Network Firewall Policy Tries ∗

Network firewalls remain the forefront defense for most computer systems. These critical devices filter traffic by comparing arriving packets to a list of rules, or security policy, in a sequential manner. Unfortunately packet filtering in this fashion can result in significant traffic delays, which is problematic for applications that require strict Quality of Service (QoS) guarantees. Furthermore, as network speeds and capacities continue to increase, the processing time associated with filtering only compounds these delays. Given this demanding environment, new methods are needed to increase network firewall performance. This paper introduces a new technique for representing a security policy in software that maintains policy integrity and provides more efficient processing. The policy is represented as an n-ary retrieval tree, also referred to as a trie. This structure is able to quickly reach decisions based on the security policy by simultaneously eliminating multiple rules with few comparisons. As a result, the worst case processing requirement for the policy trie is a fraction compared a list representation, which only consider rules individually (1/5 the processing for TCP/IP networks). Furthermore unlike other representations, the n-ary trie developed in this paper is proven to maintain policy integrity. The creation of policy trie structures is discussed in detail and their performance benefits are proven theoretically and validated empirically.