Title :
MPFC: Massively Parallel Firewall Circuits
Author :
Hager, Sven ; Winkler, Frank ; Scheuermann, Bjorn ; Reinhardt, Klaus
Author_Institution :
Comput. Eng. Group, Humboldt Univ. of Berlin, Berlin, Germany
Abstract :
The process of matching the header fields of network packets against a set of rules is a performance critical task of firewalls. Software-based solutions have no chance to keep pace with the ever-growing data rates in high-speed networks. However, specialized filtering hardware is costly because complex logic is required in order to be able to apply arbitrary rulesets to a packet stream. By adapting the implemented logic to the specific firewall ruleset, FPGAs allow for much more specifically tailored and thus more efficient processing than ruleset-independent circuits in an ASIC. We present MPFC, a method to generate customized firewall circuits in the form of synthesizable VHDL code for FPGA configuration. The highly parallel MPFC circuits achieve a deterministic throughput of one packet per clock cycle, can be operated at high clock frequencies, and provide orders of magnitudes shorter processing latencies than previous work in this direction.
Keywords :
application specific integrated circuits; field programmable gate arrays; firewalls; hardware description languages; pattern matching; ASIC; FPGA configuration; MPFC; complex logic; customized firewall circuits; firewall performance critical task; firewall ruleset; header field matching process; massively parallel firewall circuits; network packets; packet stream; processing latencies; ruleset-independent circuits; software-based solutions; specialized filtering hardware; synthesizable VHDL code; Clocks; Field programmable gate arrays; Hardware; Logic gates; Pipelines; Vectors; Vegetation; Circuit Generation; FPGA; Firewall;
Conference_Titel :
Local Computer Networks (LCN), 2014 IEEE 39th Conference on
Conference_Location :
Edmonton, AB
Print_ISBN :
978-1-4799-3778-3
DOI :
10.1109/LCN.2014.6925785
