Secure Access Node: An FPGA-based Security Architecture for Access Networks The Sixth International Conference on Internet Monitoring and Protection (ICIMP.

1 Secure Access Node: An FPGA-based Security Architecture for Access Networks
The Sixth International Conference on Internet Monitoring and Protection (ICIMP 2011)
USSAF: User safety, privacy, and protection over Internet
St. Maarten, The Netherlands Antilles, March 20 – 25, 2011
J. Rohrbeck, V. Altmann, P. Danielis, S. Pfeiffer, D. Timmermann, University of Rostock, Germany, Institute of Applied Microelectronics and Computer Engineering
M. Ninnemann, M. Rönnau, Nokia Siemens Networks, Broadband Access Division, Greifswald, Germany

2 Motivation: Customers have to protect their private networks
Protection of Internet users is absolutely necessary!
- Customers attack customers, networks, and services
- They do that with or without awareness
Internet security today
- Networks with too few security measures
- A high level of security requires specialized knowledge
Customers have to protect their private networks
- They may not have the knowledge to do so
11/17/2018

3 Internet Security of Users
How to protect users' networks?
- Set filters against, e.g., spoofing
- Use blacklists, e.g., domain blocking
- Deep Packet Inspection (DPI), e.g., against unauthorized access
It is hard to configure security measures in the right way! Customers are overstrained with this task! Customers are not protected!

4 How to Increase Network Security?
Customer area, access area, core area: the Secure Access Node integrates a further stage of security into the access area.
- Provides basic protection for subscribers
- Eliminates misconfigured firewalls
- Fortifies the access node
- Creates a new service for ISPs

5 Requirements to the SecAN
- Protection of customers, access and core network
- Control of up to 32,000 connections
- Minimum traffic rate of 1 Gbit/s
- Uninterruptible traffic control
- Easy to upgrade

6 SecAN - Architecture
Diagram labels: Flow ID, Rule Set, Conf
Configuration: no packet processing without it; the begin and end of a configuration are signalled. During reconfiguration, traffic can be:
- blocked, or
- routed past the SecAN system via a bypass

7 SecAN - Architecture
Packet Classification Engine (PCE):
- Receives & buffers Ethernet frames
- Extracts frame parameters for frame classification & accelerated frame processing: MACs, VLANs, ethertype, protocol, IPs, ports
Rule Set Engine (RSE):
- Searches & delivers the specific rule set for the header infos: L2: MACs, VLANs, ethertypes; L3: protocol, IPs; L4: ports
Packet Processing Engine (PPE):
- Firewall: applies rules from the RSE
- Web filter: blocks blacklisted domains
- DPI: high speed pattern matching

8 Packet Classification & Rule Set Engine
Diagram: PCE and RSE exchange data; a distinct Flow ID (32k flows) is mapped to a Rule ID, which selects the Rule Set.

9 Packet Processing Engine – Firewall
High speed modular filter chain
- Easy to maintain
- Easy to extend
- Actions: accept, drop, modify
- Log data generation
Filter chain stages: OSI Layer 2 (ethertype, VLANs, MACs), OSI Layer 3 (protocols, IPs), OSI Layer 4 (ports), header modification (MAT, IP anti-spoof)
Filter chain: checks rule set data against the frame parameters in one cycle, so it is not necessary to wait on the frame data

10 Packet Processing Engine – Web Filter
Filtering URL vs. domain: a URL has nearly unlimited length, a domain has max. 255 bytes
- 4096 blacklisted domains
- Blacklisted domains are stored in a CRC64 hash tree; CRC64(domain) is looked up in the tree
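The domain filter described on this slide, as an added software illustration that is not the SecAN hardware design: the Host header is extracted (domains over 255 bytes are rejected), CRC64 of the domain is computed, and the value is looked up in a sorted hash array, which stands in for the hardware hash tree. The CRC64 polynomial (ECMA-182, MSB-first, zero init), the sample domains and the requests are assumptions.

```python
import bisect

CRC64_POLY = 0x42F0E1EBA9EA3693   # ECMA-182 polynomial (assumption; the slide only says CRC64)
MAX_DOMAIN_LEN = 255              # slide: domain max. 255 byte

def crc64(data: bytes) -> int:
    """Bitwise MSB-first CRC64, non-reflected, zero initial value."""
    crc = 0
    for byte in data:
        crc ^= byte << 56
        for _ in range(8):
            if crc & (1 << 63):
                crc = ((crc << 1) ^ CRC64_POLY) & 0xFFFFFFFFFFFFFFFF
            else:
                crc = (crc << 1) & 0xFFFFFFFFFFFFFFFF
    return crc

def build_blacklist(domains):
    """Sorted array of CRC64 values; binary search stands in for the hardware hash tree."""
    return sorted(crc64(d.lower().encode()) for d in domains)

def extract_domain(http_request: bytes):
    """Return the lower-cased Host of a raw HTTP/1.x request, or None if missing or > 255 bytes."""
    for line in http_request.split(b"\r\n")[1:]:
        if not line:
            break                                      # end of the header block
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().split(b":")[0].lower()   # drop an explicit port
            return host if 0 < len(host) <= MAX_DOMAIN_LEN else None
    return None

def is_blacklisted(blacklist, domain: bytes) -> bool:
    h = crc64(domain)
    i = bisect.bisect_left(blacklist, h)
    return i < len(blacklist) and blacklist[i] == h

def filter_request(blacklist, http_request: bytes) -> str:
    """'block' for a blacklisted Host, 'accept' otherwise (requests without a usable Host pass)."""
    domain = extract_domain(http_request)
    if domain is None:
        return "accept"
    return "block" if is_blacklisted(blacklist, domain) else "accept"

# Constructed sample data (not from the paper)
BLACKLIST = build_blacklist(["malware.example", "phish.example.net"])
REQ_BAD = b"GET /login HTTP/1.1\r\nHost: Phish.Example.net:8080\r\n\r\n"
REQ_GOOD = b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
```

CRC64 is a checksum, not a cryptographic hash, so a hit only says the 64-bit value matched a listed entry; where false blocks matter, confirm the hit against the stored domain string.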

11 Packet Processing Engine – DPI
- Snort database for attack patterns
- Real time pattern matching: 192,480 patterns/cycle
- Input data matching by a Bloom filter
Bloom filter: k hash functions h1 ... hk map a character string (the signature) to integers (indices), compressing the signature to k indices.

12 Packet Processing Engine – DPI
Memory for the m-bit vector / array (indices 0 ... m-1, 1 bit each):
- SDRAM: slow, external
- SRAM: quick, external
- BRAM: quick, internal
The k hash functions h1 ... hk map the signature to its k indices into the vector.

13 Packet Processing Engine – DPI
Initialization: the m-bit vector / array (indices 0 ... m-1, 1 bit each) is cleared; the k hash functions h1 ... hk compute the indices of a signature.

14 Packet Processing Engine – DPI
Programming & searching: for each signature, the k indices h1 ... hk(signature) are set to '1' in the m-bit vector; searching computes the same k indices for the input data and reads the bits. (Diagram label: E1)

15 Packet Processing Engine – DPI
Analysis: MATCH: all indices show a '1'; MISMATCH: at least one index is '0'
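The Bloom-filter stages of slides 11 to 15 (initialization, programming, searching, analysis) in software, as an added example rather than the paper's FPGA logic: signatures are programmed into an m-bit vector through k indices, every window of the payload is looked up, and a MATCH is reported only when all k bits are '1'. The hash construction (double hashing from SHA-256), the sample signatures and the payload are assumptions, not Snort rules or data from the paper.

```python
import hashlib

class BloomFilter:
    """m-bit vector programmed with k hash indices per signature (slides 11 to 15)."""

    def __init__(self, m: int, k: int):
        self.m, self.k = m, k
        self.bits = [0] * m           # initialization: every bit of the vector is '0'

    def _indices(self, data: bytes):
        # h1..hk derived from two halves of a SHA-256 digest (double hashing);
        # the paper does not name its hash functions, so this choice is an assumption.
        digest = hashlib.sha256(data).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def program(self, signature: bytes) -> None:
        # programming: set the k indices of the signature to '1'
        for idx in self._indices(signature):
            self.bits[idx] = 1

    def search(self, candidate: bytes) -> bool:
        # MATCH only if all k indices show a '1'; a single '0' is a definite MISMATCH
        return all(self.bits[idx] for idx in self._indices(candidate))

def build_filter(signatures, m: int = 4096, k: int = 4) -> BloomFilter:
    bf = BloomFilter(m, k)
    for sig in signatures:
        bf.program(sig)
    return bf

def scan_payload(bf: BloomFilter, payload: bytes, signatures):
    """Slide every signature length over the payload. Each Bloom MATCH is only a
    candidate: a Bloom filter never misses a programmed signature but can report
    false positives, so the hit is confirmed against the exact signature set."""
    exact = set(signatures)
    hits = []
    for length in sorted({len(s) for s in signatures}):
        for off in range(len(payload) - length + 1):
            window = payload[off:off + length]
            if bf.search(window):
                hits.append((off, window, window in exact))   # (offset, bytes, confirmed)
    return hits

# Constructed sample signatures and payload (not from the Snort database or the paper)
SIGNATURES = [b"/etc/passwd", b"cmd.exe?/c+", b"<script>"]
PAYLOAD = b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
```

In hardware the k lookups for one window happen in parallel in one cycle, which is what lets the filter keep up with line rate; the exact confirmation step is the part that needs the full signature data.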

16 Implementation of the SecAN
Diagram labels: DPI, Web Filter, Firewall, Configuration

17 Summary: ISP provided security solutions
- Low latency web data control (hardware-software co-design)
- Successfully prototyped
- Flexibility by reconfiguration
- Modular, expandable
- Customers' misconfigurations are eliminated
System performance: speed 4.57 Gbit/s

Module        Slices                  BRAM
PCE & RSE     4,106 (9%)              15 (10%)
Firewall      ca. 560/module (1.2%)   0 (0%)
Web filter    897 (2%)                13 (9%)
DPI module    17,150 (38%)            134 (90%)

Firewall modules, each: MAC CS 528 slices, IP CS 514 slices, Port CS 593 slices, IP anti-spoof 556 slices

18 Thank you for your attention! Questions?
