Multilevel early packet filtering technique based on traffic statistics and splay trees for firewall performance improvement

This paper presents a mechanism to improve firewall packet filtering time through optimizing the order of security policy filtering fields for early packet rejection. The proposed mechanism is based on the optimization of the filtering fields order according to traffic statistics. Furthermore, the mechanism uses multilevel packet filtering, and in each level unwanted packets are rejected as early as possible. So, the proposed mechanism can be considered also as a device protection mechanism against denial of service (DoS) attacks targeting the default policy rule. In addition, early packet acceptance is done through using the splay tree data structure which changes dynamically according to traffic flows. So, repeated packets will have less memory accesses and therefore reducing the overall packets matching time. The proposed technique aims to overcome some of the performance limitations of the previous technique, named Self Adjusting Binary Search on Prefix Length (SA-BSPL). The numerical results obtained by simulations demonstrate that the proposed mechanism is able to significantly improve the firewall performance in terms of cumulative packet processing time compared to SA-BSPL technique.