Hardware Firewalls Deepak Jacob Pratheek Suresh MACE 6 June 2022 1 Hardware Firewalls


Hardware Firewalls

Deepak Jacob

Pratheek Suresh

MACE

8 April 2023 Hardware Firewalls 1


Contents…

Securing Data. Need of firewalls. Operation & Role of hardware firewall. Filtering techniques. Implementing a hardware firewall. Conclusion.


Security… Why do we care???

Destruction of local data, disruption of local service etc.

Unauthorised access to local data (financial info …)

Base for high bandwidth attack on other targets (commercial, government ..)

Gain passwords, keys to attack peer sites

Illegal use of resources (stolen software, child pornography ..)


Need for a Firewall

You do not need a firewall if:

You have perfect (bug free) OS & have infallible system administrators and users

You don’t care if you have security incidents (unauthorised access to resources)


Basic Firewall Operation


Contd…


Hardware Firewall

Known as Firewall Appliances or Internet Security Appliances.

External devices that act as a guard post between your network and external networks.

Very little configuration. Very little maintenance.


Features

Stateful

Configurable

Fail-safe

Access lists, NAT, port-forwarding/blocking


Hardware Firewall on local network


Hardware Firewall Configurations


Everything not specifically permitted is denied!

Everything not specifically denied is permitted!

Techniques

Packet Filtering

Stateful packet Inspection (SPI)


Packet Filtering


Certain types of data packets are allowed through and others may be blocked.


SPI


Packet filtering + logical analysis (state of the packet)

Uses a two step process to determine whether or not packets will be allowed or denied

Variables are:
• Source IP address
• Destination IP address
• Protocol type (TCP/UDP)
• Source port
• Destination port
• Connection state

Packet Filtering


SPI


Compares the packets against the rules or filters.

Checks the dynamic state table to verify that the packets are part of a valid, established connection.
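The two SPI checks above, sketched in Python as an added example that is not part of the original slides: a default-deny rule match on the listed variables, plus a dynamic state table for established connections. The rule set, the addresses and the simplified TCP flag handling are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "TCP" or "UDP"
    sport: int
    dport: int
    flags: str = ""   # TCP flags: S=SYN, A=ACK, F=FIN, R=RST

# Constructed rule set, first match wins: (action, src net, dst net, proto, dst port)
RULES = [
    ("allow", "192.168.1.0/24", "0.0.0.0/0", "TCP", 443),
    ("allow", "192.168.1.0/24", "0.0.0.0/0", "UDP", 53),
]

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # dynamic state table of tracked flows

    def rule_allows(self, p):
        """Packet filtering: match the static fields against the rules."""
        for action, src, dst, proto, dport in self.rules:
            if (ip_address(p.src) in ip_network(src)
                    and ip_address(p.dst) in ip_network(dst)
                    and p.proto == proto and p.dport == dport):
                return action == "allow"
        return False         # everything not specifically permitted is denied

    def inspect(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        if fwd in self.state or rev in self.state:
            # Part of a tracked connection: allowed without a rule match.
            if p.proto == "TCP" and ("R" in p.flags or "F" in p.flags):
                self.state -= {fwd, rev}   # simplified teardown (assumption)
            return "allow"
        # No state yet: only a connection-opening packet that the rules
        # permit may create an entry; stray ACKs and replies are dropped.
        opens = p.proto == "UDP" or p.flags == "S"
        if opens and self.rule_allows(p):
            self.state.add(fwd)
            return "allow"
        return "deny"
```

A plain packet filter with the same rules would pass an inside host's bare ACK to port 443; the state table is what rejects it, and what lets the server's reply back in without an inbound rule.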


How to choose a Hardware Firewall?


• Architecture: Extent of configurability.
• No. of supported sessions.
• Integration with Exchange mail servers or collaboration servers.
• Type of interface: GUI/CLI/web based/remote login.
• Need for centralized management of multiple firewalls.
• High availability (load balancing, failover) features.


Creating a hardware firewall…

Embedded system design.

Field programmable gate array (FPGA).


• Semiconductor device

• Programmable logic components + Programmable Interconnects

SOC- Firewall Layout


Why use FPGAs ???

• Offer large logic capacity.
• Presence of higher-level embedded functions (DSP & PLL Blocks).
• Presence of embedded memories.
• Support full or partial in-system reconfiguration.
• Support a wide range of interconnection standards.
• Shorter time to market.
• Infield Debugging.
• Non-recurring engineering costs.



Development Steps


FPGA Design Methodology


How to program FPGA…?

VHDL, or VHSIC Hardware Description Language, is commonly used as a design-entry language for FPGAs and ASICs in electronic design automation.


Benefits of Hardware Firewalls

Cost effective method of internet security for more than one computer.

Continues protecting without any necessary computer configuration.


Shortcomings…

Generally slower than their ASIC counterparts

Draws more power


Conclusion

In this highly evolving and insecure world, preserving one's private data is a subject of prime concern to an individual.

Hardware firewalls using FPGAs come as a cheap, efficient and reliable way of protecting an individual's privacy.




Thank You


Queries???


System-On-Chip Internet Firewall
– Core components:
  • Perform payload scanning, Packet classification, and Per-flow queuing
– Extensible modules:
  • Implement new features in reconfigurable hardware
– Implementation platform:
  • Runs on the Field Programmable Port Extender (FPX)

Integration Server
– Reads uploaded VHDL/EDIF code
– Combines modules at user-defined interfaces
– Runs simplify and backend to implement custom SOC firewall

Test Server
– Performs at-speed testing of SOC firewall
– Injects and records Internet Traffic
– Graphically displays input and output packets


Strengths & Weakness

• very little impact on network performance
• can be implemented transparently
• application independent
• more secure than basic packet filtering firewalls
• provides application layer protocol awareness
• have some logging capabilities.
• provides higher degree of security

does not break the client/server model and therefore allows a direct connection to be made between the two endpoints.

Rules can become complex, hard to manage, prone to error and difficult to test