Evaluation of firewall performance when ranging a filtration rule set



This article continues a series of works devoted to evaluating the probabilistic-temporal characteristics of firewalls when ranging a filtration rule set. It considers the problem of decreasing efficiency of information flow filtering. The problem arises from the sequential scheme used to check packets for compliance with the rules, and from the heterogeneity and variability of network traffic. A non-optimal order of rules in a high-dimensional list significantly affects firewall performance and may cause a considerable delay and a large variation in packet service time, which is essential for the stable functioning of multimedia protocols. One way to prevent the decrease in performance is to range the rule set according to the characteristics of the incoming information flows. The problems solved in this work are: determination and analysis of the average filtering time for the traffic of the main transmitting networks, and assessment of the effectiveness of ranging the rules. A method for ranging a filtration rule set is proposed, and a queuing system (QS) with a complex request service discipline is built. The processing of requests in the system is described by a fixed order that covers the operations performed on incoming packets and the logical structure of the filtration rule set; these are the elements of information flow processing in the firewall. This level of detail is not complete, but it is sufficient for building a model. The QS characteristics are obtained by simulation modelling in the Simulink environment of the MATLAB matrix computing system. Based on the analysis of the results, we draw conclusions about the possibility of increasing firewall performance by ranging the filtration rules for traffic scenarios close to real ones.

Full Text

1. Introduction

In order to ensure the information security of automated systems (AS) that have connections to external untrusted resources, attention must be paid to the possibility of threats such as violation of the confidentiality, integrity and availability of information. A necessary condition for preventing threats aimed at disrupting the normal operation of an AS is the use of firewall technologies [1]-[3]. The main firewall technology is the filtration of network traffic according to a certain rule set. It is carried out at the points where the protected AS connects to external uncontrolled systems and is implemented by special hardware or software complexes, i.e., firewalls. The firewall filtration rule set is a list of conditions according to which the further transmission of network traffic packets is allowed or denied. The parameters, attributes and characteristics of network traffic flows are usually used to specify the filtering conditions [4]. It is important that network traffic filtration introduces additional time delays into data transmission. Large packet filtration delays can cause packet losses, refused session initiations and failures in the normal operation of the AS [5], [6]. Works [7]-[13] note the strong influence of the rule set size and of the order of the filtration rules within the set on firewall performance. This influence is explained by the sequential scheme used to check packets for compliance with the rules: the largest performance loss occurs when the attributes of a filtered packet are checked against conditions located at the end of a high-dimensional rule set. A rule set that correctly implements the security policy but is ineffective in terms of performance can be considered an error in firewall configuration.
We should also consider that real network traffic is heterogeneous because of various non-parameterizable factors, which can reduce the effectiveness of a static filtration rule set configured once at the start. One way to prevent the performance decrease caused by traffic heterogeneity is to range the rule set according to the characteristics of the incoming traffic. The task of ranging a rule set in accordance with the characteristics of information flows is therefore both topical and in demand, especially for firewalls that protect an AS with a complex network architecture and large volumes of network traffic. The main goal of this work is to develop a model for evaluating firewall performance when ranging the filtration rule set. The paper is structured as follows. A method for ranging the filtration rule set is proposed in section 2. In section 3, a model of rule ranging in the form of a queuing system (QS) with a phase-type service discipline is developed [14]. The results of simulation modelling and firewall performance evaluation for a network traffic scenario close to a real one are presented in section 4. The Conclusion summarizes the main findings of the study.

2. Ranging a filtration rule set for a firewall

By ranging the filtration rule set we mean arranging the rules in descending order of their weights, where the weights are derived from an evaluation of the characteristics of the information flows. We consider traffic filtration performed at the network and transport layers of the Open Systems Interconnection (OSI) reference model. According to the generally accepted classification [1]-[3], such firewalls belong to the class of packet filters. Ranging is executed at discrete moments of time
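The sequential first-match scheme and the ranging step described above, as an added Python illustration that is not part of the paper: first-match hit counts over an observation window serve as the rule weights, the rules are reordered in descending weight, and the total number of rule comparisons for the window is measured before and after. The rule fields, the constructed traffic mix, and the overlap check that keeps every first-match decision unchanged are assumptions of this example, not elements of the paper's model.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    proto: Optional[str]  # None = any protocol
    dport: Optional[int]  # None = any destination port
    action: str           # "allow" or "deny"

    def matches(self, pkt) -> bool:
        return self.proto in (None, pkt["proto"]) and self.dport in (None, pkt["dport"])

def may_overlap(a, b):
    """False only if some field pins a and b to different values, i.e. no packet can match both."""
    return all(x is None or y is None or x == y for x, y in ((a.proto, b.proto), (a.dport, b.dport)))

def filter_packets(rules, packets):
    """Sequential first-match check; returns (decisions, total number of rule comparisons)."""
    decisions, comparisons = [], 0
    for pkt in packets:
        for rule in rules:
            comparisons += 1
            if rule.matches(pkt):
                decisions.append(rule.action)
                break
        else:
            decisions.append("deny")  # implicit default deny after the last rule
    return decisions, comparisons

def rank_rules(rules, packets):
    """Ranging: first-match hit counts over the window are the weights. A rule is bubbled up past a lighter
    predecessor only if the two cannot match the same packet or share an action (assumption: policy preserved)."""
    hits = Counter(next((r.name for r in rules if r.matches(p)), None) for p in packets)
    ranked = list(rules)
    for i in range(1, len(ranked)):
        j = i
        while j > 0 and hits[ranked[j].name] > hits[ranked[j - 1].name] and (
                ranked[j].action == ranked[j - 1].action or not may_overlap(ranked[j], ranked[j - 1])):
            ranked[j], ranked[j - 1] = ranked[j - 1], ranked[j]
            j -= 1
    return ranked

# Constructed rule set in a non-optimal order and a constructed 100-packet observation window.
RULES = [Rule("ssh", "tcp", 22, "deny"), Rule("smtp", "tcp", 25, "allow"), Rule("dns", "udp", 53, "allow"),
         Rule("https", "tcp", 443, "allow"), Rule("http", "tcp", 80, "allow"), Rule("tcp-any", "tcp", None, "deny")]
PACKETS = ([{"proto": "tcp", "dport": 443}] * 50 + [{"proto": "tcp", "dport": 80}] * 30
           + [{"proto": "udp", "dport": 53}] * 15 + [{"proto": "tcp", "dport": 22}] * 5)
```

For this window the original order costs 400 comparisons (4.0 per packet) and the ranged order 175 (1.75 per packet), with identical allow/deny decisions for every packet.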

About the authors

Anatoly Y. Botvinko

Peoples’ Friendship University of Russia (RUDN University)

Author for correspondence.
Email: botviay@sci.pfu.edu.ru
ORCID iD: 0000-0003-1412-981X
6, Miklukho-Maklaya St., Moscow, 117198, Russian Federation

Postgraduate student, Department of Applied Probability and Informatics

Konstantin E. Samouylov

Peoples’ Friendship University of Russia (RUDN University); Research Center “Computer Science and Control” of the Russian Academy of Sciences

Email: samuylov-ke@rudn.ru
ORCID iD: 0000-0002-6368-9680
6, Miklukho-Maklaya St., Moscow, 117198, Russian Federation; 44-2, Vavilov St., Moscow, 119333, Russian Federation

Doctor of Technical Sciences, Professor, Head of Department of Applied Probability and Informatics


  1. S. V. Lebed, Firewall protection. Theory and practice of external perimeter protection [Mezhsetevoye ekranirovaniye. Teoriya i praktika zashchity vneshnego perimetra]. Moscow: BMSTU, Bauman Moscow State Technical University Publ., 2002, p. 304, in Russian.
  2. O. R. Laponina, The foundation of network security [Osnovy setevoy bezopasnosti]. Moscow: Publishing house of the national Open University «INTUIT», 2014, p. 377, in Russian.
  3. K. V. Ivanov and P. I. Tutubalin, Markov models of protection of automated control systems for special purposes [Markovskie modeli zashhity’ avtomatizirovanny’x sistem upravleniya special’nogo naznacheniya]. Kazan: Publishing house of GBU Republican center for monitoring the quality of education Publ., 2012, p. 216, in Russian.
  4. “Governing document. Computer aids. Firewall. Protection against unauthorized access to information. Indicators of security against unauthorized access to information [Rukovodyashhij dokument. Sredstva vy’chislitel’noj texniki. Mezhsetevy’e e’krany’. Zashhita ot nesankcionirovannogo dostupa k informacii. Pokazateli zashhishhennosti ot nesankcionirovannogo dostupa k informacii] approved by the decision of the Chairman of the State Technical Commission under the President of the Russian Federation dated July 25, 1997,” in Russian.
  5. H. Hamed, A. El-Atawy, and E. Al-Shaer, “On dynamic optimization of packet matching in high-speed firewalls,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 10, pp. 1817-1830, 2006. doi: 10.1109/JSAC.2006.877140.
  6. R. Mohan, A. Yazidi, B. Feng, and J. Oommen, “On optimizing firewall performance in dynamic networks by invoking a novel swapping window-based paradigm,” International Journal of Communication Systems, vol. 31, no. 15, e3773, 2018. doi: 10.1002/dac.3773.
  7. E. Al Shaer, Automated firewall analytics: Design, configuration and optimization. Springer International Publishing, 2014, p. 132. doi: 10.1007/978-3-319-10371-6.
  8. R. Mohan, A. Yazidi, B. Feng, and B. J. Oommen, “Dynamic ordering of firewall rules using a novel swapping window-based paradigm,” in Proceedings 6th International Conference on Communication and Network, ICCNS 2016, Singapore: ACM Proceedings, 2016, pp. 11-20. doi: 10.1145/3017971.3017975.
  9. Z. Trabelsi, S. Zeidan, M. M. Masud, and K. Ghoudi, “Statistical dynamic splay tree filters towards multilevel firewall packet filtering enhancement,” Computers & Security, vol. 53, pp. 109-131, 2015. doi: 10.1016/j.cose.2015.05.010.
  10. K. Salah, K. Elbadawi, and R. Boutaba, “Performance modeling and analysis of network firewalls,” IEEE Transactions on Network and Service Management, vol. 9, no. 1, pp. 12-21, 2012. doi: 10.1109/TNSM.2011.122011.110151.
  11. C. Diekmann, L. Hupel, J. Michaelis, M. Haslbeck, and G. Carle, “Verified iptables firewall analysis and verification,” Journal of Automated Reasoning, vol. 61, no. 1-4, pp. 191-242, 2018. doi: 10.1007/s10817-017-9445-1.
  12. S. Khummanee, “The semantics loss tracker of firewall rules,” Advances in Intelligent Systems and Computing, vol. 769, pp. 220-231, 2018. doi: 10.1007/978-3-319-93692-5_22.
  13. V. Clincy and H. Shahriar, “Detection of anomaly in firewall rule-sets,” Advances in Intelligent Systems and Computing, vol. 842, pp. 422-431, 2018. doi: 10.1007/978-3-319-98776-7_46.
  14. P. P. Bocharov and A. V. Pechenkin, Queuing theory [Teoriya massovogo obsluzhivaniya]. Moscow: Publishing RUDN, 1995, p. 529, in Russian.
  15. V. Y. Katkovnik, Non-parametric data identification and smoothing: local approximation method [Neparametricheskaya identifikatsiya i sglazhivaniye dannykh: metod lokal’noy approksimatsii]. Moscow: Nauka, Main editorial office of physical and mathematical literature Publ., 1985, in Russian.
  16. J. M. Bravo, T. Alamo, M. Vasallo, and M. E. Gegúndez, “A general framework for predictors based on bounding techniques and local approximation,” IEEE Transactions on Automatic Control, vol. 62, no. 7, pp. 3430-3435, 2017. doi: 10.1109/TAC.2016.2612538.
  17. H. Al-Shuka, “On local approximation-based adaptive control with applications to robotic manipulators and biped robots,” International Journal of Dynamics and Control, vol. 6, no. 1, pp. 339-353, 2018. doi: 10.1007/s40435-016-0302-6.
  18. D. E. Plotnikov, T. S. Miklashevich, and S. A. Bartalev, “Using local polynomial approximation within moving window for remote sensing data time-series smoothing and data gaps recovery [Vosstanovleniye vremennykh ryadov dannykh distantsionnykh izmereniy metodom polinomialnoy approksimatsii v skolzyashchem okne peremennogo razmera],” Modern problems of remote sensing of the Earth from space of the Russian Academy of Sciences, vol. 11, no. 2, pp. 103-110, 2014, in Russian.
  19. D. R. Cox, “A use of complex probabilities in the theory of stochastic processes,” Mathematical Proceedings of the Cambridge Philosophical Society, vol. 51, no. 2, pp. 313-319, 1955. doi: 10.1017/S0305004100030231.
  20. A. Y. Botvinko and K. E. Samouylov, “Adaptive ranking of the firewall rule set using local approximation [Adaptivnoye ranzhirovaniye nabora pravil mezhsetevogo ekrana metodom lokal’noy approksimatsii],” in Distributed Computer and Communication Networks: Control, Computation, Communications, in Russian, 2018, pp. 334-341.







Copyright (c) 2021 Botvinko A.Y., Samouylov K.E.

This work is licensed under a Creative Commons Attribution 4.0 International License.
