An Extensible, System-On-Programmable-Chip, Content-Aware Internet Firewall

  • John W. Lockwood
  • Christopher Neely
  • Christopher Zuver
  • James Moscola
  • Sarang Dharmapurikar
  • David Lim
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2778)


An extensible firewall has been implemented that performs packet filtering, content scanning, and per-flow queuing of Internet packets at Gigabit/second rates. The firewall uses layered protocol wrappers to parse the content of Internet data. Packet payloads are scanned for keywords using parallel regular expression matching circuits. Packet headers are compared to rules specified in Ternary Content Addressable Memories (TCAMs). Per-flow queuing is performed to mitigate the effect of Denial of Service attacks. All packet processing operations were implemented with reconfigurable hardware and fit within a single Xilinx Virtex XCV2000E Field Programmable Gate Array (FPGA). The single-chip firewall has been used to filter Internet SPAM and to guard against several types of network intrusion. Additional features were implemented in extensible hardware modules deployed using run-time reconfiguration.


Keywords: Field Programmable Gate Array, Regular Expression, Internet Protocol, Packet Header, Queue Manager
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • John W. Lockwood (1)
  • Christopher Neely (1)
  • Christopher Zuver (1)
  • James Moscola (1)
  • Sarang Dharmapurikar (1)
  • David Lim (1)

  1. Applied Research Laboratory, Washington University in Saint Louis, Saint Louis, USA
