Dimension-Independent Table-Based Firewalls


Executive Summary

A firewall matches network packets to applicable policy rules based on packet dimensions (i.e., packet fields such as source and destination IP addresses). The efficiency with which firewalls match packets to rules plays a major role in determining a firewall's overall efficiency and resistance to flooding-based Denial-of-Service (DoS) attacks. However, publicly available firewalls perform rule matching with an inefficient, though simple, linear algorithm. The linear-search algorithm traverses the firewall's rule base, one rule at a time, until it finds an applicable rule for the given network packet or exhausts the rule base. The linear-search algorithm is inefficient for medium- and large-sized rule bases.
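The linear-search matching described above, as an added example that is not code from the paper: it returns the matched action together with the number of rules examined, so the per-packet cost can be measured against rule-base size. The names `Rule`, `linear_match` and `build_rule_base`, the four-field rule layout and the default-drop policy are assumptions, and the rule base is constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "drop"
    src: str                      # source network in CIDR form
    dst: str                      # destination network in CIDR form
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        # Every dimension must match for the rule to apply.
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt["dport"]))


def linear_match(rules, pkt, default="drop"):
    """First-match linear search; returns (action, rules_examined)."""
    for examined, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, examined
    # Rule base exhausted: every rule was examined before the default applied.
    return default, len(rules)


def build_rule_base(n):
    """Constructed rule base: n accept rules, one /32 HTTPS host each."""
    return [Rule("accept", "0.0.0.0/0", f"10.0.{i // 256}.{i % 256}/32", "tcp", 443)
            for i in range(n)]


if __name__ == "__main__":
    # Constructed packets: one hits rule 1, one matches no rule at all.
    hit_first = {"src": "198.51.100.7", "dst": "10.0.0.0", "proto": "tcp", "dport": 443}
    no_match = {"src": "198.51.100.7", "dst": "192.0.2.1", "proto": "udp", "dport": 53}
    for n in (10, 100, 1000):
        rules = build_rule_base(n)
        print(n, linear_match(rules, hit_first), linear_match(rules, no_match))
```

The examined count for a packet that matches no rule equals the size of the rule base, which is the linear growth the summary calls inefficient for medium- and large-sized rule bases.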

  • Format: PDF
  • Size: 210.8 KB