With the rapid expansion of network applications and the continuous improvement of network performance, security gateway throughput has grown rapidly from the original scores of megabytes per second to several megahertz or multi-gigabit per second. Moreover, security gateways are extending from traditional firewall applications to UTM, online data stream analysis, web access management and other fields. The network management device therefore needs more powerful CPU processing, data analysis and packet forwarding capability to support high-speed operation of the entire network. In practice, forwarding work often consumes too much server CPU, leaving the CPU without enough resources to analyze high-speed packets and limiting network performance and applications. A network security accelerator is designed to effectively solve these bottlenecks in network packet processing.

First, the background of the research is introduced: an overview of network security threats and countermeasures, and of the common network acceleration technologies. Implementations based on multiple processors are then compared, from which the main contents of this paper are derived. By analyzing the principles of network isolation, the network security requirements for separation are summarized. Hardware search algorithms and rule-management principles for packet classification, in particular TCAM, are studied in depth, and an appropriate hardware rule-management scheme is summarized. On this basis, a network security accelerator card based on an FPGA is designed. Through hardware packet classification and forwarding, the accelerator shares the data analysis and forwarding workload with the CPU. Finally, by matching specific configuration items and sampling network packets, threatening packets can be effectively blocked using the network security features.

The design of the network security accelerator card covers the overall framework, the network interface, the hardware search module, the hardware forwarding module, the PCIe bus interface, power and clock, the power-down protection circuit, and the FPGA design. Finally, the main performance for network applications is compared with the software acceleration method. In this design, space for upgrades is reserved on top of the hardware functions for packet analysis, rule matching, packet forwarding and others. While keeping the existing hardware platform unchanged, address translation, state tracking and QoS can be added through software upgrades. The design thus offers better scalability and applicability.
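The TCAM-based classification and rule management described above can be modelled in software to show the two properties a hardware rule manager must preserve: each field is compared under a ternary mask, and when several entries match, the lowest-index entry wins, so the order in which rules are written into the TCAM decides the action. The following is an added illustrative model, not the thesis's own FPGA design; the rule set and packets are constructed for the example, and the "to_cpu" catch-all stands for handing unmatched traffic to the host software.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class TcamEntry:
    """One ternary entry: each field is a (value, mask) pair; mask bit 0 = don't care."""
    src: tuple
    dst: tuple
    proto: tuple
    dport: tuple
    action: str

def net(cidr):
    """Prefix -> (network address, netmask) as integers."""
    n = ipaddress.ip_network(cidr, strict=False)
    return int(n.network_address), int(n.netmask)

def exact(value, bits):
    """Exact-match field: all mask bits set."""
    return value, (1 << bits) - 1

ANY = (0, 0)  # wildcard field: mask 0 matches everything

def packet(src, dst, proto, dport):
    """Constructed 4-field packet header, addresses as integers."""
    return {"src": int(ipaddress.ip_address(src)),
            "dst": int(ipaddress.ip_address(dst)),
            "proto": proto, "dport": dport}

def classify(tcam, pkt):
    """TCAM semantics: every entry is compared; the lowest matching index wins.
    Returns (index, action), or (None, 'default_deny') if nothing matches."""
    for idx, e in enumerate(tcam):
        pairs = ((e.src, pkt["src"]), (e.dst, pkt["dst"]),
                 (e.proto, pkt["proto"]), (e.dport, pkt["dport"]))
        if all((pv & mask) == (val & mask) for (val, mask), pv in pairs):
            return idx, e.action
    return None, "default_deny"

# Constructed rule set, ordered by priority (index 0 = highest):
# block one subnet, forward TCP/443 from the rest of the site to the servers,
# hand everything else to the CPU for software analysis.
RULES = [
    TcamEntry(net("192.168.5.0/24"), net("0.0.0.0/0"), ANY, ANY, "drop"),
    TcamEntry(net("192.168.0.0/16"), net("10.0.0.0/24"), exact(6, 8), exact(443, 16), "forward"),
    TcamEntry(net("0.0.0.0/0"), net("0.0.0.0/0"), ANY, ANY, "to_cpu"),
]

if __name__ == "__main__":
    for p in (packet("192.168.5.7", "10.0.0.9", 6, 443),
              packet("192.168.1.7", "10.0.0.9", 6, 443),
              packet("192.168.1.7", "10.0.0.9", 6, 80)):
        print(classify(RULES, p))
```

Swapping the first two entries makes the blocked subnet's HTTPS traffic match the broader "forward" rule first, which is why the rule manager must keep more specific deny entries at lower indices than the overlapping allow entries.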