The Design And Implementation Of Hardware Firewall Based FPGA

Posted on: 2010-05-08 | Degree: Master | Type: Thesis
Country: China | Candidate: C Y Xiao
GTID: 2178360275968626 | Subject: Computational Mathematics
Abstract/Summary:
This thesis presents a method for implementing a hardware firewall on an FPGA, achieving a gigabit wire-speed firewall. Traditional firewalls based on general-purpose CPUs such as x86 cannot keep up with the rapid growth of network speeds and cannot filter and forward at wire speed. By combining an FPGA programmable device with a general-purpose CPU, this project processes network data quickly. Once connection tracking has been established for a flow, the fast processing board, implemented directly in the FPGA, forwards packets directly and achieves wire-speed processing, while the general-purpose CPU, supported by the operating system, creates and maintains connection-tracking state and maintains the rule tables. The FPGA board and the CPU each perform their own function to achieve fast forwarding. The thesis specifies the hardware for the FPGA board and proposes the storage layout for the hardware connection-tracking table, as well as the storage layout and definition of the rule table. The firewall system software runs on the NetBSD operating system: a NetBSD driver for the hardware board was written; the creation, dispatch, and ageing of newly created connections were implemented in software, as were the creation, deletion, and modification of rules in connection tracking. The firewall is implemented by performing packet filtering and address translation on top of connection tracking, designing the key data structures for connection tracking and packet filtering, and reusing the NetBSD operating system's routing. A partial implementation was added to address the problem of application protocols traversing address translation. DoS attacks are a common network attack method; the thesis uses a combined software and hardware approach, improving the software part and also taking corresponding measures in the hardware part. Test data indicate a clear effect against the common SYN flood attack. In practice, we discovered software flaws in the NetBSD operating system kernel and fixed them. Testing and analysis show that the proposed approach is clearly better than the x86, NP, and ASIC approaches: it is flexible, configurable, and easy to upgrade.
Keywords/Search Tags:hardware firewall, FPGA, NetBSD, NAT