The Journal of Supercomputing, Volume 57, Issue 1, pp 99–108

Improving IPS by network processors

  • Pablo Cascón
  • Julio Ortega
  • Yan Luo
  • Eric Murray
  • Antonio Díaz
  • Ignacio Rojas


Many present-day applications require high communication throughput. Multiprocessor nodes and multicore architectures, as well as programmable NICs (Network Interface Cards), provide new opportunities to take advantage of the available multigigabit-per-second link bandwidths. Nevertheless, to achieve adequate communication performance, efficient parallel processing of network tasks and interfaces should be considered. In this paper, we leverage network processors, heterogeneous microarchitectures with several multithreaded cores that are suited to packet processing, to investigate the use of parallel processing to accelerate the network interface and thus the network applications built on top of it. More specifically, we have implemented an intrusion prevention system (IPS) on such a network processor. We describe the IPS we have developed, whose offloaded implementation allows faster packet processing of both normal and corrupted traffic. Placing the IPS close to the network, by using specialized network processors, gives many times lower latency and higher bandwidth available to the legitimate traffic.


Network processors Offloading IPS Parallel network interface Multithreading 





Copyright information

© Springer Science+Business Media, LLC 2011

Authors and Affiliations

  • Pablo Cascón (1)
  • Julio Ortega (1)
  • Yan Luo (2)
  • Eric Murray (2)
  • Antonio Díaz (1)
  • Ignacio Rojas (1)

  1. Department of Computer Architecture and Technology, University of Granada, Granada, Spain
  2. Department of Electrical and Computer Engineering, University of Massachusetts Lowell, Lowell, USA
