Design Remote Reconfiguration Supported Security
Protection System on NetFPGA and Virtex5
a new kind of high-efficiency and more secure strategy in
network security protection
Kai Zhang, Xiaoming Ding, Ke Xiong, Shuo Dai, Baolong Yu
the 1st European NetFPGA Developers Workshop
Author Introduction (1)
Kai Zhang
Master of Engineering in Signal and Information Processing,
Institute of Information Science, Beijing Jiaotong University
(formerly known as Northern Jiaotong University), Beijing, China.
His research interests include Security Architecture, Reusable
Methodology and Design & Implementation of LTE Advanced. Email: kzhang0503@gmail.com
Xiaoming Ding
Associate Professor, Institute of Information Science, School of
Computer & Information Technology, Beijing Jiaotong University,
Beijing, China. His research interests include Information Theory,
Information Security, EDA/SOPC Development and Reusable
Methodology. E-mail: xmding@bjtu.edu.cn
Author Introduction (2)
Ke Xiong
Ke Xiong received his B.Sc. degree and Ph.D. degree from Beijing
Jiaotong University, Beijing, China. He is now working as a
postdoctoral researcher at the Department of Electronic Engineering, Tsinghua
University, China. His research interests include Next Generation
Networks, QoS Guarantee in IP Networks, Multimedia
Communication, Network Information Theory and Network
Coding.
Main Content
1. Introduction
2. Architecture
3. Implementation
4. Conclusion
1. Introduction
- Background
Network security and terminal security issues:
- Network attacks, including denial of service attacks, unauthorized
access, distributed attacks and so on.
- Terminal attacks: viruses and Trojan horse attacks via USB
storage devices cannot be completely resolved.
- Other problems, such as user information disclosure.
★ One of the urgent and key problems that needs to be
solved in information security.
★ Underlines the importance of security measures.
1. Introduction
- Solutions
How to effectively improve network security and
terminal security?
1. Traditional security protection systems?
  - Traditional network protection systems.
    △ Traditional software firewall
    △ Traditional hardware firewall
  - Traditional terminal protection systems.
2. Reconfigurable security protection systems?
  - Reconfigurable network protection systems.
    △ Reconfigurable hardware firewall
  - Reconfigurable terminal protection systems.
1. Introduction
Reconfigurable hardware firewall
[Figure: evolution of firewall designs, from the Software Firewall, to the
Traditional HW firewall (ASIC & dedicated chips), to the Reconfigurable HW
firewall, to the HW firewall with remote reconfiguration supported. Remote
reconfiguration updates the HW circuits and the SW system, to ensure
efficiency and security.]
1. Introduction
NIDS
A firewall is not the ultimate solution for network
security.
※ Total reliance on the firewall tool may provide a false sense
of security. The firewall will not work alone (no matter how it is
designed or implemented), as it is not a panacea.
※ A firewall alone is also inconvenient, because most of the information
about attacks on the firewall depends on the administrators.
2. Architecture
- Reconfigurable Firewall: filtering table (two register tables);
control panel of the hardware firewall
- NIDS: PetaLinux + libpcap; detects SQL injection and CGI
attacks
- Servers:
1. Sample Web server
2. Web Camera App (RTP)
2. Architecture
Most parts of this protection system are designed and
implemented in hardware to be faster and more secure.
On the one hand, packet filtering in hardware, immunity
from ARP attacks in hardware, and monitoring and
transmitting with hardware acceleration are designed and
implemented on the NetFPGA to protect the subnet from
network attacks.
On the other hand, AES and DES encryption modules in
hardware, and immunity from USB viruses and Trojan horses
by physical isolation, are designed and implemented on
the DE2 board to protect terminal security effectively.
3.1 Reconfigurable Hardware Firewall
- Packet filtering
NetFPGA user data path (in_data): header fields by 64-bit word and register bits

Word  63:48           47:32          31:16          15:0
1     eth dst addr    eth dst addr   eth dst addr   eth sa hi
2     eth sa lo       eth sa lo      type           ver,ihl,tos
3     total length    id             flags,fof      ttl,proto
4     checksum        src ip         src ip         dst ip hi
5     dst ip lo       src_port       dst port       TCP/UDP len
6     TCP/UDP cksum   DATA           DATA           DATA
7     DATA ...
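To show how a filtering stage reads the match fields straight out of the 64-bit words in the table above, here is an added Python model (not the project's Verilog and not code from the deck) that builds a constructed Ethernet/IPv4/UDP frame, extracts the fields by the table's bit positions, and matches them against a hypothetical deny table standing in for the firewall's two register tables; the rule format and the default-forward policy are assumptions.

```python
import struct

def ip2int(dotted):
    return int.from_bytes(bytes(map(int, dotted.split("."))), "big")

def build_frame(src_ip, dst_ip, src_port, dst_port, payload=b"hello"):
    """Constructed Ethernet/IPv4/UDP frame (sample input, not captured traffic)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBHII", 0x45, 0, 20 + udp_len, 0x1234, 0x4000, 64, 17, 0,
                     ip2int(src_ip), ip2int(dst_ip))  # IP checksum left 0 for brevity
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    return eth + ip + udp + payload

def words(frame):
    """Split a frame into 64-bit big-endian words, as the NetFPGA user data path carries it."""
    padded = frame + b"\x00" * (-len(frame) % 8)
    return [int.from_bytes(padded[i:i + 8], "big") for i in range(0, len(padded), 8)]

def bits(word, hi, lo):
    """Bits hi:lo of a 64-bit word, i.e. one column range of the slide table."""
    return (word >> lo) & ((1 << (hi - lo + 1)) - 1)

def parse(frame):
    """Extract the fields the filter matches on; w[0] is word 1 of the table."""
    w = words(frame)
    return {
        "proto": bits(w[2], 7, 0),                                 # word 3, low byte of ttl,proto
        "src_ip": bits(w[3], 47, 16),                              # word 4, bits 47:16
        "dst_ip": (bits(w[3], 15, 0) << 16) | bits(w[4], 63, 48),  # dst ip hi, then dst ip lo
        "src_port": bits(w[4], 47, 32),                            # word 5, bits 47:32
        "dst_port": bits(w[4], 31, 16),                            # word 5, bits 31:16
    }

# Hypothetical deny table standing in for the firewall's register tables:
# (src_ip, dst_ip, proto, dst_port); None is a wildcard.
DENY_RULES = [
    (None, ip2int("192.168.1.10"), 17, 53),   # no UDP/53 to the sample web server
    (ip2int("10.0.0.99"), None, None, None),  # one source host blocked entirely
]

def rule_matches(rule, fields):
    keys = ("src_ip", "dst_ip", "proto", "dst_port")
    return all(v is None or fields[k] == v for k, v in zip(keys, rule))

def decide(frame, rules=DENY_RULES):
    """Return 'drop' if any deny rule matches the parsed fields, else 'forward'."""
    fields = parse(frame)
    return "drop" if any(rule_matches(r, fields) for r in rules) else "forward"
```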
4. Innovation
- Reconfigurable Hardware Firewall
Hardware firewall with remote reconfiguration
supported:
1. Reconfigurable HW firewall: packet filtering in hardware, immunity
from ARP attacks in hardware
2. Reconfigurable design: improves performance, reduces the cost
3. Remote reconfiguration: updating the system from any device
Traditional hardware firewall:
Updating the hardware means a lot of time and
money is wasted
Traditional software firewall:
1. Low performance
2. Its speed and throughput are not high enough