Research And Design Of The Hardware Firewall System Based On FPGA

Posted on: 2017-06-20
Degree: Master
Type: Thesis
Country: China
Candidate: Y N Lv
GTID: 2348330488478898
Subject: Computer technology
Abstract/Summary:
With the development and popularization of networks, and especially as cloud computing matures, vast amounts of data need to be transported, so network security becomes more and more important. Traditional intrusion detection systems mainly rely on port identification. However, many application-layer protocols no longer use a fixed port for communication, and network intrusions can be carried out this way. Research on fast packet filtering and precise matching is therefore of great significance.

In view of the current state of security filtering systems, this paper proposes a design for an embedded security protection system based on FPGA. The hardware environment is the NetFPGA development platform, which uses four gigabit Ethernet front-end ports and a PCI interface and greatly improves the data transfer rate. On the FPGA, the design implements five-tuple (quintuple) matching and content inspection, and proposes a two-stage matching solution.

Secondly, this paper focuses on the three major modules of the system design. The statistics module monitors network packet traffic and performs packet analysis. The Bloom filter matching module uses a counting Bloom filter to match the packet's IP address, MAC address and protocol type. The regular expression matching module inspects the packet content.

Finally, data packets with different IP addresses and MAC addresses are tested. The results show that the handling of the data packets is in line with the actual requirements, indicating that the design fulfills its intended protective function and completes network packet filtering in a high-speed network environment.

In summary, this paper proposes a packet security protection system based on the NetFPGA development platform that adopts a two-stage matching scheme. The scheme not only increases the efficiency of packet inspection to meet the requirements of high-speed network transmission, but also improves the accuracy of packet filtering and responds quickly to high-speed external intrusions, which gives it great practical value.
Keywords/Search Tags:FPGA, BLOOM FILTER, regular expression matching, security, data monitoring
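
The two-stage scheme in the abstract (counting Bloom filter on header fields, then regular expression matching on content) can be modelled in software. The following is an added example, not code from the thesis: it is a Python model rather than FPGA logic, and it assumes the filter holds blocked headers, uses SHA-256 slices in place of hardware hash units, and uses constructed sample signatures; all names are hypothetical.

```python
import hashlib
import re

class CountingBloomFilter:
    """m counters, k positions per key; counters (not bits) allow rule removal."""
    def __init__(self, m=1024, k=4):
        self.m, self.k, self.counters = m, k, [0] * m

    def _positions(self, key):
        # Software stand-in for k hardware hash units: slice one SHA-256 digest.
        d = hashlib.sha256(key).digest()
        return [int.from_bytes(d[4 * i:4 * i + 4], "big") % self.m for i in range(self.k)]

    def __contains__(self, key):
        return all(self.counters[p] > 0 for p in self._positions(key))

    def add(self, key):
        for p in self._positions(key):
            self.counters[p] += 1

    def remove(self, key):
        # A key that tests absent was never added, so leave the counters untouched.
        if key in self:
            for p in self._positions(key):
                self.counters[p] -= 1

# Constructed sample content signatures (assumption, not from the thesis).
SIGNATURES = [re.compile(rb"(?i)union\s+select"), re.compile(rb"\.\./\.\./")]

def header_key(ip, mac, proto):
    return f"{ip}|{mac.lower()}|{proto}".encode()

def classify(cbf, pkt):
    # Stage 1: constant-time header lookup. A hit can be a false positive,
    # never a false negative, so every listed header is caught here.
    if header_key(pkt["ip"], pkt["mac"], pkt["proto"]) in cbf:
        return "DROP_HEADER"
    # Stage 2: payload inspection only for packets that passed stage 1.
    if any(sig.search(pkt["payload"]) for sig in SIGNATURES):
        return "DROP_CONTENT"
    return "ACCEPT"

if __name__ == "__main__":
    cbf = CountingBloomFilter()
    cbf.add(header_key("203.0.113.7", "00:11:22:33:44:55", "tcp"))  # constructed rule
    pkt = {"ip": "198.51.100.9", "mac": "66:77:88:99:aa:bb", "proto": "tcp",
           "payload": b"GET /?q=1 UNION SELECT 1"}
    print(classify(cbf, pkt))
```

Because the first stage can return false positives, a design that drops on a header hit trades a small rate of wrongly dropped packets for speed; sizing `m` and `k` against the rule count controls that rate.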