The Design And Implementation Of The Security Gateway Based On IXP425

Posted on: 2006-10-05
Degree: Master
Type: Thesis
Country: China
Candidate: Y Hu
Full Text: PDF
GTID: 2168360152970646
Subject: Communication and Information System
Abstract/Summary:
The Internet has entered a new era and is becoming a part of our daily life; however, the security problems it brings have also become increasingly unavoidable and demand our attention. As a safe, low-cost and efficient platform, embedded systems have been widely used in various fields, and network security is one of them. VPN technology and firewall technology, two of the most important technologies, have been widely used in the network security area. The security gateway described in this paper implements the VPN function and the firewall function on an embedded system. The author has mainly completed the following study and work:

1. The hardware design of the security gateway, based on the Network Processor IXP425 and the PCI Encryption Card SafeXcel-1741. The IXP425, one of the latest Network Processors, has a two-micro-core structure that integrates an XScale core running at 533 MHz and three Network Processing Engines, and it can process data from the network at wire speed. The Encryption Card SafeXcel-1741, specially designed for network security applications, can perform encryption/decryption calculations at high speed. The PCI connection between the IXP425 and the SafeXcel-1741 lets them cooperate and gives the security gateway good performance.

2. The software design of the security gateway, which includes implementations of the IPSec protocol, the firewall and illegal VPN detection. Using the hook functions supplied by the VxWorks network stack, these functions are implemented with the method called Pump-in-Line. The encryption and hash calculations of AH, ESP and IKE are processed by the Encryption Card, and data transmission between the IXP425 and the Encryption Card uses DMA mode, which increases the transmission speed.

3. Based on an analysis of former research, the author indicates that the performance bottleneck of the security gateway is its insufficient capacity for encryption calculation, then proposes an architecture in which two processors cooperate, and studies in depth the communication mechanism, implementation technology and optimization method of this architecture.

4. An in-depth study of the detection and termination of illegal VPNs. By judging the result of the comparison between the data in an IPSec packet and the data in the database, a normal VPN connection can be distinguished from an illegal one. Because AVL is a very fast method for the searching used in illegal VPN detection, we optimize and implement it in our design.

5. An investigation of how to offer VPN service to dynamic IP users. The identification problem for dynamic IP users is solved by adopting dynamic digital certificates and combining VPN technology with LDAP technology.
Keywords/Search Tags:Security Gateway, Network Processor, Encryption Card, VPN