An Extensible, System-On-Programmable-Chip,
Content-Aware Internet Firewall
Abstract.
An extensible firewall has been implemented that performs
packet filtering, content scanning, and per-flow queuing
of Internet packets at Gigabit/second rates. The firewall
uses layered protocol wrappers to parse the content of
Internet data. Packet payloads are scanned for keywords
using parallel regular expression matching circuits.
Packet headers are compared to rules specified in Ternary
Content Addressable Memories (TCAMs). Per-flow queuing
is performed to mitigate the effect of Denial of Service
attacks. All packet processing operations were implemented
with reconfigurable hardware and fit within a single
Xilinx Virtex XCV2000E Field Programmable Gate Array
(FPGA). The single-chip firewall has been used to filter
Internet SPAM and to guard against several types of network
intrusion. Additional features were implemented in extensible
hardware modules deployed using run-time reconfiguration.
Introduction.
Demand for Internet security has significantly increased. Internet
connected hosts are frequently attacked by malicious machines
located around the world. Hosts can be protected from remote
machines by filtering traffic through a firewall. By actively
dropping harmful packets and rate-limiting unwanted traffic
flows, the harm caused by attacks can be reduced.
While some types of attacks
can be thwarted solely by examination of packet headers,
other types of attacks—such as network intrusion, Internet
worm propagation, and SPAM proliferation—require that
firewalls process entire packet payloads. Few existing firewalls
have the capability to scan entire packet payloads. Of those
that do, most are software-based and cannot process packets
at the high-speed rates used by modern networks. Hardware-accelerated
firewalls are needed to process entire packet payloads at
high speeds.
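The two filtering stages described above (header rules held in a TCAM, then keyword scanning of the full payload for the flows that need it) can be illustrated in software. The following is an added example, not code from the paper or from the FPGA design it describes: it models a TCAM entry as (value, mask) pairs per header field, where a zero mask bit is the ternary "don't care" state, performs first-match lookup, and then runs the keyword expressions over the payload. In the hardware each expression has its own parallel matching circuit; here they are combined into a single alternation. All rule names, keyword patterns, addresses and packets are constructed for the example and carry no meaning beyond it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Helpers for building ternary (value, mask) header fields. A mask bit of 1
# means that bit must match; a mask bit of 0 is the TCAM "don't care" state.
def ip_to_int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def prefix(cidr: str) -> tuple:
    """CIDR prefix -> (value, mask); e.g. 10.0.0.0/8 -> (0x0A000000, 0xFF000000)."""
    ip, bits = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return (ip_to_int(ip) & mask, mask)

def exact(value: int, width: int) -> tuple:
    """Field that must match every bit (mask of all ones over `width` bits)."""
    return (value, (1 << width) - 1)

ANY = (0, 0)  # every mask bit is don't-care, so any value matches

@dataclass(frozen=True)
class TernaryRule:
    name: str
    src_ip: tuple
    dst_ip: tuple
    proto: tuple
    dst_port: tuple
    action: str  # "drop", "accept", or "scan" (accept unless the payload hits a keyword)

FIELDS = ("src_ip", "dst_ip", "proto", "dst_port")

def ternary_match(rule: TernaryRule, hdr: dict) -> bool:
    """True when every header field agrees with the rule on all cared-about bits."""
    return all(
        (hdr[f] & getattr(rule, f)[1]) == (getattr(rule, f)[0] & getattr(rule, f)[1])
        for f in FIELDS
    )

def tcam_lookup(rules, hdr: dict) -> Optional[TernaryRule]:
    """Like a TCAM: return the first (highest-priority) matching entry, else None."""
    for rule in rules:
        if ternary_match(rule, hdr):
            return rule
    return None

# Constructed keyword set. The hardware evaluates one circuit per expression in
# parallel; in software they are merged into one alternation of named groups.
KEYWORDS = {
    "spam_subject": rb"(?i:subject:.*free money)",
    "shell_probe": rb"/bin/sh",
}
KEYWORD_RE = re.compile(
    b"|".join(b"(?P<%s>%s)" % (k.encode(), v) for k, v in KEYWORDS.items())
)

def scan_payload(payload: bytes) -> list:
    """Names of all keyword expressions that occur anywhere in the payload."""
    return sorted({m.lastgroup for m in KEYWORD_RE.finditer(payload)})

def filter_packet(rules, pkt: dict) -> str:
    """Header lookup first; payload scan only for flows the rule marks 'scan'."""
    rule = tcam_lookup(rules, pkt["hdr"])
    if rule is None:
        return "drop"  # default-deny when no TCAM entry matches
    if rule.action == "scan":
        return "drop" if scan_payload(pkt["payload"]) else "accept"
    return rule.action

# Constructed rule table, in priority order (documentation/TEST-NET addresses).
RULES = [
    TernaryRule("block_src_net", prefix("203.0.113.0/24"), ANY, ANY, ANY, "drop"),
    TernaryRule("scan_smtp", ANY, prefix("192.0.2.0/24"), exact(6, 8), exact(25, 16), "scan"),
    TernaryRule("scan_http", ANY, prefix("192.0.2.0/24"), exact(6, 8), exact(80, 16), "scan"),
    TernaryRule("allow_dns", ANY, ANY, exact(17, 8), exact(53, 16), "accept"),
]

def make_hdr(src: str, dst: str, proto: int, dport: int) -> dict:
    return {"src_ip": ip_to_int(src), "dst_ip": ip_to_int(dst), "proto": proto, "dst_port": dport}

# Constructed sample packets: header fields plus a short payload.
SAMPLE_PACKETS = {
    "blocked_net": {"hdr": make_hdr("203.0.113.7", "192.0.2.10", 6, 80), "payload": b"GET / HTTP/1.0\r\n"},
    "clean_mail": {"hdr": make_hdr("198.51.100.5", "192.0.2.25", 6, 25), "payload": b"Subject: meeting notes\r\n"},
    "spam_mail": {"hdr": make_hdr("198.51.100.5", "192.0.2.25", 6, 25), "payload": b"Subject: FREE MONEY now\r\n"},
    "dns": {"hdr": make_hdr("198.51.100.5", "192.0.2.53", 17, 53), "payload": b"\x12\x34\x01\x00"},
    "unmatched": {"hdr": make_hdr("198.51.100.5", "198.51.100.9", 6, 22), "payload": b""},
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        rule = tcam_lookup(RULES, pkt["hdr"])
        print(f"{name:12s} rule={rule.name if rule else None:14s} action={filter_packet(RULES, pkt)}")
```

The order of the rule table matters exactly as it does in a TCAM: the more specific "block_src_net" entry sits above the "scan_*" entries so that a blocked source is dropped before any payload work is spent on it, and the default when nothing matches is to drop rather than accept.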
Application Specific Integrated
Circuits (ASICs) have been used in firewalls to implement
some packet filtering functions. ASICs allow firewalls to
achieve high throughput by processing packets in deep pipelines
and parallel circuits. But ASICs can only protect networks
from threats known to the designer when the chip was fabricated.
Once an ASIC is fabricated, its function is static and cannot
be altered. The ability to protect networks against both
the present and future threats is the real challenge in building
modern firewalls.