Towards Safe and Optimal Filtering Rule Reordering for Complex Packet Filters

Nizar Ben Neji and Adel Bouhoula
Higher School of Communications of Tunis (SupCom), University of Carthage, Tunisia
Email: {nizar.benneji,adel.bouhoula}@supcom.rnu.tn

Abstract—The growth of the Internet, coupled with increasingly complex security needs, raises the demands on filtering performance, so much so that maintaining a high classification throughput in a high-speed environment is crucial. As a result, today's security devices require innovative designs and algorithms to optimize the efficiency of packet filtering systems. In this paper, we propose a safe and optimal reordering method aimed at reducing the operational cost of network packet filters. In addition, a performance evaluation is given using a set of special matrices: the Dependency Matrix, the Reordering Matrix and the Grouping Matrix. Each matrix has an associated factor in [0,1]; these newly defined factors are introduced to measure the efficiency of the proposed technique and to show its high potential to make optimization easy, optimal and safe.

Keywords—Packet filtering; security policy; optimization; reordering.

I. INTRODUCTION

Packet filtering is a technique by which network packets are controlled based on an ordered set of rules called the filtering policy. System administrators are required to frequently add, update and remove filtering rules from the policy because the network topology continuously evolves and users always request new services. Hence, the filtering policy becomes increasingly complex, and the order of the rules is liable to be non-optimal after each modification performed by the user. This has motivated the research community to focus on various approaches to providing reliable optimization methods. In many packet filtering solutions, the rule set is order-sensitive, and reordering rules can make them interact with each other; this interaction is not clearly visible to administrators. Hence, the behavior of the filtering system may become inconsistent with the intention of the system administrator. Mainly for this reason, rule reordering should not be done manually: it is an error-prone operation, and it is hard for a human to check by hand for all possible errors. Hence, optimizing packet filters remains a challenge for network designers and system administrators. Most of the time, optimization needs rule reordering to:
• Merge or factorize the rules that have adjacent domains or common conditions by moving them close to each other,
• Rebuild the filtering list according to the matching probabilities by moving the frequently matched rules closer to the top of the filtering list,
• Group the related rules and divide the filtering policy equitably between multiple parallel packet filters.

In our contribution, we make it easy to implement such kinds of optimization under adverse conditions. The proposed reordering solution gives the rule specifier the ability to reduce the size of the filtering list, to cut down the number of comparisons done in each entry, to move the frequently matched rules automatically to the top of the filtering list and to distribute the workload of packet inspection equitably between multiple packet filtering systems.

The rest of this paper is organized as follows. Section II recalls our motivating problem and surveys the related solutions proposed in the literature. Section III then describes the proposed reordering technique and Section IV shows the advantages of safe reordering of the filtering rules. Section V gives a performance evaluation of the proposed work, and, finally, Section VI closes the paper.

II. STATE OF THE ART

Although packet filters such as firewalls have been given strong attention in the research community, the emphasis was mostly on optimizing the filtering performance by adding code-saving techniques and new filtering capabilities without any consideration of their impact on the increase in the complexity of the filtering policies. Generally, packet filters are difficult to manage because a slight difference in their lists of rules can cause dramatic changes in their behavior, as discussed in [1] and [2]. In [3], the author defines a new metric to measure the firewall complexity (RC), quantified in terms of the number of rules, network objects and interfaces, forgetting the importance of the priorities of rules in making filtering lists complicated:

$$RC = Rules + Objects + \frac{interfaces \times (interfaces - 1)}{2}$$

In general, order optimization is done by placing, dynamically or periodically, the most frequently matched rules near the beginning of the rule set, as proposed in [4] and [5]. In many packet filtering solutions, the rule set is order-sensitive. Reordering rules can make entries interact with each other, and this interaction is not clearly visible to administrators. Hence, the behavior of the packet filter becomes inconsistent with the intention of the system administrator. In a distributed environment, packet filter rules have to be ordered and distributed carefully in order to avoid filtering anomalies. A parallel packet filter or a load-balancing packet filter is a scalable approach used to increase the filtering speed of the

network traffic, as discussed in [6], [7] and [8]. Conversely, rule dependency is one of the most important handicaps for implementing such parallel filtering systems. In [9] and [10], the authors only describe the possible anomalies that may happen in centralized or distributed filtering systems. In [11], Gouda and Liu proposed a method called structured firewall design to reduce redundancy in firewall policies. In [12], the author focuses on improving the performance of traditional firewalls by reducing the number of rule comparisons required per packet. In general, directed acyclic graphs (DAGs) are used to express rules efficiently. A DAG policy for a rule list R is G = (R, E), where the vertices are rules and the edges E are the precedence relationships between rules. A linear arrangement of a policy DAG represents a rule order, and finding an optimal arrangement that maintains the policy integrity is proved to be an NP-complete problem. In this context, a heuristic sorting technique called the sub-graph merging (SGM) algorithm is proposed by Tapdiya and Fulp in [13]; their algorithm reorders the rule set to improve the firewall performance by minimizing the average number of comparisons done per incoming packet. Therefore, determining the optimal rule list permutation can be viewed as a job scheduling problem for a single machine with precedence constraints. Lawler [14] proved such problems to be NP-complete; therefore determining the optimal firewall rule order is as well [15]. In [16], the authors propose OPTWALL, an adaptive firewall optimization framework used to reduce the operational cost of firewalls. For the general case, Zhao et al. [17] formulated an order optimization problem and showed that if there are no precedence constraints among rules, sorting in descending order of matching frequency gives an optimal solution.

III. PROPOSED TECHNIQUE

In general, processing a large and complex sequence of logically related rules is certainly beyond human capability. In this work, the main objective of rule reordering is to increase the performance of packet filters. Nevertheless, the main challenge in the construction of optimal lists of filtering rules stems from the need to maintain the semantic integrity of the policy set at each level of the reordering process.

A. Formal Specification of the Filtering List

Generally, the set of packet filtering rules can be expressed as follows:

$$\{R_i\}_{1 \le i \le n} = \left\{ \{C_{ij}\}_{1 \le j \le d} \to D_i \right\}_{1 \le i \le n}$$

We denote by i the relative position of the rule within the set of filtering rules, by n the size of the filtering list and by d the number of header fields to be inspected in R_i. Generally, the decision D_i is a Boolean expression in {Accept, Deny}. When the header fields of an incoming packet satisfy a filter's conditions, this filter's action is carried out on the incoming packet. The conditions C_ij describe the predefined filtering classes, and they are usually written as a set of prefixes, ranges or more complex conditions. The C_ij conditions may overlap, so a packet might match multiple rules, each with a different associated action. In case of conflicting rules, the action is determined by the first matching rule, thus ignoring any further rules pertaining to the same targets. In our study, the default deny rule is not considered because its position cannot be changed: the default rule is used to make the filtering policy comprehensive, meaning that for every incoming packet a match must be found. Dom(R) denotes the domain of the rule R and represents the set of packets that satisfy the rule R. We have three types of relationships between two rules R_x and R_y:
• Inclusive rules, in case Dom(R_x) ⊂ Dom(R_y) or Dom(R_y) ⊂ Dom(R_x);
• Overlapping rules, in case Dom(R_x) ⊄ Dom(R_y), Dom(R_y) ⊄ Dom(R_x) and Dom(R_x) ∩ Dom(R_y) ≠ ∅;
• Disjoint rules, in case Dom(R_x) ∩ Dom(R_y) = ∅.

Table I illustrates a simple example of 5 dependent rules (default rule not considered). In this case, it is difficult either to reorder or to subdivide the filtering rules.

Table I: A sample filtering list.

Rule | Destination Address | Source Address | Port Destination | Port Source | Protocol | Action
R1 | [192.168.100.20 , 192.168.100.40] | 192.168.200.0/28 | 80 | Any | TCP | Accept
R2 | 192.168.100.16/28 | 192.168.200.0/24 | 80 | Any | TCP | Deny
R3 | 192.168.100.50 | 192.168.200.0/28 | Any | Any | TCP | Accept
R4 | 192.168.100.48/30 | Any | 80 | Any | TCP | Deny
R5 | [192.168.100.41 , 192.168.100.60] | 192.168.200.0/28 | 80 | Any | TCP | Accept
R6 | 0.0.0.0/0 | 0.0.0.0/0 | Any | Any | Any | Deny

B. Representative Matrices

In this section, we define new representative matrices to better model the pairwise relations between rules, the hidden interactions and the available reordering possibilities.

1) Dependency Matrix: The dependency matrix is used to represent the dependency relationships among the rules of a filtering set. More precisely, it is a strictly upper triangular {0, 1}-matrix denoted D = (d_ij)_{1≤i,j≤n} such that:

$$\forall i < j:\quad d_{ij} = \begin{cases} 1 & \text{if } R_i \text{ and } R_j \text{ are dependent rules} \\ 0 & \text{if } R_i \text{ and } R_j \text{ are independent rules} \end{cases} \qquad\qquad \forall i > j:\quad d_{ij} = 0$$

Moreover, to construct a dependency matrix, the matching domains of the rules are compared pairwise. Hence, the rows and the columns each index all the rules of the filtering list. d_ij = 1 means that the order of R_i and R_j (i < j) must be preserved, and d_ij = 0 otherwise. On one hand, two rules R_i and R_j are totally independent if they have the same action, or if they have distinct actions and do not match any packet in common, i.e. Dom(R_i) ∩ Dom(R_j) = ∅. On the other hand, two rules having distinct actions and intersecting domains are considered dependent rules. In case of conflict, the rule earlier in the sequence has precedence over the other conflicting rules. For example, the dependency matrix of the rules of Table I is given as follows:

$$D = \begin{pmatrix} 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 1 \\ 0 & 0 & 0 & 0 & 0 \end{pmatrix}$$

2) Reordering Matrix: The priority of a rule is based upon its position within the list. The reordering matrix R is defined in this work to better illustrate all ordering possibilities of the filtering rules. The reordering matrix is a strictly upper triangular {0, 1}-matrix denoted R = (r_ij)_{1≤i,j≤n} such that:

$$\forall i < j:\quad r_{ij} = \begin{cases} 1 & \text{if } R_i \text{ and } R_j \text{ cannot be reordered} \\ 0 & \text{otherwise} \end{cases} \qquad\qquad \forall i > j:\quad r_{ij} = 0$$

r_ij = 1 means that the rules R_i and R_j cannot be reordered without changing the semantics of the filtering list, and r_ij = 0 otherwise.

Theorem 1. Let M = (m_ij)_{1≤i,j≤n} be the matrix of the form $M = \sum_{k=1}^{n-1} D^k$. The reordering matrix R = (r_ij)_{1≤i,j≤n} can be derived from the powers of D as follows:

$$r_{ij} = \min(m_{ij}, 1), \quad 1 \le i, j \le n \qquad (1)$$

Proof: First, we have to prove that if m_ij ≠ 0 then r_ij = 1. Second, we have to prove that if m_ij = 0 then r_ij = 0. Let M_k denote the matrix D^k; then for all i, j with 1 ≤ i, j ≤ n we have $m_{ij} = \sum_{k=1}^{n-1} M_k[i,j]$. If m_ij ≠ 0 then there exists at least one k with 1 ≤ k ≤ n − 1 such that M_k[i, j] ≠ 0:
• M_1 = D means that ∀ i, j with 1 ≤ i, j ≤ n, if M_1[i, j] = d_ij = 1 then the rules R_i and R_j cannot be reordered because they are dependent. As a result, r_ij = 1;
• M_2 = D² means that ∀ i, j with 1 ≤ i, j ≤ n, if $M_2[i,j] = \sum_{p=1}^{n} d_{ip} d_{pj} \ne 0$ then there exists at least one m with i < m < j such that d_im = d_mj = 1. As a result, the rules R_i and R_j cannot be reordered because they are both dependent with a common rule R_m. As a result, r_ij = 1;
• M_k = D^k means that ∀ i, j with 1 ≤ i, j ≤ n, if $M_k[i,j] = \sum_{p=1}^{n} M_{k-1}[i,p]\, d_{pj} \ne 0$ then there exist m_1, m_2, ..., m_{k−1} with i < m_1 < m_2 < ... < m_{k−1} < j such that d_{i m_1} = d_{m_1 m_2} = ... = d_{m_{k−1} j} = 1. As a result, r_ij = 1.
Second, we have to prove that if m_ij = 0 then r_ij = 0. If m_ij = 0 then for all k with 1 ≤ k ≤ n − 1 we have M_k[i, j] = 0:
• M_1 = D means that ∀ i, j with 1 ≤ i, j ≤ n, if M_1[i, j] = d_ij = 0 then the rules R_i and R_j are conflict-free;
• M_2 = D² means that ∀ i, j with 1 ≤ i, j ≤ n, if $M_2[i,j] = \sum_{p=1}^{n} d_{ip} d_{pj} = 0$ then there is no m with i < m < j such that d_im = d_mj = 1. As a result, the rules R_i and R_j are not dependent through a common rule;
• M_k = D^k means that ∀ i, j with 1 ≤ i, j ≤ n, if $M_k[i,j] = \sum_{p=1}^{n} M_{k-1}[i,p]\, d_{pj} = 0$ then there are no m_1, m_2, ..., m_{k−1} with i < m_1 < m_2 < ... < m_{k−1} < j such that we simultaneously have d_{i m_1} = d_{m_1 m_2} = ... = d_{m_{k−1} j} = 1. The rules R_i and R_j can be reordered, so we have r_ij = 0.
As a result, each element r_ij can be expressed as the minimum between m_ij and 1.

3) Grouping Matrix: Similarly, the grouping matrix denoted G = (g_ij)_{1≤i,j≤n} is a strictly upper triangular matrix of order n. It also carries n(n−1)/2 pieces of useful information. We could also say that a grouping matrix is like a higher-level reordering matrix: instead of only providing information about whether or not two rules can be reordered, the grouping matrix also tells the minimum possible distance between them. On one hand, the standard definition assumes the distance between two consecutive rules is 1. On the other hand, a variation of this matrix defines the distance between two rules R_i and R_j with i < j as the total processing time needed to reach the rule R_j starting from R_i. In this work, we assume that the time taken by a packet to traverse a rule is constant and equal to 1. Initially, the distance between two rules R_i and R_j is j − i, and each element g_ij of the grouping matrix G represents the minimum possible distance between the rules R_i and R_j. In this case, our main intention is to effectively determine all grouping possibilities for optimization purposes. Grouping two related rules R_i and R_j means bringing R_i as close to R_j as possible without changing the semantics of the filtering list. If the rules R_i and R_j can be reordered (r_ij = 0) then the minimum possible distance between the rules R_i and R_j is zero. As a result, the elements of the grouping matrix satisfy the following condition:

$$0 \le g_{ij} \le j - i \qquad (2)$$

Theorem 2. The grouping matrix G = (g_ij)_{1≤i,j≤n} is deduced from the dependency matrix D as follows (when no such k exists, i.e. r_ij = 0, the maximum is taken as 0):

$$g_{ij} = \max\left(\{k \mid M_k[i,j] \ne 0,\ 1 \le k \le j - i\}\right) \qquad (3)$$

Proof: Let M_k be the matrix D^k. Then

$$M_k[i,j] = \sum_{p_1=1}^{n} \sum_{p_2=1}^{n} \cdots \sum_{p_{k-1}=1}^{n} d_{i p_1}\, d_{p_1 p_2} \cdots d_{p_{k-1} j}$$

If M_k[i, j] ≠ 0 then there exist k − 1 elements m_1, m_2, ..., m_{k−1} with i < m_1 < m_2 < ... < m_{k−1} < j such that we simultaneously have d_{i m_1} = d_{m_1 m_2} = ... = d_{m_{k−1} j} = 1. As a result, the minimum distance that can be reached between the rules R_i and R_j is the greatest value taken by k such that M_k[i, j] ≠ 0. In this context, we should mention that if there exists l with 0 ≤ l < j − i such that M_l and M_{l+1} are zero matrices, then it is unnecessary to continue calculating the M_k matrices up to the matrix M_{j−i}.
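As an added worked example (not code from the paper), the following Python builds the dependency matrix of the five non-default rules of Table I by pairwise domain intersection, derives the reordering matrix from the powers of D as in Theorem 1 and the grouping matrix as in Theorem 2, and also evaluates the DF, RF and GF factors defined in Section V. Modelling every header field as a closed integer interval, IPv4 addresses and the port range 0–65535 are assumptions of this example.

```python
# Added example (not the paper's code): matrices of Section III.B and factors of
# Section V for the five non-default rules of Table I. Every header field is
# modelled as a closed integer interval (lo, hi), a choice of this example.
import ipaddress

# Table I without the default rule R6: (name, dst, src, dport, sport, proto, action)
TABLE_I = [
    ("R1", "[192.168.100.20 , 192.168.100.40]", "192.168.200.0/28", "80", "Any", "TCP", "Accept"),
    ("R2", "192.168.100.16/28", "192.168.200.0/24", "80", "Any", "TCP", "Deny"),
    ("R3", "192.168.100.50", "192.168.200.0/28", "Any", "Any", "TCP", "Accept"),
    ("R4", "192.168.100.48/30", "Any", "80", "Any", "TCP", "Deny"),
    ("R5", "[192.168.100.41 , 192.168.100.60]", "192.168.200.0/28", "80", "Any", "TCP", "Accept"),
]

def ip_interval(spec):
    """'[a , b]', 'a/n', a bare address or 'Any' -> inclusive (lo, hi) as integers."""
    if spec == "Any":
        return (0, 2**32 - 1)
    if spec.startswith("["):
        lo, hi = (s.strip() for s in spec.strip("[]").split(","))
        return (int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)))
    net = ipaddress.IPv4Network(spec, strict=False)
    return (int(net.network_address), int(net.broadcast_address))

def port_interval(spec):
    return (0, 65535) if spec == "Any" else (int(spec), int(spec))

def proto_interval(spec):
    # Only TCP appears in Table I; anything else is treated as UDP (simplification).
    return (0, 255) if spec == "Any" else (6, 6) if spec == "TCP" else (17, 17)

def domain(rule):
    """Dom(R): one interval per inspected header field."""
    _, dst, src, dport, sport, proto, _ = rule
    return (ip_interval(dst), ip_interval(src), port_interval(dport),
            port_interval(sport), proto_interval(proto))

def intersects(r1, r2):
    """Dom(R1) ∩ Dom(R2) ≠ ∅ iff every pair of field intervals overlaps."""
    return all(a[0] <= b[1] and b[0] <= a[1] for a, b in zip(domain(r1), domain(r2)))

def dependency_matrix(rules):
    """d_ij = 1 for i < j iff the rules have distinct actions and intersecting domains."""
    n = len(rules)
    return [[int(i < j and rules[i][-1] != rules[j][-1] and intersects(rules[i], rules[j]))
             for j in range(n)] for i in range(n)]

def matmul(a, b):
    n = len(a)
    return [[sum(a[i][p] * b[p][j] for p in range(n)) for j in range(n)] for i in range(n)]

def powers(d):
    """[D^1, ..., D^(n-1)]; D is strictly upper triangular, so D^n = 0 anyway."""
    out, cur = [], d
    for _ in range(len(d) - 1):
        out.append(cur)
        cur = matmul(cur, d)
    return out

def reordering_matrix(d):
    """Theorem 1: r_ij = min(m_ij, 1) with M = sum of D^k for k = 1..n-1."""
    n, mk = len(d), powers(d)
    return [[min(sum(m[i][j] for m in mk), 1) for j in range(n)] for i in range(n)]

def grouping_matrix(d):
    """Theorem 2: g_ij = max{k | D^k[i,j] != 0, 1 <= k <= j-i}, and 0 when no such k."""
    n, mk = len(d), powers(d)
    return [[max((k for k in range(1, j - i + 1) if mk[k - 1][i][j]), default=0)
             for j in range(n)] for i in range(n)]

def upper_sum(mat):
    n = len(mat)
    return sum(mat[i][j] for i in range(n) for j in range(i + 1, n))

def factors(d):
    """Section V: DF (eq. 4), RF (eq. 5) and GF (eq. 7), each normalised to [0, 1]."""
    n = len(d)
    df = 2 * upper_sum(d) / (n * (n - 1))
    rf = 2 * upper_sum(reordering_matrix(d)) / (n * (n - 1))
    gf = 6 * upper_sum(grouping_matrix(d)) / (n * (n - 1) * (n + 1))
    return df, rf, gf

if __name__ == "__main__":
    D = dependency_matrix(TABLE_I)
    for name, mat in (("D", D), ("R", reordering_matrix(D)), ("G", grouping_matrix(D))):
        print(name, *mat, sep="\n  ")
    print("DF, RF, GF =", factors(D))  # (0.3, 0.4, 0.25)
```

Equation (3) gives g_35 = 2 for Table I, because R4 must stay between R3 and R5, so the computed GF is 0.25.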

C. Safe Rules Reordering

The dependencies between the filtering rules have to be taken into account so that the packet filter's behavior is not adversely impacted. Moving a rule changes the behavior if any of the rules passed over by the moved rule had a rule-order dependency with it, i.e. the two rules overlap and have different actions. For example, moving an allow rule over an overlapping deny rule would cause some previously denied packets to now be allowed. So, safe reordering means taking the filter's actions into account to ensure that the policy decisions are preserved.

1) Strict Reordering: The strict reordering technique is safe but not well suited to complex filtering situations. The strict reordering of two rules R_i and R_j with i < j, denoted R_s, consists of placing the rule R_j before the rule R_i in the filtering list without exchanging the order of the other rules. Strictly exchanging the priorities of the two rules R_i and R_j requires performing successive swapping operations between them. However, moving the rule R_i toward the j-th position, or the rule R_j toward the i-th position, or moving both rules, is not always possible without changing the order of the other filtering rules. Strict reordering allows only the requested rules to move. Unfortunately, this naive reordering approach is not well suited to sorting, since the intermediate rules also have to be reordered in order to achieve an optimal reordering result.

2) Flexible Reordering: In this context, the proposed flexible reordering technique, denoted R_f, outperforms the standard one, especially when dealing with complex filtering situations. Flexible reordering exchanges, if necessary, the order of the rules placed between R_i and R_j, as shown in Figure 1. Therefore, flexible grouping, denoted G_f, has a better optimization capability than the standard technique. As observed in Table I, reordering R_1 and R_5 is not possible using the strict way because Dom(R_1) ∩ Dom(R_2) ≠ ∅, Dom(R_4) ∩ Dom(R_5) ≠ ∅, R_1.action ≠ R_2.action and R_4.action ≠ R_5.action. So, the proposed solution is to also reverse the order of the conflicting rules R_2 and R_4, as shown in Figure 1. The safeReordering algorithm tries to exchange the priorities of the requested rules, and it returns True in case of successful reordering and False otherwise. Using either expression (1) or the safeReordering function, we can easily determine the entries of the flexible reordering matrix R_f.

Figure 1: Flexible safe reordering of the rules R_1 and R_5 without changing the semantics of the original filtering list of Table I.

Algorithm 1 The Safe Reordering Function

function safeReordering(R_i, R_j): Boolean
    if (list.indexOf(R_i) > list.indexOf(R_j)) then
        return False;
    else
        if (D[i, j] == 1) then
            return False;
        end if
        list_i ← {R_k, i < k ≤ j, D[i, k] = 1};
        list_j ← {R_k, i ≤ k < j, D[k, j] = 1};
        if (list_i ∩ list_j ≠ ∅) then
            return False;
        end if
        if (list_i == ∅) then
            move(R_i, list.indexOf(R_j));
            return True;
        end if
        if (list_j == ∅) then
            move(R_j, list.indexOf(R_i));
            return True;
        end if
        list_i.reverseOrder();
        for (r_i in list_i) do
            for (r_j in list_j) do
                if (list.indexOf(r_i) < list.indexOf(r_j)) then
                    if (!safeReordering(r_i, r_j)) then
                        return False;
                    end if
                end if
            end for
        end for
        move(R_i, list.indexOf(list_j.last));
        move(R_j, list.indexOf(R_i));
        return True;
    end if
end function
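The following Python is an added rendering of Algorithm 1 run on Table I; it is not the authors' code. Rule R_k is represented by the integer k, the dependent pairs are the 1-entries of the paper's matrix D for Table I, and positions are read from the live list so that recursive calls see the moves already made; the final semantics check is an addition that Algorithm 1 itself does not perform.

```python
# Added example (not the paper's code): Algorithm 1 in Python, run on Table I.
# Rule R_k is the integer k; DEPENDENT holds the 1-entries (i, j), i < j, of the
# paper's dependency matrix D for Table I (default rule R6 excluded).
DEPENDENT = {(1, 2), (3, 4), (4, 5)}

def dependent(a, b):
    """D[a, b] = 1, order-insensitive since D is strictly upper triangular."""
    return (min(a, b), max(a, b)) in DEPENDENT

def move(lst, rule, pos):
    """The paper's move(R, position): take R out and reinsert it at index pos."""
    lst.remove(rule)
    lst.insert(pos, rule)

def safe_reordering(lst, ri, rj):
    """Place rj before ri in lst (modified in place); True on success, else False."""
    if lst.index(ri) > lst.index(rj):
        return False                      # rj already precedes ri
    if dependent(ri, rj):
        return False                      # a dependent pair is never swapped
    i, j = lst.index(ri), lst.index(rj)
    # rules currently between ri and rj that depend on ri, resp. on rj
    list_i = [lst[k] for k in range(i + 1, j + 1) if dependent(ri, lst[k])]
    list_j = [lst[k] for k in range(i, j) if dependent(lst[k], rj)]
    if set(list_i) & set(list_j):
        return False                      # a shared dependant pins both rules
    if not list_i:
        move(lst, ri, lst.index(rj))      # ri may jump past rj
        return True
    if not list_j:
        move(lst, rj, lst.index(ri))      # rj may jump past ri
        return True
    # otherwise push each dependant of ri past each earlier dependant of rj
    for a in reversed(list_i):
        for b in list_j:
            if lst.index(a) < lst.index(b) and not safe_reordering(lst, a, b):
                return False
    move(lst, ri, lst.index(list_j[-1]))
    move(lst, rj, lst.index(ri))
    return True

def reorder(lst, ri, rj):
    """Non-destructive wrapper: the reordered copy, or None if reordering is refused."""
    work = list(lst)
    return work if safe_reordering(work, ri, rj) else None

def semantics_preserved(reordered):
    """Safety check (not part of Algorithm 1): every dependent pair keeps its order."""
    pos = {r: k for k, r in enumerate(reordered)}
    return all(pos[a] < pos[b] for a, b in DEPENDENT)

if __name__ == "__main__":
    original = [1, 2, 3, 4, 5]
    for ri, rj in ((1, 5), (1, 4), (3, 5)):
        result = reorder(original, ri, rj)
        print(f"R{ri} <-> R{rj}:", result, semantics_preserved(result) if result else "refused")
```

Reordering R_1 and R_5 yields [R3, R4, R5, R1, R2], the Figure 1 result, while R_3 and R_5 are refused because R_4 is a dependant of both.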

Table II: A compressed list of rules.

Rule | Destination Address | Source Address | Port Destination | Port Source | Protocol | Action
R3 | 192.168.100.50 | 192.168.200.0/28 | Any | Any | TCP | Accept
R4 | 192.168.100.48/30 | Any | 80 | Any | TCP | Deny
R1.5 | [192.168.100.20 , 192.168.100.60] | 192.168.200.0/28 | 80 | Any | TCP | Accept
R2.6 | 0.0.0.0/0 | 0.0.0.0/0 | Any | Any | Any | Deny

IV. BENEFITS OF RULE REORDERING

A. Grouping Rules

1) Aggregating Rules: In most cases, rule summarization needs the reordering of rules without affecting the overall integrity. As in the case of R_1 and R_5, consecutive rules can easily be grouped if they satisfy the needed conditions. However, if we want to aggregate non-consecutive rules, we must change their priorities to bring them closer to each other. Changing priorities between rules is not always possible, and it is difficult to manage manually because a slight difference in the order of rules can cause a dramatic change in the packet filter's behavior. Hence, rule summarization is automatically possible when two rules R_x and R_y can be made consecutive and there exists i with 1 ≤ i ≤ d such that the corresponding conditions C_xi and C_yi can be grouped into a single entry using code-saving techniques, and ∀ j ≠ i, C_xj = C_yj. For the case of IP address matching capabilities, the packet filtering syntax offers the policy specifier the ability to express more complex situations in a single rule through the use of diverse code-saving features such as the CIDR technique, arbitrary masks and arbitrary ranges.

a) CIDR Blocks of Addresses: The notation of the form A.B.C.D/n is called CIDR notation (Classless Inter-Domain Routing) [18], where /n is called the network mask. The network mask represents the set of significant bits used to distinguish a network. In this context, CIDR allows multiple subnets to be grouped together for efficient traffic matching. CIDR aggregation requires the network segments involved to be contiguous (numerically adjacent) in the address space. Consequently, it becomes possible to group two CIDR blocks into a single one as follows:

$$\left\{ \begin{array}{l} 192.168.12.0/24 \\ 192.168.13.0/24 \end{array} \right. \to 192.168.12.0/23$$

On one hand, two disjoint CIDR blocks B_1 = (IPaddr_1/mask_1)_CIDR and B_2 = (IPaddr_2/mask_2)_CIDR are aggregatable if and only if they satisfy the following conditions:
• mask_1 = mask_2;
• IPaddr_1 / 2^{w−mask_1+1} = IPaddr_2 / 2^{w−mask_2+1};
• IPaddr_1[w − mask_1 + 1] ≠ IPaddr_2[w − mask_2 + 1].
And the resulting CIDR block B_3 = B_1 ∪ B_2 is expressed as follows:

$$B_3 = \left( \min(IPaddr_1, IPaddr_2) / (mask_1 - 1) \right)_{CIDR}$$

On the other hand, two inclusive CIDR blocks B_1 = (IPaddr_1/mask_1)_CIDR and B_2 = (IPaddr_2/mask_2)_CIDR are aggregatable, and they satisfy the following conditions:
• B_2 ⊂ B_1
  – mask_1 < mask_2;
  – IPaddr_1 / 2^{w−mask_1+1} = IPaddr_2 / 2^{w−mask_1+1}.
• B_1 ⊂ B_2
  – mask_1 > mask_2;
  – IPaddr_1 / 2^{w−mask_2+1} = IPaddr_2 / 2^{w−mask_2+1}.
And the resulting CIDR block B_3 = B_1 ∪ B_2 is expressed as follows:

$$B_3 = \left( \min(IPaddr_1, IPaddr_2) / \min(mask_1, mask_2) \right)_{CIDR}$$

b) Arbitrary Mask Technique: The arbitrary mask technique is one of the hidden features offered by several packet filters. The arbitrary mask consists of an arbitrary combination of 0s and 1s. Unlike the CIDR technique, the use of arbitrary masks allows grouping not only contiguous blocks of addresses but also disjoint ones, as follows:

$$\left\{ \begin{array}{l} 192.168.1.0/24 \\ 192.168.3.0/24 \\ 192.168.5.0/24 \\ 192.168.7.0/24 \end{array} \right. \to 192.168.1.0/255.255.249.0$$

c) Arbitrary Range of IP Addresses: Most of the time, we want to express blocks of addresses that do not fall precisely on CIDR boundaries. This kind of specification is only possible if the packet filtering syntax offers the ability to specify an arbitrary range of addresses. For example, it is much better for system administrators to specify the arbitrary range [192.168.1.64 − 192.168.2.20] in one entry than to express this kind of match with 5 entries using the standard CIDR technique, as follows:

$$\left\{ \begin{array}{l} 192.168.1.64/26 \\ 192.168.1.128/25 \\ 192.168.2.0/28 \\ 192.168.2.16/30 \\ 192.168.2.20/32 \end{array} \right. \to [192.168.1.64 - 192.168.2.20]$$
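As an added example (not the paper's code), the following Python implements the disjoint and inclusive aggregation conditions above with the standard ipaddress module, together with the arbitrary-mask membership test and the range-to-CIDR expansion of the last two examples. It assumes IPv4, i.e. w = 32, and that bit positions are counted from the most significant bit.

```python
# Added example (not the paper's code): CIDR aggregation conditions of
# Section IV.A.1.a, arbitrary masks of IV.A.1.b and the range-to-CIDR
# expansion of IV.A.1.c. Assumes IPv4 (w = 32) and bit positions counted
# from the most significant bit.
import ipaddress

W = 32  # address width w for IPv4

def prefix_bits(addr, nbits):
    """First nbits of addr as an integer: the paper's IPaddr / 2^(w - nbits)."""
    return int(addr) >> (W - nbits)

def bit_at(addr, k):
    """Bit number k of addr, k = 1 being the most significant bit."""
    return (int(addr) >> (W - k)) & 1

def aggregate(b1, b2):
    """B3 = B1 ∪ B2 as one CIDR block, or None if B1 and B2 are not aggregatable."""
    b1, b2 = ipaddress.IPv4Network(b1), ipaddress.IPv4Network(b2)
    a1, m1 = b1.network_address, b1.prefixlen
    a2, m2 = b2.network_address, b2.prefixlen
    # Inclusive case: one block contains the other, so the wider block is B3.
    if b1.subnet_of(b2) or b2.subnet_of(b1):
        return ipaddress.IPv4Network((min(a1, a2), min(m1, m2)))
    # Disjoint case: equal masks, same first mask-1 bits, differing bit number mask.
    if (m1 == m2 and m1 > 0
            and prefix_bits(a1, m1 - 1) == prefix_bits(a2, m2 - 1)
            and bit_at(a1, m1) != bit_at(a2, m2)):
        return ipaddress.IPv4Network((min(a1, a2), m1 - 1))
    return None

def range_to_cidr(first, last):
    """Minimal list of CIDR blocks covering the arbitrary range [first - last]."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

def matches_arbitrary_mask(addr, base, mask):
    """addr belongs to base/mask, where mask is an arbitrary pattern of 0s and 1s."""
    m = int(ipaddress.IPv4Address(mask))
    return int(ipaddress.IPv4Address(addr)) & m == int(ipaddress.IPv4Address(base)) & m

if __name__ == "__main__":
    print(aggregate("192.168.12.0/24", "192.168.13.0/24"))      # 192.168.12.0/23
    print(aggregate("192.168.12.0/24", "192.168.14.0/24"))      # None: not on a /23 boundary
    print(aggregate("192.168.100.16/28",  "192.168.100.0/24"))  # 192.168.100.0/24 (inclusive)
    print([str(n) for n in range_to_cidr("192.168.1.64", "192.168.2.20")])  # the 5 blocks above
    print(matches_arbitrary_mask("192.168.3.77", "192.168.1.0", "255.255.249.0"))  # True
```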

2) Factorizing the Filtering Rules: Most of the time, packet filters incorporate the option of using sublists. Rules having common conditions can be grouped together into one compound rule. The option of factorization needs a partial reordering of the filtering rules because only the rules that can be made consecutive are able to be grouped into one compound rule. Factorizing common conditions efficiently reduces the number of comparisons done per incoming packet for the whole set of rules. In software packet filters, the option of factorization is generally implemented using a Jump instruction to another list of rules. For example, in Table II, the consecutive rules R_4 and R_1.5 can be joined together in one compound rule, as shown in Table III.

Table III: A factorized list of rules.

(a) Main list of rules
Rule | Destination Address | Source Address | Port Destination | Port Source | Protocol | Action
R3 | 192.168.100.50 | 192.168.200.0/28 | Any | Any | TCP | Accept
R1.4.5 | Any | Any | 80 | Any | TCP | Jump to subList1.4.5
R2.6 | 0.0.0.0/0 | 0.0.0.0/0 | Any | Any | Any | Deny

(b) subList1.4.5
Destination Address | Source Address | Action
192.168.100.48/30 | Any | Deny
[192.168.100.20 , 192.168.100.60] | 192.168.200.0/28 | Accept

For example, let's say a packet enters the main filtering list and then hits a rule that it matches and that tells it to jump to a sublist X. The packet then starts traversing the sublist X until it matches a rule. If it reaches the end of the sublist, the packet jumps back to the main list and continues to parse the rules sequentially. Some packet filters incorporate the option of using a Return target in a list or a sublist. If the Return target is placed in the main list, it causes the current packet to be sent to the default policy. If the Return target is placed in the sublist of another chain of rules, the current packet stops traveling through the sublist where it hits this entry and continues to parse the parent rules until a match is found.

B. Statistical Filtering Model

Adjusting the rule order according to the matching statistics can efficiently improve the performance of a packet filter, since rules are compared in order. Tuple comparison is an important indicator of filtering performance. With an optimal rule order, fewer tuple comparisons are done per packet. Finding the optimal sequence for a large list of rules has been proved to be an NP-hard problem because, in most cases, moving the frequently matched rules to the top of the filtering list may change the packet filter's behavior. As argued before, the precedence relationship is the most important handicap that prevents any optimization, especially the implementation of statistical filtering strategies. Therefore, simply exchanging the placement of rules is not feasible. As shown before, there are three forms of relationships between rules: inclusive, correlated and disjoint. If rules have distinct actions then the order can be changed only if the rules are totally disjoint. Rebuilding the filtering list to make the rules totally independent was considered by the research community a difficult problem to resolve efficiently. The deprioritization process may also increase the size of the filtering list exponentially. The use of the proposed safe-reordering technique is the most efficient way to make rule ordering concrete and easy to implement without affecting the metrics of the filtering system.

C. Distributed Filtering Model

An optimized distributed filtering strategy consists in subdividing the set of filtering rules among multiple packet filters such that each filter implements a portion of the original policy. To maintain the policy's integrity, the precedence relationships must be preserved within the portions of the policy. The safe reordering technique lets us subdivide the filtering policy freely and equitably across packet filters; therefore the workload is equitably dispatched amongst several packet filters. When a packet arrives at such a filtering system, it is processed by every packet filter in parallel, thus the processing time required per packet is reduced. Packets have to be duplicated and sent to each packet filter to be compared in parallel. Once processing is complete for a packet, the results from the individual packet filters are sent to an additional component that stores the packet and determines the final action (accept or deny) according to the given priorities.

V. PERFORMANCE EVALUATION

As shown before, the proposed matrices are well suited to the visualization of the packet filtering policy. In this part, we develop a set of new evaluation metrics to better measure the complexity of filtering policies, to illustrate the performance of the proposed reordering method and to show its efficiency and usefulness by comparison with the naive way.

A. Dependency Factor (DF)

Since the precedence relationship is one of the most important handicaps remaining in the context of packet filtering, the DF factor is defined to measure the degree of interdependency between rules. DF is defined as follows:

$$DF = \frac{2}{n(n-1)} \sum_{i=1}^{n-1} \sum_{j=i+1}^{n} d_{ij} \qquad (4)$$

The dependency factor is a dimensionless number that ranges between 0 and 1; the closer to 0 it is, the easier rule reordering is. For example, the DF of the list of Table I is 0.3.

Figure 2: Variation of the RF and GF factors according to the DF values for the case of 10 filtering rules. (a) The variation of the reordering factor with the increase of the dependencies between rules (x-axis: dependency factor (DF) from 0 to 1; y-axis: reordering factor (RF) from 0 to 1; curves: Minimum, Maximum, Average). (b) The variation of the grouping factor with the increase of the dependencies between rules (x-axis: dependency factor (DF) from 0 to 1; y-axis: grouping factor (GF) from 0 to 1; curves: Minimum, Maximum, Average).

B. Reordering Factor (RF)

The dependency matrix stores the relations between rules, but does not provide enough information about the possibility of rule reordering. A useful evaluation metric is the number of exchangeable entries in a filtering list divided by the number of all pairs of rules. In this work, the reordering factor RF is introduced to efficiently measure the possibility of changing priorities in a filtering list. The normalized RF is expressed as follows:

$$RF = \frac{2}{n(n-1)} \sum_{i=1}^{n-1} \sum_{j=i+1}^{n} r_{ij} \qquad (5)$$

By definition, the RF factor is a number between 0 and 1 and, more precisely, it satisfies the inequality:

$$DF \le RF \le 1 \qquad (6)$$

Figure 2a illustrates the lower and upper bounds of the RF values and shows the average relation between the reordering factor and the dependencies between rules. Figure 3a compares the standard and the proposed reordering approaches and shows how the safe rule reordering technique can effectively improve the redistribution of priorities between the filtering rules.

Example 3. The strict and the flexible reordering matrices and factors of the example of Table I are as follows:

$$R_s = \begin{pmatrix} 0 & 1 & 0 & 1 & 1 \\ 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 0 & 1 \\ 0 & 0 & 0 & 0 & 0 \end{pmatrix} \quad RF_s = 0.6 \qquad\qquad R_f = \begin{pmatrix} 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 0 & 1 \\ 0 & 0 & 0 & 0 & 0 \end{pmatrix} \quad RF_f = 0.4$$

C. Grouping Factor (GF)

The grouping matrix contains the pairwise distances of a set of rules, such that rows and columns refer to the filtering rules and each element of the matrix indicates the minimum possible distance between two rules. Similarly, the grouping factor is a new metric between 0 and 1, defined as follows:

$$GF = \frac{6}{n(n-1)(n+1)} \sum_{i=1}^{n-1} \sum_{j=i+1}^{n} g_{ij} \qquad (7)$$

We denote by distance_ij the distance between two rules R_i and R_j. Initially, the distance is expressed as distance_ij = |i − j|. Expressing GF requires calculating the sum of all possible distances as follows:

$$\sum_{i=1}^{n} \sum_{j=1}^{n} distance_{ij} = \sum_{i=1}^{n} \sum_{j=1}^{n} |i - j| = 2 \sum_{i=1}^{n} \sum_{j=i+1}^{n} (j - i) = 2 \sum_{i=1}^{n} \sum_{j=1}^{n-i} j = \frac{n(n-1)(n+1)}{3}$$

Example 4. The strict and the flexible grouping matrices and factors of the example of Table I are as follows:

$$G_s = \begin{pmatrix} 0 & 1 & 0 & 3 & 4 \\ 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 2 \\ 0 & 0 & 0 & 0 & 1 \\ 0 & 0 & 0 & 0 & 0 \end{pmatrix} \quad GF_s = 0.6 \qquad\qquad G_f = \begin{pmatrix} 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 0 & 1 \\ 0 & 0 & 0 & 0 & 0 \end{pmatrix} \quad GF_f = 0.2$$

In case of a totally dependent list of rules, we have DF = RF = GF = 1: it means that the current list prevents any optimization. In case of a conflict-free list of rules, D, R and G are a zero matrices and DF = RF = GF = 0

Figure 3: Comparing the proposed flexible reordering technique with the naive approach for the case of 10 filtering rules. (a) Flexible reordering vs strict reordering: reordering factor (RF) plotted against dependency factor (DF), both on [0, 1]. (b) Flexible grouping vs strict grouping: grouping factor (GF) plotted against dependency factor (DF), both on [0, 1]. (Only the axes and panel titles survive in the text; the curves are not reproduced here.)

Figure 2b illustrates the lower and upper bounds of the GF values and shows that the grouping factor (GF) increases with the dependency factor (DF). Similarly, Figure 3b compares the strict grouping technique with the flexible one and shows how effectively the proposed reordering approach brings related rules close to each other.

VI. CONCLUSION

As packet classification has been widely deployed on the Internet, the demand for efficient classification grows, especially in high-speed environments or when traffic requires a specific network Quality of Service (QoS). Unfortunately, a packet filter can quickly become a bottleneck at current network speeds and traffic loads. The existence of mutually exclusive rules within the filtering list is one of the most important obstacles, and it motivates the study of inter-rule dependency. Reordering rules by hand is difficult because the interactions within the filtering list are numerous and, in most cases, invisible to the user. In this work we have shown that matrices are well suited to visualize these hidden interactions and to expose the available reordering possibilities. Our objective was to face the challenge of dependencies among rules and to ensure that any reordering results only in a rule set equivalent to the original one. A novel optimization technique with new matrix-based evaluation metrics was introduced to make optimization easy, optimal and safe. In future work we intend to focus on rule deprioritization to achieve further performance improvements.
