
International Journal of Computational Intelligence and Information Security, January 2012 Vol 3, No. 1

An Optimized Firewall Access Control Policy for Packet Filtering


Himanshu Yadav, Nikhil Singh and Satyendra Singh Thakur
M-Tech Scholar, Department of Computer Science & Engg., Patel College of Science & Technology, Bhopal
Assistant Professor, Department of Computer Science & Engg., Patel College of Science & Technology, Bhopal
Head, Department of Computer Science & Engineering, Patel College of Science & Technology, Bhopal
himanshuyadav86@gmail.com

Abstract
A firewall is an essential component of network security. A firewall uses an Access Control List (ACL) to filter traffic in the network. The ACL contains the predefined rules for packet filtering, and the firewall walks this list of rules sequentially. Because the ACL is accessed sequentially, rule matching takes a lot of time. In this paper we propose a mechanism for reducing the access time of the ACL, and we discuss and present a clustering index method for doing so.
Key Words: Firewall, ACL, Accept, Deny, Proxy Server, Clustering.

1. INTRODUCTION
The rapid growth of the internet has made security issues more challenging, and authorization is one of the most important tasks. All sorts of organizations, including the energy, media, telecommunications, financial, automotive and healthcare market segments as well as research labs, academic institutions and network security consulting firms, use a firewall as the basic device or software to protect their network. Every firewall has its own access control list. This paper proposes a solution to optimize the ACL packet-matching time, which is very high because of sequential search.

1.1 FIREWALL
A firewall is a mechanism between two networks that meets the following criteria [9]:
- The firewall is at the boundary between the two networks.
- All traffic between the two networks must pass through the firewall.
- The firewall has a mechanism to allow some traffic to pass while blocking other traffic.
The rules describing what traffic is allowed enforce the firewall's policy. A firewall can allow legitimate traffic through and block malicious traffic from sneaking into a private network. It can be implemented in the form of software or hardware.


Fig. 1 A firewall works on the basis of a set of rules, which are written in list format.

1.2 ACCESS CONTROL LIST (ACL)
An access control list is a sequential list of instructions that tells a router or firewall which packets to permit or deny [3][8]. In firewall terminology these instructions are called policies. An ACL is an index of permissions attached to an object; it specifies which users are granted access to the object. ACLs support three types of filtering: standard, extended and named. A standard IP ACL can filter only on the source IP address inside a packet, whereas an extended IP ACL can filter on both the source and destination IP addresses in the packet, and a named ACL defines its rules under a name rather than a number. An ACL can take two actions: permit or deny. Statements are processed top-down. Once a match is found, no further statements are processed; therefore, order is important. If no match is found, the implicit deny statement at the end of the ACL drops the packet.

Standard Access Control List Configuration Syntax
access-list access-list-number {permit|deny} source {source-mask}
ip access-group access-list-number {in|out}

Example:
access-list 101 permit ip 192.168.1.5 0.255.255.255 any
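As an added illustration of the top-down matching described above (example code written for this edit, not part of the paper), the following Python evaluates a standard access list against a source address using Cisco-style wildcard masks, stops at the first matching statement, applies the implicit deny when nothing matches, and counts how many statements were compared. The sample ACL is constructed for the example; the comparison count is the quantity the later sections set out to reduce.

```python
# Added example, not from the paper: sequential (top-down) evaluation of a
# standard access list with Cisco-style wildcard masks and the implicit deny.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    source: str    # dotted-quad source address
    wildcard: str  # wildcard mask: a 0 bit means "must match", a 1 bit means "ignored"


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def rule_matches(rule, src_ip):
    """True when src_ip agrees with rule.source on every bit the wildcard cares about."""
    care = ~_to_int(rule.wildcard) & 0xFFFFFFFF
    return (_to_int(rule.source) & care) == (_to_int(src_ip) & care)


def parse_standard_acl(lines):
    """Parse 'access-list N {permit|deny} source [wildcard]' lines (a missing wildcard
    means a single host). Lines that are not access-list statements are ignored."""
    rules = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "access-list" and parts[2] in ("permit", "deny"):
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
            rules.append(Rule(parts[2], parts[3], wildcard))
    return rules


def evaluate(rules, src_ip):
    """Return (decision, statements_compared). Processing stops at the first matching
    statement; if nothing matches, the implicit deny at the end of the list applies."""
    for compared, rule in enumerate(rules, start=1):
        if rule_matches(rule, src_ip):
            return rule.action, compared
    return "deny", len(rules)


# Constructed sample ACL. The host deny must come before the /24 permit: with the
# two statements swapped, the permit matches first and the deny is never reached.
SAMPLE_ACL = [
    "access-list 10 deny   192.168.1.5",
    "access-list 10 permit 192.168.1.0 0.0.0.255",
    "access-list 10 permit 10.0.0.0 0.255.255.255",
]
RULES = parse_standard_acl(SAMPLE_ACL)
SWAPPED = [RULES[1], RULES[0], RULES[2]]  # same statements, first two in the other order


def demo(src_ips=("192.168.1.5", "192.168.1.77", "10.20.30.40", "172.16.0.1")):
    """Decision and comparison count for each constructed source address."""
    return {ip: evaluate(RULES, ip) for ip in src_ips}


if __name__ == "__main__":
    for ip, (action, n) in demo().items():
        print(f"{ip:>14} -> {action:6} after {n} comparison(s)")
    print("192.168.1.5 with the first two statements swapped ->", evaluate(SWAPPED, "192.168.1.5"))
```

The address 172.16.0.1 matches nothing and is denied only after all three statements have been compared, which is the worst case the sequential scan always pays for non-matching traffic; swapping the first two statements turns the deny of 192.168.1.5 into a permit, which is why the text stresses that order matters.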

1.3 PROXY SERVER


A proxy server is a computer system or an application that acts as an intermediary machine. It gives clients the illusion that they receive their replies directly from the destination. The proxy server fulfils requests using predefined rules, which are written in an access control list. Every time a client sends a request to the proxy, the proxy checks its ACL and matches the request against the rules. If a rule matches, a reply is generated for the client.


2. PROBLEM STATEMENT
Develop a method to shrink the time taken to select the applicable access control rule from the ACL, in order to enhance the performance of the proxy server. As the diagram shows, the ACL is a part of the firewall. Every packet is matched against the ACL policies, and this matching takes time because of the sequential-search property of the ACL. The work is based on an application-level firewall with standard-type ACL rules.

Fig. 2 Client-server architecture

3. PROPOSED ARCHITECTURE
In the proposed solution we suggest a clustering index method in order to create different ACL clusters according to source address.

3.1 CLUSTERING INDEX METHOD
The performance of a database can be greatly affected by the manner in which data is loaded. Clustering is the task of partitioning a set of objects into groups, known as clusters, so that the objects in the same cluster are more similar (in some sense or another) to each other than to those in other clusters.


Fig. 3 Example of clustering index

Fig. 4 Flow chart


The given architecture has three major parts. The first is the request from the client; this request carries the IP address, port number, protocol, etc., and the IP address is the field of interest here. The second part is the clustering of IP addresses according to their subnet address. The whole approach works as follows:
1. The client sends a request.
2. The proxy server receives the request.
3. The proxy fetches the IP address from the request and selects the ACL cluster according to its subnet.
4. The packet is matched against that ACL.
5. Accept or deny.
6. Service is provided on the basis of the matched rule.
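The steps above carried through in Python, as an added example written for this edit rather than the paper's own implementation: rules are bucketed by the /24 of their source address (an assumed cluster key), broad rules that could match addresses in any /24 are kept in a shared list, and a lookup scans only its own cluster plus that list, merged back into original sequence order so the first-match result is identical to the plain sequential scan. The ACL of 101 constructed statements shows how many rules each method has to compare.

```python
# Added example, not from the paper: a clustering index over standard-ACL rules
# keyed by the /24 subnet of the source address, compared against a plain
# sequential scan. The /24 key and the sample ACL are constructed for the example.
import ipaddress
from collections import defaultdict

CLUSTER_BITS = 24  # assumed cluster key: the /24 of the source address


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def matches(rule, ip):
    """Cisco-style wildcard: a 0 bit in the wildcard is a bit that must match."""
    care = ~_to_int(rule["wildcard"]) & 0xFFFFFFFF
    return (_to_int(rule["source"]) & care) == (_to_int(ip) & care)


def parse(lines):
    """'access-list N {permit|deny} source [wildcard]'; a missing wildcard means one host.
    Each rule keeps its sequence number so first-match order can be restored later."""
    rules = []
    for seq, line in enumerate(lines):
        p = line.split()
        rules.append({"seq": seq, "action": p[2], "source": p[3],
                      "wildcard": p[4] if len(p) > 4 else "0.0.0.0"})
    return rules


def subnet_key(ip):
    return _to_int(ip) >> (32 - CLUSTER_BITS)


def build_index(rules):
    """Rules whose wildcard keeps the top CLUSTER_BITS fixed can only match addresses in
    their own /24, so they go into that cluster. Broader rules (e.g. 0.255.255.255) may
    match addresses in any /24 and go into a shared 'general' list."""
    clusters, general = defaultdict(list), []
    for r in rules:
        if _to_int(r["wildcard"]) >> (32 - CLUSTER_BITS) == 0:
            clusters[subnet_key(r["source"])].append(r)
        else:
            general.append(r)
    return clusters, general


def lookup_linear(rules, ip):
    """Sequential scan; returns (decision, rules compared), implicit deny at the end."""
    for compared, r in enumerate(rules, start=1):
        if matches(r, ip):
            return r["action"], compared
    return "deny", len(rules)


def lookup_clustered(index, ip):
    """Only the address's own cluster plus the general rules can match, so scan just
    those, merged back into original sequence order to keep first-match semantics."""
    clusters, general = index
    candidates = sorted(clusters.get(subnet_key(ip), []) + general, key=lambda r: r["seq"])
    return lookup_linear(candidates, ip)


def constructed_acl():
    """Ten /24 subnets with ten host rules each, then one broad rule: 101 statements."""
    lines = []
    for net in range(10):
        for host in range(1, 11):
            action = "deny" if host % 3 == 0 else "permit"
            lines.append(f"access-list 10 {action} 192.168.{net}.{host}")
    lines.append("access-list 10 permit 10.0.0.0 0.255.255.255")
    return lines


RULES = parse(constructed_acl())
INDEX = build_index(RULES)


def compare(ip):
    """(linear decision, linear comparisons, clustered decision, clustered comparisons)."""
    lin_action, lin_n = lookup_linear(RULES, ip)
    clu_action, clu_n = lookup_clustered(INDEX, ip)
    return lin_action, lin_n, clu_action, clu_n


if __name__ == "__main__":
    for ip in ("192.168.9.6", "192.168.3.10", "10.1.2.3", "172.16.0.1"):
        r = compare(ip)
        print(f"{ip:>13}: linear={r[:2]}  clustered={r[2:]}")
```

The check worth keeping is that the clustered decision equals the sequential one for every address; the saving is that a lookup compares at most one cluster plus the general rules, so the number of broad rules caps the gain, which is roughly the per-cluster cost the Results section estimates.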

4. RESULTS
After applying the clustering method, the maximum access time required for each cluster is
3T(1/N) + C
where N = total number of clusters, T = time required to access the ACL before clustering, and C = a constant.

5. CONCLUSION
In this paper we have focused on a clustering technique for ACLs and have also thrown some light on the structure of ACL rules and their behaviour. We made clusters based on subnet address and successfully reduced the rule-matching time of the access control list.

6. ACKNOWLEDGEMENT
This paper would not have been possible without our Patel College of Science and Technology, Bhopal. We wish to express our thanks to all the people who helped turn the World-Wide Web into the useful and popular distributed hypertext. We also wish to express our thanks to the anonymous reviewers for their valuable suggestions.

REFERENCES
[1] E. Al-Shaer and H. Hamed, "Firewall Policy Advisor for Anomaly Detection and Rule Editing," IEEE/IFIP Integrated Management Conference (IM2003), March 2003.
[2] E. Al-Shaer and H. Hamed, "Discovery of Policy Anomalies in Distributed Firewalls," in Proc. IEEE INFOCOM'04, vol. 23, no. 1, March 2004, pp. 2605-2616.
[3] V. Grout and J. N. Davies, "A Simplified Method for Optimising Sequentially Processed Access Control Lists," IEEE, 2010, pp. 347-352.
[4] K. Golnabi, R. K. Min, L. Khan and E. Al-Shaer, "Analysis of Firewall Policy Rules Using Data Mining Techniques," IEEE, 2006, pp. 305-315.
[5] "Access Control List," http://en.wikipedia.org/wiki/Access_control_list, accessed 15/10/2011.
[6] "Firewall," http://service2.real.com/help/library/guides/helixuniversalproxy/htmfiles/firewall.htm, accessed 15/10/2011.
[7] S. P. Bora, "Data Mining and Warehousing," IEEE, 2011, pp. 1-5.
[8] B. N. Lakshmi and G. H. Raghunandhan, "A Conceptual Overview of Data Mining," IEEE, 2011, pp. 27-32.
[9] http://espin086.wordpress.com, accessed 15/12/2011.