DocumentCode
3608095
Title
Modelling and analysis of rule-based network security middleboxes
Author
Salah, Khaled ; Chaudary, Aslam
Author_Institution
Electr. & Comput. Eng. Dept., Khalifa Univ. of Sci., Sharjah, United Arab Emirates
Volume
9
Issue
6
fYear
2015
Firstpage
305
Lastpage
312
Abstract
This study presents an analytical model for rule-based network security middleboxes such as network firewalls, intrusion detection systems and email spam filters. In these systems, incoming packets carrying requests arrive at the middlebox and are queued for processing in multiple stages. The stages consist of a main stage for packet processing, followed by subsequent stages of rule-base interrogation in which rules or conditions are checked sequentially until a match is triggered. Service at these stages is characterised as mutually exclusive; that is, only one stage is active at any time. The authors derive useful formulas that predict middlebox performance from its incoming request rate, queue size and processing capacity, thereby enabling proper capacity engineering of the middlebox.
Keywords
computer network security; knowledge based systems; queueing theory; email spam filters; intrusion detection systems; middlebox performance; middlebox processing capacity; network firewalls; packet processing; queue size; rule-base interrogation; rule-based network security middleboxes
fLanguage
English
Journal_Title
Information Security, IET
Publisher
iet
ISSN
1751-8709
Type
jour
DOI
10.1049/iet-ifs.2014.0545
Filename
7295684
Link To Document