Dimension-independent Table-based Firewalls

A firewall matches network packets to applicable policy rules based on packet dimensions (i.e., packet fields such as source and destination IP addresses). The efficiency with which firewalls match packets to rules plays a major role in determining a firewall’s overall efficiency and resistance to flooding-based denial-of-service (DoS) attacks. However, publicly available firewalls perform rule matching with an inefficient, though simple, linear algorithm. The linearsearch algorithm traverses through the firewall’s rule base, one rule at a time, until finding an applicable rule for the given network packet or until exhausting the rule base. The linear-search algorithm is inefficient for mediumand large-sized rule bases. This paper proposes a more efficient, but only slightly more complicated, firewall rule-search algorithm based on statically prepared tables and bit arrays. Each statically prepared table maps a number of packet bits (which do not necessarily correspond to a packet dimension) to a bit array that indicates which rules apply for those packet bits. The firewall determines which rules apply for an entire packet by intersecting the sets of rules that apply for each piece of packet data. We analyze and evaluate our dimension-independent table-based algorithm. We provide techniques that firewalls can use to automatically calculate the optimal number and sizes of lookup tables within given space constraints. Our analysis and experiments confirm that dimensionindependent table-based firewalls are more efficient, and significantly more robust during DoS attacks, than either linear-search firewalls or dimension-dependent table-based firewalls.