Secure Remote Control of Field-programmable Network Devices
Abstract. A circuit and an associated lightweight protocol have been developed to secure communication between a control console and remote programmable network devices. The circuit provides encryption, data integrity checking and sequence number verification to ensure confidentiality, integrity and authentication of control messages sent over the public Internet. All of these functions are performed directly in FPGA hardware to provide high throughput and near-zero latency. The circuit has been used to control and configure remote firewalls and intrusion detection systems. The circuit could also be used to control and configure other distributed network applications.
Introduction. New types of distributed firewalls, extensible network routers, Intrusion Detection and Prevention Systems (IDPS), and Internet-enabled sensors use reconfigurable hardware devices because they offer both high performance and flexibility. In order to distribute devices over a large geographic area, robust security mechanisms are needed to protect the network devices from unauthorized access and to ensure the integrity of control messages sent over the public Internet.

Existing software-based security frameworks require a large computational effort to encrypt and decrypt data and can bottleneck system performance. We have developed a lightweight solution to the secure control of network devices that uses only hardware mechanisms to send and receive control messages. It has been applied to both a firewall and an IDPS. New features can be added to the system through the secure control channel whenever necessary.
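As an added illustration, not the paper's circuit or its wire format, the Python model below applies the three protections the abstract attributes to the hardware (encryption, integrity checking and sequence number verification) to one control message in software, and shows the receiver rejecting a replayed and a tampered frame. The frame layout, the SHAKE256 keystream, the HMAC-SHA256 tag and the firewall command string are all assumptions made here.

```python
import hashlib, hmac, os, struct
SEQ = struct.Struct("!Q")  # 8-byte big-endian sequence number (assumed frame layout)
TAG_LEN = 32               # HMAC-SHA256 tag length

class SecureControlChannel:
    """One direction (console -> device): frame = seq | encrypted command | tag."""
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.next_send_seq, self.last_accepted_seq = 0, -1

    def _keystream(self, seq: int, length: int) -> bytes:
        # SHAKE256(key || seq) as the keystream; seq doubles as the nonce, so the
        # stream never repeats as long as a sequence number is never reused.
        return hashlib.shake_256(self.enc_key + SEQ.pack(seq)).digest(length)

    def seal(self, command: bytes) -> bytes:
        seq, self.next_send_seq = self.next_send_seq, self.next_send_seq + 1
        body = SEQ.pack(seq) + bytes(a ^ b for a, b in zip(command, self._keystream(seq, len(command))))
        return body + hmac.new(self.mac_key, body, hashlib.sha256).digest()  # encrypt-then-MAC

    def open(self, frame: bytes) -> bytes:
        if len(frame) < SEQ.size + TAG_LEN:
            raise ValueError("truncated frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # 1. Integrity/authentication first: a forged frame must never touch receiver state.
        if not hmac.compare_digest(hmac.new(self.mac_key, body, hashlib.sha256).digest(), tag):
            raise ValueError("bad MAC: frame forged or corrupted")
        (seq,) = SEQ.unpack_from(body)
        # 2. Sequence number must strictly increase: rejects replayed and stale frames.
        if seq <= self.last_accepted_seq:
            raise ValueError(f"replay: seq {seq} <= {self.last_accepted_seq}")
        self.last_accepted_seq = seq
        # 3. Only now decrypt and hand the command to the device.
        ct = body[SEQ.size:]
        return bytes(a ^ b for a, b in zip(ct, self._keystream(seq, len(ct))))

def demo():
    """Device accepts a command once, then rejects a replay and a tampered copy."""
    keys = os.urandom(32), os.urandom(32)  # constructed demo keys, one pair shared by both ends
    console, device = SecureControlChannel(*keys), SecureControlChannel(*keys)
    frame = console.seal(b"ADD_RULE deny tcp any any 23")  # constructed firewall command
    command = device.open(frame)
    def rejected(f):
        try:
            device.open(f)
            return False
        except ValueError:
            return True
    tampered = frame[:10] + bytes([frame[10] ^ 1]) + frame[11:]  # flip one ciphertext bit
    return command, rejected(frame), rejected(tampered)
```

Checking the tag before the sequence number matters: if the counter were advanced on an unauthenticated frame, a forged frame could desynchronize the console and device without ever being decrypted.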