Issue No. 02 - February (2010 vol. 59)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TC.2009.172
Shigang Chen , University of Florida, Gainesville
Zhan Zhang , Cisco Systems, San Jose
MyungKeun Yoon , University of Florida, Gainesville
A firewall's complexity is known to increase with the size of its rule set. Empirical studies show that as the rule set grows larger, the number of configuration errors on a firewall increases sharply, while the performance of the firewall degrades. When designing a security-sensitive network, it is critical to construct the network topology and its routing structure carefully in order to reduce the firewall rule sets, which lowers the chance of security loopholes and prevents performance bottlenecks. This paper studies the problems of how to place the firewalls in a topology during network design and how to construct the routing tables during operation such that the maximum firewall rule set is minimized. These problems have not been studied adequately despite their importance. We make two major contributions. First, we prove that the problems are NP-complete. Second, we propose a heuristic solution and demonstrate the effectiveness of the algorithm by simulations. The results show that the proposed algorithm reduces the maximum firewall rule set by 2-5 times compared with other algorithms.
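The following is an added illustration of the routing side of the problem stated in the abstract; it is not the paper's algorithm (the abstract does not describe the heuristic) and the topology, flow list and the "one rule, on one firewall along the chosen path" model are my own assumptions. It contrasts a naive routing (first path found, rule on the first firewall) with a simple most-constrained-first, least-loaded heuristic and an exhaustive search for the true optimum, showing how routing choices alone change the largest per-firewall rule set.

```python
from collections import defaultdict
from itertools import product

# Constructed topology (hypothetical, not from the paper): undirected adjacency list.
TOPOLOGY = {
    "H1": ["FW1"],
    "H2": ["FW1", "FW2"],
    "H3": ["FW2"],
    "FW1": ["H1", "H2", "CORE"],
    "FW2": ["H2", "H3", "CORE"],
    "FW3": ["CORE", "S2"],
    "CORE": ["FW1", "FW2", "FW3", "S1"],
    "S1": ["CORE"],
    "S2": ["FW3"],
}
FIREWALLS = {"FW1", "FW2", "FW3"}
ENDPOINTS = {"H1", "H2", "H3", "S1", "S2"}  # hosts never forward transit traffic

# Constructed flows (assumed model): each (src, dst) pair needs exactly one
# filtering rule, installed on exactly one firewall on the flow's forwarding path.
FLOWS = [("H1", "S1"), ("H1", "S2"), ("H2", "S1"),
         ("H2", "S2"), ("H3", "S1"), ("H3", "S2")]


def simple_paths(src, dst, topology=TOPOLOGY, endpoints=ENDPOINTS):
    """All loop-free paths from src to dst whose interior nodes are not endpoints."""
    paths = []

    def walk(node, path):
        if node == dst:
            paths.append(list(path))
            return
        for nxt in topology[node]:
            if nxt in path or (nxt in endpoints and nxt != dst):
                continue
            path.append(nxt)
            walk(nxt, path)
            path.pop()

    walk(src, [src])
    return paths


def candidate_firewalls(src, dst):
    """Map each firewall the flow can be routed through to one path that uses it."""
    options = {}
    for path in simple_paths(src, dst):
        for node in path:
            if node in FIREWALLS:
                options.setdefault(node, path)
    return options


def naive_placement(flows=FLOWS):
    """Baseline: take the first path found, enforce on the first firewall along it."""
    assignment = {}
    for src, dst in flows:
        path = simple_paths(src, dst)[0]
        assignment[(src, dst)] = (next(n for n in path if n in FIREWALLS), path)
    return assignment


def greedy_placement(flows=FLOWS):
    """Hypothetical heuristic (mine, not the paper's): place the most constrained
    flows first, each on the least-loaded firewall it can be routed through."""
    options = {f: candidate_firewalls(*f) for f in flows}
    load = defaultdict(int)
    assignment = {}
    for flow in sorted(flows, key=lambda f: len(options[f])):
        fw = min(options[flow], key=lambda name: (load[name], name))
        load[fw] += 1
        assignment[flow] = (fw, options[flow][fw])
    return assignment


def optimal_max_rules(flows=FLOWS):
    """Exhaustive search over firewall choices; feasible only for toy instances."""
    options = [list(candidate_firewalls(*f)) for f in flows]
    best = len(flows)
    for choice in product(*options):
        counts = defaultdict(int)
        for fw in choice:
            counts[fw] += 1
        best = min(best, max(counts.values()))
    return best


def max_rule_set(assignment):
    """Size of the largest per-firewall rule set under an assignment."""
    counts = defaultdict(int)
    for fw, _path in assignment.values():
        counts[fw] += 1
    return max(counts.values())


if __name__ == "__main__":
    for name, plan in (("naive", naive_placement()), ("greedy", greedy_placement())):
        print(f"{name}: max rule set = {max_rule_set(plan)}")
        for flow, (fw, path) in sorted(plan.items()):
            print(f"  {flow[0]}->{flow[1]}: rule on {fw}, route {' - '.join(path)}")
    print("exhaustive optimum:", optimal_max_rules())
```

On this instance the naive routing loads FW1 with four rules while FW3 carries none; the heuristic spreads the six flows two per firewall, which the exhaustive search confirms is optimal here. The routing table for each flow is simply the path paired with its enforcing firewall, which is what the paper's problem statement asks to construct; on real topologies the exhaustive step is infeasible, which is the practical consequence of the NP-completeness result.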
Firewall configuration, access control rules, network security.
Shigang Chen, Zhan Zhang, MyungKeun Yoon, "Minimizing the Maximum Firewall Rule Set in a Network with Multiple Firewalls", IEEE Transactions on Computers, vol. 59, no. 2, pp. 218-230, February 2010, doi:10.1109/TC.2009.172