Compiling policy descriptions into reconfigurable firewall processors

Author

Lee, T.K. ; Yusuf, S. ; Luk, W. ; Sloman, M. ; Lupu, E. ; Dulay, N.

Author_Institution

Dept. of Comput., Imperial Coll., London, UK

fYear

2003

fDate

9-11 April 2003

Firstpage

39

Lastpage

48

Abstract

We describe a framework for capturing firewall requirements as high-level descriptions based on the policy specification language Ponder. The framework provides abstraction from hardware implementation while allowing performance control through constraints. Our hardware compilation strategy for such descriptions involves a rule reduction step to produce a hardware firewall rule representation. Three main methods have also been developed for resource optimization: partitioning; elimination; and sharing. A case study involving five sets of filter rules indicates that it is possible to reduce 67-80% of hardware resources over techniques based on regular content-addressable memory, and 24-63% over methods based on irregular content-addressable memory.

Keywords

authorisation; computer networks; content-addressable storage; filters; packet switching; processor scheduling; resource allocation; specification languages; Ponder; constraint control; hardware compilation; hardware firewall; hardware resource; irregular content-addressable memory; packet filter; policy description compilation; reconfigurable processor; resource optimization; rule elimination; rule reduction; rule representation; rule sharing; specification language; Authorization; Educational institutions; Hardware; High level languages; Information filtering; Information filters; Internet; Optimization methods; Protocols; Specification languages;

fLanguage

English

Publisher

ieee

Conference_Titel

Field-Programmable Custom Computing Machines, 2003. FCCM 2003. 11th Annual IEEE Symposium on

Print_ISBN

0-7695-1979-2

Type

conf

DOI

10.1109/FPGA.2003.1227240

Filename

1227240