CPFirewall: A Novel Parallel Firewall Scheme for FWaaS in the Cloud Environment

  • Zhenfang WangEmail author
  • ZhiHui Lu
  • Jie Wu
  • Kang Fan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9464)


In cloud, resources are virtualized and the software delivery way is becoming something like a “service” to provide end user and operator benefits including on-demand self-service, resource pooling, rapid elasticity and service metering capability. As a part of network function virtualization, firewall virtualization can greatly increase the firewall configuration flexibility for the cloud environment. In this paper, we focus on FWaaS (Firewall as a Service) and we design a parallel firewall system called CPFirewall (Cloud Parallel Firewall System). In CPFirewall, the firewall resources are virtualized and multiple tenants can build up their own parallel firewall by renting virtual firewalls. This needs solve some challenges. We adopt a rule-splitting algorithm to build a rule anomaly set (We call it Wrapset.) for detecting rule anomaly. We design the rule-allocation algorithm to achieve the cloud-native features, including load balance and dynamic scale. And we also improve the system performance using Exponential Smoothing (ES) forecasting method. Experiment results have verified that CPFirewall has a higher efficiency than other firewall schemes and is much more suitable for the Cloud network environment.


Cloud computing FWaaS Parallel firewall NFV 



This paper work is based on the Fudan-Hitachi Innovative Software Technology Joint Laboratory project-cloud virtualized resource management system. This work is also supported by 2014–2016 PuJiang Program of Shanghai under Grant No. 14PJ1431100 and 2015–2017 Shanghai Science and Technology Innovation Action Plan Project under Grant No. 15511107000. We would like to give our sincere thanks to them for all the support and advice.


  1. 1.
    Acharya, H.B., Gouda, M.G.: Firewall verification and redundancy checking are equivalent. In: INFOCOM, 2011 Proceedings IEEE, pp. 2123–2128. IEEE (2011)Google Scholar
  2. 2.
    Liu, C., Mao, Y., Van der Merwe, J., et al.: Cloud resource orchestration: s data-centric approach. In: Proceedings of the Biennial Conference on Innovative Data Systems Research (CIDR), pp. 1–8 (2011)Google Scholar
  3. 3.
    Lam, H.Y., Wang, D., Chao, H.J.: A traffic-aware top-n firewall approximation algorithm. In: 2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), pp. 1036–1041. IEEE (2011)Google Scholar
  4. 4.
    Al-Shaer, E., Hamed, H.: Design and implementation of firewall policy advisor tools. DePaul University, CTI, Technical Report (2002)Google Scholar
  5. 5.
    Al-Shaer, E.S., Hamed, H.H.: Discovery of policy anomalies in distributed firewalls. In: INFOCOM 2004, Twenty-third Annual Joint Conference of the IEEE Computer and Communications Societies, vol. 4, pp. 2605–2616. IEEE (2004)Google Scholar
  6. 6.
    Fulp, E.W.: Parallel firewall designs for high-speed networks. In: INFOCOM 2006, 25th IEEE International Conference on Computer Communications, Proceedings, pp. 1–4. IEEE (2006)Google Scholar
  7. 7.
    Hamed, H.H., El-Atawy, A., Al-Shaer, E.: Adaptive statistical optimization techniques for firewall packet filtering. In: INFOCOM 2006, vol. 6, pp. 1–12 (2006)Google Scholar
  8. 8.
    Chaure, R., Shandilya, S.K.: Firewall anamolies detection and removal techniques – a survey. Int. J. Emerg. Technol. 1(1), 71–74 (2010)Google Scholar
  9. 9.
    Hajjat, M., Sun, X., Sung, Y.W.E., et al.: Cloudward bound: planning for beneficial migration of enterprise applications to the cloud. ACM SIGCOMM Comput. Commun. Rev. 40(4), 243–254 (2010)CrossRefGoogle Scholar
  10. 10.
    Khakpour, A.R., Liu, A.X.: First step toward cloud-based firewalling. In: 2012 IEEE 31st Symposium on Reliable Distributed Systems (SRDS), pp. 41–50. IEEE (2012)Google Scholar
  11. 11.
    Lee, S., Purohit, M., Saha, B.: Firewall placement in cloud data centers. In: Proceedings of the 4th annual Symposium on Cloud Computing, p. 52. ACM (2013)Google Scholar
  12. 12.
    Yu, S., Doss, R., Zhou, W., et al.: A general cloud firewall framework with dynamic resource allocation. In: 2013 IEEE International Conference on Communications (ICC), pp. 1941–1945. IEEE (2013)Google Scholar
  13. 13.
    Gardner, E.S.: Exponential smoothing: the state of the art. J. Forecast. 4(1), 1–28 (1985)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.School of Computer ScienceFudan UniversityShanghaiChina

Personalised recommendations