Parallel firewall designs for high-speed networks
Abstract (Summary)
Ryan Joseph Farley
Firewalls enforce a security policy between two networks by comparing each arriving packet against the policy rules to determine whether it should be accepted or denied. Unfortunately, this security processing imposes significant delays on routing activity, and the delay grows with the size and complexity of the policy. These delays become more apparent as network speeds increase and performance requirements rise, so the need to improve firewall performance will only grow over time.
This thesis introduces a novel parallel firewall design in which a set of firewall nodes collectively enforces a security policy. The proposed model can perform inspection under increased traffic loads and at higher traffic speeds in a scalable manner. To accomplish this, each parallel firewall node implements a portion of the policy (a form of function parallelism), and every packet is processed by all firewall nodes simultaneously, so that each packet is exposed to the entire policy.
Since each firewall node has fewer rules to process per packet, the proposed function parallel system can achieve significantly lower delays and higher throughput than both non-parallel and data parallel (load-balancing) firewalls. Furthermore, unlike data parallel systems, the new function parallel design allows stateful inspection of packets, a critical component in preventing certain types of network attacks. These advantages are demonstrated theoretically and empirically through experiments and simulations.
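The following toy model illustrates the distinction the abstract draws between data parallel (load-balancing) and function parallel firewalls. It is an added example, constructed for this page and not code from the thesis: an ordered first-match policy of eight rules, six synthetic packets, and a measure of how many rule comparisons a single node must perform per packet under each design. The combiner used for the function parallel case (the matching rule with the lowest original index wins) is an assumption chosen so that the distributed result reproduces serial first-match semantics; the thesis itself may distribute rules and merge results differently.

```python
"""Toy model of serial, data parallel and function parallel firewall evaluation.

Constructed example (not the thesis's code). Assumptions: first-match policy
semantics with a default deny; function parallel nodes hold policy[i::N] and
a combiner picks the lowest original rule index among the nodes' local hits.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from math import ceil
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    index: int            # position in the ordered policy
    proto: str            # "tcp", "udp" or "any"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # None means any destination port
    action: str           # "accept" or "deny"

    def matches(self, pkt: "Packet") -> bool:
        return (self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.dport in (None, pkt.dport))


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


DEFAULT_ACTION = "deny"  # applied when no rule matches

# Constructed policy. Order matters: rule 0 admits web traffic even from the
# network that rule 5 later blocks, so any parallel scheme must keep that order.
POLICY = [
    Rule(0, "tcp", "0.0.0.0/0",       "192.0.2.10/32", 80,   "accept"),
    Rule(1, "tcp", "0.0.0.0/0",       "192.0.2.10/32", 443,  "accept"),
    Rule(2, "udp", "10.0.0.0/8",      "192.0.2.53/32", 53,   "accept"),
    Rule(3, "tcp", "10.0.0.0/8",      "192.0.2.0/24",  22,   "accept"),
    Rule(4, "tcp", "0.0.0.0/0",       "192.0.2.0/24",  22,   "deny"),
    Rule(5, "any", "198.51.100.0/24", "192.0.2.0/24",  None, "deny"),
    Rule(6, "tcp", "10.0.0.0/8",      "192.0.2.20/32", 3306, "accept"),
    Rule(7, "any", "0.0.0.0/0",       "0.0.0.0/0",     None, "deny"),
]

# Constructed traffic sample (expected serial first match in the comment).
PACKETS = [
    Packet("tcp", "203.0.113.5",  "192.0.2.10", 80),    # rule 0
    Packet("tcp", "203.0.113.5",  "192.0.2.10", 22),    # rule 4
    Packet("tcp", "10.1.2.3",     "192.0.2.20", 3306),  # rule 6
    Packet("udp", "10.1.2.3",     "192.0.2.53", 53),    # rule 2
    Packet("tcp", "198.51.100.7", "192.0.2.10", 80),    # rule 0 beats rule 5
    Packet("tcp", "198.51.100.7", "192.0.2.20", 3306),  # rule 5
]


def first_match(rules: List[Rule], pkt: Packet) -> Tuple[Optional[Rule], int]:
    """Linear scan; returns (first matching rule or None, rules examined)."""
    for examined, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule, examined
    return None, len(rules)


def serial(policy: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """One node, whole policy."""
    rule, work = first_match(policy, pkt)
    return (rule.action if rule else DEFAULT_ACTION), work


def data_parallel(policy: List[Rule], pkt: Packet, nodes: int) -> Tuple[str, int, int]:
    """Load balancing: one node (picked by a flow hash) runs the full policy,
    so per-packet work equals the serial case; only throughput scales."""
    node = sum(int(o) for o in pkt.src.split(".")) % nodes  # deterministic pick
    decision, work = serial(policy, pkt)
    return decision, work, node


def function_parallel(policy: List[Rule], pkt: Packet, nodes: int) -> Tuple[str, int]:
    """Every node holds policy[i::nodes] and sees every packet. Latency is the
    slowest node's scan; the combiner keeps the lowest original index."""
    local_hits, work = [], []
    for i in range(nodes):
        rule, examined = first_match(policy[i::nodes], pkt)
        work.append(examined)
        if rule is not None:
            local_hits.append(rule)
    winner = min(local_hits, key=lambda r: r.index) if local_hits else None
    return (winner.action if winner else DEFAULT_ACTION), max(work)


def compare(policy: List[Rule], packets: List[Packet], nodes: int) -> Dict[str, object]:
    """Decisions and worst-case per-packet comparisons on a single node."""
    s = [serial(policy, p) for p in packets]
    f = [function_parallel(policy, p, nodes) for p in packets]
    return {
        "serial_decisions": [d for d, _ in s],
        "function_parallel_decisions": [d for d, _ in f],
        "serial_worst_work": max(w for _, w in s),
        "function_parallel_worst_work": max(w for _, w in f),
        "function_parallel_bound": ceil(len(policy) / nodes),
    }


if __name__ == "__main__":
    for n in (1, 2, 4):
        print(n, compare(POLICY, PACKETS, n))
```

Running the block shows that the decisions agree for every node count, that the worst-case number of comparisons on any one node drops from 7 (serial, and therefore also data parallel) to 2 with four function parallel nodes, and that the bound on per-node work is the slice size ceil(|policy| / N) rather than |policy|. Note the trade-off the model makes visible: a node whose slice holds no match scans its whole slice, so with two nodes a packet the serial firewall resolves after three rules can still cost a node four comparisons; the gain is in the bound, not in every individual packet.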
Bibliographical Information:
Advisor:
School: Wake Forest University
School Location: USA - North Carolina
Source Type: Master's Thesis
Keywords: firewalls, computer security, networks
ISBN:
Date of Publication: