Positive and Negative Caching Mechanisms for Firewall Acceleration

• Main Authors: Chih-Ching Chang, 張智晴
• Other Authors: Ying-Dar Lin
• Format: Others
• Language: en_US
• Published: 2002
• Online Access: http://ndltd.ncl.edu.tw/handle/41774314982508394241

碩士 === 國立交通大學 === 資訊科學系 === 90 === Firewall is one of the best solutions for protecting their networks and hosts against external attacks and intrusions. Setting up a firewall is turned into a basic protection if you connect Internet. But it has scalability issue on the number of firewall rules. As the number of rules increases, per-packet processing time increases and the performance drops. We proposed new positive and negative caching mechanisms instead of modifying existing packet matching algorithm to accelerate firewall and resolve the scalability problem. Positive flow cache is for normal traffic and negative is for abnormal one. We implement our algorithm on the open source firewall IP Filter. Benchmarking results are also provided to further illustrate our acceleration. Compared to original firewall under 500 rules, the result shows that UDP throughput is increased by 13.5 times with packet size 64 bytes and TCP throughput is increased by 1.78 times with windows size 16 Kbytes when using our mechanism.