Hardware Firewalls

Deepak Jacob Pratheek Suresh MACE
6 May 2008 Hardware Firewalls 1

Contents…
• Securing Data
• Need of firewalls
• Operation & Role of hardware firewall
• Filtering techniques
• Implementing a hardware firewall
• Conclusion

Security… Why do we care???
• Destruction of local data, disruption of local service etc.
• Unauthorised access to local data (financial info …)
• Base for high bandwidth attack on other targets (commercial, government ..)
• Gain passwords, keys to attack peer sites
• Illegal use of resources (stolen software, child pornography ..)

Need for a Firewall
You do not need a firewall if:
• You have a perfect (bug-free) OS and infallible system administrators and users
• You don’t care if you have security incidents (unauthorised access to resources)

Basic Firewall Operation

Hardware Firewall
• Known as Firewall Appliances or Internet Security Appliances.
• External devices that act as a guard post between your network and external networks.
• Very little configuration.
• Very little maintenance.

Features
• Stateful
• Configurable
• Fail-safe
• Access lists, NAT, port forwarding/blocking
[Figure: Hardware Firewall on local network]

Hardware Firewall Configurations
• Everything not specifically permitted is denied!
• Everything not specifically denied is permitted!

Techniques
Packet Filtering Stateful packet Inspection (SPI)

Packet Filtering

Certain types of data packets are allowed through and others may be blocked.

SPI
Packet filtering + logical analysis (state of the packet)
• Uses a two-step process to determine whether or not packets will be allowed or denied.
• Variables are:
  • Packet filtering: source IP address, destination IP address, protocol type (TCP/UDP), source port, destination port
  • Connection state

SPI

• Compares the packets against the rules or filters.
• Checks the dynamic state table to verify that the packets are part of a valid, established connection.
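
The two-step SPI decision described above, with the default policy from the "Hardware Firewall Configurations" slide as a parameter. This is an added example, not part of the original slides; the rule set, addresses and names (`Packet`, `StatefulFirewall`, `demo`) are constructed for illustration, and connection teardown is simplified.

```python
# Added example: rule check plus dynamic state table. All data is constructed.
from collections import namedtuple
from ipaddress import ip_address, ip_network

# flags holds TCP flags as letters: S=SYN, A=ACK, F=FIN, R=RST
Packet = namedtuple("Packet", "src dst proto sport dport flags", defaults=[""])

# Constructed access list: (action, source net, destination net, protocol, dest port)
RULES = [("permit", "192.168.1.0/24", "0.0.0.0/0", "TCP", 443),
         ("permit", "192.168.1.0/24", "0.0.0.0/0", "UDP", 53)]

class StatefulFirewall:
    def __init__(self, rules, default="deny"):
        self.rules, self.default = rules, default
        self.state = set()  # dynamic state table of tracked connections

    def match_rules(self, p):
        for action, snet, dnet, proto, dport in self.rules:
            if (ip_address(p.src) in ip_network(snet) and p.proto == proto
                    and ip_address(p.dst) in ip_network(dnet) and p.dport == dport):
                return action
        return self.default  # policy for packets no rule mentions

    def inspect(self, p):
        flow = (p.src, p.sport, p.dst, p.dport, p.proto)
        reply = (p.dst, p.dport, p.src, p.sport, p.proto)
        verdict = self.match_rules(p)                       # step 1: rules
        if flow in self.state or reply in self.state:       # step 2: state table
            if p.proto == "TCP" and set(p.flags) & {"F", "R"}:
                self.state -= {flow, reply}  # simplified teardown on FIN/RST
            return "permit"
        opens = p.proto == "UDP" or p.flags == "S"  # only a bare SYN opens TCP
        if verdict == "permit" and opens:
            self.state.add(flow)
            return "permit"
        return "deny"

def demo():
    fw = StatefulFirewall(RULES)
    c, s = "192.168.1.10", "203.0.113.5"  # constructed addresses
    pkts = [Packet(c, s, "TCP", 50000, 443, "S"),   # new connection, rule permits
            Packet(s, c, "TCP", 443, 50000, "SA"),  # reply of tracked connection
            Packet(s, c, "TCP", 443, 50001, "SA"),  # unsolicited inbound
            Packet(c, s, "TCP", 50002, 443, "A"),   # rule matches, no connection
            Packet(c, s, "TCP", 50000, 443, "FA"),  # closes tracked connection
            Packet(s, c, "TCP", 443, 50000, "A"),   # arrives after close
            Packet(c, s, "TCP", 50003, 23, "S")]    # no rule: default policy
    return [fw.inspect(p) for p in pkts]
```

The fourth packet matches a permit rule yet is dropped because no connection for it exists in the state table, which is the check plain packet filtering lacks.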

How to choose a Hardware Firewall?
• Architecture: extent of configurability.
• Number of supported sessions.
• Integration with Exchange mail servers or collaboration servers.
• Type of interface: GUI/CLI/web based/remote login.
• Need for centralized management of multiple firewalls.
• High availability (load balancing, failover) features.

Creating a hardware firewall…
• Embedded system design.
• Field programmable gate array (FPGA).
  • Semiconductor device
  • Programmable logic components + programmable interconnects
[Figure: SOC Firewall Layout]

Why use FPGAs ???
• Offer large logic capacity.
• Presence of higher-level embedded functions (DSP & PLL blocks).
• Presence of embedded memories.
• Support full or partial in-system reconfiguration.
• Support a wide range of interconnection standards.
• Shorter time to market.
• In-field debugging.
• Non-recurring engineering costs.

Development Steps

[Figure: FPGA Design Methodology]

How to program FPGA…?
VHDL (VHSIC Hardware Description Language) is commonly used as a design-entry language for:
• FPGAs
• ASICs in electronic design automation

Benefits of Hardware Firewalls
• Cost effective method of internet security for more than one computer.
• Continues protecting without any necessary computer configuration.

Shortcomings…
• Generally slower than their ASIC counterparts
• Draws more power

Conclusion
In this highly evolving and insecure world, preserving one’s private data is a subject of prime concern to an individual. Hardware firewalls using FPGAs come as a cheap, efficient and reliable way of protecting an individual’s privacy.

System-On-Chip Internet Firewall
– Core components:
  • Perform payload scanning, packet classification, and per-flow queuing
– Extensible modules:
  • Implement new features in reconfigurable hardware
– Implementation platform:
  • Runs on the Field Programmable Port Extender (FPX)
• Integration Server
  – Reads uploaded VHDL/EDIF code
  – Combines modules at user-defined interfaces
  – Runs simplify and backend to implement custom SOC firewall
• Test Server
  – Performs at-speed testing of SOC firewall
  – Injects and records Internet traffic
  – Graphically displays input and output packets

Strengths & Weakness
• Very little impact on network performance
• Can be implemented transparently
• Application independent
• More secure than basic packet filtering firewalls
• Provides application layer protocol awareness
• Have some logging capabilities
• Provides higher degree of security
• Does not break the client/server model and therefore allows a direct connection to be made between the two endpoints
• Rules can become complex, hard to manage, prone to error and difficult to test
