Study Of Secure Server Network Interface Card For Web Applications

Posted on: 2011-01-20
Degree: Master
Type: Thesis
Country: China
Candidate: J Yu
GTID: 2178360308457324
Subject: Computer application technology

Abstract/Summary:
Since Web services have become the mainstream of network applications, more and more malicious software and hacker attacks target this field and cause great loss. A Web service is an application-layer service, so Web attacks are application-layer attacks. Web attacks share the common feature of application-layer attacks, namely that the malicious activity resides in the packet payload, and they also reflect the particular character of Web services: a simple transmission protocol supporting complicated functions. These features leave a traditional firewall unable to meet the special requirements of Web service protection. Only a firewall with Web enhancements can provide enough security, by implementing security policy, protection mechanisms and application-layer scanning.

In this paper, common firewall architectures and platforms are discussed, especially the performance problems of software implementations and the improvement brought by hardware implementation. Furthermore, a secure network card architecture based on FPGA is proposed, which scans packets in place of the server CPU while receiving and transmitting them. The server CPU is thus dedicated to Web processing and relieved of the burden of security checking, and performance improves as a result. In the implementation, header filtering and deep packet inspection are accelerated in hardware, which reduces packet-scanning delay and proves efficient in high-rate network environments.

At the same time, approaches to optimizing deep packet inspection (DPI), which accounts for the majority of packet scanning, are discussed. The most important operation in DPI is pattern matching, which compares packet payloads with the rules designed to detect attacks, and this is the key to accelerating the whole system. Therefore a Reverse Parallel Shift Matching algorithm suited to hardware implementation is designed, and it shows the expected improvement. Making full use of abundant programmable logic resources, this algorithm constructs multiple matching units to achieve high performance through parallelism. In cooperation with a Shift-or module, matching continues throughout packet reception and gives a better result.

Based on the above, the overall structure and the detailed modules, such as header filtering, content detection, state control and alert reporting, are described. The design is then implemented on a NetFPGA board, which is built for high-rate network processing, and management software is used to control and configure the board. Finally, the system performance is evaluated. The results demonstrate that with the aid of hardware, system performance increases and the design shows its applicability in the field of Web service protection.
Keywords/Search Tags:Web Firewall, NetFPGA, Deep Packet Inspection, Reverse Parallel Shift Pattern Matching Algorithm