以正面與反面快取機制來加速防火牆的效能

Abstract

防火牆是幾個可以保護內部網路不被外部網路攻擊或入侵的最佳方法之一。如果你的內部網路有連接上網際網路，設定防火牆巳經變成一種基本的保護措施。但是防火牆有規則數目的擴充性問題，當規則數目增加時，防火牆處理每個封包的時間也會增加而導致效能下降。我們提出一種新穎的正面與反面快取機制來加速防火牆以解決這個問題但卻不更改原有防火牆的封包比對演算法。其中，正面快取用來加速正常的連線而反面快取則用來加速不正常連線。我們將我們的演算法實做在一套開放原始碼防火牆IP Filter上，並且做了評比來說明我們的加速效果，結果顯示在五百條規則下，我們的技術提升封包大小64位元組的UDP傳輸效能(吞吐量)為原有的13.5倍，窗戶大小16千位元組的TCP傳輸效能(吞吐量)為原有的1.78倍。

Firewall is one of the best solutions for protecting their networks and hosts against external attacks and intrusions. Setting up a firewall is turned into a basic protection if you connect Internet. But it has scalability issue on the number of firewall rules. As the number of rules increases, per-packet processing time increases and the performance drops. We proposed new positive and negative caching mechanisms instead of modifying existing packet matching algorithm to accelerate firewall and resolve the scalability problem. Positive flow cache is for normal traffic and negative is for abnormal one. We implement our algorithm on the open source firewall IP Filter. Benchmarking results are also provided to further illustrate our acceleration. Compared to original firewall under 500 rules, the result shows that UDP throughput is increased by 13.5 times with packet size 64 bytes and TCP throughput is increased by 1.78 times with windows size 16 Kbytes when using our mechanism.