An Independent Function-Parallel Firewall Architecture for High-Speed Networks (Short Paper)

  • Errin W. Fulp
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4307)


A function-parallel network firewall is a scalable architecture that consists of multiple firewalls. Rules are distributed across the array such that each firewall implements a portion of the original policy. This resutls in significantly lower delays than other parallel designs; however, the design requires firewall intercommunication to coordinate the array which is difficult to implement and introduces additional delay.

This paper describes how the performance of a function-parallel firewall array can be increased if the individual firewalls can operate independently, without firewall intercommunication. By distributing rules using accept sets, the independent firewall array and a traditional single firewall will always arrive at the same decision (integrity is maintained). Simulation results will show the system is significantly faster than other designs and has the unique ability to provide service differentiation.


Arrival Rate Security Policy Average Delay Packet Delay Local Policy 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Benecke, C.: A parallel packet screen for high speed networks. In: Proceedings of the 15th Annual Computer Security Applications Conference (1999)Google Scholar
  2. 2.
    Goddard, S., Kieckhafer, R., Zhang, Y.: An unavailability analysis of firewall sandwich configurations. In: Proceedings of the 6th IEEE Symposium on High Assurance Systems Engineering (2001)Google Scholar
  3. 3.
    Paul, O., Laurent, M.: A full bandwidth ATM firewall. In: Cuppens, F., Deswarte, Y., Gollmann, D., Waidner, M. (eds.) ESORICS 2000. LNCS, vol. 1895. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  4. 4.
    Fulp, E.W., Farley, R.J.: A function-parallel architecture for high-speed firewalls. In: Proceedings of the IEEE International Conference on Communications (2006)Google Scholar
  5. 5.
    Ziegler, R.L.: Linux Firewalls, 2nd edn. New Riders (2002)Google Scholar
  6. 6.
    Ranganath, V.P., Andresen, D.: A set-based approach to packet classification. In: Proceedings of the IASTED International Conference on Parallel and Distributed Computing and Systems, pp. 889–894 (2003)Google Scholar
  7. 7.
    Culler, D.E., Singh, J.P.: Parallel Computer Architecture: A Hardware/Software Approach. Morgan Kaufmann, San Francisco (1999)Google Scholar
  8. 8.
    Wool, A.: A quantitative study of firewall configuration errors. IEEE Computer 37(6), 62–67 (2004)Google Scholar
  9. 9.
    Leland, W.E., Taqqu, M.S., Willinger, W., Wilson, D.V.: On the self-similar nature of ethernet traffic. IEEE Transactions on Networking 2, 1–15 (1994)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Errin W. Fulp
    • 1
  1. 1.Department of Computer ScienceWake Forest UniversityWinston-SalemUSA

Personalised recommendations