Design and Implementation of Stateful Packet Filtering Firewall and optimization using Binary Decision Diagram

Abstract

Today internet is the most useful and big source of knowledge. We can find any information on the internet. But at the same time we are exposed to different types of attacks such as spoof Packet filtering, Denial of Service Attack and so on. So we have to secure the network from this type of attack so that we can easily find information without any hiccups. Through Firewall we can secure our network form this type of attack. There are so many types of Firewall currently exist. But we focus specially on Stateful Packet Firewall. Stateful Packet Filtering in improved version of packet filter firewall in which it validates the first packet of the new connection according to the firewall rule. If that packet is satisfied by the firewall rule policy than corresponding entry is created in state table so that for consecutive packet of the same connection will not be validated by firewall rule. It checks only that packet is corresponding to the existing connection or not. If packet is of existing connection then it will immediately passed through firewall, no need to check according to firewall rule and if packet is of the new connection then it is passed through firewall if and only if it validates the rule and accordingly it will create entry in state table. But there exist problem when the rule list is large in number. Today firewall rules contains thousands or lacks of rule. So it will take long time to decide for a packet to be allowed or not. So we can improve this look up time by using Binary Decision Diagram (BDD). BDD is compressed data structure that will decide immediately that if packet should be passed or not. Operation are performed directly on compressed data structure. On testing on millions of packets the look up time is decreases up to 74%.