As filtering policies are getting larger and more complex, packet filtering at firewalls needs to keep low delays. New firewall architectures are needed to enforce security and meet the increasing demand for high-speed networks. Two main architectures exist for parallelization, data-parallel and function-parallel firewalls. In the first, packets are distributed across a set of identical firewalls that implement the entire policy. In the second, each firewall implements a subset of the policy with a fewer number of rules, but the packets have to be duplicated and processed by all the firewalls. This paper proposes a new architecture function-parallel with pre-processing that combines the advantages of both architectures. The proposed architecture has the advantage of not duplicating the data, so that the processing time can be significantly reduced. Moreover, our architecture enables stateful inspection of packets, which is necessary to prevent multiple types of attacks. The performances of this architecture have been proven to be scalable for large security policies.
展开▼
