DocumentCode :
3319012
Title :
Development framework for firewall processors
Author :
Lee, T.K. ; Yusuf, S. ; Luk, W. ; Sloman, M. ; Lupu, E. ; Dulay, N.
Author_Institution :
Dept. of Comput., Imperial Coll., London, UK
fYear :
2002
fDate :
16-18 Dec. 2002
Firstpage :
352
Lastpage :
355
Abstract :
High-performance firewalls can benefit from the increasing size, speed and flexibility of advanced reconfigurable hardware. However, direct translation of conventional firewall rules in a router-based rule set often leads to inefficient hardware implementation. Moreover, such low-level description of firewall rules tends to be difficult to manage and to extend. We describe a framework, based on the high-level policy specification language Ponder, for capturing firewall rules as authorization policies with user-definable constraints. Our framework supports optimisations to achieve efficient utilisation of hardware resources. A pipelined firewall implementation developed using this approach running at 10 MHz is capable of processing 2.5 million packets per second, which provides similar performance to a version without optimisation and is about 50 times faster than a software implementation running on a 700 MHz PIII processor.
Keywords :
authorisation; digital filters; field programmable gate arrays; high level synthesis; pipeline processing; 10 MHz; Ponder; authorization policies; development framework; firewall processors; firewall rules; hardware packet filters; hardware resources; high-level policy specification language; optimisations; pipelined firewall implementation; user-definable constraints; Authorization; Educational institutions; Hardware; Information filtering; Information filters; Internet; Matched filters; Protocols; TCPIP; Throughput;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Field-Programmable Technology, 2002. (FPT). Proceedings. 2002 IEEE International Conference on
Print_ISBN :
0-7803-7574-2
Type :
conf
DOI :
10.1109/FPT.2002.1188709
Filename :
1188709