Balancing Trie-Based Policy Representations for Network Firewalls

	This Article
	Subscribers, please Login Purchase article: $19 PDF IEEE Xplore Subscribers RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Stephen J. Tarsa Articles by Errin W. Fulp

11th IEEE Symposium on Computers and Communications (ISCC'06)

Cagliari, Sardinia, Italy

June 26-June 29

ISBN: 0-7695-2588-1

	ASCII Text	x
	Stephen J. Tarsa, Errin W. Fulp, "Balancing Trie-Based Policy Representations for Network Firewalls," Computers and Communications, IEEE Symposium on, pp. 755-760, 11th IEEE Symposium on Computers and Communications (ISCC'06), 2006.

	BibTex	x
	@article{ 10.1109/ISCC.2006.44, author = {Stephen J. Tarsa and Errin W. Fulp}, title = {Balancing Trie-Based Policy Representations for Network Firewalls}, journal ={Computers and Communications, IEEE Symposium on}, volume = {0}, year = {2006}, issn = {1530-1346}, pages = {755-760}, doi = {http://doi.ieeecomputersociety.org/10.1109/ISCC.2006.44}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Computers and Communications, IEEE Symposium on TI - Balancing Trie-Based Policy Representations for Network Firewalls SN - 1530-1346 SP755 EP760 A1 - Stephen J. Tarsa, A1 - Errin W. Fulp, PY - 2006 KW - null VL - 0 JA - Computers and Communications, IEEE Symposium on ER -

Stephen J. Tarsa, Wake Forest University, USA

Errin W. Fulp, Wake Forest University, USA

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/ISCC.2006.44

Firewalls inspect arriving packets according to a security policy. The complexity of these policies can cause significant delays in the processing of packets, resulting in degraded performance, traffic bottlenecks, and ultimately violating Quality of Service (QoS) constraints. As network capacities continue to increase, the improvement of firewall performance is a main concern.

One technique that dramatically reduces required processing is the representation of security policies in software with n-ary tries. This paper describes trie balancing methods that further improve performance by placing more frequently used rules in high precedence positions which require fewer tuple comparisons. A proof of sorted trie integrity is presented along with experimental results showing that on average, sorting reduces the number of comparisons by 27% as compared to the original trie and by 83% as compared to a list representation. Sorting methods are described in detail and their benefits are demonstrated empirically.

Citation:

Stephen J. Tarsa, Errin W. Fulp, "Balancing Trie-Based Policy Representations for Network Firewalls," iscc, pp.755-760, 11th IEEE Symposium on Computers and Communications (ISCC'06), 2006

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.