DocumentCode
1734655
Title
Dynamic Balancing of Packet Filtering Workloads on Distributed Firewalls
Author
Yan, Guanhua; Chen, Songqing; Eidenbenz, Stephan
Author_Institution
Los Alamos Nat. Lab., Los Alamos, NM
fYear
2008
Firstpage
209
Lastpage
218
Abstract
Firewalls are widely deployed nowadays to enforce security policies of enterprise networks. While having played crucial roles in securing these networks, firewalls themselves are subject to performance limitations. An overloaded firewall can cause severe damage to the protected enterprise network, because any legitimate communication through it is either degraded or even completely severed. In this paper, we address how to dynamically balance packet filtering workloads on distributed firewalls efficiently in large enterprise networks. We model dynamic load balancing on distributed firewalls as a minimax optimization problem, and show that it is strongly NP-complete even if we eliminate all precedence relationships among policy rules by rule rewriting. Accordingly, we propose a light-weight rule distribution scheme that quickly balances workloads among all firewalls. Our scheme is adaptive to incoming traffic. Moreover, dynamically placing and ordering policy rules on distributed firewalls reduces the probability that attackers successfully infer the rule distribution. Experimental results show that using a commodity PC, our approach can reduce the peak firewall workload in distributed firewall systems by 40% within less than five minutes, compared against alternative solutions that only optimize rule ordering on individual firewalls.
Keywords
Internet; authorisation; business data processing; computational complexity; minimax techniques; resource allocation; NP-complete problem; distributed firewalls; dynamic load balancing; enterprise networks; light-weight rule distribution scheme; minimax optimization problem; packet filtering workloads; Communication system traffic control; Degradation; IP networks; Information filtering; Information filters; Inspection; Minimax techniques; Parallel processing; Protection; Telecommunication traffic
fLanguage
English
Publisher
ieee
Conference_Titel
Quality of Service, 2008. IWQoS 2008. 16th International Workshop on
Conference_Location
Enschede
ISSN
1548-615X
Print_ISBN
978-1-4244-2084-1
Type
conf
DOI
10.1109/IWQOS.2008.30
Filename
4539686