How long does it take to offload traffic from firewall?

Date

2013-12

Journal Title

Journal ISSN

Volume Title

Publisher

Abstract

Demonstration of how intelligent steering of classified application traffic with flows in OpenFlow protocol can alleviate firewall bottleneck issues. Irrespective of the available higher bandwidth capabilities of the network, traffic passing through a firewall, where every packet is statefully inspected and/or deep packet inespected (DPI), causes bottlenecks. Isolation of the classified application traffic from all other traffic by means of VLANs and MPLS has been proposed, and is being implemented. Our demonstration leverages the SDN paradigm and flow isolation is achieved by programming the forwarding plane in conjunction with a dynamic utilization of a firewall’s application-aware DPI capabilities and other analytics. In this respect, as soon as classified application traffic session has been positively identified by the firewall, a flow rule can be written to offload the remainder of the data transfer from the firewall to a fast path on the switch. All sessions are inspected by the firewall, but not all packets of every session need to pass through the firewall. Thus the security is preserved and the throughput constraint is removed.

The demonstration utilizes a virtual distributed firewall product from vARMOUR Networks, Inc. to deliver software defined security, SDSec. Once an application is identified for a new session (occurs within a small number of packets, usually less than 10), and the session is to be permitted, the remainder of the session’s packets are steered to a fast path on an OpenFlow switch using as a flow definition that exists for the duration of the session. We present the research investigations on the trade-offs for such a fast path mechanism through the network, considering processing delays introduced by the mechanism. Namely, an optimal session length should be determined for such a fast path mechanism to be worthwhile in a campus network. The main delay components to be measured and presented include: a flow setup requires a controller to push flows respective to programmable, the flow redirection takes time as such a flow should be activated at the programmable switch, and the network delay associated with the setup process.

‘What Is The Ideal Length Of Session To Benefit From The Intelligent Application Steering Based Dpi Offload Solution?’

For the application traffic to benefit from this intelligent offload of deep packet inspection solution, determining the ideal length of the session on the firewall is the objective of this work. In other words, we determine ‘How Long Does It Take to Offload Traffic from the Firewall?’ which is the ideal length of the session on the firewall for this intelligent offload solution.

Description

Keywords

Firewall bottlenecks, Deep Packet Inspection, Application Steering, Flow Setup Time

Citation