An Independent Function-Parallel Firewall Architecture for High-Speed Networks (Short Paper)
A function-parallel network firewall is a scalable architecture that consists of multiple firewalls. Rules are distributed across the array such that each firewall implements a portion of the original policy. This results in significantly lower delays than other parallel designs; however, the design requires firewall intercommunication to coordinate the array, which is difficult to implement and introduces additional delay.
This paper describes how the performance of a function-parallel firewall array can be increased if the individual firewalls can operate independently, without firewall intercommunication. By distributing rules using accept sets, the independent firewall array and a traditional single firewall will always arrive at the same decision (integrity is maintained). Simulation results will show the system is significantly faster than other designs and has the unique ability to provide service differentiation.
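The accept-set distribution and the integrity claim above, as an added Python example that is not from the paper: the distribution rule used here (each node holds a share of the policy's accept rules plus every deny rule that precedes them in the original first-match order) is an assumption about the scheme, and the policy and packets are constructed. A naive distribution that ships only the accept rules is included to show why the preceding deny rules must travel with them.

```python
from itertools import product

# Rule: (action, src, dst, proto, dport); "*" is a wildcard. First match wins,
# with an implicit final deny. Constructed sample policy.
POLICY = [
    ("deny",   "10.0.0.5", "*",        "*",   "*"),    # quarantined host
    ("accept", "*",        "10.1.0.1", "tcp", 80),
    ("accept", "*",        "10.1.0.1", "tcp", 443),
    ("deny",   "*",        "10.1.0.2", "tcp", 22),     # no SSH to the DB box
    ("accept", "10.0.0.9", "10.1.0.2", "tcp", 5432),   # app server to DB
    ("accept", "*",        "*",        "udp", 53),
]

def matches(rule, pkt):
    return all(f == "*" or f == p for f, p in zip(rule[1:], pkt))

def single_firewall(policy, pkt):
    """Traditional first-match firewall; packets matching no rule are denied."""
    for rule in policy:
        if matches(rule, pkt):
            return rule[0]
    return "deny"

def distribute(policy, n_nodes):
    """Assumed accept-set distribution: accept rule k goes to node k % n_nodes,
    together with every deny rule that appears before it in the policy.
    Original relative order is preserved on each node."""
    node_idx = [set() for _ in range(n_nodes)]
    accepts = [i for i, r in enumerate(policy) if r[0] == "accept"]
    for k, i in enumerate(accepts):
        node_idx[k % n_nodes].add(i)
        node_idx[k % n_nodes].update(j for j in range(i) if policy[j][0] == "deny")
    return [[policy[j] for j in sorted(s)] for s in node_idx]

def distribute_naive(policy, n_nodes):
    """Accept rules only, no preceding denies: integrity is NOT maintained."""
    accepts = [r for r in policy if r[0] == "accept"]
    return [accepts[k::n_nodes] for k in range(n_nodes)]

def parallel_array(nodes, pkt):
    """No intercommunication: each node decides alone; accept if any node does."""
    return "accept" if any(single_firewall(n, pkt) == "accept" for n in nodes) else "deny"

def integrity_holds(policy, n_nodes, packets, distributor=distribute):
    nodes = distributor(policy, n_nodes)
    return all(single_firewall(policy, p) == parallel_array(nodes, p) for p in packets)

def sample_packets():
    """Constructed traffic covering every field value used in POLICY."""
    return list(product(["10.0.0.5", "10.0.0.9"], ["10.1.0.1", "10.1.0.2", "10.1.0.3"],
                        ["tcp", "udp"], [22, 53, 80, 443, 5432]))
```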
Keywords: Arrival Rate, Security Policy, Average Delay, Packet Delay, Local Policy