Improving IPS by network processors
Many present-day applications require high communication throughputs. Multiprocessor nodes and multicore architectures, as well as programmable NICs (Network Interface Cards), provide new opportunities to take advantage of the available multi-gigabit-per-second link bandwidths. Nevertheless, to achieve adequate communication performance, efficient parallel processing of network tasks and interfaces should be considered. In this paper, we leverage network processors, heterogeneous microarchitectures with several multithreaded cores suited to packet processing, to investigate the use of parallel processing to accelerate the network interface, and thus the network applications built on top of it. More specifically, we have implemented an intrusion prevention system (IPS) on such a network processor. We describe the IPS we have developed, whose offloaded implementation allows faster packet processing of both normal and corrupted traffic. The benefits of placing the IPS close to the network, by using specialized network processors, are many times lower latency and higher bandwidth available to the legitimate traffic.
Keywords: Network processors, Offloading, IPS, Parallel network interface, Multithreading