The complexity of a firewall is considered to grow as the size of its rule set grows. Empirical studies show that as the rule set becomes larger, the number of firewall configuration errors rises sharply while firewall performance degrades. When designing a security-sensitive network, it is critical to construct the network topology and its routing structure carefully in order to reduce the size of the firewall rule sets, which helps lower the chance of security loopholes and avoid performance bottlenecks. A heuristic solution is proposed for minimizing the maximum multi-firewall rule set during network topology design and routing table construction. The effectiveness of the algorithm is demonstrated by simulation. Simulation results show that the algorithm reduces the size of the multi-firewall rule sets compared with other algorithms.
The complexity of a firewall is known to increase with the size of its rule set. Empirical studies show that as the rule set grows larger, the number of configuration errors on a firewall increases sharply, while the performance of the firewall degrades. When designing a security-sensitive network, it is critical to construct the network topology and its routing structure carefully in order to reduce the size of firewall rule sets, which helps lower the chance of security loopholes and prevent performance bottlenecks. This paper presents a heuristic solution to the problem of minimising the maximum multi-firewall rule set during network topology design and routing table construction. The effectiveness of the algorithm is demonstrated by simulation. Simulation results show that the proposed algorithm reduces the size of the multi-firewall rule set compared with other algorithms.
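As an added illustration (not the paper's algorithm, whose details the abstract does not give), the toy model below assumes that every firewall on a flow's chosen path must carry one rule for that flow, so the choice of routes decides each firewall's rule-set size. It compares routing by fewest firewalls against a greedy min-max heuristic and an exhaustive search; the topology, flow names and firewall names are constructed.

```python
"""Toy model of the min-max multi-firewall rule-set problem (assumed model,
not the paper's): one rule per flow on every firewall its path traverses."""
from collections import Counter
from itertools import product

# Constructed example: each flow has candidate paths, given as the ordered
# list of firewalls the path traverses.
CANDIDATE_PATHS = {
    "web->db":    [["fw1"], ["fw2", "fw3"]],
    "app->db":    [["fw1"], ["fw3"]],
    "user->web":  [["fw1", "fw2"], ["fw2"]],
    "admin->app": [["fw1"], ["fw2"], ["fw3"]],
}

def rule_counts(assignment):
    """Rules per firewall: one for every flow whose chosen path crosses it."""
    counts = Counter()
    for path in assignment.values():
        counts.update(path)
    return counts

def max_rule_set(assignment):
    """Objective: size of the largest rule set among all firewalls."""
    return max(rule_counts(assignment).values(), default=0)

def fewest_firewalls_routing(paths):
    """Baseline: each flow takes the path crossing the fewest firewalls,
    ignoring how many rules that piles onto one firewall."""
    return {flow: min(cands, key=len) for flow, cands in paths.items()}

def _cost(assignment):
    # Primary: max rule set; secondary: total rules (tie-break).
    return (max_rule_set(assignment), sum(rule_counts(assignment).values()))

def greedy_min_max_routing(paths):
    """Heuristic: place the most constrained flows (fewest candidates) first,
    choosing for each the path that keeps the maximum rule set smallest."""
    assignment = {}
    for flow in sorted(paths, key=lambda f: len(paths[f])):
        assignment[flow] = min(paths[flow],
                               key=lambda c: _cost({**assignment, flow: c}))
    return assignment

def optimal_min_max_routing(paths):
    """Exhaustive reference (exponential in the number of flows; toy only)."""
    flows = list(paths)
    best = None
    for combo in product(*(paths[f] for f in flows)):
        trial = dict(zip(flows, combo))
        if best is None or _cost(trial) < _cost(best):
            best = trial
    return best
```

On this topology the fewest-firewalls baseline concentrates three rules on fw1, whereas the greedy heuristic matches the exhaustive optimum of two rules on the busiest firewall.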