A Classification for Access Control List To Speed Up Packet-Filtering Firewall. Chen Fan, Long Tan, Rawad Felimban and Abdelshakour Abuzneid, Department of Computer Science & Engineering, University of Bridgeport, CT.

Presentation transcript:

A Classification for Access Control List To Speed Up Packet-Filtering Firewall. Chen Fan, Long Tan, Rawad Felimban and Abdelshakour Abuzneid, Department of Computer Science & Engineering, University of Bridgeport, CT.

Background

A. ACL
An ACL (Access Control List) is a list of router commands that controls which packets may enter or leave an interface. ACLs can be applied to any routed protocol (IP, IPX, AppleTalk and so on). Because an organisation's internal and external systems must exchange information, the network security policy has to be enforced against unauthorised users, and ACLs are a good way to do this: they filter network traffic and control access. ACLs can also limit traffic and improve network performance, for example by assigning packet priority according to protocol; they provide traffic-control measures, for example by restricting the contents of routing updates; and they provide a basic access-control mechanism, for example allowing host A to reach the human-resources network while refusing host B. Note that an ACL decides on packet-header fields such as addresses and ports, not on who the user is, so it is an authorisation mechanism rather than an authentication method.

Introduction
ACLs contain many rules, and these rules decide which IP traffic is passed or denied. Filter rules are based on the IP packet and use five basic elements: protocol, source address, destination address, source port and destination port. If every incoming packet is matched against the ACL rules one by one, the delay is considerable, which is why we propose the NPF (New Packet Filtering) approach. A packet-filtering firewall inspects the header of each packet in a data flow and decides the fate of the whole packet: it may DROP the packet, ACCEPT it (let it through), or take other more complex actions.
Abstract
A traditional packet-filtering firewall matches each new client request against the rules in its ACL (Access Control List) one by one, which adds response delay and slows down data access. The number of network users keeps growing and users expect ever faster access, so improving the filtering speed of packet-filtering firewalls is especially important. In this paper, starting from traditional packet-filtering firewall technology and from the nature and requirements of computer network security, we change the architecture of the packet-filtering firewall to improve its response speed. Keeping the traditional packet filter, we classify existing similar rules into a set and use one header to represent that set. When a new client request arrives it no longer has to be compared with the rules one by one as in the TPF (Traditional Packet-Filtering Firewall); it is compared with only a few headers. We call this the NPF (New Packet-Filtering Firewall) and expect it to improve the speed of packet filtering.

Firewall products using this technology filter packets at an appropriate point in the network: they examine the source address, destination address, TCP and UDP port numbers, TCP connection state and other fields of each packet, then apply a predefined rule set to let conforming packets through the firewall into the internal network and drop the rest. Because routers usually sit at the junctions between networks with different security requirements and policies, packet filtering can be applied there so that only authorised traffic enters through the router. Adding packet-filtering rules to the existing routing infrastructure is an economical way to obtain firewall functionality.
As the name suggests, packet filtering discards specified packets during routing. The decision is usually based on the contents of a single packet's headers (source address, destination address, protocol, port and so on). With computer networking and globalisation, many daily activities are moving onto the network, and Internet technology has reached every aspect of social life. As networks spread into every field together with computer and communication technology, network security problems have become visible and attract growing attention. Surveys put the annual worldwide economic loss from computer network security incidents in the tens of billions of dollars, so research on network and information security has emerged and keeps broadening. New industries, forms of cooperation and business models are emerging as the world moves into the Internet age; existing enterprise networks contain a wide variety of systems and platforms, and their security faces new challenges. In the digital age, network applications reach into every area of society and bring great convenience, and the continuing development of Internet technology has combined computing, communications and information processing into large, complex networked information systems. In these systems, communication security, computer security, operational security and information security have become the problems people are most concerned about.

Proposed Method
The rules already exist in the ACLs (set up by the administrator); our aim is to make the ACLs work more efficiently. We can classify some of the rules under a header.
Suppose one rule passes a single IP address and another rule passes the address range, written with a wildcard, that contains it. The first rule is redundant, and the two can be merged into the single wildcard rule (pass). Other rules can be classified in the same way: equivalent rules, partly independent rules and cross-related (overlapping) rules. This helps the administrator configure the security policy, makes inserting, deleting or modifying rules much more convenient, and makes the firewall more intelligent. Any merge or reordering must keep the first-match semantics of the ACL: a rule may only be folded into another rule, or moved ahead of it, if no rule between them matches the same packets with a different action. After classification, each header stands for the set of rules classified under it. We then attach a counter to each header that counts how often the header is matched during operation, as in Fig. 6. Each time a header is matched its counter is increased by 1, which gives an ordering of the headers by count: the most used headers have the largest counts and the others smaller ones. When a new IP packet enters the ACL, we match it against the headers with the largest counts first, since those are used most frequently. This saves time compared with matching the rules one by one.

SOFTWARE SIMULATION
The simulation only accesses a few websites: baidu.com, youtube.com and facebook.com. It shows how many IP addresses pass through the TPF (Traditional Packet-Filtering Firewall) and the NPF (New Packet-Filtering Firewall) in 10 seconds. If the NPF passes more IP addresses than the TPF, that demonstrates the NPF is more efficient. We then compare the difference in speed between TPF and NPF. The simulation screenshots (TPF and NPF) show that the NPF is more efficient over the same period; Fig. 11 plots the difference clearly.

Conclusion
In this paper the problem of the large amount of time needed to match a request against the rules in an ACL has been addressed. We have introduced a new approach to faster packet filtering, in which a header stands for a set of rules when matching a given packet, and it can be employed in a real network.
It is observed that the proposed method gives a significant improvement in packet matching time: at least twice the filtering speed of a traditional packet-filtering firewall that scans the rule set to find the matching rule for a packet. There is, however, a cost. When the system is first used it takes time to classify the rules, and it uses some of the router's memory to run and some storage for its data, which may be a problem where hardware resources are limited. We expect routers to have more memory and storage in the future, and we will continue to look for other solutions to the hardware-resource problem.