A Study of Network Firewall Policy Rules

Master's === Providence University (靜宜大學) === In-service Master's Program in Information === 96 === Today, the network firewall is the most important network gateway controlling Internet traffic that accesses an enterprise's network resources. The firewall filters traversing packets against a security policy rule list. The greater demand the...

Bibliographic Details
Main Authors: Ming-Min Ho, 何明昊
Other Authors: Wu-Lin Chen
Format: Others
Language: zh-TW
Published: 2008
Online Access: http://ndltd.ncl.edu.tw/handle/84363252116580931708
id ndltd-TW-096PU005392003
record_format oai_dc
spelling ndltd-TW-096PU005392003 2016-05-13T04:14:38Z http://ndltd.ncl.edu.tw/handle/84363252116580931708 A Study of Network Firewall Policy Rules 網路防火牆政策規則之探討 Ming-Min Ho 何明昊 Master's, Providence University (靜宜大學), In-service Master's Program in Information, 96 Wu-Lin Chen Yin-Te Tsai 陳武林 蔡英德 2008/07/ thesis 58 zh-TW
collection NDLTD
sources NDLTD
description Master's === Providence University (靜宜大學) === In-service Master's Program in Information === 96 === Today, the network firewall is the most important network gateway controlling Internet traffic that accesses an enterprise's network resources. The firewall filters traversing packets against a security policy rule list. As demand for network bandwidth grows, new network application services impose stricter requirements on network quality of service (QoS). The performance of a network firewall is therefore characterized by the time taken to filter a packet by examining the sequential rule table, and the firewall becomes a performance bottleneck of the enterprise's network. Building on the push-down policy trie algorithm proposed by Fulp and Tarsa, which optimizes the layout of the policy rule structure and reduces packet-filtering time, this study develops a new method, inserting port group deny rule (iPGDR), to deny packets early. iPGDR groups rules with the same and contiguous destination port numbers into a cluster, then inserts a deny rule after that cluster. Real data are used to test and validate the method. The results show that the iPGDR method is better than the push-down policy trie by 58% in the number of tuple spaces and by 82% in the real number of policy rules.