Diadem - FPGA


  • FPGA Network Firewalling
    David Thomas

  • Outline
    - The Diadem firewall project
    - Role of FPGAs within Diadem
    - The IBM FPGA Firewall
    - Primary goals
    - Progress

  • The Diadem Project
    - Funded by the EU (your tax Euros at work)
    - Nine partners: four academic, three industrial
    - Five countries: France, Germany, Slovenia, UK, Poland
    - Three year project, 6 months left

  • Diadem Goals
    - Create a firewall that uses distributed elements within networks to detect and respond to attacks
      - Monitoring elements detect attacks in progress
      - Policy elements decide how to react to attacks
      - Firewall elements put the reaction policy into effect
    - Target areas are large organisations or ISPs with many peering points to foreign networks

  • Example network architecture

  • Diadem network architecture

  • Example: SYN flood attack (1)
    - TCP uses a three-way handshake:
      1. client -> server : SYN
      2. client <- server : SYN/ACK
      3. client -> server : ACK (connection established)
    - Between steps 2 and 3 the server must maintain state, using system memory
    - Memory can only be released after a timeout
    - Once memory is used up no new connections can be established

  • Example: SYN flood attack (2)
    - Attacker uses zombies to spoof source addresses
    - Zombies continually perform step 1 but never send packet 3:
      fake_ip1 -> server : SYN
      fake_ip1 <- server : SYN/ACK
      fake_ip2 -> server : SYN
      ...
  • Example: SYN flood response
    - Use a firewall between clients and the server to screen new connections:
      1. client -> fwall : SYN
      2. client <- fwall : SYN/ACK
      3. client -> fwall : ACK (client added to whitelist)
      4. client -> fwall -> server : SYN (client now on whitelist)
      5. client <- server : SYN/ACK
      6. client -> server : ACK (connection established)
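The screening idea on the slides above, as an added example that is not part of the original deck: a small simulation in which a server with a finite half-open table is flooded with spoofed SYNs, once unprotected and once behind a firewall that answers SYNs itself and forwards only whitelisted clients. The backlog size, the `fake_ipN` zombie addresses and the honest client address are constructed for the example.

```python
class Server:
    """Server with a finite half-open table: the resource a SYN flood exhausts."""
    def __init__(self, backlog):
        self.backlog, self.half_open = backlog, set()   # SYNs awaiting the final ACK

    def on_syn(self, src):
        if len(self.half_open) >= self.backlog:
            return "DROP"           # table full: even honest clients are refused
        self.half_open.add(src)
        return "SYN/ACK"

    def on_ack(self, src):
        if src not in self.half_open:
            return "RST"
        self.half_open.discard(src)
        return "ESTABLISHED"

class ScreeningFirewall:
    """Answers SYNs itself; only clients that complete the handshake reach the server."""
    def __init__(self, server):
        self.server, self.pending, self.whitelist = server, set(), set()

    def on_syn(self, src):
        if src in self.whitelist:
            return self.server.on_syn(src)   # step 4 on the slide: SYN passed through
        self.pending.add(src)
        return "SYN/ACK"                     # answered here, no server memory consumed

    def on_ack(self, src):
        if src in self.pending:
            self.pending.discard(src)
            self.whitelist.add(src)
            return "WHITELISTED"             # step 3: client proved it owns its address
        if src in self.whitelist:
            return self.server.on_ack(src)   # step 6: connection established
        return "DROP"

def run_flood(n_zombies, backlog, screened):
    """Flood with n_zombies spoofed SYNs (packet 3 never follows), then run one
    honest client's handshake; returns the final reply that honest client gets."""
    server = Server(backlog)
    front = ScreeningFirewall(server) if screened else server
    for i in range(n_zombies):
        front.on_syn(f"fake_ip{i}")         # constructed spoofed sources
    honest = "10.0.0.7"                     # constructed legitimate client
    front.on_syn(honest)
    if screened:
        front.on_ack(honest)                # step 3: whitelisted by the firewall
        front.on_syn(honest)                # step 4: SYN now reaches the server
    return front.on_ack(honest)
```

Without screening the zombies fill the server's table and the honest client is refused; with the firewall in front, the spoofed sources never complete step 3 and consume no server memory.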

  • Diadem network architecture

  • Accelerated network architecture

  • The IBM FPGA Firewall (1)
    - IBM (one of the partners) have created a hardware accelerated firewall
    - Uses a host PC and a PCI FPGA card
    - Host PC reads packets from the network and extracts packet headers
      - srcIp, dstIp, srcPort, dstPort, flags : ~100 bits
    - FPGA does packet classification: looks at the packet headers supplied by the host and determines the correct action (accept, reject, log etc.)
    - Host PC applies the appropriate action to the packet and sends it back to the network
    - The FPGA only does packet classification

  • The IBM FPGA Firewall (2)
    - They've had some problems
      - They use weird FPGA boards with no support
      - They're talking to the FPGA in kernel mode!
      - The number of rules they can apply is limited by the amount of TCAM they can instantiate
        - TCAMs use SRL16s, not block RAMs
      - No expertise in FPGAs
    - There is a bottleneck on the PC side
      - It is difficult to process gigabit streams in software, even when packet classification is done in hardware

  • Enter Imperial
    - What IC brings to the table
      - We have RC300s: full duplex Gb Ethernet
      - We know a lot about FPGAs
      - We don't take three hours for lunch
    - Our goal: a standalone FPGA firewall
      - Performs the functionality of the IBM firewall
      - Uses the same API as the IBM firewall
      - Operates at high data and packet rates

  • Current Platform: RC300
    - Virtex-II xc2v600 FPGA
      - 6 M gates (33K slices)
      - 2.6 Mbits of embedded RAM
    - Intel IXF1104 MAC
      - Two full duplex 1Gb Ethernet ports
      - Exposed to the FPGA as two 8-bit streams at 125MHz
    - Samsung ZBT SRAM
      - 4MB of 36 bit wide RAM @ 117MHz
      - Four independent banks
      - ZBT: can interleave reads and writes at full speed

  • Firewall Model (diagram)
    Components: Workstation, Router, Cloud, Firewall Element, Intranet, RC300 Firewall Device, Internet, System Manager
    Table updates sent via network; table updates sent over USB
    Rule changes sent to the firewall element; rule changes translated into updates for the firewall's internal tables

  • Assumptions
    - The firewall does not need to be very clever
      - Rules are translated into tables elsewhere
      - Updates are sent to the firewall as binary patches to be applied to internal tables (as UDP packets or over USB)
    - The firewall does not need to maintain state
      - No support for packet fragmentation/reassembly
      - No need to recognise packets as part of a stream
    - The firewall is connected to a single endpoint at each port
      - Only needs to know two Ethernet MACs, no ARP
    - The set of firewall responses is very simple

  • Classification
    - Classification is performed on a subset of the packet header info
      - Source and destination IP address (2x32 bits)
      - Source and destination ports (2x16 bits)
      - Miscellaneous flags/protocol type (~12 bits)
    - Rules are specified as a list in order of priority, e.g.
      - Dest=server:80, src=?:?, Protocol=TCP -> Accept
      - Dest=server:?, src=?:?, Protocol=? -> Reject
    - The classifier needs to find the first matching rule within the list

  • Responses
    - Basic
      - Accept, Reject
      - Redirect (patch IP dest for inward, source for outward)
      - Log (envelope packet info and send to an IP)
      - Reply with error
      - Throttling (random drop)
      - Simple combinations of the above
    - Possible
      - Throttling (limit to specified rate)
      - SYN flood protection
      - Statistics gathering
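A software model of the first-match classifier from the Classification slide, added here and not code from the Diadem project: the header fields are packed into one key and each rule becomes a TCAM-style (value, mask) entry, with '?' fields leaving their mask bits clear, so that the first rule in priority order whose masked key matches decides the action. The 8-bit protocol field stands in for the slide's ~12 bits of flags/protocol, and the server and client addresses are constructed for the example.

```python
import ipaddress

# (name, width in bits) of the header fields packed into the lookup key, MSB first
FIELDS = (("src_ip", 32), ("dst_ip", 32), ("src_port", 16), ("dst_port", 16), ("proto", 8))
PROTO = {"TCP": 6, "UDP": 17, "ICMP": 1}

def encode(name, value):
    """Numeric value of one header field."""
    if name.endswith("_ip"):
        return int(ipaddress.ip_address(value))
    if name == "proto":
        return PROTO[value]
    return int(value)

def pack(header):
    """Concatenate the five header fields into one ~100-bit integer key."""
    key = 0
    for name, bits in FIELDS:
        key = (key << bits) | encode(name, header[name])
    return key

def compile_rule(spec, action):
    """Turn a rule with '?' wildcards into a TCAM-style (value, mask, action) entry."""
    value = mask = 0
    for name, bits in FIELDS:
        value, mask = value << bits, mask << bits
        field = spec.get(name, "?")
        if field != "?":                   # a '?' field leaves its mask bits clear: don't care
            value |= encode(name, field)
            mask |= (1 << bits) - 1
    return value, mask, action

def classify(rules, header, default="Reject"):
    """Return the action of the first (highest priority) rule the header matches."""
    key = pack(header)
    for value, mask, action in rules:
        if key & mask == value:            # first hit wins; later rules are never reached
            return action
    return default                         # no rule matched: constructed catch-all action

SERVER = "192.0.2.10"                      # constructed server address
RULES = [                                  # priority order, mirroring the slide's two rules
    compile_rule({"dst_ip": SERVER, "dst_port": 80, "proto": "TCP"}, "Accept"),
    compile_rule({"dst_ip": SERVER}, "Reject"),
    compile_rule({"src_ip": "198.51.100.99"}, "Log"),   # constructed extra rule
]
```

Because rule order is priority, a packet from the logged source to the server is rejected by the second rule before the Log rule is ever considered.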

  • Firewall Architecture (diagram)
    Components on the RC300: Port 0 and Port 1, Routers, MBlaze, USB, Classifier/Processor pairs, BRAMs, ZBT RAM, DDR RAM, Cryptosupport
    Bulk storage for things like half-open connections; fast storage for table overflow
    USB comms route to host; network comms route to host

  • Integration
    - Acts as a simple front-end firewall
      - Acts as a high-speed barrier when under attack
      - Will still require the existing IBM firewall behind it to apply more complex rules (e.g. content inspection)
    - Can implement the same API as the existing IBM firewall
      - API implemented on a Linux host
      - Host translates API calls into table updates and forwards them to the RC300 over Ethernet or USB
      - May only support a subset of the functionality

  • Progress
    - Basic firewall is working
      - Supports up to 1024 rules (IBM does 256)
      - Supports up to 17.5 Mpackets/s
      - Up to 800 Gb/s
      - Limited by the Celoxica PSL
    - Currently working on integration with the Diadem API

  • Summary
    - Diadem firewall project
      - Distributed firewall to respond to distributed attacks
    - FPGAs used within the firewall for speed
    - Initial implementation currently running on the RC300