CTFPi: A New Method for Packet Filtering of Firewall
The firewall is often seen as the first line of defence in ensuring the network security of an organization. However, with the rapid expansion of networks, the kinds and numbers of network attacks continue to increase, and network traffic is also growing markedly. Traditional firewalls can no longer meet the requirements of preventing attacks in high-speed networks. Therefore, in order to improve performance, this paper proposes a new packet filtering method, CTFPi: the combination of a traditional firewall and Pi (Path identifier) for packet filtering. The principle of this scheme is to map source IP addresses and destination IP addresses to Pi values and then use those Pi values in their place. Experiments show that our method not only adapts to the requirements of high-speed networks, but also prevents attacks better, especially those using forged packets.
Keywords: Firewall, Pi, Rule optimization, Packet filtering
This research was supported in part by Major Projects of National Science and Technology (2011ZX03002-004-02), Zhejiang Provincial Technology Innovation Team (2010R50009), Natural Science Foundation of Zhejiang Province (LY12F02013), Ningbo Natural Science Foundation (2012A610014), Ningbo Municipal Technology Innovation Team (2011B81002), The Graduate Teaching Innovation on Ningbo University (2011004).
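The abstract states the principle of CTFPi only in one sentence: filter rules are keyed on the Pi path identifier instead of the source address. The following Python model is an added illustration, not code from the paper, of why that matters against forged packets. It assumes the Pi marking scheme of Yaar, Perrig and Song (each router on the path shifts n bits into the 16-bit IP Identification field), replaces the hash-derived router mark of the real scheme with a simple octet-derived mark so the values are predictable, and assumes the firewall has learned an IP-to-Pi mapping from traffic whose path was trusted. All addresses, paths and rules are constructed.

```python
"""Toy model of CTFPi-style filtering: rules keyed on Pi path identifiers
instead of source IP addresses.  Constructed illustration; addresses, paths
and rules are made up and the mark function is a stand-in for a hash."""
from dataclasses import dataclass

PI_BITS = 16        # Pi travels in the 16-bit IP Identification field
MARK_BITS = 2       # bits each router shifts in (assumption: n = 2)
PI_MASK = (1 << PI_BITS) - 1


def router_mark(router_ip: str) -> int:
    """n-bit mark of one router. The real Pi scheme hashes the router
    address; the second octet is used here so the example is predictable."""
    return int(router_ip.split(".")[1]) & ((1 << MARK_BITS) - 1)


def compute_pi(path: list[str]) -> int:
    """Pi marking: every router on the path shifts its mark into the field,
    so the final value depends on the path, not on the claimed source IP."""
    pi = 0
    for router in path:
        pi = ((pi << MARK_BITS) | router_mark(router)) & PI_MASK
    return pi


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    pi: int


def send(src: str, dst: str, path: list[str]) -> Packet:
    """Packet as the receiving firewall sees it: the sender chooses src
    (possibly forged) but cannot choose pi, which the routers write."""
    return Packet(src, dst, compute_pi(path))


class TraditionalFilter:
    """Classic rule table: deny-list of source addresses, default allow."""
    def __init__(self, denied_sources: set[str]):
        self.denied = denied_sources

    def decide(self, pkt: Packet) -> str:
        return "deny" if pkt.src in self.denied else "allow"


class CTFPiFilter:
    """CTFPi-style table: each denied source address is replaced by the Pi
    value observed for that host, and matching is done on pkt.pi."""
    def __init__(self, denied_sources: set[str], ip_to_pi: dict[str, int]):
        # assumption: ip_to_pi was learned while the hosts' paths were trusted
        self.denied_pi = {ip_to_pi[ip] for ip in denied_sources}

    def decide(self, pkt: Packet) -> str:
        return "deny" if pkt.pi in self.denied_pi else "allow"


def demo() -> dict[str, tuple[str, str]]:
    """Returns (traditional, ctfpi) decisions for three constructed packets."""
    victim = "192.0.2.10"
    attacker_ip, legit_ip = "203.0.113.7", "198.51.100.9"
    attacker_path = ["10.1.0.1", "10.2.0.1", "10.3.0.1", "10.9.0.1"]  # Pi 109
    legit_path = ["10.5.0.1", "10.6.0.1", "10.9.0.1"]                 # Pi 25

    denied = {attacker_ip}
    ip_to_pi = {attacker_ip: compute_pi(attacker_path),
                legit_ip: compute_pi(legit_path)}
    trad, ctfpi = TraditionalFilter(denied), CTFPiFilter(denied, ip_to_pi)

    packets = {
        "attacker_honest": send(attacker_ip, victim, attacker_path),
        "attacker_spoofed": send(legit_ip, victim, attacker_path),  # forged src
        "legit": send(legit_ip, victim, legit_path),
    }
    return {name: (trad.decide(p), ctfpi.decide(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:17s} traditional={decision[0]:5s} ctfpi={decision[1]}")
```

The spoofed packet is the interesting case: the traditional rule matches the forged source address and lets it through, while the Pi-keyed rule still matches because the attacker cannot alter the marks written by routers on its own path. Two caveats a deployment has to handle: the IP-to-Pi mapping is only as good as the period in which it was learned (a route change silently changes a host's Pi), and a 16-bit field gives a small identifier space, so distinct paths can collide and a Pi-based deny rule can then block legitimate hosts sharing that value.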