Title: FROG: A Firewall Rule Order Generator for faster packet filtering
Authors: Antonio Coscia, Antonio Maci, Nicola Tamma
DOI: 10.1016/j.comnet.2024.110962
Journal: Computer Networks, volume 257, Article 110962
Publication date: 2025-02-01 (Journal Article)
Journal impact factor: 4.4; JCR: Q1 (COMPUTER SCIENCE, HARDWARE & ARCHITECTURE); region: 2 (Computer Science)
Open access: no
Source: https://www.sciencedirect.com/science/article/pii/S1389128624007941 (platform: Semanticscholar)
Citation count: 0
Abstract
The security of computer networks can be achieved using properly configured devices and applications; otherwise, protection technologies may be prone to potential threats. In next-generation firewalls, a common misconfiguration is the inefficient order of rules defining security policies. First-match scanners sequentially compare each incoming packet with the rule list until it is intercepted. Therefore, the most frequent rules should be placed in the top positions to avoid significant service issues due to slow search processes. In addition, rules cannot be placed randomly because the precedence relationships between them must be maintained to ensure the integrity of the policies implemented. Several constrained sorting techniques that take advantage of the rule activation frequencies have been proposed over the years. However, previous studies have not considered certain firewalls, such as PF, which skip rule blocks during scanning to minimize packet-rule comparisons. To address this gap, this paper proposes the Firewall Rule Order Generator (FROG), which produces constraint-compliant rule orders and arranges them in jumpable blocks based on their similarity. Furthermore, FROG is resistant to traffic profile variations, as it does not require prior knowledge of packet distributions for optimal sorting. The experimental results demonstrate that FROG can effectively maximize skipped rules and minimize jumps, thus reducing the computational overhead of the scanner. Moreover, FROG sorted large rule sets faster than state-of-the-art competitors and produced orders that minimized packet-rule comparisons using ClassBench test data.
Journal description:
Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.