Design Remote Reconfiguration Supported Security Protection System on NetFPGA and Virtex5
A new kind of high-efficiency and more secure strategy in network security protection
Kai Zhang, Xiaoming Ding, Ke Xiong, Shuo Dai, Baolong Yu
The 1st European NetFPGA Developers Workshop

Author Introduction (1)

Kai Zhang
Master of Engineering in Signal and Information Processing, Institute of Information Science, Beijing Jiaotong University (formerly known as Northern Jiaotong University), Beijing, China. His research interests include Security Architecture, Reusable Methodology and Design & Implementation of LTE-Advanced.
Email: kzhang0503@gmail.com

Xiaoming Ding
Associate Professor, Institute of Information Science, School of Computer & Information Technology, Beijing Jiaotong University, Beijing, China. His research interests include Information Theory, Information Security, EDA/SOPC Development and Reusable Methodology.
E-mail: xmding@bjtu.edu.cn

Author Introduction (2)

Ke Xiong
Ke Xiong received his B.Sc. degree and Ph.D. degree from Beijing Jiaotong University, Beijing, China. He is now working as a postdoctoral researcher at the Department of Electronic Engineering, Tsinghua University, China. His research interests include Next Generation Networks, QoS Guarantee in IP Networks, Multimedia Communication, Network Information Theory and Network Coding.

Main Content
1. Introduction
2. Architecture
3. Implementation
4. Conclusion

1. Introduction - Background
- Network security and terminal security issues
  - Network attacks, including denial of service attacks, unauthorized access, distributed attacks and so on.
  - Terminal attacks: viruses and Trojan horse attacks via USB storage devices cannot be completely resolved.
  - Other problems, such as user information disclosure.
★ One of the urgent and key problems that needs to be solved in information security.
★ Underlines the importance of security measures.

1. Introduction - Solutions
How to effectively improve network security and terminal security?
1. Traditional security protection systems?
  - Traditional network protection systems
    △ Traditional software firewall
    △ Traditional hardware firewall
  - Traditional terminal protection systems
2. Reconfigurable security protection systems?
  - Reconfigurable network protection systems
    △ Reconfigurable hardware firewall
  - Reconfigurable terminal protection systems

1. Introduction - Reconfigurable hardware firewall
(Figure: progression of firewall designs, with these labels)
- Software firewall
- Traditional HW firewall: ASIC & dedicated chips
- Reconfigurable HW firewall: update the HW circuits and SW system
- HW firewall with remote reconfiguration supported: remote reconfiguration ensures the efficiency and security

1. Introduction - NIDS
A firewall is not the ultimate solution for network security.
※ Total reliance on the firewall tool may provide a false sense of security. The firewall will not work alone (no matter how it is designed or implemented), as it is not a panacea.
※ It is inconvenient for the firewall because most of its information about attacks depends on the administrators.

2. Architecture
(Figure: system architecture, with these components)
- Reconfigurable Firewall: Filtering Table, Two Register Tables, Control Panel of the Hardware Firewall
- NIDS: PetaLinux + libpcap, detecting SQL injection and CGI attacks
- Servers: 1. Sample Web server, 2. Web Camera App (RTP)

Most parts of this protection system are designed and implemented in hardware to be faster and more secure. For instance, on the one hand, packet filtering in hardware, immunity from ARP attacks in hardware, and monitoring and transmitting with hardware acceleration are designed and implemented on the NetFPGA to protect the subnet from network attacks. On the other hand, AES and DES encryption modules in hardware, and immunity from USB viruses and Trojan horses by physical isolation, are designed and implemented on the DE2 board to protect terminal security effectively.

3.1 Reconfigurable Hardware Firewall - packet filtering
User Data Path (in_data) register bits on the NetFPGA 64-bit word path. Each row is one 64-bit word; a field that spans several columns is listed once with its bit range.

Word | 63:48                   | 47:32          | 31:16     | 15:0
-----|-------------------------|----------------|-----------|-------------
1    | eth dst addr (63:16)    |                |           | eth src addr hi
2    | eth src addr lo (63:32) |                | type      | ver,ihl,tos
3    | total length            | id             | flags,fof | ttl,proto
4    | checksum                | src ip (47:16) |           | dst ip hi
5    | dst ip lo               | src port       | dst port  | TCP/UDP len
6    | TCP/UDP cksum           | DATA           | DATA      | DATA
7    | DATA ...                |                |           |

4. Innovation - Reconfigurable Hardware Firewall
Hardware firewall with remote reconfiguration supported:
1. Reconfigurable HW firewall: packet filtering in hardware, immunity from ARP attacks in hardware
2. Reconfigurable design: improves performance, reduces the cost
3. Remote reconfiguration: updating the system via any device

Traditional hardware firewall: updating the hardware means a lot of time and money will be wasted.

Traditional software firewall:
1. Low performance
2. Its speed and throughput are not high enough
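The 64-bit in_data word layout in Section 3.1 is what the hardware filter slices its match fields from. As an added illustration (not the authors' Verilog), the Python below carves a raw frame into the same 64-bit words, extracts the header fields at the bit positions the table gives, and applies a small, constructed rule list standing in for the slide's Filtering Table; the sample frame and the rules are constructed for the example.

```python
import struct

# Field positions follow the slide's 64-bit in_data word layout (word 1 = words[0]).
def frame_to_words(frame: bytes) -> list:
    """Split a raw frame into big-endian 64-bit words, zero-padding the tail
    as the NetFPGA user data path presents it."""
    padded = frame + b"\x00" * (-len(frame) % 8)
    return [int.from_bytes(padded[i:i + 8], "big") for i in range(0, len(padded), 8)]

def bits(word: int, hi: int, lo: int) -> int:
    """Return word[hi:lo] using the slide's bit numbering (63 is the MSB)."""
    return (word >> lo) & ((1 << (hi - lo + 1)) - 1)

def parse_header(words: list) -> dict:
    """Slice the Ethernet/IPv4/L4 fields out of words 1-5 exactly where the
    register-bit table places them."""
    w = words
    return {
        "eth_dst": bits(w[0], 63, 16),
        "eth_src": (bits(w[0], 15, 0) << 32) | bits(w[1], 63, 32),
        "type": bits(w[1], 31, 16),
        "proto": bits(w[2], 7, 0),            # low byte of the ttl,proto halfword
        "src_ip": bits(w[3], 47, 16),
        "dst_ip": (bits(w[3], 15, 0) << 16) | bits(w[4], 63, 48),
        "src_port": bits(w[4], 47, 32),
        "dst_port": bits(w[4], 31, 16),
    }

def filter_decision(frame: bytes, rules: list) -> str:
    """First matching rule wins (a rule omits the fields it does not care about);
    packets matching no rule are forwarded. Non-IPv4 frames are outside the
    table's layout, so they are passed through here (ARP is handled separately)."""
    hdr = parse_header(frame_to_words(frame))
    if hdr["type"] != 0x0800:
        return "forward"
    for rule in rules:
        if all(hdr[k] == v for k, v in rule.items() if k != "action"):
            return rule["action"]
    return "forward"

# Constructed sample frame: Ethernet + IPv4 (proto 17) + UDP to port 53 + 4-byte payload.
ETH = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 32, 0x1234, 0x4000, 64, 17, 0,
                 bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]))
UDP = struct.pack("!HHHH", 40000, 53, 12, 0) + b"test"
SAMPLE_FRAME = ETH + IP + UDP

# Constructed filtering-table entries, in the role of the slide's "Filtering Table".
RULES = [
    {"proto": 17, "dst_port": 53, "action": "drop"},   # block UDP/53 leaving the subnet
    {"src_ip": 0x0A000005, "action": "forward"},        # otherwise allow 10.0.0.5
]
```

In the FPGA the same comparisons run in parallel against the register tables as each word arrives, so a decision is available before the payload words have passed.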