A Formal Model and Technique to Redistribute the Packet Filtering Load in Multiple Firewall Networks

Durante L; Seno L; Valenzano A
2021

Abstract

The dynamic redistribution of filtering rules between firewalls located in the same network is a technical solution that can cope with temporary changes in the traffic load processed by the firewalls themselves. This paper presents a novel formal model for networks including multiple cascaded firewalls, which can be leveraged to enable the transfer of a set of rules from a firewall to its downstream neighbors when changes in the input traffic profile suggest doing so. Compared with other solutions that have appeared in the literature, a formal approach, besides providing unambiguous specifications and mathematical proofs of correctness, also enables the computation of theoretical bounds for the expected performance before the proposed scheme is actually deployed in the target network. The underlying mechanism on which our approach is based is the reduction of the average number of rules checked per packet, in order to increase the packet processing rate. Our network model takes into account both the system topology and the firewall characteristics. A suitable transformation algorithm is then introduced, which is able to preserve the security integrity of the network while moving rules between cascaded firewalls, allowing tangible performance improvements in terms of packet processing rate for a given traffic profile. Correctness of the proposed solution has been formally proven and validated by means of simulation. Performance figures have also been obtained by running the proposed algorithm in a laboratory experimental test-bed.
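To make the mechanism in the abstract concrete, the following Python toy is an added illustration and not the paper's formal model or transformation algorithm. It assumes (all constructed here) a packet universe of (src, dst, port) triples, two cascaded firewalls FW1 (upstream) and FW2 (downstream) with first-match rules and an implicit default DENY, and that only traffic destined for hosts behind FW2 matters, so a packet is delivered only if both firewalls accept it. Under those assumptions it moves a rule from FW1 to FW2, checks over the whole packet universe that the end-to-end decision is unchanged (the "security integrity" condition), and reports the average number of rules checked per packet at each firewall before and after the move for a constructed traffic profile. Hosts sitting between the two firewalls are deliberately left out; a topology-aware model such as the one the abstract describes has to account for them.

```python
"""Toy model of moving filtering rules between two cascaded firewalls.

Added illustration, not the paper's formal model or algorithm. Constructed
assumptions: packets are (src, dst, port) triples from a small universe; each
firewall is an ordered list of first-match rules with an implicit default DENY;
FW1 is upstream of FW2; only traffic destined for hosts behind FW2 is modelled,
so a packet is delivered only if both firewalls accept it.
"""
from collections import Counter
from itertools import product

ACCEPT, DENY = "accept", "deny"


def rule(name, action, src=None, dst=None, port=None):
    """Build a rule as (name, predicate, action); a None field is a wildcard."""
    def matches(pkt):
        s, d, p = pkt
        return ((src is None or s == src) and (dst is None or d == dst)
                and (port is None or p == port))
    return (name, matches, action)


def evaluate(ruleset, pkt):
    """First-match evaluation. Returns (action, number of rules checked)."""
    for checked, (_, matches, action) in enumerate(ruleset, start=1):
        if matches(pkt):
            return action, checked
    return DENY, len(ruleset)          # default deny after scanning the list


def end_to_end(fw1, fw2, pkt):
    """Decision for a packet that must cross FW1 and then FW2.
    Returns (action, rules checked at FW1, rules checked at FW2)."""
    action, n1 = evaluate(fw1, pkt)
    if action == DENY:
        return DENY, n1, 0               # dropped upstream, FW2 never sees it
    action, n2 = evaluate(fw2, pkt)
    return action, n1, n2


def avg_checks(fw1, fw2, profile):
    """Average rules checked per packet at FW1 and at FW2 for a traffic
    profile given as Counter{packet: number of packets}."""
    total = sum(profile.values())
    c1 = c2 = 0
    for pkt, count in profile.items():
        _, n1, n2 = end_to_end(fw1, fw2, pkt)
        c1 += n1 * count
        c2 += n2 * count
    return c1 / total, c2 / total


def move_rules(fw1, fw2, names):
    """Remove the named rules from FW1 and prepend them, in order, to FW2."""
    moved = [r for r in fw1 if r[0] in names]
    return [r for r in fw1 if r[0] not in names], moved + list(fw2)


def same_policy(before, after, universe):
    """Security-integrity check: every packet in the universe must get the
    same end-to-end decision before and after the move."""
    return all(end_to_end(*before, p)[0] == end_to_end(*after, p)[0]
               for p in universe)


# Constructed sample network: three sources, two protected hosts, two ports.
UNIVERSE = list(product(["a", "b", "c"], ["h1", "h2"], [22, 80]))

FW1 = [
    rule("r1", DENY, src="c", port=22),     # rarely hit under today's traffic
    rule("r2", DENY, src="b", port=22),
    rule("r3", ACCEPT, port=80),
    rule("r4", ACCEPT, src="a", port=22),
]
FW2 = [
    rule("s1", DENY, dst="h2", port=22),
    rule("s2", ACCEPT),
]

# Constructed traffic profile: mostly web traffic, very little from source "c".
PROFILE = Counter({("a", "h1", 80): 50, ("b", "h1", 80): 30,
                   ("a", "h1", 22): 10, ("c", "h1", 22): 2,
                   ("b", "h2", 22): 8})


def redistribute(names):
    """Move the named rules from FW1 to FW2 and report
    (policy preserved?, avg checks before, avg checks after)."""
    fw1b, fw2b = move_rules(FW1, FW2, names)
    return (same_policy((FW1, FW2), (fw1b, fw2b), UNIVERSE),
            avg_checks(FW1, FW2, PROFILE),
            avg_checks(fw1b, fw2b, PROFILE))


if __name__ == "__main__":
    ok, before, after = redistribute({"r1"})
    print("policy preserved:", ok)
    print("avg checks (FW1, FW2) before: %.2f, %.2f" % before)
    print("avg checks (FW1, FW2) after:  %.2f, %.2f" % after)
    # Moving an ACCEPT rule downstream is not safe: FW1 would drop its traffic.
    print("moving r3 preserves policy:", redistribute({"r3"})[0])
```

Moving the seldom-hit deny rule r1 downstream shortens the path every other packet takes through FW1 (its average drops from 2.98 to 2.04 checks per packet) at the price of a higher load on FW2 (1.80 to 2.70), which is exactly the trade-off a traffic profile has to justify. The `same_policy` check also rejects moving the accept rule r3, since FW1 would then default-deny traffic it used to accept; the check is exhaustive over the toy universe, whereas the paper relies on a formal proof rather than enumeration.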
Istituto di Elettronica e di Ingegneria dell'Informazione e delle Telecomunicazioni - IEIIT
network security
firewall
rule distribution
formal methods
industrial communication networks


Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.14243/425214