Tree-Based Diagnosis Mechanisms for Rule Anomalies among Internet Firewalls

Author(s) : CHI-SHIH CHAO


When configuring firewalls, rule ordering and rule distribution must be handled cautiously on each of the cooperating firewalls. However, network operators are prone to misconfiguring firewalls, because a single firewall commonly holds hundreds of thousands of filtering rules (i.e., rules in the Access Control List file, or ACL for short), not to mention that rules on different firewalls can affect one another. To speed up the crucial but laborious inspection of firewall rule configurations, this paper describes the diagnosis mechanisms we developed, which can quickly identify rule anomalies within and among firewalls using two innovative data structures: the Adaptive Rule Anomaly Relationship tree (ARAR tree) and the Fixed-Stride Trie (FST), respectively. With the aid of these data structures and their associated algorithms, significant improvements in this field have been achieved.
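The rule anomalies the abstract refers to (a later rule shadowed by an earlier one, a redundant rule, and correlated rules with conflicting actions) can be illustrated with a plain pairwise checker over one ordered, first-match-wins ACL. This is an added example, not the paper's ARAR tree or FST code; the rule fields, the sample ACL and the anomaly names are assumptions of the example.

```python
import ipaddress
from collections import namedtuple
# name, "permit"/"deny", "tcp"/"udp"/"any", source CIDR, destination CIDR, (low, high) dst port range
Rule = namedtuple("Rule", "name action proto src dst dport")

def _field_rel(kind, fa, fb):
    """Return (fa ⊆ fb, fb ⊆ fa, fa ∩ fb ≠ ∅) for one rule field."""
    if kind == "net":
        na, nb = ipaddress.ip_network(fa, strict=False), ipaddress.ip_network(fb, strict=False)
        return na.subnet_of(nb), nb.subnet_of(na), na.overlaps(nb)
    if kind == "proto":
        sa = {"tcp", "udp"} if fa == "any" else {fa}
        sb = {"tcp", "udp"} if fb == "any" else {fb}
        return sa <= sb, sb <= sa, bool(sa & sb)
    (alo, ahi), (blo, bhi) = fa, fb  # destination port ranges
    return blo <= alo <= ahi <= bhi, alo <= blo <= bhi <= ahi, alo <= bhi and blo <= ahi

def relation(a, b):
    """Classify rule a's match set against rule b's: disjoint/equal/subset/superset/correlated."""
    fields = (("proto", a.proto, b.proto), ("net", a.src, b.src),
              ("net", a.dst, b.dst), ("port", a.dport, b.dport))
    a_in_b = b_in_a = overlap = True
    for kind, fa, fb in fields:
        ab, ba, ov = _field_rel(kind, fa, fb)
        a_in_b, b_in_a, overlap = a_in_b and ab, b_in_a and ba, overlap and ov
    if not overlap:
        return "disjoint"
    if a_in_b and b_in_a:
        return "equal"
    return "subset" if a_in_b else "superset" if b_in_a else "correlated"

def find_anomalies(acl):
    """Pairwise scan of an ordered ACL (first match wins); returns (kind, earlier, later) triples."""
    found = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            rel = relation(later, earlier)
            if rel in ("subset", "equal"):  # the later rule can never fire
                kind = "shadowing" if later.action != earlier.action else "redundancy"
                found.append((kind, earlier.name, later.name))
            elif rel == "correlated" and later.action != earlier.action:
                found.append(("correlation", earlier.name, later.name))
    return found
# Constructed sample ACL: R2 is shadowed by R1, R3 correlates with R1, R4 is disjoint from all.
SAMPLE_ACL = [
    Rule("R1", "permit", "tcp", "10.1.0.0/16", "192.168.1.10/32", (443, 443)),
    Rule("R2", "deny",   "tcp", "10.1.2.0/24", "192.168.1.10/32", (443, 443)),
    Rule("R3", "deny",   "tcp", "10.1.2.0/24", "192.168.0.0/16",  (443, 443)),
    Rule("R4", "permit", "udp", "10.1.0.0/16", "192.168.1.10/32", (53, 53)),
]
```

The scan is quadratic in the number of rules, which is exactly the cost the paper's tree-based structures are meant to avoid on ACLs with hundreds of thousands of entries.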

