Abstract
Many computer networks provide limited security through the simple firewall features in routers and switches. Networks that require higher security use deep packet filters to catch packets that a simple firewall cannot detect. Deep packet filters use a list of rules to determine whether a packet is safe. There is a high degree of parallelism in processing these rules, because each rule represents an independent pattern-matching process. We find that the underlying architectures of existing software and hardware firewalls do not fully take advantage of this parallelism. We therefore design a deep packet filtering firewall on a field programmable gate array (FPGA) that exploits this parallelism while retaining programmability. Our implementation is capable of processing over 2.88 gigabits per second of network stream on an Altera EP20K series FPGA without manual optimization.
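As an added illustration (not code from the paper or its authors), the rule independence the abstract relies on can be modelled in software: each rule is its own shift-register comparator, and every comparator is clocked with the same payload byte, so the rule set is evaluated in one pass regardless of how many rules there are. The rule names, patterns and HTTP-style payload below are constructed for this example.

```c
#include <string.h>
#include <stdint.h>

#define MAX_PAT 16

/* One rule = one independent matcher with its own shift-register window,
 * modelling a per-rule comparator fed by a shared byte stream (an assumed
 * structure for illustration, not the circuit from the paper). */
typedef struct {
    const char *name;
    const uint8_t *pattern;
    size_t len;                 /* pattern length, <= MAX_PAT */
    uint8_t window[MAX_PAT];    /* last len payload bytes, oldest first */
    int hit;                    /* payload offset of first match, or -1 */
} rule_t;

/* Clock one matcher: shift in the next byte, then compare its window. */
static void rule_clock(rule_t *r, uint8_t byte, size_t offset) {
    memmove(r->window, r->window + 1, r->len - 1);
    r->window[r->len - 1] = byte;
    if (r->hit < 0 && offset + 1 >= r->len &&
        memcmp(r->window, r->pattern, r->len) == 0)
        r->hit = (int)(offset + 1 - r->len);
}

/* One clock per payload byte; every rule consumes that byte in lock step, so
 * adding rules adds comparators, not passes over the data. Returns the number
 * of rules that matched; each rule's first-match offset is left in .hit. */
int scan_payload(rule_t *rules, size_t nrules, const uint8_t *payload, size_t n) {
    for (size_t i = 0; i < nrules; i++) { rules[i].hit = -1; memset(rules[i].window, 0, MAX_PAT); }
    for (size_t off = 0; off < n; off++)
        for (size_t i = 0; i < nrules; i++)
            rule_clock(&rules[i], payload[off], off);
    int matched = 0;
    for (size_t i = 0; i < nrules; i++) matched += (rules[i].hit >= 0);
    return matched;
}

/* Constructed rule set and HTTP-style payload (not taken from the paper). */
static rule_t demo_rules[] = {
    { "cgi-bin",   (const uint8_t *)"/cgi-bin/", 9, {0}, -1 },
    { "traversal", (const uint8_t *)"../",       3, {0}, -1 },
    { "passwd",    (const uint8_t *)"passwd",    6, {0}, -1 },
};
#define DEMO_NRULES (sizeof demo_rules / sizeof demo_rules[0])
static const uint8_t demo_payload[] = "GET /cgi-bin/printenv?f=passwd HTTP/1.0\r\n";

/* Runs the demo: returns the number of matching rules (2 for the payload above). */
int run_demo(void) {
    return scan_payload(demo_rules, DEMO_NRULES, demo_payload, sizeof demo_payload - 1);
}
```

Each matcher keeps only its own window and hit flag, which is why the per-rule logic can be replicated side by side in hardware instead of being iterated over in software.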
© 2002 Springer-Verlag Berlin Heidelberg
Cite this paper
Cho, Y.H., Navab, S., Mangione-Smith, W.H. (2002). Specialized Hardware for Deep Network Packet Filtering. In: Glesner, M., Zipf, P., Renovell, M. (eds) Field-Programmable Logic and Applications: Reconfigurable Computing Is Going Mainstream. FPL 2002. Lecture Notes in Computer Science, vol 2438. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-46117-5_48
DOI: https://doi.org/10.1007/3-540-46117-5_48
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-44108-3
Online ISBN: 978-3-540-46117-3