OPTWALL: A Hierarchical Traffic-Aware Firewall

The overall efficiency, reliability, and availability of a firewall is crucial in enforcing and administrating security, especially when the network is under attack. The continuous growth of the Internet, coupled with the increasing sophistication of the attacks, is placing stringent demands on firewall performance. These challenges require new designs, architecture and algorithms to optimize firewalls. In this paper, we propose OPTWALL, an adaptive hierarchical firewall optimization framework aimed at reducing operational cost of firewalls. The main features of the proposed approach are the hierarchical design, splitting techniques, an online traffic adaptation mechanism, and a strong reactive scheme to counter malicious attacks (e.g. Denial-of-Service (DoS) attacks). To the best of our knowledge, this work is the first of its kind to use traffic characteristics in the design of an adaptive hierarchical firewall optimization framework. To study the performance of OPTWALL, a set of experiments are conducted on Linux ipchains. The performance evaluation study uses a large set of firewall policies and traffic traces managed by a Tier1 ISP and provides security access for the ISP network from/to its business partners. Results show the high potential of OPTWALL to reduce the operational cost of firewalls. In particular, the results show that a performance improvement of nearly 35% can been achieved in a heavily loaded network environment.