Title :
Compiling policy descriptions into reconfigurable firewall processors
Author :
Lee, T.K. ; Yusuf, S. ; Luk, W. ; Sloman, M. ; Lupu, E. ; Dulay, N.
Author_Institution :
Dept. of Comput., Imperial Coll., London, UK
Abstract :
We describe a framework for capturing firewall requirements as high-level descriptions based on the policy specification language Ponder. The framework provides abstraction from hardware implementation while allowing performance control through constraints. Our hardware compilation strategy for such descriptions involves a rule reduction step to produce a hardware firewall rule representation. Three main methods have also been developed for resource optimization: partitioning; elimination; and sharing. A case study involving five sets of filter rules indicates that it is possible to reduce 67-80% of hardware resources over techniques based on regular content-addressable memory, and 24-63% over methods based on irregular content-addressable memory.
Keywords :
authorisation; computer networks; content-addressable storage; filters; packet switching; processor scheduling; resource allocation; specification languages; Ponder; constraint control; hardware compilation; hardware firewall; hardware resource; irregular content-addressable memory; packet filter; policy description compilation; reconfigurable processor; resource optimization; rule elimination; rule reduction; rule representation; rule sharing; specification language; Authorization; Educational institutions; Hardware; High level languages; Information filtering; Information filters; Internet; Optimization methods; Protocols; Specification languages;
Conference_Title :
Field-Programmable Custom Computing Machines, 2003. FCCM 2003. 11th Annual IEEE Symposium on
Print_ISBN :
0-7695-1979-2
DOI :
10.1109/FPGA.2003.1227240