A Streaming Content Search-and-Replace Module for an Internet Firewall
Abstract. A
module has been implemented in Field Programmable Gate
Array (FPGA) hardware that is able to perform regular
expression search-and-replace operations on the content
of Internet packets at Gigabit/second rates. A set of
layered protocol wrappers is used to parse the headers
and payloads of packets for Internet protocol data. A
content matching server automatically generates, compiles,
synthesizes, and programs the module into the Field-programmable
Port Extender (FPX) platform.
Introduction. As
the speed of networks continues to increase, it becomes increasingly
difficult to monitor content sent over the Internet with
software-based processing techniques. Hardware-based processing
is needed to keep pace with modern high-performance networks.
To achieve high network performance, hardware devices known
as Field Programmable Gate Arrays (FPGAs) have been used.
FPGAs offer a method for implementing functions in hardware
in a way that allows the circuit to be modified. Hardware-based
search and hardware-based search-and-replace systems have
been developed that can scan and modify packets as they stream
through the network.
FPgrep and FPsed utilize
regular expressions (REs) to specify a set of string patterns
that may be searched for within the payload of a packet as
it passes through
a network. The RE patterns can range in complexity from a
simple single character string to a string consisting of
multiple wildcards.
By combining the power of
REs and the flexibility of FPGAs on the Field Programmable
Port Extender (FPX) [2, 3], the FPgrep and FPsed packet payload
processors may be used to process packet contents on high-speed
networks.
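The processing path described above (peel the protocol layers, apply an RE search-and-replace to the payload, re-emit the packet) can be modeled in software. The sketch below is an added example, not the FPX circuit or the authors' code; the function names, the sample packet, and the pattern `w..z` are assumptions made for illustration.

```python
import re
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (16-bit one's-complement sum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def split_layers(packet: bytes):
    """Peel the IPv4 header, then the TCP header, leaving the payload."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("this model handles IPv4/TCP only")
    total_len = struct.unpack("!H", packet[2:4])[0]
    doff = (packet[ihl + 12] >> 4) * 4
    return packet[:ihl], packet[ihl:ihl + doff], packet[ihl + doff:total_len]

def search_and_replace(packet: bytes, pattern: bytes, repl: bytes) -> bytes:
    """Rewrite payload matches, then repair the length and checksum fields."""
    ip, tcp, payload = split_layers(packet)
    new_payload = re.sub(pattern, repl, payload)
    if new_payload == payload:
        return packet  # no match: forward the packet untouched
    ip, tcp = bytearray(ip), bytearray(tcp)
    struct.pack_into("!H", ip, 2, len(ip) + len(tcp) + len(new_payload))
    struct.pack_into("!H", ip, 10, 0)
    struct.pack_into("!H", ip, 10, checksum(bytes(ip)))
    # TCP checksum also covers a pseudo-header: src, dst, zero, proto, TCP length
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(tcp) + len(new_payload))
    struct.pack_into("!H", tcp, 16, 0)
    struct.pack_into("!H", tcp, 16, checksum(pseudo + bytes(tcp) + new_payload))
    return bytes(ip) + bytes(tcp) + new_payload

def build_packet(payload: bytes) -> bytes:
    """Constructed sample: minimal IPv4/TCP packet, 192.0.2.1 -> 192.0.2.2."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 8192, 0, 0)
    return ip + tcp + payload

# Constructed input: "w..z" uses two single-character wildcards.
SAMPLE = build_packet(b"hello wxyz and wabz")
OUT = search_and_replace(SAMPLE, rb"w..z", b"[removed]")
```

A replacement that changes the payload length also shifts the TCP sequence space for every later segment of the flow, which this single-packet model does not track.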