Design Remote Reconfiguration Supported Security Protection System on NetFPGA and Virtex5
A new kind of high-efficiency and more secure strategy in network security protection
Kai Zhang, Xiaoming Ding, Ke Xiong, Shuo Dai, Baolong Yu
Author Introduction (1)
Kai Zhang: Master of Engineering in Signal and Information Processing, Institute of Information Science, Beijing Jiaotong University (formerly known as Northern Jiaotong University), Beijing, China. His research interests include Security Architecture, Reusable Methodology and Design Implementation of LTE Advanced. E-mail: kzhang0503_at_gmail.com
Xiaoming Ding: Associate Professor, Institute of Information Science, School of Computer Information Technology, Beijing Jiaotong University, Beijing, China. His research interests include Information Theory, Information Security, EDA/SOPC Development and Reusable Methodology. E-mail: xmding_at_bjtu.edu.cn
Author Introduction (2)
Ke Xiong: received his B.Sc. and Ph.D. degrees from Beijing Jiaotong University, Beijing, China. He is now a postdoctoral researcher at the Department of Electronic Engineering, Tsinghua University, China. His research interests include Next Generation Networks, QoS Guarantee in IP Networks, Multimedia Communication, Network Information Theory and Network Coding.
Main Content
1. Introduction
2. Architecture
3. Implementation
4. Conclusion
1. Introduction
Background
- Network security and terminal security issues:
  - Network attacks, including denial of service attacks, unauthorized access, distributed attacks and so on.
  - Terminal attacks: virus and Trojan horse attacks via USB storage devices cannot be completely resolved.
  - Other problems, such as user information disclosure.
- This is one of the urgent key problems that needs to be solved in information security.
- It underlines the importance of security measures.
1. Introduction
Solutions
- How to effectively improve network security and terminal security?
- 1. Traditional security protection systems
  - Traditional network protection systems:
    - Traditional software firewall
    - Traditional hardware firewall
  - Traditional terminal protection systems
- 2. Reconfigurable security protection systems
  - Reconfigurable network protection systems:
    - Reconfigurable hardware firewall
  - Reconfigurable terminal protection systems
1. Introduction
Reconfigurable hardware firewall
[Figure: evolution of firewalls. Software firewall -> traditional HW firewall (ASIC dedicated chips) -> reconfigurable HW firewall -> HW firewall with remote reconfiguration supported, which can update both the HW circuits and the SW system.]
Remote reconfiguration: ensures the efficiency and security.
1. Introduction
NIDS
- A firewall is not the ultimate solution for network security. Total reliance on the firewall tool may provide a false sense of security. The firewall will not work alone (no matter how it is designed or implemented), as it is not a panacea.
- It is inconvenient for the firewall because most of its information about attacks depends on the administrators.
2. Architecture
[Figure: system architecture. Reconfigurable firewall with a filtering table (two register tables) and the control panel of the hardware firewall; protected servers: 1. sample web server, 2. web camera app (RTP); NIDS running on PetaLinux with libpcap, detecting SQL injection and CGI attacks.]
2. Architecture
Most parts of this protection system are designed and implemented in hardware to be faster and more secure. On the one hand, packet filtering in hardware, immunity from ARP attacks in hardware, and monitoring and transmitting with hardware acceleration are designed and implemented on the NetFPGA to protect the subnet from network attacks. On the other hand, AES and DES encryption modules in hardware, and immunity from USB viruses and Trojan horses by physical isolation, are designed and implemented on the DE2 board to protect terminal security effectively.
3.1 Reconfigurable Hardware Firewall
Packet filtering on the NetFPGA: layout of the packet header fields on the 64-bit user data path (in_data), by word and register bits

Word | bits 63:48      | bits 47:32      | bits 31:16   | bits 15:0
-----+-----------------+-----------------+--------------+-----------------
  1  | eth dst addr    | eth dst addr    | eth dst addr | eth src addr hi
  2  | eth src addr lo | eth src addr lo | type         | ver, ihl, tos
  3  | total length    | id              | flags, fof   | ttl, proto
  4  | checksum        | src ip          | src ip       | dst ip hi
  5  | dst ip lo       | src port        | dst port     | TCP/UDP len
  6  | TCP/UDP cksum   | DATA            | DATA         | DATA
  7  | DATA            | DATA            | DATA         | DATA
 ... | DATA            | DATA            | DATA         | DATA
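A software model of this word layout, added here as an example and not the project's own NetFPGA Verilog: it splits a frame into 64-bit in_data words, reads the header fields at the register-bit offsets in the table above, and checks them against a constructed filtering table with default deny. The server addresses, rules and test frame are constructed, and frames that are not plain IPv4 (IHL = 5) are dropped because the fixed offsets do not apply to them.

```python
import struct
from ipaddress import IPv4Address

def frame_to_words(frame):
    """Split a frame into 64-bit big-endian words as the NetFPGA in_data path carries it."""
    frame += b"\x00" * ((-len(frame)) % 8)          # last word is zero-padded
    return [int.from_bytes(frame[i:i + 8], "big") for i in range(0, len(frame), 8)]

def bits(word, hi, lo):
    """Register-bit slice word[hi:lo], inclusive, as the table's columns are numbered."""
    return (word >> lo) & ((1 << (hi - lo + 1)) - 1)

def parse_headers(words):
    """Read header fields from words 1..5 at the table's fixed offsets. Returns None
    unless the frame is IPv4 with a 20-byte header (IHL=5), the only case the offsets hold."""
    if len(words) < 5:
        return None
    w1, w2, w3, w4, w5 = words[:5]
    if bits(w2, 31, 16) != 0x0800 or bits(w2, 15, 8) != 0x45:
        return None
    return {
        "eth_dst": bits(w1, 63, 16),
        "eth_src": (bits(w1, 15, 0) << 32) | bits(w2, 63, 32),
        "proto": bits(w3, 7, 0),
        "src_ip": IPv4Address(bits(w4, 47, 16)),
        "dst_ip": IPv4Address((bits(w4, 15, 0) << 16) | bits(w5, 63, 48)),
        "src_port": bits(w5, 47, 32),
        "dst_port": bits(w5, 31, 16),
    }
# Constructed filtering-table entries (src_ip, dst_ip, proto, dst_port, action):
# None is a wildcard, the first match wins, and an unmatched frame is dropped.
FILTER_TABLE = [
    (None, IPv4Address("10.0.0.80"), 6, 80, "pass"),     # sample web server
    (None, IPv4Address("10.0.0.81"), 17, 5004, "pass"),  # web camera (RTP)
]

def filter_frame(frame):
    hdr = parse_headers(frame_to_words(frame))
    if hdr is None:
        return "drop"          # non-IPv4 or IP options present: no fixed-offset match
    for src, dst, proto, dport, action in FILTER_TABLE:
        keys = ((src, "src_ip"), (dst, "dst_ip"), (proto, "proto"), (dport, "dst_port"))
        if all(want is None or want == hdr[key] for want, key in keys):
            return action
    return "drop"

def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b"\x00" * 8):
    """Constructed test frame: Ethernet + 20-byte IPv4 + 8-byte L4 header, checksums zero."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, proto, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
```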
4. Innovation: Reconfigurable Hardware Firewall
Hardware firewall with remote reconfiguration supported:
- 1. Reconfigurable HW firewall
  - Packet filtering in hardware, immunity from ARP attacks in hardware
- 2. Reconfigurable design
  - Improve performance, reduce the cost
- Remote reconfiguration
  - Updating the system via any device
Traditional hardware firewall:
- Updating hardware means a lot of time and money will be wasted
Traditional software firewall:
- Low performance
- Its speed and throughput are not high enough
Thank you!