Conference: 2010 IEEE 30th International Conference on Distributed Computing Systems

Projection and Division: Linear-Space Verification of Firewalls


Abstract

A firewall is a packet filter that is placed at the entrance of a private network. It checks the header fields of each incoming packet into the private network and decides, based on the specified rules in the firewall, whether to accept the packet and allow it to proceed, or to discard the packet. A property of a firewall is a set of packets that the firewall is required to accept or discard. Associated with each firewall is a very large set of properties that the firewall needs to satisfy. The space and time complexity of the best known deterministic algorithm, for verifying that a given firewall satisfies a given property, is $O(n^d)$, where $n$ is the number of rules in the given firewall and $d$ is the number of fields checked by the firewall. Usually, $n$ is around $2000$ and $d$ is $5$. In this paper, we propose the first deterministic firewall verification algorithm whose space complexity is $O(nd)$, linear in both $n$ and $d$. This algorithm consists of three components: a projection pass, a division pass, and a probe algorithm. We applied our verification algorithm to over two million firewall-property pairs, varying $n$ from $100$ to $10000$ and fixing $d$ at $5$. From this experiment, we observed that the algorithm requires $900 + 0.5n$ kilobytes of storage and on the order of 10 seconds of execution time.
