Firewall Policy Optimization and Management
Electronic Theses and Dissertations
Item Files
Item Details
- abstract
- Firewalls enforce a security policy by inspecting packets arriving or departing a network. This is accomplished by sequentially comparing the policy rules with the header of an arriving packet until the first match is found. This process becomes time consuming as policies become larger and more complex. For example, a firewall connecting two high speed networks is responsible for processing heavy network load and can easily become a bottleneck. Therefore determining the appropriate action for arriving packets must be done as quickly as possible. The process of packet header matching can be improved if more popular rules appear earlier in the policy. Unfortunately, a simple sorting algorithm is not possible, since the relative order of certain rules must be maintained in order to preserve the original policy intent. Using directed acyclical graphs to represent the firewall policy, this thesis shows that determining the best order of firewall rules is equivalent to job-shop scheduling, a known NP-Hard problem. The sorting techniques are novel in that they consider sub-graphs of rules (inter-related by precedence constraints) and compare the advantage of placing and merging the nodes that comprise them. For policy management, a shadow detection algorithm is presented to detect anomalies.
- subject
- Computer Science
- Network Security
- Network Firewalls
- Policy Optimization
- Policy Management
- contributor
- Dr. David J. John (committee chair)
- Dr. Errin W. Fulp (committee member)
- Dr. Todd C. Torgersen (committee member)
- date
- 2008-12-19T17:52:46Z (accessioned)
- 2010-06-18T19:00:03Z (accessioned)
- 2008-12-19T17:52:46Z (available)
- 2010-06-18T19:00:03Z (available)
- 2008-12-19T17:52:46Z (issued)
- degree
- Computer Science (discipline)
- identifier
- http://hdl.handle.net/10339/14917 (uri)
- language
- en_US (iso)
- publisher
- Wake Forest University
- rights
- Release the entire work for access only to the Wake Forest University system for one year from the date below. After one year, release the entire work for access worldwide. (accessRights)
- title
- Firewall Policy Optimization and Management
- type
- Thesis