
An Extensible, System-On-Programmable-Chip, Content-Aware Internet Firewall

Conference paper, in: Field Programmable Logic and Application (FPL 2003)

Abstract

An extensible firewall has been implemented that performs packet filtering, content scanning, and per-flow queuing of Internet packets at Gigabit/second rates. The firewall uses layered protocol wrappers to parse the content of Internet data. Packet payloads are scanned for keywords using parallel regular expression matching circuits. Packet headers are compared to rules specified in Ternary Content Addressable Memories (TCAMs). Per-flow queuing is performed to mitigate the effect of Denial of Service attacks. All packet processing operations were implemented with reconfigurable hardware and fit within a single Xilinx Virtex XCV2000E Field Programmable Gate Array (FPGA). The single-chip firewall has been used to filter Internet SPAM and to guard against several types of network intrusion. Additional features were implemented in extensible hardware modules deployed using run-time reconfiguration.
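The three packet-processing stages the abstract names (TCAM header rules, parallel keyword matching on the payload, per-flow queuing) are easiest to reason about as one pipeline. The following Python model is an added example, not code from the paper or its hardware platform; the key layout, the rule set, the spam signatures, the per-flow limit and all traffic are constructed for illustration. It shows the ternary (value, mask) match that a TCAM performs, why entry order is priority, and why bounding each flow's queue keeps a flooding flow from starving the rest.

```python
import ipaddress
import re
from collections import OrderedDict, deque

# Stage 1: TCAM-style header classification. An entry is a (value, mask) pair
# over a fixed-width key; a key hits when every bit the mask cares about equals
# the stored value. Hardware checks all entries in parallel and the lowest-
# numbered hit wins, so list order is priority. Key layout (this model's
# assumption): src(32) | dst(32) | proto(8) | dport(16) = 88 bits.
SRC_SHIFT, DST_SHIFT, PROTO_SHIFT = 56, 24, 16

def make_key(src, dst, proto, dport):
    return ((int(ipaddress.ip_address(src)) << SRC_SHIFT)
            | (int(ipaddress.ip_address(dst)) << DST_SHIFT)
            | (proto << PROTO_SHIFT) | dport)

def make_entry(src_net=None, dst_net=None, proto=None, dport=None):
    """Build (value, mask); None leaves a whole field as 'don't care' (mask 0)."""
    value = mask = 0
    for net, shift in ((src_net, SRC_SHIFT), (dst_net, DST_SHIFT)):
        if net is not None:
            n = ipaddress.ip_network(net, strict=False)
            value |= int(n.network_address) << shift
            mask |= int(n.netmask) << shift
    if proto is not None:
        value, mask = value | proto << PROTO_SHIFT, mask | 0xFF << PROTO_SHIFT
    if dport is not None:
        value, mask = value | dport, mask | 0xFFFF
    return value, mask

def tcam_lookup(entries, key):
    """entries: [(value, mask, action), ...]; returns the first hit's action."""
    for value, mask, action in entries:
        if key & mask == value & mask:
            return action
    return None

# Stage 2: payload keyword scanning. The chip runs one matcher per pattern in
# parallel; here every compiled pattern is evaluated against the payload.
def scan_payload(patterns, payload):
    return [name for name, rx in patterns if rx.search(payload)]

# Stage 3: per-flow queuing. Each flow owns a bounded queue and flows are served
# round-robin, so a flooding flow fills only its own queue instead of starving
# other traffic (the DoS mitigation the abstract names).
class PerFlowQueues:
    def __init__(self, per_flow_limit):
        self.limit, self.queues, self.dropped = per_flow_limit, OrderedDict(), 0

    def enqueue(self, flow, pkt):
        q = self.queues.setdefault(flow, deque())
        if len(q) >= self.limit:
            self.dropped += 1
            return False
        q.append(pkt)
        return True

    def dequeue_round_robin(self):
        out = []
        while any(self.queues.values()):
            for q in self.queues.values():
                if q:
                    out.append(q.popleft())
        return out

def process(packets, entries, patterns, queues):
    """Run (src, dst, proto, dport, payload) tuples through the three stages."""
    verdicts = []
    for pkt in packets:
        src, dst, proto, dport, payload = pkt
        if tcam_lookup(entries, make_key(src, dst, proto, dport)) != "accept":
            verdicts.append(("drop", "header"))      # explicit drop or no hit
            continue
        hits = scan_payload(patterns, payload)
        if hits:
            verdicts.append(("drop", "content:" + ",".join(hits)))
            continue
        ok = queues.enqueue((src, dst, proto, dport), pkt)
        verdicts.append(("queued", None) if ok else ("drop", "flow-limit"))
    return verdicts

# Constructed rule set (RFC 5737 documentation addresses): block one source
# range, allow TCP/25 and TCP/80, default deny. Constructed spam signatures
# stand in for the paper's keyword set.
ENTRIES = [
    (*make_entry(src_net="192.0.2.0/24"), "drop"),
    (*make_entry(proto=6, dport=25), "accept"),
    (*make_entry(proto=6, dport=80), "accept"),
    (*make_entry(), "drop"),
]
PATTERNS = [
    ("spam-free-money", re.compile(rb"(?i)free money")),
    ("spam-click-here", re.compile(rb"(?i)click here now")),
]

def demo():
    """Constructed traffic: a clean mail, a spam mail, a blocked source, an
    unlisted protocol, then a six-packet burst from one HTTP flow."""
    packets = [
        ("198.51.100.7", "203.0.113.10", 6, 25, b"Subject: hello\r\n\r\nmeeting at 10"),
        ("198.51.100.7", "203.0.113.10", 6, 25, b"Subject: FREE MONEY\r\n\r\nclick here now"),
        ("192.0.2.5", "203.0.113.10", 6, 80, b"GET / HTTP/1.0"),
        ("198.51.100.7", "203.0.113.10", 17, 53, b"dns query"),
    ] + [("198.51.100.9", "203.0.113.10", 6, 80, b"GET /%d" % i) for i in range(6)]
    queues = PerFlowQueues(per_flow_limit=4)
    verdicts = process(packets, ENTRIES, PATTERNS, queues)
    return verdicts, queues.dequeue_round_robin(), queues.dropped
```

Running `demo()` yields one verdict per packet: the clean mail is queued, the spam mail is dropped by the content stage with both signature names, the blocked source and the UDP packet are dropped by the header stage (the latter by the catch-all last entry, which is why a default-deny entry must sit at the lowest priority), and of the six-packet burst only four are queued. Round-robin service then hands out the single legitimate mail first, so the burst did not delay it.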

This research was supported in part by a grant from Global Velocity, the National Science Foundation (ANI-0096052), and a gift from Xilinx.




Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

Cite this paper

Lockwood, J.W., Neely, C., Zuver, C., Moscola, J., Dharmapurikar, S., Lim, D. (2003). An Extensible, System-On-Programmable-Chip, Content-Aware Internet Firewall. In: Cheung, P.Y.K., Constantinides, G.A. (eds.) Field Programmable Logic and Application. FPL 2003. Lecture Notes in Computer Science, vol. 2778. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45234-8_83

  • DOI: https://doi.org/10.1007/978-3-540-45234-8_83
  • Publisher Name: Springer, Berlin, Heidelberg
  • Print ISBN: 978-3-540-40822-2
  • Online ISBN: 978-3-540-45234-8
  • eBook Packages: Springer Book Archive
