
      FPC: A New Approach to Firewall Policies Compression



          Firewalls are crucial elements that enhance network security by examining the field values of every packet and deciding whether to accept or discard a packet according to the firewall policies. With the development of networks, the number of rules in firewalls has rapidly increased, consequently degrading network performance. In addition, because most real-life firewalls have been plagued with policy conflicts, malicious traffic can be allowed or legitimate traffic can be blocked. Moreover, because of the complexity of the firewall policies, it is very important to reduce the number of rules in a firewall while keeping the rule semantics unchanged and the target firewall rules conflict-free. In this study, we make three major contributions. First, we present a new approach in which a geometric model, the multidimensional rectilinear polygon, is constructed for the firewall rules compression problem. Second, we propose a new scheme, Firewall Policies Compression (FPC), to compress the multidimensional firewall rules based on this geometric model. Third, we conducted extensive experiments to evaluate the performance of the proposed method. The experimental results demonstrate that the FPC method outperforms the existing approaches in terms of compression ratio and efficiency while maintaining conflict-free firewall rules.

          Author and article information

          Tsinghua Science and Technology
          Tsinghua University Press (Xueyan Building, Tsinghua University, Beijing 100084, China)
          05 February 2019
          Volume: 24
          Issue: 1
          Pages: 65-76
          ∙ Yuzhu Cheng is with the School of Information Science and Engineering, Central South University, Changsha 410083, and the School of Software, Changsha Social Work College, Changsha 410004, China. E-mail: peter_cheng@csu.edu.cn.
          ∙ Weiping Wang and Jianxin Wang are with the School of Information Science and Engineering, Central South University, Changsha 410083, China. E-mail: jxwang@mail.csu.edu.cn.
          ∙ Haodong Wang is with the Department of Electrical Engineering and Computer Science, Cleveland State University, Cleveland, OH 44115, USA. E-mail: hwang@eecs.csuohio.edu.
          Author notes
          * To whom correspondence should be addressed. E-mail: wpwang@mail.csu.edu.cn.

          Weiping Wang received the BS degree from Southeast University in 1991, and MS and PhD degrees from Central South University in 1994 and 2004, respectively. She joined Central South University in 1994. Currently, she is a full professor and PhD adviser at Central South University. Her research interests include cyber security and privacy, network coding, and anonymous communication. She has published more than 70 papers in refereed journals and conference proceedings. She has presided over four National Natural Science Foundation Projects and participated in more than ten other major scientific research projects. Her teaching courses include computer network, network security, and security of network and system.

          Yuzhu Cheng received the BS degree from Hunan University of Science and Technology in 2002 and the MS degree from Hunan University in 2005. He is a faculty member of Changsha Social Work College and is currently working toward the PhD degree with Central South University, Changsha, China. His research interests include network security, privacy protection, and related areas.

          Jianxin Wang received the BS and MS degrees from Central South University in 1992 and 1996, respectively, and received the PhD degree from Central South University in 2001. He is a vice dean and a professor in the School of Information Science and Engineering at Central South University, China. His current research interests include algorithm analysis and optimization, parameterized algorithms, bioinformatics, and computer networks. He has published more than 150 papers in various international journals and refereed conferences. He is a senior member of IEEE.

          Haodong Wang is an associate professor in the Department of Electrical Engineering and Computer Science at Cleveland State University. He received the PhD degree in computer science from College of William and Mary. His research interests focus on information assurance in cyber-physical systems, privacy preserving and user access control in sensor networks, efficient information storage, search and retrieval in pervasive computing, and mobile system security and computing.


