| With the rapid increasing of Internet nowadays, Broadband network comes into people's daily life. Meanwhile, people have to suffer security problems as they enjoy the convenience brought by Network such as hacker intrusion and network virus. Therefore, firewall product playes an important role and is of great interest in meeting the increasing demands of network security.This paper explores the research work on how to design a Giga-bit firewall based on intel's network processor IXP1200, which presents both high-performance and security functionality. During the developing period, the author and his friends solved many critical problems, including Multiple Layer Architecture, Working Modes, Allocation of Micro-engine, Attack Defence Policies and Web Uuser Interface. Also new ideas of improvement on both future network processors and firewall products have been well presented.Compared with the traditional firewall, which cannot make a good tradeoff between performance and flexibility, the NetChannel 5000 Series Firewall uses NP as its core processor. NP is a programmable hardware and it is optimized for packet processing, protocol analysis, routing, voice integration and QoS. In china, NP is the best choice to design network devices.Intel Co., Ltd invented a series of parallel programmable network processors, including IXP425, IXP1200, IXP2400 and IXP2800. IXP1200, one of the intel's Network Processors, is a primary product which is suitable for enterprise usage. It has a general purpose process and six micro engines. IXP1200 fits the requirements of Broad Band access device and it is the best choice of Giga-bit firewall.This paper begins with the introduction of the current situation of network security and the network processor's application. The author introduces hardware and software development platform of Intel IXP1200. He puts forward TCP Relay module, ARP Proxy module and WebUI module etc. He also develops the best allocation way of micro-engine through three experiments. In the end, the conclusion is made on the whole project and gives an expectation for the development of network security devices in .the future.The main innovative ideas in this paper are presented as follows:First, TCP Relay method is applied to defend SYN Flooding attack and control the whole process of TCP connection.Second, this paper provides new micro-engine allocation methods through three experiments. It puts forward a new idea to accelerate the performance of fast path.Third, a Config Wizard is put forward, which can help users to config firewall easily. Every common operator can config firewall efficiently with the Wizard.
|
PDF Full Text Request