Title :
A Function-Parallel Architecture for High-Speed Firewalls
Author :
Fulp, Errin W. ; Farley, Ryan J.
Author_Institution :
Department of Computer Science, Wake Forest University, Winston-Salem, NC 27109-7311, USA. Email: fulp@wfu.edu
Abstract :
Firewalls enforce a security policy by inspecting and filtering traffic arriving at or departing from a secured network. This is typically done by comparing an arriving packet to an ordered set of rules and performing the action of the first matching rule, which is accept or deny. Unfortunately, packet inspection can impose significant delays on traffic because of the size and complexity of policies. Improving firewall performance is therefore important for the next generation of high-speed networks. This paper introduces a new firewall architecture that can perform packet inspection under increasing traffic loads, higher traffic speeds, and strict QoS requirements. The architecture consists of multiple firewalls configured in parallel that collectively enforce a single security policy. Each firewall implements part of the policy, and every arriving packet is processed by all the firewalls simultaneously. Because each packet is inspected by several firewalls at once, each holding only a fraction of the rules, the proposed function-parallel system has significantly lower delays (e.g. 74% lower for a four-firewall system) and higher throughput than data-parallel (load-balancing) firewall designs. These findings are demonstrated empirically. Furthermore, unlike data-parallel systems, the function-parallel design allows stateful inspection of packets, which is critical for preventing certain types of network attacks.
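The following is an added example, written for this record and not code from the paper or its authors, that models the function-parallel arrangement the abstract describes: an ordered first-match policy is split across n firewalls, every firewall inspects the same packet against only its own subset, and a gate merges the verdicts. The split (rule i goes to firewall i mod n), the gate rule (accept the matching rule with the lowest global index), the sample policy and the test packets are all assumptions of this example; the paper's own partitioning and gate logic may differ. Counting rules examined stands in for delay, and the example checks that the parallel system is policy-equivalent to a single sequential firewall, which is the property a practitioner must verify before splitting a policy. Stateful inspection, which the abstract mentions, is not modelled here.

```python
"""Function-parallel firewall model: an added example, not the paper's code.

Assumptions (this example's, not the paper's): rules use first-match semantics,
rule i is assigned to firewall i mod n, and the gate that merges the firewalls'
verdicts picks the matching rule with the lowest global index, which keeps the
parallel system equivalent to one sequential firewall holding the whole policy.
"""
import ipaddress
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

Packet = Tuple[str, str, str, int]  # (proto, src_ip, dst_ip, dst_port)


@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp" or "*" (any)
    src: str              # CIDR or "*"
    dst: str              # CIDR or "*"
    dport: Optional[int]  # None = any port
    action: str           # "accept" or "deny"

    def matches(self, pkt: Packet) -> bool:
        proto, src, dst, dport = pkt
        if self.proto != "*" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        for want, have in ((self.src, src), (self.dst, dst)):
            if want != "*" and ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        return True


# Constructed sample policy (not from the paper); the last rule is an explicit default deny.
POLICY: List[Rule] = [
    Rule("tcp", "10.0.0.0/8", "*", 22, "deny"),
    Rule("tcp", "*", "192.168.1.10/32", 80, "accept"),
    Rule("tcp", "*", "192.168.1.10/32", 443, "accept"),
    Rule("udp", "*", "192.168.1.53/32", 53, "accept"),
    Rule("tcp", "10.0.0.0/8", "192.168.1.0/24", None, "accept"),
    Rule("*", "*", "*", None, "deny"),
]


def sequential(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, int]:
    """Single firewall: walk the whole policy in order.
    Returns (action, number of rules examined); the count stands in for delay."""
    for i, r in enumerate(rules):
        if r.matches(pkt):
            return r.action, i + 1
    return default, len(rules)


def split_policy(rules: List[Rule], n: int) -> List[List[Tuple[int, Rule]]]:
    """Give firewall k every rule whose global index i satisfies i % n == k.
    Each firewall keeps the global index so the gate can restore first-match order."""
    return [[(i, r) for i, r in enumerate(rules) if i % n == k] for k in range(n)]


def function_parallel(parts: List[List[Tuple[int, Rule]]], pkt: Packet,
                      default: str = "deny") -> Tuple[str, int]:
    """Every firewall inspects the packet against only its own subset, concurrently.
    The gate accepts the verdict of the matching rule with the lowest global index.
    Returns (action, critical path): the largest number of rules any one firewall
    examined, i.e. the delay of the slowest firewall, which bounds the system delay."""
    best: Optional[Tuple[int, str]] = None
    critical = 0
    for subset in parts:
        examined = 0
        for gi, r in subset:
            examined += 1
            if r.matches(pkt):          # a firewall stops at its own first match
                if best is None or gi < best[0]:
                    best = (gi, r.action)
                break
        critical = max(critical, examined)
    return (best[1] if best else default), critical


def equivalent(rules: List[Rule], n: int, trials: int = 2000, seed: int = 1) -> bool:
    """Check that the n-firewall system gives the same verdict as the sequential
    firewall on randomly constructed packets; a split that lost first-match order
    (e.g. a gate taking whichever firewall answers first) would fail this check."""
    rng = random.Random(seed)
    parts = split_policy(rules, n)
    srcs = ["10.1.2.3", "10.200.0.9", "172.16.0.5", "8.8.8.8"]
    dsts = ["192.168.1.10", "192.168.1.53", "192.168.1.99", "192.168.2.1"]
    ports = [22, 53, 80, 443, 8080]
    for _ in range(trials):
        pkt = (rng.choice(["tcp", "udp"]), rng.choice(srcs), rng.choice(dsts), rng.choice(ports))
        if sequential(rules, pkt)[0] != function_parallel(parts, pkt)[0]:
            return False
    return True


if __name__ == "__main__":
    pkt = ("tcp", "172.16.0.5", "192.168.1.99", 8080)   # falls through to the default deny
    print("sequential:", sequential(POLICY, pkt))
    print("4 firewalls:", function_parallel(split_policy(POLICY, 4), pkt))
    print("equivalent:", all(equivalent(POLICY, n) for n in (2, 3, 4)))
```

For a packet that falls through to the default-deny rule, the sequential firewall examines all six rules while no firewall in the four-way split examines more than two, which is the worst-case delay reduction the architecture targets; a packet that hits an early rule gains nothing, so the benefit is in the tail. The gate must wait for every firewall (or at least for every firewall holding a lower-indexed rule than the best verdict so far) before deciding, otherwise an accept from a late rule could overtake an earlier deny.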
Keywords :
Computer architecture; Computer science; Data security; Delay; Filtering; Information security; Inspection; Switches; Telecommunication traffic; Throughput;
Conference_Titel :
Communications, 2006. ICC '06. IEEE International Conference on
Conference_Location :
Istanbul
Print_ISBN :
1-4244-0355-3
Electronic_ISBN :
8164-9547
DOI :
10.1109/ICC.2006.255099