DOI: 10.1145/1095890.1095906

Network processor acceleration for a Linux* netfilter firewall

Published: 26 October 2005

Abstract

Network firewalls occupy a central role in computer security, protecting data, compute and networking resources while still letting useful packets flow. Increases in both the work per packet and the packet rate make it increasingly difficult for firewalls based on general-purpose processors to maintain line rate. To address these evolving requirements we prototyped a hybrid firewall, using a simple firewall running on a network processor to accelerate a Linux* Netfilter firewall executing on a general-purpose processor. The simple firewall on the network processor provides high-rate packet processing for all packets, while the general-purpose processor delivers high-rate, full-featured firewall processing for those packets that need it. This paper describes the hybrid firewall prototype, focusing on the software created to accelerate Netfilter with the network-processor-resident firewall. Measurements show that the hybrid firewall sustains close to 2 Gb/s line rate for all packet sizes, a significant improvement over the original firewall. We also include the hard-won lessons learned while implementing it.
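The fast-path/slow-path split the abstract describes, as an added Python simulation that is not code from the paper or from Netfilter: a small exact-match flow table plays the network-processor firewall and an ordered first-match rule list plays the full Netfilter firewall. The rule format, the LRU eviction policy, the four-entry table capacity and the traffic constructed in demo() are assumptions made for illustration, not details taken from the paper.

```python
from collections import OrderedDict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Packet:
    """Minimal IPv4 header view: only the fields the two tiers look at."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    size: int = 64      # bytes on the wire

    def flow(self):
        """5-tuple used as the fast-path flow table key."""
        return (self.src, self.dst, self.proto, self.sport, self.dport)


class SlowPath:
    """Stands in for the full Netfilter firewall on the general-purpose CPU:
    an ordered rule list, first match wins, default policy otherwise."""

    def __init__(self, rules, policy=DROP):
        self.rules = rules          # (src_net, proto|None, dport|None, action)
        self.policy = policy
        self.packets = 0            # how many packets reached this tier

    def decide(self, pkt):
        self.packets += 1
        for src_net, proto, dport, action in self.rules:
            if (ip_address(pkt.src) in ip_network(src_net)
                    and proto in (None, pkt.proto)
                    and dport in (None, pkt.dport)):
                return action
        return self.policy


class FastPath:
    """Stands in for the simple firewall on the network processor: an exact-match
    flow table with LRU eviction. Every packet passes through here; a table
    miss is punted to the slow path and the verdict is cached for that flow."""

    def __init__(self, slow, capacity=4):
        self.slow = slow
        self.capacity = capacity    # deliberately tiny (assumption) to show exhaustion
        self.table = OrderedDict()  # flow key -> [action, packets, bytes]
        self.hits = self.misses = 0

    def process(self, pkt):
        key = pkt.flow()
        entry = self.table.get(key)
        if entry is None:
            self.misses += 1
            action = self.slow.decide(pkt)
            if len(self.table) >= self.capacity:
                self.table.popitem(last=False)      # evict least recently used
            entry = self.table[key] = [action, 0, 0]
        else:
            self.hits += 1
            self.table.move_to_end(key)             # mark as recently used
        entry[1] += 1
        entry[2] += pkt.size
        return entry[0]


def demo():
    """Constructed traffic: a long web flow, repeated blocked telnet attempts,
    then a burst of distinct flows that evicts the web flow from the table."""
    rules = [
        ("10.0.0.0/8", "tcp", 22, ACCEPT),   # ssh only from the internal net
        ("0.0.0.0/0", "tcp", 80, ACCEPT),    # web from anywhere
        ("0.0.0.0/0", "udp", 53, ACCEPT),    # dns from anywhere
    ]
    fw = FastPath(SlowPath(rules), capacity=4)
    verdicts = []

    def web(syn=False):
        return Packet("198.51.100.7", "10.1.1.1", "tcp", 40001, 80, syn)

    verdicts.append(fw.process(web(True)))               # first packet: slow path
    verdicts += [fw.process(web()) for _ in range(999)]  # the rest: fast-path hits
    for _ in range(4):                                   # repeated telnet attempts
        verdicts.append(fw.process(Packet("203.0.113.9", "10.1.1.1", "tcp", 50000, 23, True)))
    for sport in range(50001, 50009):                    # 8 new flows: 8 more misses
        verdicts.append(fw.process(Packet("203.0.113.9", "10.1.1.1", "tcp", sport, 23, True)))
    verdicts.append(fw.process(web()))                   # evicted, so slow path again
    return fw, verdicts


if __name__ == "__main__":
    fw, v = demo()
    print(f"fast-path hits={fw.hits} misses={fw.misses} slow-path packets={fw.slow.packets}")
```

The counters show the point of the design: the 1000-packet web flow costs the slow path a single decision, and once a DROP verdict is cached the repeated telnet attempts never leave the fast path. The last stage shows the failure mode a practitioner has to plan for: a burst of distinct 5-tuples (a port scan or a SYN flood) evicts established flows and turns every packet into a slow-path miss, so the network-processor tier needs its own rate limiting, or a table sized for the expected flow count, or the general-purpose processor becomes the bottleneck again.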



    Published In

    ANCS '05: Proceedings of the 2005 ACM symposium on Architecture for networking and communications systems
    October 2005
    230 pages
    ISBN: 1595930825
    DOI: 10.1145/1095890

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. hybrid firewall
    2. netfilter
    3. network firewall
    4. network processor
    5. prototype
    6. throughput

    Qualifiers: Article

    Conference: ANCS05

    Acceptance Rates: overall acceptance rate 88 of 314 submissions, 28%
