TY - GEN
T1 - Enhanced session table architecture for stateful firewalls
AU - Trabelsi, Z.
AU - Zeidan, S.
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018/7/27
Y1 - 2018/7/27
N2 - A stateful firewall keeps track of the state of network connections. The performance of a stateful firewall is determined by both the performance of its session table and the mechanism used for packet filtering. This paper presents a stateful session table architecture and then integrates it with the Splay tree firewall. The Splay tree firewall organizes policy rules in a designated prefix length splay tree data structure, and a collection of hash tables grouped by prefix length. Packet filtering time using the Splay tree firewall is essentially reduced through multilevel filtering paths, where unwanted packets are rejected as early as possible. The proposed session table architecture reduces memory space consumption and session operations time, as it uses one hash slot per connection. Keeping all connection-related information in one session entry produces additional processing time, particularly for session timeout attribute processing. Our proposed session architecture separates session state and timeout attribute information into different data structures to enhance the overall system performance.
AB - A stateful firewall keeps track of the state of network connections. The performance of a stateful firewall is determined by both the performance of its session table and the mechanism used for packet filtering. This paper presents a stateful session table architecture and then integrates it with the Splay tree firewall. The Splay tree firewall organizes policy rules in a designated prefix length splay tree data structure, and a collection of hash tables grouped by prefix length. Packet filtering time using the Splay tree firewall is essentially reduced through multilevel filtering paths, where unwanted packets are rejected as early as possible. The proposed session table architecture reduces memory space consumption and session operations time, as it uses one hash slot per connection. Keeping all connection-related information in one session entry produces additional processing time, particularly for session timeout attribute processing. Our proposed session architecture separates session state and timeout attribute information into different data structures to enhance the overall system performance.
KW - Early packet rejection
KW - Hash table
KW - Packet classification
KW - Session table
KW - Splay tree
KW - Stateful firewall
UR - http://www.scopus.com/inward/record.url?scp=85051436158&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85051436158&partnerID=8YFLogxK
U2 - 10.1109/ICC.2018.8422079
DO - 10.1109/ICC.2018.8422079
M3 - Conference contribution
AN - SCOPUS:85051436158
SN - 9781538631805
T3 - IEEE International Conference on Communications
BT - 2018 IEEE International Conference on Communications, ICC 2018 - Proceedings
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2018 IEEE International Conference on Communications, ICC 2018
Y2 - 20 May 2018 through 24 May 2018
ER -