  • DocumentCode
    2267747
  • Title
    Parallel Firewall Designs for High-Speed Networks
  • Author
    Fulp, Errin W.
  • Author_Institution
    Dept. of Comput. Sci., Wake Forest Univ., Winston-Salem, NC
  • fYear
    2006
  • fDate
    23-29 April 2006
  • Firstpage
    1
  • Lastpage
    4
  • Abstract
    In a high-speed environment (e.g. Gigabit Ethernet), a single network firewall is a potential bottleneck and increasingly susceptible to denial of service (DoS) attacks. Although creating a faster single firewall is possible, the performance benefits are only temporary as network speeds continue to increase. Therefore new firewall architectures are needed to meet the demands of high-speed networks. This paper reviews different parallel firewall architectures that have the ability to process packets at high speeds. Each design uses an array of firewalls to enforce a security policy, but will differ on how the array is used. Data-parallel distributes arriving packets across the array allowing greater throughput, while function-parallel distributes the rules which reduces processing delay. In general, the parallel designs are more scalable and significantly faster than a traditional single firewall. Simulation will demonstrate the performance benefits of the parallel designs under realistic conditions.
  • Keywords
    authorisation; computer network management; DoS; denial of service; high-speed networks; packets; parallel firewall designs; Access control; Buildings; Computer crime; Computer science; Data security; Delay; Ethernet networks; High-speed networks; Quality of service; Throughput
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    INFOCOM 2006. 25th IEEE International Conference on Computer Communications. Proceedings
  • Conference_Location
    Barcelona
  • ISSN
    0743-166X
  • Print_ISBN
    1-4244-0221-2
  • Type
    conf
  • DOI
    10.1109/INFOCOM.2006.27
  • Filename
    4146680