15th Annual Computer Security Applications Conference
December 6-10, 1999
Phoenix, Arizona

A Parallel Packet Screen for High Speed Networks

Carsten Benecke, benecke@fwl.dfn.de

Firewall Lab for High Speed Networks (DFN-FWL)
German Research Network

University of Hamburg
Fachbereich Informatik, FWL
Vogt-Koelln-Strasse 30
22527 Hamburg

Phone: +49-40-42883-2010
Fax: +49-40-42883-2241

This paper demonstrates why security issues related to the continually increasing bandwidth of High Speed Networks (HSN) cannot be addressed with conventional firewall mechanisms. A single packet screen running on a fast computer is not capable of filtering all packets traversing a Fast/Gigabit Ethernet. This problem can be addressed by using parallel processing methods to implement a fast, scalable packet screen for Ethernets. The paper shows how hardware may be utilized to distribute the network load among such parallel packet screens. Empirical results using "off-the-shelf" equipment indicate that this approach is usable.