• DocumentCode
    3319012
  • Title

    Development framework for firewall processors

  • Author

    Lee, T.K. ; Yusuf, S. ; Luk, W. ; Sloman, M. ; Lupu, E. ; Dulay, N.

  • Author_Institution
    Dept. of Comput., Imperial Coll., London, UK
  • fYear
    2002
  • fDate
    16-18 Dec. 2002
  • Firstpage
    352
  • Lastpage
    355
  • Abstract
    High-performance firewalls can benefit from the increasing size, speed and flexibility of advanced reconfigurable hardware. However, direct translation of conventional firewall rules in a router-based rule set often leads to inefficient hardware implementation. Moreover, such low-level description of firewall rules tends to be difficult to manage and to extend. We describe a framework, based on the high-level policy specification language Ponder, for capturing firewall rules as authorization policies with user-definable constraints. Our framework supports optimisations to achieve efficient utilisation of hardware resources. A pipelined firewall implementation developed using this approach running at 10 MHz is capable of processing 2.5 million packets per second, which provides similar performance to a version without optimisation and is about 50 times faster than a software implementation running on a 700 MHz PIII processor.
  • Keywords
    authorisation; digital filters; field programmable gate arrays; high level synthesis; pipeline processing; 10 MHz; Ponder; authorization policies; development framework; firewall processors; firewall rules; hardware packet filters; hardware resources; high-level policy specification language; optimisations; pipelined firewall implementation; user-definable constraints; Authorization; Educational institutions; Hardware; Information filtering; Information filters; Internet; Matched filters; Protocols; TCPIP; Throughput;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Field-Programmable Technology, 2002. (FPT). Proceedings. 2002 IEEE International Conference on
  • Print_ISBN
    0-7803-7574-2
  • Type

    conf

  • DOI
    10.1109/FPT.2002.1188709
  • Filename
    1188709