Title :
Policy Distribution Methods for Function Parallel Firewalls
Author :
Horvath, Michael R. ; Fulp, Errin W. ; Wheeler, Patrick S.
Author_Institution :
GreatWall Syst., Winston-Salem, NC
Abstract :
Parallel firewalls offer a scalable, low-latency design for inspecting packets at high speeds. Typically consisting of an array of m firewalls, these systems filter arriving packets according to a security policy. Given the firewall array, the rules can be distributed in two fashions. Data parallel copies the entire policy to each firewall and distributes packets. In contrast, function parallel distributes the rules and duplicates packets. The function parallel design can provide significantly lower delays than an equivalent data parallel design; however, performance is dependent on how the rules are distributed. Therefore, policy management is vital to the performance of the function parallel firewall system. This paper describes the guidelines necessary to maintain policy integrity, which guarantees that a function parallel and a traditional firewall provide the same action for a packet. Based on these requirements, a policy can be divided into autonomous chains (sub-policies) that can be distributed across the firewall array. Although determining the optimal distribution was shown to be NP-hard, an effective algorithm was described. Simulation results indicate the distribution algorithm can provide an 86% reduction in the average processing delay as compared to previous distribution methods.
Keywords :
authorisation; computational complexity; NP-hard; function parallel firewalls; policy distribution methods; security policy; Computer network management; Computer science; Data security; Delay; Filters; Guidelines; Inspection; Quality of service; Telecommunication traffic; Traffic control;
Conference_Title :
Computer Communications and Networks, 2008. ICCCN '08. Proceedings of 17th International Conference on
Conference_Location :
St. Thomas, US Virgin Islands
Print_ISBN :
978-1-4244-2389-7
Electronic_ISBN :
1095-2055
DOI :
10.1109/ICCCN.2008.ECP.121