The Design And Implementation Of Firewall Forwarding Functions Based On Network Processor

Posted on: 2005-04-25
Degree: Master
Type: Thesis
Country: China
Candidate: Q J Li
GTID: 2178360185495540
Subject: Computer system architecture
Abstract/Summary:

Network processors, as protocol processors, are used more and more widely because they offer both high performance and flexibility. This thesis is mainly about designing the forwarding functions of a Gbit line-speed firewall based on an IBM network processor.

First, this thesis analyzes the current status of network security and establishes the significance of the research topic. Second, it analyzes the architectures of all the network processors on the market, introduces background on firewall design, and gives a detailed description of the programming environment of the IBM NP4GS3C. Third, it introduces pico-code programming and designs the pico-code processing flow. It then designs and implements the forwarding function of the firewall in pico-code. Finally, it gives the test results of the individual function modules and of overall performance.

This thesis does original work on the following four points:

1. Security filtering is implemented without the support of an operating system protocol stack. All hardware devices on the chip are managed through embedded pico-code, without an operating system. This avoids some of the security holes of the operating system itself and improves the firewall's resistance to attack.

2. A fast checking algorithm for the state table is proposed. Established connections (both request and response connections) can be checked at one time. The number of new connections can reach 20,000, and up to 1,000,000 connections can be maintained simultaneously.

3. A non-linear matching algorithm for the rule table is proposed. The algorithm distributes all rules dynamically, so that each rule can be reached in similar time. This breaks through the performance limit of traditional firewalls and improves performance.

4. Fragmentation and reassembly of data segments. In order to understand the data flow, we adopt fragmentation and reassembly of IP packets and resequencing of TCP segments. We also combine several TCP connections into one session. Thus malicious packets can be recognized and discarded.
Keywords/Search Tags: Network Processor, Firewall, Security Filtering, Access Control, Forwarding Function