Optimization of Network Firewall Policies using Directed Acyclical Graphs

This paper introduces a new method to improve the performance of list oriented firewall systems. Specifically, the paper addresses reordering a firewall rule set to minimize the average number of comparisons to determine the action, while maintaining the integrity of the original policy. Integrity is preserved if the reordered and original rules always arrive at the same result given a packet. To maintain integrity, this paper will model the rule set as a Directed Acyclical Graph (DAG), where vertices are firewall rules and edges indicate precedence relationships. Given this representation, any linear arrangement of the policy DAG (which is a list of rules) is shown to maintain the original policy integrity. Unfortunately, determining the optimal rule order from all the possible linear arrangements is shown to be -hard, since it is equivalent to sequencing jobs with precedence constraints for a single machine. Although determining the optimal order is -hard, this paper will introduce a simple heuristic to order firewall rules that reduces the average number of comparisons while maintaining integrity. Simulation results show the proposed reordering method yields rule orders that are comparable to optimal (11% difference); thus, provides a simple means to significantly improve firewall performance and lower packet delay.