Optimization of parallel firewalls filtering rules
International Journal of Information Security (IF 3.2) Pub Date: 2021-06-21, DOI: 10.1007/s10207-021-00557-4
Taha Elamine Hadjadj, Adel Bouhoula, Rim Tebourbi, Riadh Ksantini

As filtering policies grow larger and more complex, packet filtering at firewalls must keep delays low. New firewall architectures are needed to enforce security and meet the increasing demand for high-speed networks. Two main architectures exist for parallelization: data-parallel and function-parallel firewalls. In the first, packets are distributed across a set of identical firewalls that each implement the entire policy. In the second, each firewall implements a subset of the policy with fewer rules, but every packet has to be duplicated and processed by all the firewalls. This paper proposes a new function-parallel architecture with pre-processing that combines the advantages of both approaches. The proposed architecture has the advantage of not duplicating the data, so the processing time can be significantly reduced. Moreover, our architecture enables stateful inspection of packets, which is necessary to prevent multiple types of attacks. The performance of this architecture has been proven to be scalable for large security policies.
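As an added illustration of the two architectures the abstract contrasts (example code, not the paper's own): a constructed four-rule first-match policy is evaluated data-parallel (one node, full policy), function-parallel (every node sees the packet, verdicts merged by global rule order) and function-parallel with a pre-processing step that forwards the packet only to the partition able to match it, counting rule lookups in each case. The protocol-based partition, the packet fields and the lookup count as a cost measure are assumptions for the illustration, not the paper's scheme.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    proto: Optional[str]   # None acts as a wildcard
    dport: Optional[int]   # None acts as a wildcard
    action: str            # "accept" or "drop"

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or self.proto == pkt["proto"]) and
                (self.dport is None or self.dport == pkt["dport"]))

# Constructed first-match policy; list position is the global priority.
# The final wildcard rule guarantees every packet gets a verdict.
POLICY = [Rule("tcp", 22, "drop"), Rule("tcp", None, "accept"),
          Rule("udp", 53, "accept"), Rule(None, None, "drop")]
INDEXED = list(enumerate(POLICY))

def evaluate(rules, pkt):
    """Walk (global_index, rule) pairs in order; return the first hit as
    (global_index, action) or None, plus the number of rules examined."""
    for examined, (idx, rule) in enumerate(rules, start=1):
        if rule.matches(pkt):
            return (idx, rule.action), examined
    return None, len(rules)

def data_parallel(pkt):
    """Every node holds the full policy; exactly one node sees the packet."""
    verdict, examined = evaluate(INDEXED, pkt)
    return verdict[1], examined

def partition_by_proto(indexed):
    """Assumed split: one node per protocol. Protocol-wildcard rules are
    copied into every partition so first-match order can be restored."""
    protos = {r.proto for _, r in indexed if r.proto is not None}
    return {p: [(i, r) for i, r in indexed if r.proto in (p, None)] for p in protos}

PARTS = partition_by_proto(INDEXED)

def function_parallel(pkt, preprocess=False):
    """Without pre-processing the packet is duplicated to every node; with it,
    a pre-processor forwards the packet only to the partition that can match.
    Verdicts are merged by lowest global index to keep first-match semantics."""
    if preprocess and pkt["proto"] in PARTS:
        nodes = [PARTS[pkt["proto"]]]
    else:
        nodes = list(PARTS.values())   # unknown protocol: fall back to all nodes
    hits, examined = [], 0
    for rules in nodes:
        verdict, n = evaluate(rules, pkt)
        examined += n
        if verdict is not None:
            hits.append(verdict)
    return min(hits)[1], examined
```

All three paths return the same action for a given packet; only the number of rules examined differs, which is the cost the pre-processing step is meant to cut.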




Updated: 2021-06-21