A Stateful Mechanism for the Tree-Rule Firewall

Thawatchai Chomsiri, Xiangjian He, Priyadarsi Nanda, Zhiyuan Tan
2014 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications  
In this paper, we propose a novel connection tracking mechanism for Tree-rule firewall which essentially organizes firewall rules in a designated Tree structure. A new firewall model based on the proposed connection tracking mechanism is then developed and extended from the basic model of Netfilter's ConnTrack module, which has been used by many early generation commercial and open source firewalls including IPTABLES, the most popular firewall. To reduce the consumption of memory space and
more » ... ssing time, our proposed model uses one node per connection instead of using two nodes as appeared in Netfilter model. This can reduce memory space and processing time. In addition, we introduce an extended hash table with more hashing bits in our firewall model in order to accommodate more concurrent connections. Moreover, our model also applies sophisticated techniques (such as using static information nodes, and avoiding timer objects and memory management tasks) to improve its processing speed. Finally, we implement this model on Linux Cent OS 6.3 and evaluate its speed. The experimental results show that our model performs more efficiently in comparison with the Netfilter/IPTABLES.
doi:10.1109/trustcom.2014.20 dblp:conf/trustcom/ChomsiriHNT14 fatcat:tm57b522ovd67luvuusakamrre