Achieving Optimal Firewall Filtering Through Dynamic Rule Reordering



The latest cutting-edge technologies, such as cloud computing, web services and web architectures, have enhanced the business experience. These technologies have increased the demand for bandwidth, which in turn has heightened the need for routers that can handle large traffic volumes of up to thousands of packets per second. However, the greatest challenge is to protect the network from unintended information leakage through unauthorized traffic. Firewalls act as a defense against this unauthorized traffic by establishing secure communication in networks. Nevertheless, firewalls are controlled by security policies that are complex and fraught with thousands of conflicting rules written by administrators over time while resolving issues. Therefore, effective firewall conflict management is required so that the firewall can act as a barrier between trusted and untrusted network traffic, blocking unauthorized access to Internet-based enterprises. In this study, we propose a framework for handling policy conflicts in firewalls based on a risk assessment of the conflicts. We identify the risk level of each policy conflict on the basis of a vulnerability assessment of the secured network. We use Dynamic Rule Reordering to reorder the conflicting rules and achieve optimal solutions for conflict resolution. The proposed method was found to detect and resolve anomalies much faster than existing methods.
Copyright © 2013 Praise Worthy Prize - All rights reserved.


Anomaly Management; Firewall Policy; Policy Conflicts; Rule Reordering
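As an added illustration of the anomaly class the abstract targets (this is not the paper's framework or its code): a detector for the shadowing anomaly over a constructed rule set, conflicts triaged by a constructed per-rule risk score, and a reordering step that moves the shadowed, more specific rule ahead of the rule hiding it. The rule fields, the risk scores and the "move the specific rule first" resolution policy are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    proto: str      # "tcp", "udp" or "any"
    src: str        # source CIDR
    dst: str        # destination CIDR
    dport: tuple    # (low, high) destination port range, inclusive
    action: str     # "accept" or "deny"
    risk: int       # constructed risk score of the assets behind the rule

def subsumes(a, b):
    """True when every packet matched by rule b is also matched by rule a."""
    net = ipaddress.ip_network
    return ((a.proto == "any" or a.proto == b.proto)
            and net(b.src).subnet_of(net(a.src))
            and net(b.dst).subnet_of(net(a.dst))
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])

def find_shadowed(rules):
    """Shadowing: a later rule can never fire because an earlier rule with a
    different action already covers all of its packets. Returns
    (shadowing, shadowed, risk) tuples, highest risk first, for triage."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.action != later.action and subsumes(earlier, later):
                found.append((earlier.name, later.name, later.risk))
                break
    return sorted(found, key=lambda t: -t[2])

def reorder(rules):
    """Resolve each shadowing conflict, highest risk first, by moving the
    shadowed (more specific) rule directly in front of the rule hiding it."""
    order, by_name = list(rules), {r.name: r for r in rules}
    for shadowing, shadowed, _ in find_shadowed(rules):
        order.remove(by_name[shadowed])
        order.insert(order.index(by_name[shadowing]), by_name[shadowed])
    return order

def first_match(rules, proto, src, dst, dport):
    """First-match semantics of a typical packet filter; None if nothing matched."""
    pkt = Rule("pkt", proto, src + "/32", dst + "/32", (dport, dport), "", 0)
    return next(((r.name, r.action) for r in rules if subsumes(r, pkt)), None)

# Constructed sample policy: R3 is shadowed by R1 (R1 denies everything R3 accepts).
POLICY = [
    Rule("R1", "tcp", "10.0.0.0/8", "192.168.1.0/24", (1, 65535), "deny", 2),
    Rule("R2", "udp", "0.0.0.0/0", "192.168.1.53/32", (53, 53), "accept", 1),
    Rule("R3", "tcp", "10.1.0.0/16", "192.168.1.10/32", (443, 443), "accept", 5),
]
```

Running `first_match` on the same packet before and after `reorder(POLICY)` shows the policy change the reordering makes explicit: the HTTPS traffic R3 was written to admit is denied by R1 until R3 is moved ahead of it.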





