A General Framework for Benchmarking Firewall Optimization Techniques

Firewalls are among the most pervasive network security mechanisms, deployed extensively from the borders of networks to end systems. The complexity of modern firewall policies has raised the computational requirements for firewall implementations, potentially limiting the throughput of networks. Administrators currently rely on ad hoc solutions to firewall optimization. To address this problem, a few automatic firewall optimization techniques have been proposed, but there has been no general approach to evaluate the optimality of these techniques. In this paper the authors present a general framework for rule-based firewall optimization. They give a precise formulation of firewall optimization as an integer programming problem and show that the framework produces optimal reordered rule sets that are semantically equivalent to the original rule set.