optimized distributed filtering models: An optimized distributed filtering strategy consists of dividing the set of filtering rules among multiple firewalls such that each firewall implements a portion of the original policy. To maintain the policy's integrity, the precedence relationships must be preserved within the portions of the policy. When a packet arrives at such a filtering system, it is processed by every firewall in parallel, thus the processing time required per packet is reduced. Due to the precedence relationships, parallel firewalls need to interact with each other to decide whether to accept or deny a packet, and these additional interactions increase the total processing time. Removing the existing dependency between rules lets us subdivide the filtering policy freely and equitably among firewalls. In addition, the filtering system can easily be designed such that certain types of packets are only processed by specific firewalls, yielding the ability to provide service differentiation, which is a key component for maintaining network QoS. In such parallel filtering systems, each firewall f in {Fj}1≤j≤m implements a local policy Pj such that

$$P = \bigcup_{j=1}^{m} P_j \quad (P \text{ does not include the default rule } R_n) \qquad \text{and} \qquad \forall\, j, k \text{ with } 1 \le j < k \le m:\ P_j \cap P_k = \emptyset$$

(complementary configured firewalls). Because the rules are totally independent, the action to be performed is returned by at least one firewall, and if the packet is not matched by any firewall's rules then it is automatically rejected. Since the local policies are smaller than the original one, the processing delay per packet is considerably reduced.

V. PERFORMANCE ANALYSIS

A. Performance of the Proposed Techniques of Optimization

Figure 5: Multiple filtering based on a packet distribution strategy.

Figure 6: Multiple filtering based on a policy distribution strategy.
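The policy distribution strategy of Figure 6 (the complementary configured firewalls of subsection B.2 above), as an added example that is not code from the paper: a conflict-free policy without its default rule is split round-robin into m local policies, each firewall evaluates only its own partition, and the verdict is the action of the single firewall whose rule matched, with the default deny applied when no firewall matches. It also carries the precondition check a practitioner wants before distributing a policy: if any two rules overlap in every field, precedence still matters and the split is unsafe. The rule fields (source port, destination port, protocol), the helper names, the sample rules and the packets are all constructed for this example.

```python
"""Policy distribution over complementary firewalls.

Added example, not code from the paper: simulates the optimized distributed
model of subsection B.2. A conflict-free policy P, without the default rule
R_n, is split into m pairwise-disjoint local policies P_1..P_m, every firewall
evaluates its own partition on each packet, and the verdict is the action of
whichever firewall matched. A packet matched by no firewall is denied. The
rule fields (port ranges and protocol only), the helper names and the sample
rules and packets below are constructed for this illustration.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import List, Tuple

Range = Tuple[int, int]  # inclusive interval, e.g. (80, 80) or (0, 65535)
ANY_PORT: Range = (0, 65535)
TCP, UDP = (6, 6), (17, 17)


@dataclass(frozen=True)
class Rule:
    name: str
    src_port: Range
    dst_port: Range
    proto: Range
    action: str  # "accept" or "deny"

    def fields(self) -> Tuple[Range, Range, Range]:
        return (self.src_port, self.dst_port, self.proto)

    def matches(self, pkt: Tuple[int, int, int]) -> bool:
        """pkt is a constructed (src_port, dst_port, proto) triple."""
        return all(lo <= v <= hi for (lo, hi), v in zip(self.fields(), pkt))


def _overlap(a: Range, b: Range) -> bool:
    return max(a[0], b[0]) <= min(a[1], b[1])


def overlapping_pairs(policy: List[Rule]) -> List[Tuple[str, str]]:
    """Precondition check: two rules conflict iff they overlap in every field.
    An empty result means the policy is conflict-free and may be partitioned
    arbitrarily; a non-empty result means rule precedence still matters."""
    return [(r1.name, r2.name) for r1, r2 in combinations(policy, 2)
            if all(_overlap(a, b) for a, b in zip(r1.fields(), r2.fields()))]


def partition(policy: List[Rule], m: int) -> List[List[Rule]]:
    """Equitable round-robin split into m local policies P_1..P_m such that
    P is the union of the P_j and P_j, P_k are disjoint for j != k."""
    if overlapping_pairs(policy):
        raise ValueError("policy is not conflict-free; cannot distribute freely")
    return [policy[j::m] for j in range(m)]


def parallel_filter(partitions: List[List[Rule]], pkt) -> str:
    """Every firewall F_j evaluates its own P_j; with independent rules at
    most one of them matches, so no inter-firewall arbitration is needed."""
    verdicts = [r.action for pj in partitions for r in pj if r.matches(pkt)]
    if not verdicts:
        return "deny"  # default rule R_n, applied when no firewall matched
    assert len(set(verdicts)) == 1, "two firewalls disagreed: rules overlap"
    return verdicts[0]


def sequential_filter(policy: List[Rule], pkt) -> str:
    """Reference verdict: first-match walk over the full list on one firewall."""
    for r in policy:
        if r.matches(pkt):
            return r.action
    return "deny"


def equivalent(policy: List[Rule], m: int, packets) -> bool:
    """True when the distributed and the single-firewall verdicts agree."""
    parts = partition(policy, m)
    return all(parallel_filter(parts, p) == sequential_filter(policy, p)
               for p in packets)


# Constructed conflict-free policy: no two rules overlap in all three fields.
POLICY = [
    Rule("R1", ANY_PORT, (80, 80), TCP, "accept"),
    Rule("R2", ANY_PORT, (443, 443), TCP, "accept"),
    Rule("R3", ANY_PORT, (53, 53), UDP, "accept"),
    Rule("R4", ANY_PORT, (1024, 65535), TCP, "deny"),
]
# Constructed policy where R5 overlaps R1, R2 and R4: distribution is unsafe.
OVERLAPPING = POLICY + [Rule("R5", ANY_PORT, ANY_PORT, TCP, "accept")]

# Constructed packets: (src_port, dst_port, proto)
PACKETS = [(40000, 80, 6), (40000, 443, 6), (40000, 53, 17),
           (40000, 8080, 6), (40000, 25, 6), (40000, 53, 6)]

if __name__ == "__main__":
    parts = partition(POLICY, 3)
    for j, pj in enumerate(parts, 1):
        print(f"F{j}: {[r.name for r in pj]}")
    for p in PACKETS:
        print(p, "->", parallel_filter(parts, p))
    print("equivalent to single firewall:", equivalent(POLICY, 3, PACKETS))
    print("conflicts in OVERLAPPING:", overlapping_pairs(OVERLAPPING))
```

The equivalence check compares the distributed verdict against a plain first-match walk over the whole list; because the rules are pairwise disjoint, the order of that walk no longer influences the result, which is exactly what lets the policy be split among firewalls without any arbitration traffic between them. Running the same split on OVERLAPPING is refused by the precondition check, since R5 would give a different answer depending on which firewall held it.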

Figure 7a gives the average number of output rules. In this context, we can say that removing dependency may slightly increase the average size of the filtering list. As we can see, removing redundancy and concatenating adjacent rules efficiently reduce the number of rules. The size of the output list is the most important criterion used to judge the efficiency of the proposed K-map technique, because the fewer rules the firewall has, the fewer comparisons are done per packet. In addition, Figure 7b illustrates the average processing time needed to create a list of conflict-free rules, and it also shows the average cost in time of the additional optimizing operations.

[Figure 7 plots; only the panel titles, axis labels and legends are recoverable from the text.]

(a) Average number of output rules. Axes: NUMBER OF INPUT RULES (x), AVERAGE NUMBER OF OUTPUT RULES (y). Series: K-map Deprioritization (KD); KD + Remove Redundancy (RR); KD + RR + Concat Rules (CR); KD Approximation; KD + RR Approximation; KD + RR + CR Approximation.

(b) Average processing time (Top-down approach). Axes: NUMBER OF INPUT RULES (x), AVERAGE PROCESSING TIME (s) (y). Series: K-map Deprioritization (KD); KD + Remove Redundancy (RR); KD + RR + Concat Rules (CR); KD Approximation; KD + RR Approximation; KD + RR + CR Approximation.

(c) Top-down vs Bottom-up approach. Axes: NUMBER OF INPUT RULES (x), AVERAGE PROCESSING TIME (s) (y). Series: Top-down Conversion; Bottom-up Conversion; Top-down Approximation; Bottom-up Approximation.

Figure 7: Evaluation of the performance of the proposed K-map technique in terms of the average number of output rules and in terms of the average processing time needed to create a compacted list of conflict-free rules.

B. Top-down vs Bottom-up Conversion

In this part, we compare the time taken by the two proposed methods: top-down and bottom-up. As shown before, both proposed techniques are effective ways to resolve the dependency problem efficiently without affecting the filtering result. As shown in Figure 7c, compared with the bottom-up technique, the top-down approach scales well as the number of input rules increases. The difference in time is due to the grouping of the deny values in the Karnaugh tables. In this context, we should mention that some worst cases for the top-down approach are less expensive with the bottom-up approach, but on average the top-down approach is best.

VI. CONCLUSION

As packet classification has been widely deployed on the Internet, demand for efficient packet classification solutions grows, especially in a high-speed environment or when traffic requires a specific network Quality of Service (QoS). The existence of mutually exclusive rules within the filtering list makes the classification process hard to improve in a high-speed environment. In this paper, we have introduced a novel technique for eliminating the requirement of priority in order to achieve further performance improvement. In this context, we should mention that our technique is also orthogonal to previously proposed ones, since it can easily be used in conjunction with them to achieve a more optimal result. In this work, we have focused on the case of a packet filter that has only two types of actions, accept and deny; in our future contribution, we intend to cover the general case.

ACKNOWLEDGMENT

The proposed technique has been implemented by Masato Kimura during his internship at the Digital Security Research Unit of the Higher School of Communications of Tunis (SupCom) in Tunisia. The project is partially supported by JSPS Grant-in-Aid for Scientific Research (B) (20300001).
