CPFirewall: A Novel Parallel Firewall Scheme for FWaaS in the Cloud Environment
In the cloud, resources are virtualized and software is delivered as a service, giving end users and operators on-demand self-service, resource pooling, rapid elasticity and metered service. As one part of network function virtualization, firewall virtualization greatly increases the flexibility of firewall configuration in the cloud environment. In this paper we focus on FWaaS (Firewall as a Service) and design a parallel firewall system called CPFirewall (Cloud Parallel Firewall System). In CPFirewall, firewall resources are virtualized and multiple tenants can each build their own parallel firewall by renting virtual firewalls. This raises several challenges. We adopt a rule-splitting algorithm to build a rule anomaly set (which we call the Wrapset) for detecting rule anomalies. We design a rule-allocation algorithm that provides the cloud-native properties of load balancing and dynamic scaling. We also improve system performance using an Exponential Smoothing (ES) forecasting method. Experimental results verify that CPFirewall is more efficient than other firewall schemes and much better suited to the cloud network environment.
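The abstract names three mechanisms without showing them: detecting anomalies between firewall rules, allocating rules across parallel virtual firewalls so that load is balanced and can scale, and forecasting load with exponential smoothing. The Python below is an added illustration, not code from the paper, and it does not implement the Wrapset or the paper's allocation algorithm. It assumes a four-field rule (protocol, IPv4 source and destination CIDR, inclusive destination-port range), classifies rule pairs with the Al-Shaer/Hamed anomaly taxonomy, and uses a hypothetical allocation that keeps rules with intersecting match spaces on the same virtual firewall. `Rule`, `relation`, `find_anomalies`, `allocate`, `es_scale_out` and the sample policy `SAMPLE` are all constructed here.

```python
# Added illustration (hypothetical; not the paper's Wrapset or allocation code).
import math
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    proto: str      # "tcp", "udp" or "any"
    src: str        # source CIDR (IPv4 assumed)
    dst: str        # destination CIDR
    dport: tuple    # inclusive destination port range (lo, hi)
    action: str     # "accept" or "deny"

def _proto_rel(a, b):
    if a == b: return "equal"
    if b == "any": return "subset"
    if a == "any": return "superset"
    return "disjoint"

def _net_rel(a, b):
    na, nb = ip_network(a), ip_network(b)
    if na == nb: return "equal"
    if na.subnet_of(nb): return "subset"
    if nb.subnet_of(na): return "superset"
    return "disjoint"   # CIDR blocks are either nested or disjoint

def _port_rel(a, b):
    (alo, ahi), (blo, bhi) = a, b
    if ahi < blo or bhi < alo: return "disjoint"
    if a == b: return "equal"
    if blo <= alo and ahi <= bhi: return "subset"
    if alo <= blo and bhi <= ahi: return "superset"
    return "partial"

def relation(x, y):
    """Relation of x's match space to y's: equal/subset/superset/disjoint/correlated."""
    rels = {_proto_rel(x.proto, y.proto), _net_rel(x.src, y.src),
            _net_rel(x.dst, y.dst), _port_rel(x.dport, y.dport)}
    if "disjoint" in rels: return "disjoint"
    rels.discard("equal")
    if not rels: return "equal"
    if rels == {"subset"}: return "subset"
    if rels == {"superset"}: return "superset"
    return "correlated"   # partial overlap, or subset in one field and superset in another

def find_anomalies(rules):
    """(kind, earlier, later) per the Al-Shaer/Hamed taxonomy. Redundancy is flagged only
    when the later rule is covered by an earlier one (the reverse case needs an intervening-rule check)."""
    out = []
    for i, rx in enumerate(rules):
        for ry in rules[i + 1:]:
            rel = relation(ry, rx)
            if rel in ("subset", "equal"):     # ry can never match a packet
                kind = "shadowing" if rx.action != ry.action else "redundancy"
            elif rel == "superset" and rx.action != ry.action:
                kind = "generalization"        # specific exception before a broad rule
            elif rel == "correlated" and rx.action != ry.action:
                kind = "correlation"           # outcome depends on rule order
            else:
                continue
            out.append((kind, rx.name, ry.name))
    return out

def allocate(rules, n_fw):
    """Split a policy across n_fw virtual firewalls that each see every packet. Rules whose
    match spaces intersect stay together, in policy order, on one node, so a packet matches
    rules on at most one node and local first-match equals global first-match."""
    parent = list(range(len(rules)))
    def find(i):
        while parent[i] != i: i = parent[i]
        return i
    for i in range(len(rules)):
        for j in range(i + 1, len(rules)):
            if relation(rules[i], rules[j]) != "disjoint":
                parent[find(i)] = find(j)
    groups = {}
    for i, r in enumerate(rules):
        groups.setdefault(find(i), []).append(r)   # keeps policy order within a group
    fws = [[] for _ in range(n_fw)]
    for g in sorted(groups.values(), key=len, reverse=True):
        min(fws, key=len).extend(g)                # least-loaded node gets the next group
    return fws

def es_scale_out(series, per_fw_capacity, alpha=0.3):
    """Simple exponential smoothing s_t = alpha*x_t + (1-alpha)*s_{t-1}; returns the
    one-step-ahead load forecast and the number of virtual firewalls it requires."""
    s = series[0]
    for x in series[1:]:
        s = alpha * x + (1 - alpha) * s
    return s, max(1, math.ceil(s / per_fw_capacity))

SAMPLE = [  # constructed sample policy, not from the paper
    Rule("r1", "tcp", "10.0.0.0/8", "192.168.1.10/32", (80, 80), "accept"),
    Rule("r2", "tcp", "10.1.0.0/16", "192.168.1.10/32", (80, 80), "deny"),
    Rule("r3", "tcp", "10.1.0.0/16", "192.168.1.10/32", (443, 443), "accept"),
    Rule("r4", "tcp", "10.0.0.0/8", "192.168.1.10/32", (443, 443), "deny"),
    Rule("r6", "tcp", "10.3.0.0/16", "192.168.5.0/24", (1, 1024), "deny"),
    Rule("r7", "tcp", "10.0.0.0/8", "192.168.5.20/32", (22, 22), "accept"),
]
```

Running `find_anomalies(SAMPLE)` flags r2 as shadowed by r1, r4 as a generalization of r3 and r6/r7 as correlated; `allocate(SAMPLE, 3)` places each of those pairs on its own virtual firewall. The grouping constraint is the check to apply to any rule-allocation scheme in a parallel firewall where every node inspects every packet: if two overlapping rules with different actions land on different nodes, the node holding the later rule can decide a packet before the earlier rule is ever consulted, and the policy's first-match semantics are silently lost.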
Keywords: Cloud computing, FWaaS, Parallel firewall, NFV
This work is based on the Fudan-Hitachi Innovative Software Technology Joint Laboratory project, a cloud virtualized resource management system. This work is also supported by the 2014–2016 PuJiang Program of Shanghai under Grant No. 14PJ1431100 and the 2015–2017 Shanghai Science and Technology Innovation Action Plan Project under Grant No. 15511107000. We would like to give our sincere thanks to them for all the support and advice.