防火墙处理器的开发框架

2002 IEEE International Conference on Field-Programmable Technology, 2002. (FPT). Proceedings. Pub Date : 2002-12-16 DOI:10.1109/FPT.2002.1188709

T. K. Lee, Sherif Yusuf, W. Luk, A. Sloman, Emil C. Lupu, Naranker Dulay

{"title":"防火墙处理器的开发框架","authors":"T. K. Lee, Sherif Yusuf, W. Luk, A. Sloman, Emil C. Lupu, Naranker Dulay","doi":"10.1109/FPT.2002.1188709","DOIUrl":null,"url":null,"abstract":"High-performance firewalls can benefit from the increasing size, speed and flexibility of advanced reconfigurable hardware. However direct translation of conventional firewall rules in a router-based rule set often leads to inefficient hardware implementation. Moreover, such lowlevel description of firewall rules tends to be difficult to manage and to extend. We describe a framework, based on the high-level policy specification language Ponder for capturing firewall rules as authorization policies with user-definable constraints. Our framework supports optimisations to achieve efficient utilisation of hardware resources. A pipelined firewall implementation developed using this approach running at 10 MHz is capable of processing 2.5 million packets per second, which provides similar performance to a version without optimisation and is about 50 times faster than a software implementation running on a 700 MHz PIII processor.","PeriodicalId":355740,"journal":{"name":"2002 IEEE International Conference on Field-Programmable Technology, 2002. (FPT). Proceedings.","volume":"138 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2002-12-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"13","resultStr":"{\"title\":\"Development framework for firewall processors\",\"authors\":\"T. K. Lee, Sherif Yusuf, W. Luk, A. Sloman, Emil C. Lupu, Naranker Dulay\",\"doi\":\"10.1109/FPT.2002.1188709\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"High-performance firewalls can benefit from the increasing size, speed and flexibility of advanced reconfigurable hardware. However direct translation of conventional firewall rules in a router-based rule set often leads to inefficient hardware implementation. Moreover, such lowlevel description of firewall rules tends to be difficult to manage and to extend. We describe a framework, based on the high-level policy specification language Ponder for capturing firewall rules as authorization policies with user-definable constraints. Our framework supports optimisations to achieve efficient utilisation of hardware resources. A pipelined firewall implementation developed using this approach running at 10 MHz is capable of processing 2.5 million packets per second, which provides similar performance to a version without optimisation and is about 50 times faster than a software implementation running on a 700 MHz PIII processor.\",\"PeriodicalId\":355740,\"journal\":{\"name\":\"2002 IEEE International Conference on Field-Programmable Technology, 2002. (FPT). Proceedings.\",\"volume\":\"138 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2002-12-16\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"13\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2002 IEEE International Conference on Field-Programmable Technology, 2002. (FPT). Proceedings.\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/FPT.2002.1188709\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2002 IEEE International Conference on Field-Programmable Technology, 2002. (FPT). Proceedings.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/FPT.2002.1188709","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 13

摘要

高性能防火墙可以受益于高级可重构硬件不断增加的大小、速度和灵活性。然而，在基于路由器的规则集中直接转换传统防火墙规则通常会导致硬件实现效率低下。此外，这种对防火墙规则的低级描述往往难以管理和扩展。我们描述了一个基于高级策略规范语言Ponder的框架，用于将防火墙规则捕获为具有用户可定义约束的授权策略。我们的框架支持优化，以实现硬件资源的有效利用。使用这种方法开发的运行在10 MHz的流水线防火墙实现能够每秒处理250万个数据包，其性能与未优化的版本相似，并且比运行在700 MHz PIII处理器上的软件实现快约50倍。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Development framework for firewall processors

High-performance firewalls can benefit from the increasing size, speed and flexibility of advanced reconfigurable hardware. However direct translation of conventional firewall rules in a router-based rule set often leads to inefficient hardware implementation. Moreover, such lowlevel description of firewall rules tends to be difficult to manage and to extend. We describe a framework, based on the high-level policy specification language Ponder for capturing firewall rules as authorization policies with user-definable constraints. Our framework supports optimisations to achieve efficient utilisation of hardware resources. A pipelined firewall implementation developed using this approach running at 10 MHz is capable of processing 2.5 million packets per second, which provides similar performance to a version without optimisation and is about 50 times faster than a software implementation running on a 700 MHz PIII processor.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2002 IEEE International Conference on Field-Programmable Technology, 2002. (FPT). Proceedings.

自引率

0.00%

发文量