Title :
Performance Improvement over Linux Layer-7 Content Filtering
Author :
Peng, Bing-Heng ; Liu, Huai-Jen ; Wei, Huan-Yun
Author_Institution :
Dept. of Comput. Sci. & Inf. Eng., Chung Hua Univ., Hsinchu, Taiwan
Abstract :
Due to security reasons, many companies need firewalls to filter some mistrusted applications, like FTP or P2P software. However, some applications may hide themselves with some well-known application ports like HTTP port 80 such that some firewalls cannot distinguish mistrusted applications from well-known applications. As a result, firewalls require high performance classification engines that can efficiently inspect layer-7 contents to recognize mistrusted applications. This paper analyzes the layer-7 classification module in Linux Netfilter, the L7filter package, and proposes an alternative implementation to improve the performance of L7filter. The throughput of the proposed method can remain high even in heavily-loaded network environments. The performance of the proposed method is justified by the Spirent SmartBits 6000 testing equipment whose traffic generation speed can achieve gigabit wire-speed.
Keywords :
Internet; Linux; authorisation; computer network security; HTTP port 80; Internet; Linux Netfilter; Linux layer-7 content filtering; Spirent SmartBits 6000 testing equipment; firewalls; gigabit wire-speed; security; Application software; Engines; Filtering; Filters; Linux; Packaging machines; Performance analysis; Security; Testing; Throughput; L7filter; Netfilter; content filter; firewall;
Conference_Title :
Mobile Ad-hoc and Sensor Networks, 2009. MSN '09. 5th International Conference on
Conference_Location :
Fujian
Print_ISBN :
978-1-4244-5468-6
DOI :
10.1109/MSN.2009.56