| As a basic application security technology built on modern communication and information security, the firewall is increasingly widely deployed on the Internet. However, although traditional firewalls provide high-level security protection, their performance can become a bottleneck because it limits the bandwidth of the network. This problem restricts their practical application. A new-generation firewall should not only better protect the network behind it but also deliver better performance. The basic function of a firewall is packet filtering, which checks every packet against specified filter rules to determine what action to take on it. The filter rules are based on packet header information such as IP source address, IP destination address, transport protocol, TCP/UDP port, ICMP message type, etc. Dynamic filtering checks packets according to session state, which means the action taken on a packet depends on the packets that preceded it. NAT is a way to relieve the heavy demand for Internet IP addresses, and it can also hide LAN addresses. There are two types of NAT: static translation and dynamic translation. A proxy is a sophisticated firewall function that can perform security checks at the application layer. Moreover, a sound firewall needs thorough logging and audit functions. This thesis introduces a high-performance firewall developed on Intel IXA. Intel(r) IXA is a packet processing architecture that provides a foundation for software portability across multiple generations of network processors. Intel(r) IXA focuses on Intel(r) network processors and is based on microengine technology, the Intel(r) XScale(tm) microarchitecture and the Intel(r) IXA Hardware Abstraction Layer. Intel(r) IXA is an end-to-end family of high-performance, flexible and scalable hardware and software development building blocks designed to meet the growing performance requirements of today's networks. 
Based on programmable silicon and software building blocks, Intel(r) IXA solutions enable faster development, more cost-effective deployment and future upgradability of network and communications systems. This thesis first introduces the technology and background knowledge related to security and firewalls, and describes Intel IXA, in particular the structure and function of the IXP1200 network processor. It then presents the complete hardware and software system of the firewall designed on Intel IXA, with emphasis on dynamic filtering and NAT. The thesis ends with the conclusion, along with some suggested improvements and solutions. |