An Extensible, System-On-Programmable-Chip, Content-Aware Internet Firewall

An extensible firewall has been implemented that performs packet filtering, content scanning, and per-flow queuing of Internet packets at Gigabit/second rates. The firewall uses layered protocol wrappers to parse the content of Internet data. Packet payloads are scanned for keywords using parallel regular expression matching circuits. Packet headers are compared to rules specified in Ternary Content Addressable Memories (TCAMs). Per-flow queuing is performed to mitigate the effect of Denial of Service attacks. All packet processing operations were implemented with reconfigurable hardware and fit within a single Xilinx Virtex XCV2000E Field Programmable Gate Array (FPGA). The single-chip firewall has been used to filter Internet SPAM and to guard against several types of network intrusion. Additional features were implemented in extensible hardware modules deployed using run-time reconfiguration.
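The abstract names two mechanisms that are easy to misunderstand without seeing them operate: TCAM-style ternary matching of packet headers against ordered rules, and per-flow queuing that keeps one flooding flow from starving the others. The following is an added software model of both, written for this page and not taken from the paper or its FPGA design; the `Header` fields, the 104-bit key layout, the `PASS`/`DROP` actions and the rule set and addresses in the demo functions are constructed illustrations, not values from the paper.

```python
"""Software model of TCAM-style header matching and per-flow queuing.

Added example for this page; not the paper's hardware design. A TCAM stores
(value, mask) pairs and reports the first (highest-priority) entry whose masked
bits equal the key. Here the key is a constructed 104-bit packing of the IPv4
5-tuple, and rule order stands in for the TCAM's priority encoder.
"""
from collections import deque
from dataclasses import dataclass
import ipaddress

# Key layout (constructed for this example): field name and bit width, MSB first.
KEY_LAYOUT = [("src", 32), ("dst", 32), ("proto", 8), ("sport", 16), ("dport", 16)]
FIELD_WIDTH = dict(KEY_LAYOUT)


@dataclass(frozen=True)
class Header:
    """The IPv4 5-tuple of one packet (frozen so it can key a per-flow dict)."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def _field_bits(name, spec):
    """Return (value, mask) for one field of a rule.

    spec is None for "don't care" (mask 0), an int for an exact match, or an
    'a.b.c.d/n' CIDR string for address fields (mask = the netmask).
    """
    width = FIELD_WIDTH[name]
    if spec is None:
        return 0, 0
    if name in ("src", "dst"):
        net = ipaddress.IPv4Network(spec, strict=False)
        return int(net.network_address), int(net.netmask)
    return spec, (1 << width) - 1


def compile_rule(action, **fields):
    """Compile keyword field specs into a single (value, mask, action) TCAM entry."""
    value = mask = 0
    for name, width in KEY_LAYOUT:
        v, m = _field_bits(name, fields.get(name))
        value = (value << width) | v
        mask = (mask << width) | m
    return value, mask, action


def pack_header(h):
    """Pack a Header into the same bit layout the rules use."""
    key = 0
    for name, width in KEY_LAYOUT:
        v = getattr(h, name)
        if name in ("src", "dst"):
            v = int(ipaddress.IPv4Address(v))
        key = (key << width) | v
    return key


def tcam_lookup(rules, header, default="DROP"):
    """First rule whose masked bits equal the key wins; no match gives the default."""
    key = pack_header(header)
    for value, mask, action in rules:
        if key & mask == value:
            return action
    return default


class PerFlowQueue:
    """One bounded FIFO per flow, served round-robin.

    A flood on a single flow fills only that flow's queue, so packets of other
    flows are still accepted and still get scheduled.
    """

    def __init__(self, per_flow_limit):
        self.limit = per_flow_limit
        self.queues = {}
        self.dropped = {}

    def enqueue(self, header, payload):
        q = self.queues.setdefault(header, deque())
        if len(q) >= self.limit:
            self.dropped[header] = self.dropped.get(header, 0) + 1
            return False
        q.append(payload)
        return True

    def dequeue_round_robin(self):
        """Take one packet from every non-empty flow (one scheduling round)."""
        return [(h, q.popleft()) for h, q in self.queues.items() if q]


def demo_tcam():
    # Constructed rule set: an earlier rule shadows a later, more permissive one.
    rules = [
        compile_rule("DROP", src="192.0.2.0/24"),
        compile_rule("PASS", dst="10.0.0.0/8", proto=6, dport=80),
        compile_rule("PASS", proto=17, dport=53),
    ]
    pkts = [
        Header("192.0.2.7", "10.1.1.1", 6, 40000, 80),     # rule 0 wins over rule 1
        Header("198.51.100.5", "10.1.1.1", 6, 40001, 80),  # rule 1
        Header("198.51.100.5", "10.1.1.1", 17, 40002, 53), # rule 2
        Header("198.51.100.5", "10.1.1.1", 6, 40003, 22),  # no rule: default DROP
    ]
    return [tcam_lookup(rules, p) for p in pkts]


def demo_queue():
    # Constructed flood: 100 packets on one flow, 1 packet on another, limit 4 per flow.
    pfq = PerFlowQueue(per_flow_limit=4)
    flood = Header("192.0.2.7", "10.1.1.1", 17, 1234, 53)
    normal = Header("198.51.100.5", "10.1.1.1", 17, 5678, 53)
    for _ in range(100):
        pfq.enqueue(flood, b"x")
    pfq.enqueue(normal, b"query")
    served = pfq.dequeue_round_robin()
    return pfq.dropped.get(flood, 0), [h.src for h, _ in served]


if __name__ == "__main__":
    print(demo_tcam())   # ['DROP', 'PASS', 'PASS', 'DROP']
    print(demo_queue())  # (96, ['192.0.2.7', '198.51.100.5'])
```

The point of the queue model is the same one the abstract makes about Denial of Service: a shared FIFO lets a single flooding source consume all buffer space, whereas bounding each flow separately caps the damage at one flow's quota and the round-robin scheduler still serves the legitimate flow in the same round.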
