Security policy rules optimization and its application to the Iptables firewall
RADOMSKIY, STANISLAV (2011)
Tietojenkäsittelyoppi - Computer Science
Informaatiotieteiden yksikkö - School of Information Sciences
This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Date of approval
2011-05-10
The permanent address of the publication is
https://urn.fi/urn:nbn:fi:uta-1-21336
Abstract
The security of a network connected to the Internet is of the highest importance, especially if the network belongs to a private company or a bank. Many different methods have been invented and are currently used to prevent the harm that perpetrators can cause to the local network. One of the most commonly used methods is a firewall.
An important feature of a firewall is the efficiency of its filtering. Since each packet is compared against the filtering rules in the firewall, the firewall introduces a delay. The smaller the delay, the more efficient the filtering.
In order to make a network more secure, we have to make sure that the firewall implements a given security policy and does so efficiently. The ruleset should be examined for errors such as duplicated, shadowed and conflicting rules, and those errors should be eliminated if found. Rules should also be rearranged to make filtering optimally efficient. Rule rearrangement could accidentally change the security policy, and we have to make sure that this does not happen.
We study two different optimization approaches that can be applied to the ruleset of the firewall. The optimization approach that examines the ruleset and eliminates the errors is called static optimization since it uses a given ruleset and does not need any additional data. Another optimization approach that rearranges the rules' order in the ruleset is called dynamic optimization since it uses dynamic statistical information of the traffic which flows through the firewall.
In this work we consider different existing optimization approaches, both static as well as dynamic, and suggest a combination of their best features and improvements. We make sure that the suggested optimizations will not change the security policy of the initial ruleset at any time. We also consider peculiarities of the Iptables firewall and show how the suggested method can be applied to its ruleset.
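As an illustration of the static checks and the reordering constraint the abstract describes, the following added example (not code from the thesis) audits a first-match ruleset for duplicated, shadowed and conflicting rules and tests whether two adjacent rules can be swapped without changing the policy. The simplified rule model, the names `Rule`, `covers`, `overlaps`, `audit` and `safe_to_swap`, and the exact definitions of the three error classes are assumptions made for this sketch.

```python
from ipaddress import ip_network
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    proto: str            # "tcp", "udp" or "all"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # None matches any destination port
    action: str           # "ACCEPT" or "DROP"

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    return (a.proto in ("all", b.proto)
            and ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.dport in (None, b.dport))

def overlaps(a: Rule, b: Rule) -> bool:
    """True if at least one packet is matched by both rules."""
    return (("all" in (a.proto, b.proto) or a.proto == b.proto)
            and ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and (None in (a.dport, b.dport) or a.dport == b.dport))

def audit(rules):
    """Return (earlier, later, kind) findings under first-match semantics."""
    findings = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            differ = earlier.action != later.action
            if earlier == later:                     # same match, same action
                findings.append((i, j, "duplicated"))
            elif differ and covers(earlier, later):  # later rule can never fire
                findings.append((i, j, "shadowed"))
            elif differ and overlaps(earlier, later):  # order decides the verdict
                findings.append((i, j, "conflicting"))
    return findings

def safe_to_swap(a: Rule, b: Rule) -> bool:
    """Swapping two adjacent rules keeps the policy if they never disagree."""
    return a.action == b.action or not overlaps(a, b)

RULES = [  # constructed sample ruleset, not taken from the thesis
    Rule("tcp", "10.0.0.0/8", "0.0.0.0/0", 80, "ACCEPT"),
    Rule("tcp", "10.1.0.0/16", "0.0.0.0/0", 80, "DROP"),       # shadowed by rule 0
    Rule("tcp", "10.0.0.0/8", "0.0.0.0/0", 80, "ACCEPT"),      # duplicate of rule 0
    Rule("all", "0.0.0.0/0", "192.168.1.0/24", None, "DROP"),  # overlaps rules 0 and 2
]
```

A traffic-driven reordering step would consult `safe_to_swap` before moving a frequently hit rule ahead of its neighbour, so that only pairs that cannot disagree on any packet are exchanged.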