Trie-based policy representations for network firewalls

Network firewalls remain the front-line defense for most computer systems. These critical devices filter traffic by comparing arriving packets to a list of rules, the security policy, in a sequential manner. Unfortunately, packet filtering in this fashion can result in significant traffic delays, which is problematic for applications that require strict quality of service (QoS) guarantees. Given this demanding environment, new methods are needed to increase network firewall performance. This paper introduces a new technique for representing a security policy that maintains policy integrity and provides more efficient processing. The policy is represented as an n-ary retrieval tree, also referred to as a trie. The worst-case processing requirement for the policy trie is a fraction of that for a list representation, which only considers rules individually (1/5 the processing for TCP/IP networks). Furthermore, unlike other representations, the n-ary trie developed in this paper can be proven to maintain policy integrity. The creation of policy trie structures is discussed in detail, and their performance benefits are described theoretically and validated empirically.
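The abstract describes the policy trie only at a high level. The following is an added illustration, not code from the paper: a first-match rule list is loaded into an n-ary trie with one level per tuple field (protocol, source address, source port, destination address, destination port) and a wildcard branch at each level, and a lookup descends every branch that could match, keeping the matching rule with the lowest list position so that the trie returns exactly the decision sequential evaluation would. The rule set, packet tuples, and the `ANY` token are constructed for the example; address prefixes and port ranges are treated as opaque exact tokens for brevity, and the field ordering is an assumption, not necessarily the one the paper uses.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ANY = "*"  # constructed wildcard token; prefixes/ranges are treated as exact tokens here
FIELDS = ("proto", "src", "sport", "dst", "dport")  # assumed ordering: one trie level per field

Packet = Tuple[str, str, str, str, str]
Decision = Optional[Tuple[int, str]]  # (position of the winning rule in the list, its action)


@dataclass(frozen=True)
class Rule:
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    action: str

    def key(self) -> Tuple[str, ...]:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def matches(self, pkt: Packet) -> bool:
        return all(v == ANY or v == p for v, p in zip(self.key(), pkt))


@dataclass
class Node:
    children: Dict[str, "Node"] = field(default_factory=dict)
    rules: List[Tuple[int, str]] = field(default_factory=list)  # populated only at leaf depth


class PolicyTrie:
    """n-ary trie: level i branches on field i of each rule, with ANY as an extra branch."""

    def __init__(self, rules: List[Rule]):
        self.root = Node()
        for i, r in enumerate(rules):
            node = self.root
            for v in r.key():
                node = node.children.setdefault(v, Node())
            node.rules.append((i, r.action))  # keep list position so first-match order survives

    def match(self, pkt: Packet) -> Decision:
        best: Decision = None
        stack = [(self.root, 0)]
        while stack:
            node, depth = stack.pop()
            if depth == len(FIELDS):
                for idx, action in node.rules:
                    if best is None or idx < best[0]:
                        best = (idx, action)
                continue
            # both the exact branch and the wildcard branch may lead to a matching rule
            for branch in (pkt[depth], ANY):
                child = node.children.get(branch)
                if child is not None:
                    stack.append((child, depth + 1))
        return best


def list_match(rules: List[Rule], pkt: Packet) -> Decision:
    """Reference sequential first-match evaluation of the same policy."""
    for i, r in enumerate(rules):
        if r.matches(pkt):
            return (i, r.action)
    return None


def policy_preserved(rules: List[Rule], packets: List[Packet]) -> bool:
    """Integrity check: the trie must reproduce the list decision for every packet."""
    trie = PolicyTrie(rules)
    return all(trie.match(p) == list_match(rules, p) for p in packets)


# Constructed sample policy. Order matters: rule 0 shadows rule 1 for one source host.
POLICY = [
    Rule("tcp", "192.168.1.10", ANY, "10.0.0.5", "22", "deny"),
    Rule("tcp", ANY, ANY, "10.0.0.5", "22", "accept"),
    Rule("udp", ANY, ANY, "10.0.0.7", "53", "accept"),
    Rule("tcp", ANY, ANY, "10.0.0.9", "80", "accept"),
    Rule(ANY, ANY, ANY, ANY, ANY, "deny"),
]

# Constructed packet tuples in FIELDS order.
SAMPLE_PACKETS: List[Packet] = [
    ("tcp", "192.168.1.10", "40000", "10.0.0.5", "22"),  # shadowed host: rule 0 wins
    ("tcp", "192.168.1.11", "40000", "10.0.0.5", "22"),  # rule 1
    ("udp", "1.2.3.4", "5353", "10.0.0.7", "53"),        # rule 2
    ("tcp", "1.2.3.4", "1", "10.0.0.9", "443"),          # falls through to default deny
]

if __name__ == "__main__":
    trie = PolicyTrie(POLICY)
    for p in SAMPLE_PACKETS:
        print(p, "->", trie.match(p))
    print("policy integrity preserved:", policy_preserved(POLICY, SAMPLE_PACKETS))
```

Resolving overlaps by lowest list position is what keeps the trie faithful to the original policy: the first packet above matches both rule 0 and rule 1, and the trie must report the deny, as the list does. Without a catch-all rule the lookup returns `None`, which a caller should treat as the firewall's configured default action rather than as an accept.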
