Network Processor-based Firewall Key Technology And Algorithm Studies

Posted on: 2008-07-13 | Degree: Master | Type: Thesis
Country: China | Candidate: Z Y Yu | Full Text: PDF
GTID: 2208360212978942 | Subject: Computer Science and Technology
Abstract/Summary:
Firewalls are essential to network security. To meet the demand for high-speed processing and to keep pace with the constant emergence of new protocols and applications, network processors are being adopted as the hardware platform for the new generation of high-performance firewalls. However, traditional firewall systems cannot be migrated to network processors directly. The technologies and algorithms of network processor based firewalls have their own characteristics and need further study.

This paper first analyses network processor and firewall technologies and derives the key points of network processor based firewalls. A prototype stateful inspection firewall is then designed and implemented, covering system design, key module design, prototype development and deployment. To take full advantage of the optimized hardware of network processors, the paper summarizes existing processing resource scheduling algorithms, proposes a novel algorithm called Duplication-based Partial Dynamic Scheduling, and evaluates its performance with a simulation tool.

The firewall designed in this paper is innovative in several respects compared with other approaches. Tasks are appropriately partitioned between the data plane and the control plane, which communicate via a mailbox; data structures are fast to read and write, small to store, and simple to manage; and the particular hardware units that network processors contain are used.

The algorithm proposed in this paper is the first to combine task duplication and partial dynamic mapping in network processor scheduling, with the aim of reducing delay and increasing throughput. Experimental results showed that this algorithm could increase the largest average throughput by about 30% compared with those without dynamic phase duplication.

With deeper research into the technologies and algorithms of network processor based firewalls and the maturing of industrial manufacturing, the network will be more secure.
Keywords/Search Tags:Firewall, Network Processor, Processing Resources Scheduling