A practical approach for building a parallel firewall for ten gigabit Ethernet backbone

摘要

In a very high-speed network environment such as gigabit Ethernet network, firewalls that have to inspect and filter all flowing packets are reaching their limits. A firewall running on a single machine is potential bottleneck and cannot scale over certain thresholds, even if it has particular hardware built-in. Hence, parallel system appears as an alternative approach under this circumstance. This paper describes a design and implementation of parallel firewall architecture that is able to handle packets for high-speed network. The implementation utilizes arrays of Linux-based firewall under data parallel scheme running incorporate with specific ASIC switch. The load balancing mechanism, using hashing of disjoint subset, distributes the traffic among a configurable number of parallel machines, providing high performance with reliability, flexibility, and scalability. Implementation and measurements in a real network show that the proposed system is scalable to handle a data rate of 10 gigabit per second.