Item Details

abstract

Firewalls enforce a security policy between two networks by comparing arriving packets against the policy rules to determine if they should be accepted or denied. Unfortunately, security processing imposes significant delays on routing activity in relation to the complexity and size of the policy. These delays become more apparent as network speeds increase and performance requirements heighten. Thus, the need to improve firewall performance will only increase over time. This thesis introduces a novel parallel firewall design, where firewall nodes collectively enforce a security policy. The proposed model can perform inspections under increased traffic loads and higher traffic speeds in a scalable manner. To accomplish this, each parallel firewall node implements a portion of the policy, a form of function parallelism, and packets are processed by all firewall nodes simultaneously, ensuring a packet's exposure to the entire policy. Since each firewall node has fewer rules to process per packet, the proposed function parallel system can achieve significantly lower delays and higher throughput than both non-parallel and data parallel (load-balancing) firewalls. Furthermore, unlike data parallel systems, the new function parallel design allows stateful inspection of packets, a critical component in preventing certain types of network attacks. These advantages will be demonstrated theoretically and empirically through experiments and simulations.

subject

data parallel

firewall

firewalls

function parallel

high speed

high-speed networks

network security

networks

parallel

security

contributor

Farley, Ryan Joseph (author)

Dr. V. Paul Pauca (committee chair)

Dr. Errin W. Fulp (committee member)

Dr. William H. Turkett (committee member)

creator

Farley, Ryan Joseph

date

2008-09-28T10:50:40Z (accessioned)

2010-06-18T18:59:57Z (accessioned)

2007-08-11 (available)

2008-09-28T10:50:40Z (available)

2010-06-18T18:59:57Z (available)

2005-12-08 (issued)

degree

null (defenseDate)

Computer Science (discipline)

Wake Forest University (grantor)

MA (level)

identifier

farleyryanj_12_2005.pdf

http://hdl.handle.net/10339/14906 (uri)

migration

etd-12142005-194043 (oldETDId)

rights

Release the entire work immediately for access worldwide. (accessRights)

I hereby certify that, if appropriate, I have obtained and attached hereto a written permission statement from the owner(s) of each third party copyrighted matter to be included in my thesis, dissertation, or project report, allowing distribution as specified below. I certify that the version I submitted is the same as that approved by my advisory committee. I hereby grant to Wake Forest University or its agents the non-exclusive license to archive and make accessible, under the conditions specified below, my thesis, dissertation, or project report in whole or in part in all forms of media, now or hereafter known. I retain all other ownership rights to the copyright of the thesis, dissertation or project report. I also retain the right to use in future works (such as articles or books) all or part of this thesis, dissertation, or project report. (license)

title

Parallel Firewall Designs For High-Speed Networks