
Basic article information

  • Title: The Statistical Capable Identical Algorithm for Firewalls
  • Full text (local): Download
  • Authors: M. Shalini ; Abdul Majeed ; Dr. C. Sunil Kumar
  • Journal: International Journal of Computer Science & Technology
  • Print ISSN: 2229-4333
  • Electronic ISSN: 0976-8491
  • Year of publication: 2012
  • Volume: 3
  • Issue: 4
  • Pages: 267-275
  • Language: English
  • Publisher: Ayushmaan Technologies
  • Abstract: Since firewalls need to filter all the traffic crossing the network perimeter, they should be able to sustain a very high throughput, or risk becoming a bottleneck. Firewall packet matching can be viewed as a point location problem: each packet (point) has 5 fields (dimensions), which need to be checked against every firewall rule in order to find the first matching rule. Thus, algorithms from computational geometry can be applied. In this paper we consider a classical algorithm that we adapted to the firewall domain. We call the resulting algorithm "Geometric Efficient Matching" (GEM). The GEM algorithm enjoys logarithmic matching time performance. However, the algorithm's theoretical worst-case space complexity is O(n^4) for a rule-base with n rules. Because of this perceived high space complexity, GEM-like algorithms were rejected as impractical by earlier works. Contrary to this conclusion, this paper shows that GEM is actually an excellent choice. Based on statistics from real firewall rule-bases, we created a Perimeter rules model that generates random, but non-uniform, rule-bases. We evaluated GEM via extensive simulation using the Perimeter rules model. Our simulations show that on such rule-bases, GEM uses near-linear space, and only needs approximately 13MB of space for rule-bases of 5,000 rules. Moreover, with the use of additional space-improving heuristics, we have been able to reduce the space requirement to 2-3MB for 5,000 rules. But most importantly, we integrated GEM into the code of the Linux iptables open-source firewall, and tested it on real traffic loads. Our GEM-iptables implementation managed to filter over 30,000 packets per second on a standard PC, even with 10,000 rules. Therefore, we believe that GEM is an efficient and practical algorithm for firewall packet matching.
  • Keywords: Network Communication; Network-level Security and Protection