Study Of FPGA-Based Security Protection System For Typical Applications

Posted on: 2011-11-28
Degree: Master
Type: Thesis
Country: China
Candidate: C Kong
Full Text: PDF
GTID: 2178360305951574
Subject: Computer system architecture
Abstract/Summary:
With the development and spread of networks, the techniques and models of network-based service systems have matured. Cloud computing in particular has proven its efficiency and value, and more and more companies and individuals choose online systems as part of their commercial and daily activities. However, network attacks are also increasing and cause increasingly serious losses, so every networked system has to take the problem seriously. Current network attacks are mostly application-layer attacks, and deep packet inspection (DPI) is the main approach to detecting and preventing them, by comparing the payload of packets with attack signatures.

However, DPI has high time complexity and space complexity. Traditional software systems cannot deliver enough performance because of architectural limits, which can turn the security device into the bottleneck of the whole system. Therefore, hardware accelerators built from Application Specific Integrated Circuits (ASIC) and Field Programmable Gate Arrays (FPGA) have been proposed to solve this problem.

In this paper, an integrated security system on chip is designed. Using Snort rules as the prototype for generating patterns suitable for hardware implementation, the FPGA is designed to work as a packet-filtering chip that supports header filtering, protocol recognition, and deep packet inspection, performing the security check at the network interface card. This solution demonstrates excellent time efficiency in comprehensive layer 2 to 7 packet inspection.

This paper is organized as follows. The first section gives an introduction to current security protection systems and discusses the need for, and direction of, optimization. Then three topics are studied in particular in section 3:

1. The need to integrate firewall and IDS, and the model of a security system on chip.
2. The configuration of NetFPGA, which is used as the development platform, and the features that make it applicable to high-rate network data processing.
3. The respective algorithms for ordinary strings and Perl Compatible Regular Expressions (PCRE), and the combined structure used to achieve DPI.
4. The integration of header filtering, DPI, and protocol recognition into a common security inspection platform.

Then each functional module is discussed in detail, including header filtering at wire speed, ordinary string pattern matching, PCRE pattern matching, the connection decoder, the conversion approach for Snort rules, the distributed sniffer, and so on. At the end, the experimental results are shown to demonstrate the performance.
Keywords/Search Tags:FPGA, Intrusion Detection System, Network Security, Deep Packet Inspection