By Topic

A Multi-dimension Rule Update in a TCAM-based High-Performance Network Security System

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$31 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

4 Author(s)
Hae-Jin Jeong ; Dept. of Comput. Sci. & Eng., Chungnam Nat. Univ., Daejon ; Il-Seop Song ; Yoo-Kyoung Lee ; Taeck-Geun Kwon

Network security systems such as firewall and intrusion prevention system (IPS) have packet classification rule to allow or protect the network traffic. In addition, they are forced to provide multi-gigabit speed in order to deploy the current Internet backbone which requires gigabit Ethernet (GbE), 10 GbE, OC-192, etc. In order to support high-performance packet classification in the network security system, a ternary content addressable memory, i.e., TCAM accelerates flow identification with classification rules. The TCAM, however, matches the first rule among multiple matched rules, so the ordering of TCAM entries is strictly kept while rules are added or deleted. To keep the ordering in a TCAM, some existing TCAM entries should move to other empty space which impacts the data path processing in the network security system. In this paper, we have proposed a rule update algorithm which reduces the number of TCAM entry movement by the partial ordering of TCAM entry groups instead of the sequential ordering. Our simulation results justify the significant decrement of movement operations where we have applied both generated random rules and real IPS rules, i.e., Snort rules

Published in:

Advanced Information Networking and Applications, 2006. AINA 2006. 20th International Conference on  (Volume:2 )

Date of Conference:

18-20 April 2006