Multi-dimension rule update in a TCAM-based high-performance network security system

Network security systems such as firewall and intrusion prevention system (IPS) have packet classification rule to allow or protect the network traffic. In addition, they are forced to provide multi-gigabit speed in order to deploy the current Internet backbone which requires gigabit Ethernet (GbE), 10 GbE, OC-192, etc. in order to support high-performance packet classification in the network security system, a Ternary Content Addressable Memory, i.e., TCAM accelerates flow identification with classification rules. The TCAM, however, matches the first rule among multiple matched rules, so the ordering of TCAM entries is strictly kept while rules are added or deleted. To keep the ordering in a TCAM, some existing TCAM entries should move to other empty space which impacts the data path processing in the network security system. In this paper, we have proposed a rule update algorithm which reduces the number of TCAM entry movement by the partial ordering of TCAM entry groups instead of the sequential ordering. Our simulation results justify the significant decrement of movement operations where we have applied both generated random rules and real IPS rules, i.e., Snort rules.