Network intrusion prevention systems (IPS) are now regarded as a major, well-known technology in the security field. An IPS can filter network traffic containing intrusion attacks, viruses and Trojans by matching it against predefined patterns (signatures). However, deploying an IPS in a high-speed network is difficult and remains a research problem because of its low processing performance. Network processors have become core processing components of various Internet routers and switches because of their high programmability and optimized packet-processing capability. However, implementing deep packet inspection on a network processor still requires more development work and further research.

In this thesis, some network security mechanisms are analyzed, and their features, principles, working modes and key techniques are introduced in detail; then a design and implementation scheme for a high-efficiency, high-performance Gigabit Network IPS based on the Intel Network Processor is presented. The thesis covers the following points:

1. Introduces the current status of network security and the common means of intrusion attack, and analyzes the main features of security technologies already widely deployed, such as firewalls, intrusion detection systems and so on. It then studies the intrusion prevention system, introducing its basic concepts, classifications and characteristics.
2. Describes the hardware architecture and software architecture of the Intel high-speed network processor and analyzes its strengths and weaknesses compared with other hardware platforms.
3. Analyzes in depth the principles, working modes and key techniques of an intrusion prevention system, and then presents our high-performance gigabit network IPS and its framework, designed on the Intel network processor.
4. Describes the software architecture and the network traffic inspection and processing algorithms of our network IPS.
5. Analyzes the results of functional and performance testing of the NAT packet processing subsystem of our network IPS.
6. Finally, gives a comprehensive summary of the work and looks ahead to the next stage of research.

The test results show that the NAT packet processing subsystem of the Gigabit Network IPS achieves the expected goals in both function and performance, so it has good practicability.