A high-performance clustering scheme with application in network intrusion prevention system

As network security gains more and more attention, network intrusion prevention systems (NIPS) gradually become one of the most important network systems used in modern Internet environment. The demand for high performance NIPS is driven by the growing bandwidth available in the last mile WAN links as well as the increasing complexity of packet inspection. In this paper, we propose an adaptive clustering scheme to scale the throughput of in-line devices. The proposed scheme aggregates the processing power of multiple in-line devices in a cluster by making incoming traffic self-dispatched in a transparent fashion, and incorporates a traffic redistribution mechanism that keeps the load of each device balanced. The cluster is also able to tolerate device failures so that devices in the cluster can be inserted or removed while the system is running. Based on the designed architecture, we deploy Snort, which is a well-known and popular NIPS, on each device of the cluster and implement all the proposed mechanisms as kernel modules over embedded Linux. According to the results of performance evaluation, we successfully build a high performance, load balancing, and fault tolerant NIPS by means of the proposed mechanisms over the designed in-line device cluster.