Field
Embodiments of the present invention generally relate to network traffic control. In particular, embodiments of the present invention relate to systems and methods for firewall and/or access control policy management and optimization of policy rules to enhance performance of policy rule processing.
Description of the Related Art
A firewall generally represents an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system. A firewall may take the form of a flow control device or set of devices configured to permit, deny, encrypt, decrypt and/or proxy computer traffic between different security domains based upon a set of rules and other criteria. Organizations that use Internet Protocol (IP) based communication networks deploy firewalls or access control devices/mechanisms to control the traffic that crosses into and out of their networks, or between different network segments. Each firewall is essentially a special-purpose computer that enforces the organization's traffic filtering policy. Typically, the filtering policy is implemented in a rule base, which is an ordered list of rules, wherein each rule consists of a set of value ranges for packet header fields (for example, source and destination address, protocol and port) and an associated action that is generally either “PASS” or “DROP”.
Most firewalls enforce the policy according to “first-match” semantics, wherein for each new IP connection the firewall checks the rules one by one, according to their order in the rule base, until it finds a rule that matches the new connection. The first rule that matches the connection determines the firewall's action: if the first matching rule has an action of “PASS” then the firewall allows the connection to continue, and if the rule's action is “DROP” then the firewall discards all the packets belonging to the connection. If no rule matches the connection then the firewall applies a default action, which is usually DROP.
As firewall or access control policies can have numerous rules, searching for a matching rule in sequence can require considerable CPU time. In such an implementation, the computational effort to match a connection to the rule base is linearly proportional to the number of rules the firewall must try in sequence before it reaches the first matching rule. If checking a match against one rule typically requires M computer instructions, then checking K rules in sequence requires K times M instructions. If the first-matching rule happens to be one of the first in the rule base, the firewall identifies the corresponding action quickly and with low computational effort. Conversely, if the first-matching rule is near the end of the rule base, the firewall takes correspondingly longer to identify the corresponding action, and this cost is incurred for every new connection.
A firewall's rule-based policy is typically static: once configured, the rules remain in the same order until a user/administrator explicitly changes them. In practice, large enterprises end up with a substantial set of firewall policy rules whose order reflects user/operator visibility rather than rule processing efficiency. Furthermore, each addition of a new policy rule or modification of an existing rule typically has ripple effects on other existing/stored rules and policies. For instance, a new policy rule may be configured to allow packets of a specific traffic type to a given destination that an already existing policy rule in the rule database would otherwise have denied; under first-match semantics, which of the two rules takes effect depends entirely on their relative position in the rule base. Existing security policy management techniques require manual detection of issues such as duplication of rules, conflicts between rules (rules that match overlapping traffic but specify different actions), dependency between rules, or shadowing of one rule by another (a rule that can never be the first match because an earlier rule already matches every connection it would match), and are therefore error prone. These issues are exacerbated in the context of large policy rule databases.
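The first-match evaluation described above, together with a check for shadowed and duplicated rules and a reordering that preserves the policy's decisions, as an added worked example in Python (this is not code from the present disclosure). The four header fields (src, dst, proto, dport), the rules r1 to r6, their hit counters and the sample connections are constructed for illustration and are assumptions of the example.

```python
from dataclasses import dataclass
import ipaddress

FIELDS = ("src", "dst", "proto", "dport")   # assumed header fields of a rule
ANY_PROTO = (0, 255)
ANY_PORT = (0, 65535)

def cidr(text):
    """CIDR block -> inclusive (low, high) integer address range."""
    net = ipaddress.ip_network(text, strict=False)
    return (int(net.network_address), int(net.broadcast_address))

def ip(text):
    return int(ipaddress.ip_address(text))

@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "PASS" or "DROP"
    src: tuple
    dst: tuple
    proto: tuple = ANY_PROTO
    dport: tuple = ANY_PORT

    def ranges(self):
        return [getattr(self, f) for f in FIELDS]

def matches(rule, conn):
    """Every field of the connection falls inside the rule's value range."""
    return all(lo <= conn[f] <= hi for f, (lo, hi) in zip(FIELDS, rule.ranges()))

def first_match(rules, conn, default="DROP"):
    """First-match semantics. Returns (action, K): K rules were tried, so the
    cost is K*M for a per-rule cost of M instructions."""
    for k, rule in enumerate(rules, 1):
        if matches(rule, conn):
            return rule.action, k
    return default, len(rules)

def contains(a, b):
    """a matches every connection that b matches."""
    return all(alo <= blo and bhi <= ahi
               for (alo, ahi), (blo, bhi) in zip(a.ranges(), b.ranges()))

def overlaps(a, b):
    """Some connection matches both a and b."""
    return all(max(alo, blo) <= min(ahi, bhi)
               for (alo, ahi), (blo, bhi) in zip(a.ranges(), b.ranges()))

def unreachable(rules):
    """Rules fully covered by one earlier rule. Shadowed (actions differ) means
    the later rule never takes effect; redundant (same action) means it only
    costs evaluation time."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if contains(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                found.append((later.name, earlier.name, kind))
                break
    return found

def conflicts(a, b):
    """Swapping a and b would change the policy: overlap with different actions."""
    return overlaps(a, b) and a.action != b.action

def reorder_by_hits(rules, hits):
    """Move frequently hit rules forward by adjacent swaps, never past a rule
    they conflict with, so every connection still gets the same decision."""
    order = list(rules)
    for j in range(1, len(order)):
        k = j
        while (k > 0 and hits.get(order[k].name, 0) > hits.get(order[k - 1].name, 0)
               and not conflicts(order[k - 1], order[k])):
            order[k - 1], order[k] = order[k], order[k - 1]
            k -= 1
    return order

# Constructed rule base, hit counters and connections (illustrative only).
RULES = [
    Rule("r1", "DROP", cidr("10.0.0.0/8"), cidr("0.0.0.0/0"), (6, 6), (23, 23)),
    Rule("r2", "PASS", cidr("10.0.0.0/8"), cidr("0.0.0.0/0"), (6, 6), (80, 80)),
    Rule("r3", "PASS", cidr("10.1.0.0/16"), cidr("0.0.0.0/0"), (6, 6), (80, 80)),
    Rule("r4", "PASS", cidr("10.0.0.0/8"), cidr("0.0.0.0/0"), (6, 6), (22, 22)),
    Rule("r5", "DROP", cidr("10.1.2.0/24"), cidr("0.0.0.0/0"), (6, 6), (22, 22)),
    Rule("r6", "PASS", cidr("0.0.0.0/0"), cidr("0.0.0.0/0"), (17, 17), (53, 53)),
]
HITS = {"r1": 5, "r2": 300, "r3": 0, "r4": 40, "r5": 0, "r6": 900}
DNS = {"src": ip("10.1.2.3"), "dst": ip("203.0.113.5"), "proto": 17, "dport": 53}
SSH = {"src": ip("10.1.2.3"), "dst": ip("203.0.113.5"), "proto": 6, "dport": 22}
TELNET = {"src": ip("10.1.2.3"), "dst": ip("203.0.113.5"), "proto": 6, "dport": 23}

if __name__ == "__main__":
    print(unreachable(RULES))
    fast = reorder_by_hits(RULES, HITS)
    for label, conn in (("dns", DNS), ("ssh", SSH), ("telnet", TELNET)):
        print(label, first_match(RULES, conn), "->", first_match(fast, conn))
```

On this rule base the check reports r3 as redundant (r2 already passes everything r3 would) and r5 as shadowed (r4 passes the SSH traffic that r5 intended to drop, so r5 never takes effect). The hit-driven reordering moves the heavily used r6 to the front, cutting the DNS connection from six rule checks to one, and it stops r5 from overtaking r4 because the two overlap with different actions; the cost of that is the rarely hit r1 sliding back, so the telnet DROP now takes four checks instead of one. The decisions themselves are unchanged for every connection, which is the property any automatic reordering must guarantee.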
There is therefore a need for systems and methods that allow efficient addition or modification of one or more policy rules by enabling enhanced system performance, manageability and reduced human error. There is also a need for systems and methods that allow dynamic and automatic optimization of policy rules by efficiently grouping/merging, deleting, reordering and otherwise managing policy rules based on defined and configurable optimization criteria so as to enable improved overall performance and significant reduction in session establishment/rule access/rule processing delay.