TY - GEN
T1 - Multilevel early packet filtering technique based on traffic statistics and splay trees for firewall performance improvement
AU - Trabelsi, Zouheir
AU - Zeidan, Safaa
PY - 2012/12/1
Y1 - 2012/12/1
N2 - This paper presents a mechanism that reduces firewall packet filtering time by optimizing the order in which the security policy's filtering fields are evaluated, so that unwanted packets are rejected as early as possible. The field order is derived from traffic statistics. The mechanism also filters packets in multiple levels, rejecting unwanted packets at each level as early as possible; it can therefore also be viewed as a device protection mechanism against denial of service (DoS) attacks that target the default policy rule. In addition, early packet acceptance uses a splay tree data structure that restructures itself dynamically according to the traffic flows, so repeated packets require fewer memory accesses and the overall packet matching time is reduced. The proposed technique aims to overcome some of the performance limitations of the earlier Self Adjusting Binary Search on Prefix Length (SA-BSPL) technique [1]. Simulation results show that the proposed mechanism significantly improves firewall performance in terms of cumulative packet processing time compared to the SA-BSPL technique.
AB - This paper presents a mechanism that reduces firewall packet filtering time by optimizing the order in which the security policy's filtering fields are evaluated, so that unwanted packets are rejected as early as possible. The field order is derived from traffic statistics. The mechanism also filters packets in multiple levels, rejecting unwanted packets at each level as early as possible; it can therefore also be viewed as a device protection mechanism against denial of service (DoS) attacks that target the default policy rule. In addition, early packet acceptance uses a splay tree data structure that restructures itself dynamically according to the traffic flows, so repeated packets require fewer memory accesses and the overall packet matching time is reduced. The proposed technique aims to overcome some of the performance limitations of the earlier Self Adjusting Binary Search on Prefix Length (SA-BSPL) technique [1]. Simulation results show that the proposed mechanism significantly improves firewall performance in terms of cumulative packet processing time compared to the SA-BSPL technique.
KW - Binary Search on Prefix Length
KW - Early packet Rejection
KW - Hash Table
KW - Packet Classification
KW - Splay Tree
UR - http://www.scopus.com/inward/record.url?scp=84871949465&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84871949465&partnerID=8YFLogxK
U2 - 10.1109/ICC.2012.6364218
DO - 10.1109/ICC.2012.6364218
M3 - Conference contribution
AN - SCOPUS:84871949465
SN - 9781457720529
T3 - IEEE International Conference on Communications
SP - 1074
EP - 1078
BT - 2012 IEEE International Conference on Communications, ICC 2012
T2 - 2012 IEEE International Conference on Communications, ICC 2012
Y2 - 10 June 2012 through 15 June 2012
ER -
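The abstract describes two mechanisms without giving their details: ordering the policy's filtering fields by traffic statistics so that most unwanted packets are rejected after a single comparison, and a splay tree that keeps recently accepted flows near the root so repeated packets cost fewer memory accesses. The Python below is an added illustration of those two ideas in their generic form; it is not the paper's implementation, and the rule, field names, flow 5-tuples and traffic mix are constructed for the example. The multilevel structure and the SA-BSPL comparison from the paper are not reproduced.

```python
"""Added illustration (not the paper's code) of two ideas from the abstract:
(1) order the policy's filtering fields by how often each rejects traffic, so
most unwanted packets are dropped after one comparison; (2) cache accepted
flows in a splay tree keyed on the 5-tuple, so a repeated flow is found near
the root with few memory accesses. Rule, fields and traffic are constructed."""
from collections import Counter

FIELDS = ("src_ip", "dst_ip", "proto", "src_port", "dst_port")
# Constructed single accept rule; None means the field matches any value.
RULE = {"src_ip": {"10.0.0.5"}, "dst_ip": {"10.0.0.1"}, "proto": {"tcp"},
        "src_port": None, "dst_port": {22, 443}}

def check(packet, rule, order, stats):
    """Compare fields in `order`, stopping at the first mismatch (early
    rejection). Returns (accepted, comparisons); `stats` counts rejects per field."""
    comparisons = 0
    for f in order:
        comparisons += 1
        if rule[f] is not None and packet[f] not in rule[f]:
            stats[f] += 1
            return False, comparisons
    return True, comparisons

def order_fields(stats):
    """Most-rejecting field first; ties keep the static FIELDS order."""
    return tuple(sorted(FIELDS, key=lambda f: -stats[f]))

def field_order_demo():
    """Constructed traffic: 10 packets wrong only in dst_port, 3 from a bad src."""
    good = {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.1", "proto": "tcp",
            "src_port": 40001, "dst_port": 443}
    traffic = [dict(good, dst_port=80)] * 10 + [dict(good, src_ip="192.0.2.9")] * 3
    stats = Counter()
    naive_cost = sum(check(p, RULE, FIELDS, stats)[1] for p in traffic)
    tuned = order_fields(stats)                    # learned from the statistics
    tuned_cost = sum(check(p, RULE, tuned, Counter())[1] for p in traffic)
    return tuned, naive_cost, tuned_cost           # 53 comparisons vs 16

class _Node:
    __slots__ = ("key", "left", "right")
    def __init__(self, key):
        self.key, self.left, self.right = key, None, None

def _rot_right(x):
    y = x.left; x.left = y.right; y.right = x; return y

def _rot_left(x):
    y = x.right; x.right = y.left; y.left = x; return y

class SplayTree:
    """Self-adjusting BST: each lookup splays the found key to the root."""
    def __init__(self):
        self.root = None

    def _splay(self, r, key):
        if r is None or r.key == key:
            return r
        if key < r.key:
            if r.left is None:
                return r
            if key < r.left.key:                       # zig-zig
                r.left.left = self._splay(r.left.left, key)
                r = _rot_right(r)
            elif key > r.left.key:                     # zig-zag
                r.left.right = self._splay(r.left.right, key)
                if r.left.right is not None:
                    r.left = _rot_left(r.left)
            return r if r.left is None else _rot_right(r)
        if r.right is None:
            return r
        if key > r.right.key:                          # zag-zag
            r.right.right = self._splay(r.right.right, key)
            r = _rot_left(r)
        elif key < r.right.key:                        # zag-zig
            r.right.left = self._splay(r.right.left, key)
            if r.right.left is not None:
                r.right = _rot_right(r.right)
        return r if r.right is None else _rot_left(r)

    def insert(self, key):
        if self.root is None:
            self.root = _Node(key)
            return
        self.root = self._splay(self.root, key)
        if self.root.key == key:
            return
        n = _Node(key)
        if key < self.root.key:
            n.right, n.left, self.root.left = self.root, self.root.left, None
        else:
            n.left, n.right, self.root.right = self.root, self.root.right, None
        self.root = n

    def depth(self, key):
        """Nodes touched on a plain search path (the memory-access cost)."""
        d, cur = 0, self.root
        while cur is not None:
            d += 1
            if key == cur.key:
                break
            cur = cur.left if key < cur.key else cur.right
        return d

    def lookup(self, key):
        """Returns (found, accesses) and splays so a repeat lookup is cheaper."""
        accesses = self.depth(key)
        self.root = self._splay(self.root, key)
        return self.root is not None and self.root.key == key, accesses

def splay_demo():
    """Seven accepted flows inserted in ascending order form a left chain; the
    first lookup of the oldest flow walks all 7 nodes, the repeat touches 1."""
    cache = SplayTree()
    flows = [("10.0.0.5", "10.0.0.1", "tcp", 40000 + i, 443) for i in range(1, 8)]
    for f in flows:
        cache.insert(f)
    return cache.lookup(flows[0])[1], cache.lookup(flows[0])[1]
```

The field-order part shows the caveat a practitioner should keep in mind: the rejection counts are collected under the order in use, so a field that sits late in the order only sees packets the earlier fields let through, and the statistics must be re-collected after each reordering. The splay part shows the cost model the abstract refers to, with the search depth standing in for memory accesses.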