The 1st European NetFPGA Developers Workshop Design Remote Reconfiguration Supported Security...


Transcript of The 1st European NetFPGA Developers Workshop Design Remote Reconfiguration Supported Security...

  • Slide 1
  • The 1st European NetFPGA Developers Workshop. Design Remote Reconfiguration Supported Security Protection System on NetFPGA and Virtex5. Kai Zhang, Xiaoming Ding, Ke Xiong, Shuo Dai, Baolong Yu. A new kind of high-efficiency and more secure strategy in network security protection.
  • Slide 2
  • Author Introduction (1). Kai Zhang: Master of Engineering in Signal and Information Processing, Institute of Information Science, Beijing Jiaotong University (formerly known as Northern Jiaotong University), Beijing, China. His research interests include Security Architecture, Reusable Methodology and Design & Implementation of LTE advanced. E-mail: [email protected]. Xiaoming Ding: Associate Professor, Institute of Information Science, School of Computer & Information Technology, Beijing Jiaotong University, Beijing, China. His research interests include Information Theory, Information Security, EDA/SOPC Development and Reusable Methodology. E-mail: [email protected]
  • Slide 3
  • Author Introduction (2). Ke Xiong: Ke Xiong received his B.Sc. degree and Ph.D. degree from Beijing Jiaotong University, Beijing, China. He is now working as a postdoctoral researcher at the Department of Electronic Engineering, Tsinghua University, China. His research interests include Next Generation Network, QoS Guarantee in IP Networks, Multimedia Communication, Network Information Theory and Network Coding.
  • Slide 4
  • Main Content: 1. Introduction; 2. Architecture; 3. Implementation; 4. Conclusion
  • Slide 5
  • 1. Introduction: background. Network security and terminal security issues: network attacks, including denial-of-service attacks, unauthorized access, distributed attacks and so on; terminal attacks, where viruses and Trojan horse attacks on USB storage devices cannot be completely resolved; other problems, such as user information disclosure. This is one of the urgent key problems that need to be solved in information security, and it underlines the importance of security measures.
  • Slide 6
  • 1. Introduction: solutions. How to effectively improve network security and terminal security? 1. Traditional security protection systems? Traditional network protection systems (traditional software firewall, traditional hardware firewall); traditional terminal protection systems. 2. Reconfigurable security protection systems? Reconfigurable network protection systems (reconfigurable hardware firewall); reconfigurable terminal protection systems.
  • Slide 7
  • 1. Introduction: reconfigurable hardware firewall. Diagram labels: Software firewall; Traditional HW firewall; Reconfigurable HW firewall; HW firewall with remote reconfiguration supported; ASIC & dedicated chips; Reconfigurable hardware firewall. Remote reconfiguration: ensure the efficiency and security; update the HW circuits and SW system.
  • Slide 8
  • 1. Introduction: NIDS. A firewall is not the ultimate solution for network security. Total reliance on the firewall tool may provide a false sense of security. The firewall will not work alone (no matter how it is designed or implemented), as it is not a panacea. Relying on the firewall alone is also inconvenient, because most of the firewall's information about attacks depends on the administrators.
  • Slide 9
  • Main Content: 1. Introduction; 2. Architecture; 3. Implementation; 4. Conclusion
  • Slide 10
  • 2. Architecture
  • Slide 11
  • 2. Architecture (diagram labels). NIDS: PetaLinux + libPcap; SQL injection, CGI attacks. Reconfigurable Firewall. Servers: 1. Sample Web server; 2. Web Camera App (RTP). Control Panel of the Hardware Firewall: Filtering Table; Two Register Tables.
  • Slide 12
  • 2. Architecture. Most parts of this protection system are designed and implemented in hardware to be faster and more secure. For instance, on the one hand, packet filtering in hardware, immunity from ARP attacks in hardware, and monitoring and transmitting with hardware acceleration are designed and implemented on the NetFPGA to protect the subnet from network attacks. On the other hand, AES and DES encryption modules in hardware and immunity from USB viruses and Trojan horses by physical isolation are designed and implemented on the DE2 board to protect terminal security effectively.
  • Slide 13
  • Main Content: 1. Introduction; 2. Architecture; 3. Implementation; 4. Conclusion
  • Slide 14
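  • 3.1 Reconfigurable Hardware Firewall: packet filtering. NetFPGA User Data Path (in_data) register layout, one 64-bit word per row; "(cont.)" marks a field that continues from the column to its left:

    | Word | Bits 63:48    | Bits 47:32 | Bits 31:16 | Bits 15:0   |
    |------|---------------|------------|------------|-------------|
    | 1    | eth dst add   | (cont.)    | (cont.)    | eth sa hi   |
    | 2    | eth sa lo     | (cont.)    | type       | ver,ihl,tos |
    | 3    | total length  | id         | flags,fof  | ttl,proto   |
    | 4    | checksum      | src ip     | (cont.)    | dst ip hi   |
    | 5    | dst ip lo     | src_port   | dst port   | TCP/UDP len |
    | 6    | TCP/UDP cksum | DATA       | (cont.)    | (cont.)     |
    | 7    |               |            |            |             |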
  • Slide 15
  • Main Content: 1. Introduction; 2. Architecture; 3. Implementation; 4. Conclusion
  • Slide 16
  • 4. Innovation: reconfigurable hardware firewall. Hardware firewall with remote reconfiguration supported: 1. Reconfigurable HW firewall: packet filtering in hardware, immunity from ARP attacks in hardware. 2. Reconfigurable design: improve performance, reduce the cost. 3. Remote reconfiguration: updating the system via any device. Traditional hardware firewall: updating hardware means a lot of time and money will be wasted. Traditional software firewall: 1. Low performance. 2. Its speed and throughput are not high enough.
  • Slide 17
  • the 1st European NetFPGA Developers Workshop
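
The fixed field offsets of the Slide 14 in_data table, modelled in software as an added example (not code from the slides or from the NetFPGA project): it slices the filter fields out of the 64-bit words and checks them against a filtering table. The `rule` row format, the fail-closed handling of IP options and fragments, and the sample words are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

struct tuple { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto; };
/* Hypothetical filtering-table row; a zero mask, port or proto is a wildcard. */
struct rule  { uint32_t src_ip, src_mask; uint16_t dst_port; uint8_t proto; int drop; };
/* Slice bits [hi:lo] (at most 32 wide here) out of one 64-bit in_data word. */
static uint32_t bits(uint64_t w, int hi, int lo) {
    return (uint32_t)((w >> lo) & ((1ULL << (hi - lo + 1)) - 1));
}

/* Read the fields at the fixed offsets of the slide table (w[0] is word 1).
 * Returns -1 when those offsets do not hold: short packet, not IPv4, IP options
 * (ihl != 5) or a fragment, where the ports are not where the table puts them. */
int parse_words(const uint64_t *w, size_t n, struct tuple *t) {
    if (n < 5) return -1;
    if (bits(w[1], 31, 16) != 0x0800) return -1;   /* type: IPv4 only       */
    if (bits(w[1], 15, 8) != 0x45) return -1;      /* ver = 4, ihl = 5      */
    if (bits(w[2], 31, 16) & 0x3FFF) return -1;    /* MF set or offset != 0 */
    t->proto    = (uint8_t)bits(w[2], 7, 0);
    t->src_ip   = bits(w[3], 47, 16);
    t->dst_ip   = (bits(w[3], 15, 0) << 16) | bits(w[4], 63, 48);
    t->src_port = (uint16_t)bits(w[4], 47, 32);
    t->dst_port = (uint16_t)bits(w[4], 31, 16);
    return 0;
}

/* 1 = forward, 0 = drop. First match wins; unparseable input is dropped. */
int filter(const uint64_t *w, size_t n, const struct rule *r, size_t nr) {
    struct tuple t;
    if (parse_words(w, n, &t) != 0) return 0;
    for (size_t i = 0; i < nr; i++, r++)
        if ((t.src_ip & r->src_mask) == (r->src_ip & r->src_mask) &&
            (!r->dst_port || r->dst_port == t.dst_port) &&
            (!r->proto || r->proto == t.proto))
            return !r->drop;
    return 1;                                      /* no rule matched */
}

/* Constructed sample: UDP 192.168.1.10:0x1234 -> 10.0.0.5:80, no IP options. */
const uint64_t SAMPLE[6] = { 0x0011223344556677ULL, 0x8899AABB08004500ULL,
    0x0020000100004011ULL, 0x0000C0A8010A0A00ULL, 0x000512340050000CULL,
    0x0000DEADBEEF0000ULL };
/* Constructed rule: drop UDP to port 80 from 192.168.1.0/24. */
const struct rule TABLE[1] = { { 0xC0A80100, 0xFFFFFF00, 80, 17, 1 } };
int main(void) {
    printf("sample -> %s\n", filter(SAMPLE, 6, TABLE, 1) ? "forward" : "drop");
    return 0;
}
```

A filter that reads ports at fixed word offsets only sees the right bytes when the IP header is exactly 20 bytes and the packet is not a fragment, which is why this model refuses both cases instead of matching on shifted data.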