A Mapping Mechanism for Periodic Filters in a Conflict Detection System for Time-Based Firewall Policies

摘要

Recently, time-based filters are introduced in several practical firewalls like CISCO ACLs and LINUX Iptables to control network traffic in time. It is very handy when a service is required to be available at certain times of a day or at certain days. However, network administrators struggle to maintain time-based firewall policies due to their high-complexity. Conflict is a misconfiguration that occurs when a packet matches two or more filters. It makes the filters either redundant or shadowed, and as a result the network does not reflect the actual configurations of the time-based firewall policies. Even though, conflict detection techniques for time-based filters have been proposed, it takes huge computation time and memory when the conflict detection period is too long due to the enormous repetition of periodic time-based filters. To solve this problem, we have proposed a mapping mechanism to treat the periodic filters and remove the unnecessary repetitions of the periodic filters which reduces the huge computation time and memory. Furthermore, we have evaluated the feasibility and the usefulness of the proposed system by carrying out experiments with the available conflict detection systems with various time-based firewall policies, and have proved the effectiveness of the mapping mechanism.