Research Of Gigabit Firewall Based On IXP2400

Development of network brings us not only convience and serious network security problem. The problem impacts people's order at life and work, even security of our country and nation. Especial recent years,network bandwidth blows up with growth of internet user and emergency of new service. The trend is in urgent need of high speed network equipment which can support upgraded bandwidth. As a barrier between intranet and extranet, firewall is one of the most important tools to protect network so that it is the network security product which paid attention first.Aiming at the present development and status of utilization of firewall, the thesis has broadly studied and analyzed the performance of gigabit firewalls base on different hardware plane, designed and implemented a scheme for gigabit firewall based on IXP2400. The main contents and conclusions of the thesis are summarized as follows:Analyze the bottleneck of gigabit firewall base on X86, point out limitation of such gigabit firewall on its hardware; Then compare ASIC with network processor, discuss superiority of network processor which we will choose for firewall.Present HSBIPG(Hash Search Based on IP Group)packet classification algorithm for various applications include firewall which needs large classification. The algorithm is considered high speed and high performance.Designing and implementing HSIPBG packet classification algorithm based on the Intel IXP2400 network processor. The employing of network processor and HSIPBG proved to allows the solution for firewall working line rate in 1G or higher broadband with high performance and expansibility by experiment.The thesis researches and discusses difficulties of designing and implementing a line rate gigabit firewall and present a comprehensive and systemic firewall system based on network processor. At present, some of conclusions have been applied successfully, and the others will be consummated and generalized in the future as the production of "973" project.