• DocumentCode
    2508707
  • Title
    Balancing Trie-Based Policy Representations for Network Firewalls
  • Author
    Tarsa, Stephen J. ; Fulp, Errin W.
  • Author_Institution
    Wake Forest University, USA
  • fYear
    2006
  • fDate
    26-29 June 2006
  • Firstpage
    755
  • Lastpage
    760
  • Abstract
    Firewalls inspect arriving packets according to a security policy. The complexity of these policies can cause significant delays in the processing of packets, resulting in degraded performance, traffic bottlenecks, and ultimately violations of Quality of Service (QoS) constraints. As network capacities continue to increase, the improvement of firewall performance is a main concern. One technique that dramatically reduces the required processing is the representation of security policies in software with n-ary tries. This paper describes trie balancing methods that further improve performance by placing more frequently used rules in high-precedence positions, which require fewer tuple comparisons. A proof of sorted trie integrity is presented along with experimental results showing that, on average, sorting reduces the number of comparisons by 27% as compared to the original trie and by 83% as compared to a list representation. The sorting methods are described in detail and their benefits are demonstrated empirically.
  • Keywords
    Computer science; Computer security; Degradation; Delay; Hardware; Microwave integrated circuits; Quality of service; Sorting; Telecommunication traffic; US Department of Energy;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computers and Communications, 2006. ISCC '06. Proceedings. 11th IEEE Symposium on
  • ISSN
    1530-1346
  • Print_ISBN
    0-7695-2588-1
  • Type
    conf
  • DOI
    10.1109/ISCC.2006.44
  • Filename
    1691115