
Research On Content Filter In Hardware Firewall Based On FPGA

Posted on: 2010-09-10
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Wang
Full Text: PDF
GTID: 1118360332957771
Subject: Computer system architecture
Abstract/Summary:
Network security and information content security are persistent problems for the development of the Internet. As network bandwidth grows rapidly and networks keep expanding, the firewall, as the most effective means of access control, must integrate functions such as virtual private network (VPN), intrusion detection system (IDS) and network address translation (NAT); in particular, content filtering can effectively support the filtering of plaintext information and of virus signatures.

A Field Programmable Gate Array (FPGA) is used to implement the hardware network firewall. The FPGA processes packets without the participation of a processor: packet processing is independent of both processor and operating system, so backdoors or flaws in either cannot affect the security of the firewall. Four methods are used to improve the programmability of the firewall: configurable registers, configurable memory, a programmable RISC special processing cell, and the reconfigurable FPGA itself. Its good programmability and low upgrade cost guarantee the practicability and market value of the FPGA-based firewall.

Based on an analysis of existing multi-pattern matching algorithms and hardware implementation methods for content filtering, and taking the characteristics of a firewall into account, design principles for the content filter are proposed: low latency, support for patterns of non-fixed length, and forward matching. A comprehensive performance estimate for the content filter covers both the time to store packets and the time for multi-pattern matching. The parallel hierarchy of the state machine (SM) algorithm suited to FPGA implementation is analysed at three levels: parallelism between SMs, parallelism between matching units, and parallelism within a matching unit.

Two improved strategies are presented: multi-SM using a Servos' Array, and multi-sub-SM using parallelism within matching units. Memory resources for the SMs are optimised by compressing the width of the state pointers.

A multi-level filter structure is proposed according to the TCP/IP protocol stack: access control reinforces inspection of protocol validity and assists inspection of dynamic protocols, a special processing cell (SPC) on the FPGA filters information at fixed offsets by executing instructions, and the hardware SMs filter text. This structure reduces the number of packets that must be filtered and accelerates packet transmission.

The implementation strategy of the content filter directly affects the working performance of the firewall. Packet transmission performance in the hardware firewall is studied and validated under different implementation strategies and deployment schemes for the hardware content filter unit. Content filtering at the data link layer achieves the best mode, which does not affect transmission performance, and sampled inspection by the content filter matches accesses to sensitive keywords well, likewise without affecting transmission performance.

Approximate string matching depends on the user's subjective judgement and, for Chinese text, must handle problems such as code conversion, character replacement and homophone replacement. The complex table-lookup operations this requires reduce the performance of the content filter. An FPGA-based content filter algorithm using approximate string matching is presented; improvements to the pretreatment stage and to the matching of the SMs support approximate keyword matching for Web and e-mail applications.

Logs are the main means of checking the working state of a firewall. A log management and audit system is designed for the FPGA-based hardware firewall: the hardware part produces the content filter logs, and the software part implements the driver interface, database storage, analysis and audit.
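The following Python reference model, added here as an illustration and not taken from the dissertation's RTL, shows two of the ideas in the abstract: the "parallel between SMs" mode, in which the pattern set is split across several Aho-Corasick state machines that are clocked in lockstep one input byte at a time, and the memory saving from narrower state pointers when each SM holds fewer states. It also shows the pretreatment step before approximate matching, here limited to code conversion (Unicode NFKC folding of full-width letters to ASCII) and case folding; homophone and character-replacement tables, the round-robin partitioning, the full byte-indexed transition RAM and the memory formula are all assumptions of this example. Hardware designers commonly keep such a software model as the golden reference against which the HDL is checked.

```python
"""Software reference model of a parallel multi-SM content filter (added example,
not the dissertation's own design). Each AhoCorasickSM stands in for one hardware
state machine; ParallelFilter runs several of them in lockstep, one byte per cycle."""
import math
import unicodedata
from collections import deque


def pretreat(text: str) -> bytes:
    """Assumed pretreatment before matching: NFKC folds full-width letters and digits
    to ASCII (code conversion), casefold removes case, and the result is the UTF-8
    byte stream a hardware filter would see on the wire."""
    return unicodedata.normalize("NFKC", text).casefold().encode("utf-8")


def pointer_width(n_states: int) -> int:
    """Bits needed for a next-state pointer in an SM with n_states states."""
    return max(1, math.ceil(math.log2(n_states)))


class AhoCorasickSM:
    """One Aho-Corasick state machine over bytes: goto table plus failure links.
    advance() consumes exactly one byte, as a hardware SM would per clock."""

    def __init__(self, patterns):
        self.goto = [dict()]   # goto[state][byte] -> next state
        self.out = [set()]     # patterns recognised when entering each state
        self.fail = [0]        # failure link of each state
        for pat in (pretreat(p) for p in patterns):
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append(dict())
                    self.out.append(set())
                    self.fail.append(0)
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].add(pat)
        queue = deque(self.goto[0].values())   # depth-1 states fail to the root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]   # inherit suffix matches
        self.state = 0

    @property
    def n_states(self) -> int:
        return len(self.goto)

    def table_bits(self) -> int:
        """Assumed memory model: a full byte-indexed transition RAM, i.e.
        states x 256 entries x pointer width; fewer states means narrower entries."""
        return self.n_states * 256 * pointer_width(self.n_states)

    def advance(self, b: int):
        """Consume one byte and return the set of patterns ending at this byte."""
        s = self.state
        while s and b not in self.goto[s]:
            s = self.fail[s]
        self.state = self.goto[s].get(b, 0)
        return self.out[self.state]


class ParallelFilter:
    """Splits the pattern set round-robin across n_sm SMs (assumed partitioning)
    and clocks all of them in lockstep over the same byte stream."""

    def __init__(self, patterns, n_sm: int = 2):
        groups = [patterns[i::n_sm] for i in range(n_sm)]
        self.sms = [AhoCorasickSM(g) for g in groups if g]

    def scan(self, text: str):
        """Return sorted (start_offset, pattern) hits; offsets are byte offsets
        in the pretreated stream."""
        data = pretreat(text)
        for sm in self.sms:
            sm.state = 0
        hits = set()
        for i, b in enumerate(data):          # one byte per cycle for every SM
            for sm in self.sms:
                for pat in sm.advance(b):
                    hits.add((i - len(pat) + 1, pat.decode("utf-8")))
        return sorted(hits)

    def memory_bits(self) -> int:
        return sum(sm.table_bits() for sm in self.sms)


if __name__ == "__main__":
    pats = ["virus", "trojan", "secret"]          # constructed keyword set
    single = ParallelFilter(pats, n_sm=1)
    split = ParallelFilter(pats, n_sm=2)
    print(split.scan("Top ＳＥＣＲＥＴ and a Virus"))   # full-width text still matches
    print(single.memory_bits(), split.memory_bits())  # narrower pointers save RAM
```

With the constructed three-keyword set, the single SM has 18 states and needs 5-bit pointers, while the two-way split gives SMs of 12 and 7 states with 4-bit and 3-bit pointers, so the total transition RAM shrinks even though each SM pays for its own root state. The full-width "ＳＥＣＲＥＴ" is caught only because pretreatment folds it before the bytes reach the SMs; that is the place where a real filter would also apply its homophone and character-replacement tables.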
Classification of the content filter logs, which fall into a small text space, by the vector space model (VSM) and the naive Bayes algorithm is used for log audit; it describes network access and supplies user strategies.

The SM algorithms are parallelised on a multi-core system. An embedded multi-core processor structure, FPEP (Four Parallel Embedded Processor), is proposed that supports the SPARC V8 instruction set and RTEMS, a real-time multi-tasking OS. FPEP is designed and validated on an FPGA platform. Its speedup is analysed; the reported average speedup is almost 0.7.
Keywords/Search Tags:Hardware Firewall, FPGA, Content Filter, Multi-pattern Matching, Approximate String Matching, Multi-Core Processor