Report - Hardware Firewalls
By Deepak Jacob & Pratheek Suresh
Introduction
Data Security
Firewalls
Hardware Firewall
Basic Operation
Filtering Techniques
Pros & Cons
Life cycle
Hardware Firewall Solutions
Benefits of hardware firewalls
Implementation of hardware firewalls
FPGA
Hardware programming
VHDL
Pros and cons
Introduction
The Scope of the Problem
Just as police and fire fighting are among the essential services provided by
local governments, security has become a critical and necessary component of local
area networks—regardless of their size. With the proliferation of always-on
broadband Internet access, web commerce, wireless LANs, and network-enabled
business processes such as customer relationship management (CRM) and electronic
document handling, network vulnerability has increased, and with it the potential for
significant financial losses and serious damage to the business itself. The Computer
Security Institute's 2003 CSI/FBI Computer Crime and Security Survey (which covered
organizations ranging from large corporations and government agencies to small
businesses; eighteen percent of the respondents represented enterprises with fewer
than 99 employees) identified Internet connections as the part of the network that
is most frequently attacked. Seventy-eight percent of the survey respondents
reported that Internet connections were their weakest points, up from 57% in 1999.
Though viruses were named as the source of the majority of the attacks, the two
most often cited causes of financial losses were theft of proprietary information
(total reported loss: $70 million; average loss: $2.7 million) and denial of service
(total loss: $65 million).
However, it's difficult for organizations to know the full extent of the damage.
Seventy-five percent of the survey takers acknowledged losses from Internet attacks,
but just 47% were able to quantify them. But financial losses aren't the only
problem. Unauthorized use or misuse of networks can also undermine employee
morale and diminish the public's trust and confidence in the organization. If
information theft leads to criminal activity such as credit card fraud, there may also
be legal repercussions for the compromised organization. And in the case of
hospitals, public safety agencies, and other critical facilities, people's health and
well-being may also be at risk. The number of security incidents—one incident may occur
over time and involve multiple sites—reported to the Carnegie Mellon Software
Engineering Institute's CERT Coordination Centre (CERT/CC) has grown from
52,658 in all of 2001 to 76,404 in just the first two quarters of 2003. The CERT/CC
Overview of Incident and Vulnerability Trends (May 2003) lists the following as
key characteristics of today's security threats:
• Intruders are well prepared and organized, able to freely exchange information
and hacker-related tools.
• Internet attacks are relatively easy, low risk, and hard to trace; source code
isn't required to find vulnerabilities.
• Intruder tools and toolkits are more sophisticated and designed to support
large-scale attacks.
• As business infrastructures increasingly rely on the Internet, and the
complexity of protocols and applications keeps growing, many network
administrators lack the resources, time, and training to counter threats.
• Intruders are increasingly leveraging the availability of broadband
connections. Experiments conducted by various publications and security
organizations have shown that virtually all persistent Internet links are
periodically scanned for vulnerabilities, often beginning a few hours after the
connection is established.
All these statistics, trends, and observations point to one unavoidable fact: no
network that is connected to the Internet can afford to remain unprotected.
Firewalls
A firewall is a program or hardware device that filters the inbound information
arriving through the Internet connection into a private network or computer system.
If an incoming packet of information is flagged by the filters, it is not allowed
through.
Two types of firewalls:
• Software firewalls
• Hardware firewalls
[Figure 2: Basic Firewall Operation]
NAT and SPI
Pros
• Low overhead/high throughput. Stateful inspection provides enhanced security
over the packet filtering model without notable performance degradation.
• Like the packet filter, it also works at the network and transport layers, thus no
special client configuration or client software is required.
• Only temporarily opens holes in the Network Perimeter. Since the time a hole in
the perimeter is open is greatly reduced, many types of attacks that work against
static packet filters are more difficult or perhaps impossible to use against a dynamic
packet filter. Again, because there is very little work done outside of routing traffic,
the overhead is relatively low. Therefore, similar hardware platforms will often
produce higher throughput when using dynamic packet filtering techniques than
when using application gateways.
• Supports almost any service (back-channel services like File Transfer Protocol
(FTP) have to be handled as a special case). Since packet filters are
application-unaware, they can be set up to allow any type of IP traffic to pass
through the firewall.
Cons
• Allows direct IP connections to internal hosts by external clients. While dynamic
packet filtering does well in reducing the amount of exposure, external systems—
under the control of the firewall—still are able to make an IP connection with an
internal machine as the endpoint. The primary disadvantage of any packet filtering
gateway is that once access has been granted by the device to a host on the internal
network, the attacker has direct access to any exploitable weaknesses in either the
software or the configuration of that host. The ability to jump off to other internal
hosts from that point is restrained only by the security present on those hosts.
• Offers no user authentication (if supported, it is supported via an application
gateway).
• This type of firewall requires more administrative setup than packet filtering. (The
connection table has to be built to track individual packet flows. These flows are
then checked against preset policies to determine access or denial action to be
taken.)
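To make the contrast between a static packet filter and the dynamic (stateful) packet filtering described in the pros and cons above concrete, the following Python simulation is added here; it is not part of the original report. The internal address prefix, the idle timeout and the packet values are constructed for the example, and the "allow destination ports above 1023" rule stands in for a typical static filter policy.

```python
from dataclasses import dataclass

INSIDE_NET = "10.0.0."   # constructed internal address prefix
IDLE_TIMEOUT = 30.0      # seconds of silence before a tracked flow is dropped


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool      # TCP SYN flag: set on the first packet of a connection
    t: float       # arrival time in seconds (constructed clock)


def static_filter(pkt: Packet) -> bool:
    """Static packet filter: inside->outside is always allowed, and inbound
    traffic is allowed whenever the destination port is unprivileged (the
    classic 'allow dport > 1023' rule). That hole is open permanently, so
    any external host may reach an internal host on such a port."""
    if pkt.src.startswith(INSIDE_NET):
        return True
    return pkt.dport > 1023


class StatefulFilter:
    """Dynamic packet filter: the connection table records flows opened by
    internal hosts, keyed on (inside ip, inside port, outside ip, outside
    port). Inbound packets pass only for a tracked flow; idle flows expire."""

    def __init__(self) -> None:
        self.table: dict[tuple[str, int, str, int], float] = {}

    def _expire(self, now: float) -> None:
        for key in [k for k, last in self.table.items() if now - last > IDLE_TIMEOUT]:
            del self.table[key]           # the temporary hole closes again

    def allow(self, pkt: Packet) -> bool:
        self._expire(pkt.t)
        if pkt.src.startswith(INSIDE_NET):          # outbound direction
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn or key in self.table:         # SYN opens, others refresh
                self.table[key] = pkt.t
                return True
            return False
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # inbound: mirror the tuple
        if key in self.table:                        # reply to a tracked flow
            self.table[key] = pkt.t
            return True
        return False                                 # unsolicited: dropped
```

An unsolicited inbound packet to a high port is accepted by static_filter but rejected by StatefulFilter, and even a genuine reply is rejected once the flow has been idle longer than IDLE_TIMEOUT.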
Hardware firewalls are more expensive than personal firewalls, but considering you
only need one to protect an entire network, hardware firewalls are the most cost
effective method for internet security protection if you have more than one computer
to protect. Unlike software firewalls, which have to be reinstalled and reconfigured
after a computer crash or upgrade to a newer computer, a hardware firewall
continues protecting without any computer configuration necessary - no matter what
computers are on the network.
Now we discuss a different approach for realizing digital systems, called embedded
system design. It leverages the advanced capabilities of today's IC technology by
implementing many of the components of the system within a single chip, such as a
field programmable gate array (FPGA). Embedded security systems are required because
purely software defences are unable to cope with packet rates on high-speed
networks. Reconfigurable logic is well suited to the changing nature of the threat.
The design has been accomplished through hardware compilation on a platform
FPGA, a method appropriate to quickly matching changing threats.
[Figure: An overview of the development steps]
FPGA
An FPGA is a:
• Semiconductor device that
• Contains programmable logic components
• Contains programmable interconnects
The programmable logic components can be programmed to duplicate the
functionality of basic logic gates such as AND, OR, XOR, NOT or more complex
combinational functions such as decoders or simple math functions.
They also include memory elements, which may be simple flip-flops or more
complete blocks of memories. A hierarchy of programmable interconnects allows
the logic blocks of an FPGA to be interconnected as needed by the system designer,
somewhat like a one-chip programmable breadboard. These logic blocks and
interconnects can be programmed after the manufacturing process by the
customer/designer (hence the term "field programmable") so that the FPGA can
perform whatever logical function is needed.
Why do we recommend FPGAs?
They offer large logic capacity, exceeding several million equivalent logic gates, and
include dedicated memory resources. They also include special hardware circuitry that is
often needed in digital systems, such as digital signal processing (DSP) blocks (with
multiply-and-accumulate functionality) and phase-locked loops (PLLs) or delay-locked
loops (DLLs) that support complex clocking schemes, and they support a wide range of
interconnection standards, such as double data rate (DDR SRAM) memory, PCI and
high-speed serial protocols.
In addition, FPGAs provide a significant benefit as “off-the-shelf” chips that are
programmed by the end user. This user-programmability avoids the need for long
manufacturing times and high non-recurring engineering (NRE) costs that would be
required if a custom IC were manufactured. Also, the FPGA can be reprogrammed
as many times as needed to make changes or fix errors.
So how do we program an FPGA?
There are two main aspects to the software tools for embedded system design:
1) the creation of the system hardware, and
2) the development of software that runs on the processors included in the system.
FPGA manufacturers provide automated tools to facilitate both parts of this
design flow. For creating the hardware circuitry, the tools allow the user to build a
system by making use of pre-designed building blocks for processors, memory
controllers, digital signal processing circuits and various communication modules
(such as UARTs). The software allows easy instantiation of these sub-circuits and can
automatically interconnect them on the FPGA chip. Design of these components
integrates seamlessly with the tool set used to create the custom logic circuits, which
are also implemented in the FPGA. The Electronic Design Automation tools
generate memory maps for the system, allowing the processor(s) to access the
system’s hardware resources. Application software development is supported with
the typical toolsets expected by software programmers, including compilers,
debuggers and operating system support.
The commonly used language for hardware design is VHDL.
VHDL
VHDL, or VHSIC Hardware Description Language, is commonly used as a
design-entry language for field-programmable gate arrays and application-
specific integrated circuits in electronic design automation of digital circuits.
Limitations
Recent trends
A recent trend has been to take the coarse-grained architectural approach a step
further by combining the logic blocks and interconnects of traditional FPGAs with
embedded microprocessors and related peripherals to form a complete "system on a
programmable chip".
An example of an interesting area for future research is the use of soft processors on
FPGAs to create multiprocessor systems. Although such systems are already in use,
further research may discover better ways of interconnecting soft processors to
achieve faster program execution, and improved techniques for implementing the
memory hierarchy to enable more efficient sharing of data. A more advanced topic is
the study of FPGA architecture features that best support multiprocessing with soft
processors without sacrificing chip area or speed performance for other types of
applications.