Book Chapter

An Extensible, System-On-Programmable-Chip, Content-Aware Internet Firewall

TLDR
An extensible firewall has been implemented that performs packet filtering, content scanning, and per-flow queuing of Internet packets at Gigabit/second rates, with per-flow queuing performed to mitigate the effect of Denial of Service attacks.
Abstract
An extensible firewall has been implemented that performs packet filtering, content scanning, and per-flow queuing of Internet packets at Gigabit/second rates. The firewall uses layered protocol wrappers to parse the content of Internet data. Packet payloads are scanned for keywords using parallel regular expression matching circuits. Packet headers are compared to rules specified in Ternary Content Addressable Memories (TCAMs). Per-flow queuing is performed to mitigate the effect of Denial of Service attacks. All packet processing operations were implemented with reconfigurable hardware and fit within a single Xilinx Virtex XCV2000E Field Programmable Gate Array (FPGA). The single-chip firewall has been used to filter Internet SPAM and to guard against several types of network intrusion. Additional features were implemented in extensible hardware modules deployed using run-time reconfiguration.


Citations
Patent

Malicious mobile code runtime monitoring system and methods

TL;DR: In this paper, a mobile protection code (MPC) is used to prevent malicious downloadable operation attempts to be received by the MPC and causing corresponding operations to be executed in response to the attempts.
Patent

Fast signature scan

Qiang Wang
TL;DR: In this article, the authors proposed a method for signature scanning in string fields, which includes processing one or more signatures into one or many formats that include fingerprints and data structures for each fixed-size signature or signature substring.
Proceedings Article

The Mercury system: exploiting truly fast hardware for data search

TL;DR: A general framework, under which a significant portion of the data mining task is implemented in fast hardware close to the magnetic media on which the data is stored, is described, and initial performance results for a set of applications are provided.

Internet Worm and Virus Protection in Dynamically Reconfigurable Hardware

TL;DR: A platform has been implemented that actively scans and filters Internet traffic for Internet worms and viruses at multi-Gigabit/second rates using the Field-programmable Port Extender (FPX), and logic that allows modules to be dynamically reconfigured to scan for new signatures.
Patent

Systems and methods for content type classification

TL;DR: In this paper, the content type classification for packets associated with a session based at least in part on a packet associated with the session that is a packet other than the first packet of the session is discussed.
References
Proceedings Article

Assisting network intrusion detection with reconfigurable hardware

TL;DR: A module generator is developed that extracts strings from the Snort NIDS rule-set, generates a regular expression that matches all extracted strings, synthesizes an FPGA-based string matching circuit, and generates an EDIF netlist that can be processed by Xilinx software to create an FPGA bitstream.
Proceedings Article

Implementation of a content-scanning module for an Internet firewall

TL;DR: A module has been implemented in Field Programmable Gate Array (FPGA) hardware that scans the content of Internet packets at Gigabits/second rates and automatically generates the Finite State Machines (FSMs) to search for regular expressions.
Proceedings Article

Dynamic hardware plugins in an FPGA with partial run-time reconfiguration

TL;DR: Tools and a design methodology have been developed to support partial run-time reconfiguration of FPGA logic on the Field Programmable Port Extender to support high-speed Internet packet processing circuits on this platform.
Book Chapter

Specialized Hardware for Deep Network Packet Filtering

TL;DR: This work designs a deep packet filtering firewall on a field programmable gate array (FPGA) to take advantage of the parallelism while retaining its programmability and is capable of processing over 2.88 gigabits per second of network stream on an Altera EP20K series FPGA without manual optimization.
Proceedings Article

Field programmable port extender (FPX) for distributed routing and queuing

TL;DR: The Field-programmable Port Extender (FPX) is being built to augment the Washington University Gigabit Switch (WUGS) with reprogrammable logic, and will first be used to implement fast IP lookup algorithms and distributed input queueing.