Design and Implementation of a Full Bandwidth ATM Firewall

The ATM technology has been specified to provide users with the ability to request quality of service (QoS) for their applications and to enable high speed communications. However, access-control tools such as firewalls, when used with ATM networks, can degrade these properties. In this paper we describe a new architecture providing a high speed access-control service for ATM and IP over ATM networks. While most of the alternatives to our proposal focus on the efficiency of the access-control process and provide no assurance of the quality of service, our solution delineates bounds to the minimal throughput and maximal delay that can be reached. The bounds can be ensured thanks to a new cell classification algorithm used in combination with an efficient hardware part called IFT. Moreover, whereas existing proposals focus on the IP access-control service, our proposal gives the security officer the ability to filter ATM traffic through new access-control parameters such as QoS or service descriptors. The complete architecture provides an access-control service at the ATM, IP and transport levels.
