CN109495517A - A firewall device based on a field programmable gate array - Google Patents
- Publication number: CN109495517A
- Application number: CN201910021687.XA
- Authority: CN (China)
- Prior art keywords: programmable gate array, field programmable, network, data packet
- Legal status (as listed by Google Patents; not a legal conclusion): Withdrawn
Classifications
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0245—Filtering by information in the payload
- H04L63/0263—Rule management
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- G05B2219/15057—FPGA field programmable gate array (under G05B2219/10 PLC systems, G05B2219/15 PLC structure of the system)
Abstract
The invention relates to a firewall device based on a field programmable gate array (FPGA), in the technical field of computer network security. The FPGA firewall device of the invention comprises a CPU, memory, external storage, a PCIe bus interface, an FPGA, an external network interface and an internal network interface. The CPU initializes, configures and manages the FPGA, maintains and upgrades the network rule table, and loads the embedded packet filtering software and the rule table into the FPGA. The general-purpose CPU and operating system in the proposed FPGA firewall device take no part in parsing or filtering network packets; they only configure and manage the FPGA. The invention therefore holds that the device's security does not depend on the general-purpose CPU and operating system and that it can be kept free of threats from hardware backdoors and software security vulnerabilities in them.
Description
Technical field
The invention relates to a firewall device based on a field programmable gate array, that is, a firewall device built on an FPGA (Field Programmable Gate Array) device, in the technical field of computer network security.
Background technique
A firewall is an information security protection device placed between an external network and an internal network. According to pre-defined security policies and rules, it monitors and controls external users' access to internal resources and parses and filters the communication data passing between the inside and outside networks, so as to block unauthorized access and Internet-borne network attacks as far as possible.
Data on a network consists of individual data packets, and parsing and filtering every packet consumes firewall system resources. The structure of an existing firewall is shown in Figure 1: on an x86 general-purpose CPU hardware platform running a general-purpose operating system, dedicated packet filtering software performs the filtering. As network traffic and the variety of network applications keep growing, the pressure of analysing and filtering network data streams in real time keeps increasing. Constrained by the serial processing capacity of the general-purpose CPU and by PCI bus speed, existing firewalls struggle to meet current requirements for real-time filtering and processing of network data and to keep pace with rapidly growing network speeds. In addition, the security of a firewall built on an x86 general-purpose processor and a general-purpose operating system depends on that CPU and operating system, so it carries a considerable risk from hardware backdoors and software security vulnerabilities.
Summary of the invention
The purpose of the invention is to propose a firewall device based on a field programmable gate array for packet filtering, in which the field programmable gate array (hereinafter FPGA) device acts as an independent subsystem that parses and filters data packets in parallel, greatly reducing the firewall's filtering latency and raising the firewall's processing capacity.
The firewall device based on a field programmable gate array proposed by the invention comprises:
A central processing unit, which initializes, configures and manages the FPGA device: it configures the FPGA device's arithmetic logic, interconnect resources and I/O modules, builds dedicated task circuits for packet transmission and reception, classification and fixed-field pattern matching, maintains and upgrades the network rule table, and loads the embedded packet filtering software into the FPGA device. The central processing unit is connected to the memory by an internal bus.
Memory, which temporarily stores the central processing unit's working data and the data exchanged between the central processing unit and external storage.
External storage, which stores the programs and data the firewall device runs. External storage is connected to the central processing unit by a high-speed serial computer expansion bus.
A high-speed serial computer expansion bus interface, which interconnects the FPGA device and the central processing unit.
The FPGA device, which runs the embedded packet filtering software and monitors and filters the network packets passing through it according to the rule table. At the network layer of a packet it uses dedicated task circuits to receive, transmit, classify and fixed-field pattern match the packet; at the application layer of a packet it parses and screens the packet with the embedded software. If a packet satisfies a rule in the rule table, the FPGA device sends it to the internal network through the internal network interface; if the packet does not satisfy any rule in the rule table, the FPGA device drops it. The FPGA device is connected to the central processing unit through the high-speed serial computer expansion bus interface, to the Internet through the external network interface, and to the internal network through the internal network interface.
The external network interface, which receives external network data and passes it to the FPGA device.
The internal network interface, which sends the network data filtered by the FPGA device to the internal network.
The advantages of the firewall device based on a field programmable gate array proposed by the invention are:
The FPGA device in the firewall device of the invention receives external network data through the external network interface and compares each received packet against the rules in the rule table. If the packet satisfies a rule in the rule table, the FPGA device sends it through the internal network interface to the internal network; if the packet does not satisfy any rule in the rule table, the FPGA device drops it. Because the FPGA device, as an independent subsystem, implements packet reception and transmission, classification and fixed-field pattern matching in hardware at the network layer and parses and screens packets in parallel at the application layer, the firewall's filtering latency can be greatly reduced and its processing capacity raised to gigabit rates and above. Moreover, the general-purpose CPU and operating system in the proposed FPGA firewall device take no part in parsing or filtering network packets and only configure and manage the FPGA, so its security is independent of the general-purpose CPU and operating system and it can be kept free of threats from hardware backdoors and software security vulnerabilities.
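The network-layer stage that the component list and the paragraph above describe, written out in C as an added example (it is not code from the patent, which discloses no implementation): fixed-offset field extraction from an Ethernet/IPv4/TCP frame, a rule table stored as value plus mask per field so that each entry can be checked by a hardware comparator, evaluation of every entry independently followed by a priority encoder (which is how a TCAM-style matcher on an FPGA yields one result per clock), and the patent's default of dropping whatever matches nothing. It goes beyond the patent in one respect: the patent's rule table is an allow list (match forwards, no match drops), whereas each entry here also carries an action, so a narrow deny entry can take precedence over a broader allow entry. The rule table, the addresses, the 32-entry cap and the frame contents are assumptions of this example, constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

enum verdict { DROP = 0, FORWARD = 1 };

/* Fixed fields the network-layer circuit pulls out of every frame. */
struct fields { uint32_t src_ip, dst_ip; uint16_t dst_port; uint8_t proto; };

/* One rule-table entry: value plus mask per field so a hardware comparator can
 * evaluate it in a single cycle; a mask of 0 means "any". */
struct rule { uint32_t src_ip, src_mask, dst_ip, dst_mask; uint16_t dst_port, dst_port_mask;
              uint8_t proto, proto_mask; enum verdict action; };

#define IP(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return IP(p[0], p[1], p[2], p[3]); }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (24 - 8 * i)); }

/* Fixed-offset extraction for Ethernet/IPv4/{TCP,UDP}. Returns 0 for anything the
 * extractor cannot parse (non-IPv4, truncated header, non-first fragment); such
 * frames never reach the rule table and are dropped. */
int extract_fields(const uint8_t *f, size_t len, struct fields *o)
{
    if (len < 34 || be16(f + 12) != 0x0800) return 0;
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || 14 + ihl > len) return 0;
    if (be16(ip + 6) & 0x1fff) return 0;            /* non-first fragment: no L4 header */
    o->proto = ip[9];
    o->src_ip = be32(ip + 12);
    o->dst_ip = be32(ip + 16);
    o->dst_port = 0;
    if (o->proto == 6 || o->proto == 17) {          /* TCP or UDP: read the destination port */
        if (14 + ihl + 4 > len) return 0;
        o->dst_port = be16(ip + ihl + 2);
    }
    return 1;
}

/* Compare the key against every rule independently (in the FPGA these comparisons
 * all happen in the same clock cycle), collect hits in a bitmask, then let a
 * priority encoder choose the lowest-numbered hit. Returns -1 when nothing hits.
 * The 32-entry cap is an assumption of this example. */
int match_rules(const struct rule *t, size_t n, const struct fields *k)
{
    uint32_t hits = 0;
    for (size_t i = 0; i < n && i < 32; i++) {
        const struct rule *r = &t[i];
        if ((k->src_ip & r->src_mask) == (r->src_ip & r->src_mask) &&
            (k->dst_ip & r->dst_mask) == (r->dst_ip & r->dst_mask) &&
            (k->dst_port & r->dst_port_mask) == (r->dst_port & r->dst_port_mask) &&
            (k->proto & r->proto_mask) == (r->proto & r->proto_mask))
            hits |= 1u << i;
    }
    for (int i = 0; i < 32; i++)                    /* priority encoder */
        if (hits & (1u << i)) return i;
    return -1;
}

/* Data-path decision: extract, look up, and default to DROP when nothing matches. */
enum verdict filter_frame(const struct rule *t, size_t n, const uint8_t *f, size_t len)
{
    struct fields k;
    if (!extract_fields(f, len, &k)) return DROP;
    int i = match_rules(t, n, &k);
    return i < 0 ? DROP : t[i].action;
}

/* Constructed rule table (not from the patent): rule 0 blocks one external /24 from
 * the internal web server 10.0.0.10; rules 1 and 2 admit HTTPS and HTTP to it.
 * Rule 0 has the lowest index, so it wins when it and rule 1 both match. */
const struct rule example_rules[] = {
    { IP(203, 0, 113, 0), 0xffffff00u, IP(10, 0, 0, 10), 0xffffffffu,   0, 0,      6, 0xff, DROP    },
    { 0,                  0,           IP(10, 0, 0, 10), 0xffffffffu, 443, 0xffff, 6, 0xff, FORWARD },
    { 0,                  0,           IP(10, 0, 0, 10), 0xffffffffu,  80, 0xffff, 6, 0xff, FORWARD },
};
#define EXAMPLE_RULE_COUNT (sizeof example_rules / sizeof example_rules[0])

/* Build a minimal 54-byte Ethernet/IPv4/TCP frame as constructed test input. */
size_t build_tcp_frame(uint8_t *b, uint32_t sip, uint32_t dip, uint16_t sport, uint16_t dport)
{
    memset(b, 0, 54);
    b[12] = 0x08; b[13] = 0x00;                       /* EtherType IPv4 */
    uint8_t *ip = b + 14, *tcp = b + 34;
    ip[0] = 0x45; ip[3] = 40; ip[8] = 64; ip[9] = 6;  /* v4 IHL 5, total len 40, TTL 64, TCP */
    put32(ip + 12, sip); put32(ip + 16, dip);
    tcp[0] = (uint8_t)(sport >> 8); tcp[1] = (uint8_t)sport;
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50;                                   /* data offset 5, no options */
    return 54;
}

/* Filter one constructed frame from sip:40000 to 10.0.0.10:dport; truncate_to > 0
 * cuts the frame short to simulate a runt frame reaching the extractor. */
enum verdict verdict_for(uint32_t sip, uint16_t dport, size_t truncate_to)
{
    uint8_t f[64];
    size_t n = build_tcp_frame(f, sip, IP(10, 0, 0, 10), 40000, dport);
    if (truncate_to && truncate_to < n) n = truncate_to;
    return filter_frame(example_rules, EXAMPLE_RULE_COUNT, f, n);
}
```

With this table a TCP/443 frame from 198.51.100.7 is forwarded, the same frame to port 22 is dropped because nothing matches, a TCP/443 frame from 203.0.113.9 is dropped because rule 0 outranks rule 1, and a frame cut to 30 bytes is dropped before the table is consulted. One check a reviewer of the "independent of the CPU and operating system" claim would add: in this design the CPU still writes the bitstream, the filtering software and this rule table into the FPGA over PCIe, so a compromised host can change the policy the data path enforces. The data path is isolated from the host; the configuration path is not, and it needs its own integrity protection, which the patent text does not address.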
Brief description of the drawings
Figure 1 is a structural schematic diagram of an existing firewall device built on a general-purpose CPU.
Figure 2 is a structural schematic diagram of the firewall device based on a field programmable gate array proposed by the invention.
Detailed description
The structure of the firewall device based on a field programmable gate array proposed by the invention is shown in Figure 2. Its components (central processing unit, memory, external storage, high-speed serial computer expansion bus interface, FPGA device, external network interface and internal network interface) and their functions are as set out in the Summary of the invention above.
The FPGA-based firewall device of the invention comprises a CPU, memory, external storage, a high-speed serial computer expansion bus interface (hereinafter PCIe), an FPGA, an external network interface and an internal network interface. The CPU is connected to the memory by an internal bus; the external storage is connected to the CPU by the PCIe bus; the FPGA device is connected to the CPU by the PCIe interface; the FPGA device is connected to the Internet through the external network interface and to the internal network through the internal network interface.
In the proposed FPGA firewall device, the CPU initializes and manages the FPGA device: it configures the FPGA's arithmetic logic, interconnect resources and I/O modules, builds dedicated task circuits such as those for packet transmission and reception, classification and fixed-field pattern matching, maintains and upgrades the network rule table, and loads the embedded packet filtering software and the rule table into the FPGA. The memory temporarily stores the CPU's working data and the data exchanged with external storage.
The working principle of the firewall device based on a field programmable gate array proposed by the invention is as follows:
When the device powers on, the CPU reads the FPGA management software from external storage and initializes the FPGA: it configures the FPGA's arithmetic logic, interconnect resources and I/O modules, builds the dedicated task circuits for packet transmission and reception, classification, fixed-field pattern matching and so on, and loads the embedded packet filtering software and the rule table from external storage into the FPGA. The external network interface receives network data from the external network and passes it to the FPGA. The FPGA device runs the embedded packet filtering software and monitors and filters the packets passing through it according to the rule table. If a packet satisfies a rule in the rule table, the FPGA device sends it through the internal network interface to the internal network; if the packet does not satisfy any rule in the rule table, the FPGA device drops it.
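The application-layer step in the working principle above, where the embedded software on the FPGA parses and screens a packet after the network-layer circuits have admitted it (the classification H04L63/0245, filtering by information in the payload), as an added example in C, not code from the patent: a screen that takes the TCP payload of a segment already admitted to port 80 and forwards it only if it begins with a well-formed HTTP/1.x request line whose method is on an allowlist. The method allowlist, the 2048-byte line bound and the origin-form target requirement are assumptions of this example, and the sample payloads are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum app_verdict { APP_DROP = 0, APP_FORWARD = 1 };

/* Assumed policy for the internal web server: only these request methods pass. */
static const char *const allowed_methods[] = { "GET", "HEAD", "POST" };

/* Longest request line the screen will scan. Longer lines are dropped rather than
 * buffered, so a stream of unterminated bytes cannot stall the screen. */
#define MAX_REQUEST_LINE 2048

/* Screen one TCP payload that the header stage already admitted to port 80. Forwards
 * only if the payload starts with a well-formed HTTP/1.x request line of the form
 * METHOD SP origin-form-path SP HTTP/1.x CRLF; anything else is dropped. */
int screen_http_request(const uint8_t *p, size_t len)
{
    size_t limit = len < MAX_REQUEST_LINE ? len : MAX_REQUEST_LINE;
    size_t eol = 0;
    while (eol + 1 < limit && !(p[eol] == '\r' && p[eol + 1] == '\n'))
        eol++;
    if (eol + 1 >= limit)
        return APP_DROP;                         /* no CRLF within the bound */

    /* Printable ASCII only before the CRLF: this rejects TLS records and other binary
     * protocols sent to port 80, and bare CR, LF or NUL injected into the line. */
    for (size_t i = 0; i < eol; i++)
        if (p[i] < 0x20 || p[i] > 0x7e)
            return APP_DROP;

    /* Exactly three space-separated tokens. */
    const uint8_t *end = p + eol;
    const uint8_t *sp1 = memchr(p, ' ', eol);
    if (!sp1)
        return APP_DROP;
    const uint8_t *sp2 = memchr(sp1 + 1, ' ', (size_t)(end - (sp1 + 1)));
    if (!sp2 || memchr(sp2 + 1, ' ', (size_t)(end - (sp2 + 1))))
        return APP_DROP;

    /* Method allowlist. */
    size_t mlen = (size_t)(sp1 - p);
    int allowed = 0;
    for (size_t i = 0; i < sizeof allowed_methods / sizeof allowed_methods[0]; i++)
        if (strlen(allowed_methods[i]) == mlen && memcmp(p, allowed_methods[i], mlen) == 0)
            allowed = 1;
    if (!allowed)
        return APP_DROP;

    /* Target must be origin-form ("/..."), not absolute-form or "*"; version must be
     * HTTP/1.0 or HTTP/1.1 (exactly eight bytes, so sp2[8] is the last byte before CRLF). */
    if (sp1[1] != '/')
        return APP_DROP;
    if (end - (sp2 + 1) != 8 || memcmp(sp2 + 1, "HTTP/1.", 7) != 0 ||
        (sp2[8] != '0' && sp2[8] != '1'))
        return APP_DROP;
    return APP_FORWARD;
}

/* Convenience wrapper for NUL-terminated inputs. */
int screen_http_cstr(const char *s)
{
    return screen_http_request((const uint8_t *)s, strlen(s));
}

int main(void)
{
    /* Constructed payloads, not captured traffic. */
    const char *samples[] = {
        "GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n",
        "DELETE /index.html HTTP/1.1\r\n",
        "\x16\x03\x01\x02\xfc\x01\x02\xf8\x03\x03",   /* TLS record sent to port 80 */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s\n", i, screen_http_cstr(samples[i]) == APP_FORWARD ? "forward" : "drop");
    return 0;
}
```

The screen fails closed: a request line that does not end in CRLF within its bound, carries a non-printable byte, has a method outside the allowlist, uses an absolute-form target, or names any version other than HTTP/1.0 or HTTP/1.1 is dropped. Because it inspects one segment at a time, a request line split across two TCP segments is dropped as well; an implementation that wants to accept such requests has to reassemble the stream before screening, which is also what closes the evasion of splitting a forbidden method across segment boundaries.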
In one embodiment of the proposed field programmable gate array firewall device, the CPU is an Intel Core i5-8300 CPU chip, the FPGA is a Xilinx Virtex-7 FPGA chip, and the external and internal network interfaces use the Broadcom BCM5464 gigabit Ethernet interface chip.
Claims (1)
1. A firewall device based on a field programmable gate array, characterised in that the firewall device comprises:
a central processing unit for initializing, configuring and managing the field programmable gate array device, which configures the arithmetic logic, interconnect resources and I/O modules of the field programmable gate array device, builds dedicated task circuits for packet transmission and reception, classification and fixed-field pattern matching, maintains and upgrades the network rule table, and loads the embedded packet filtering software into the field programmable gate array device, the central processing unit being connected to the memory by an internal bus;
a memory for temporarily storing the working data of the central processing unit and the data exchanged between the central processing unit and the external storage;
an external storage for storing the programs and data run by the firewall device, the external storage being connected to the central processing unit by a high-speed serial computer expansion bus;
a high-speed serial computer expansion bus interface for interconnecting the field programmable gate array device and the central processing unit;
a field programmable gate array device for running the embedded packet filtering software and for monitoring and filtering, according to the rule table, the network packets passing through the field programmable gate array device, which at the network layer of a packet uses the dedicated task circuits to receive, transmit, classify and fixed-field pattern match the packet and at the application layer of the packet parses and screens the packet with the embedded software, such that if the packet satisfies a rule in the rule table the field programmable gate array device sends the packet to the internal network through the internal network interface, and if the packet does not satisfy any rule in the rule table the field programmable gate array device drops the packet, the field programmable gate array device being connected to the central processing unit through the high-speed serial computer expansion bus interface, to the Internet through the external network interface, and to the internal network through the internal network interface;
an external network interface for receiving external network data and passing it to the field programmable gate array device;
an internal network interface for sending the network data filtered by the field programmable gate array device to the internal network.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201910021687.XA | 2019-01-10 | 2019-01-10 | A firewall device based on a field programmable gate array

Publications (1)
Publication Number | Publication Date
---|---
CN109495517A | 2019-03-19

Family
ID=65714341
Family Applications (1)
Application Number | Status | Priority Date | Filing Date
---|---|---|---
CN201910021687.XA | Withdrawn | 2019-01-10 | 2019-01-10
Country Status (1)
Country | Publication
---|---
CN | CN109495517A
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN110719267A | 2019-09-25 | 2020-01-21 | 山东三未信安信息科技有限公司 | Server board card and data processing method thereof
CN116015696A | 2021-10-20 | 2023-04-25 | 中移系统集成有限公司 | Firewall system, malicious software detection method and device
Legal Events
Date | Code | Title | Description
---|---|---|---
 | PB01 | Publication | 
 | SE01 | Entry into force of request for substantive examination | 
 | WW01 | Invention patent application withdrawn after publication | Application publication date: 20190319