Policy Distribution Methods for Function Parallel Firewalls

Michael R. Horvath, E. Fulp, Patrick S. Wheeler
Published in: 2008 Proceedings of 17th International Conference on Computer Communications and Networks
Publication date: 2008-11-17
DOI: 10.1109/ICCCN.2008.ECP.121 (https://doi.org/10.1109/ICCCN.2008.ECP.121)
Citations: 6

Abstract

Parallel firewalls offer a scalable low latency design for inspecting packets at high speeds. Typically consisting of an array of m firewalls, these systems filter arriving packets according to a security policy. Given the firewall array, the rules can be distributed in two fashions. Data parallel copies the entire policy to each firewall and distributes packets. In contrast, function parallel distributes the rules and duplicates packets. The function parallel design can provide significantly lower delays than an equivalent data parallel design, however performance is dependent on how the rules are distributed. Therefore, policy management is vital to the performance of the function parallel firewall system. This paper describes the guidelines necessary to maintain policy integrity, which guarantees that a function parallel and a traditional firewall provide the same action for a packet. Based on these requirements, a policy can be divided into autonomous chains (sub-policies) that can be distributed across the firewall array. Although determining the optimal distribution was shown to be NP-hard, an effective algorithm was described. Simulation results indicate the distribution algorithm can provide an 86% reduction in the average processing delay as compared to previous distribution methods.