Publications


"The Shunt: An FPGA-Based Accelerator for Network Intrusion Prevention"

N. Weaver, V. Paxson, and J.M. Gonzalez

Proceedings of International Symposium on Field Programmable Gate Arrays (FPGA), Monterey, California, pp. 199-206

February 2007

PDF

Overview:

Today's network intrusion prevention systems (IPSs) must perform increasingly sophisticated analysis: parsing protocols and interpreting application dialogs rather than simply searching for signature strings. The algorithms this requires defy full implementation in hardware and are much more readily implemented on general-purpose CPUs. Yet the performance of such CPUs increasingly lags behind that needed to process today's high-rate traffic streams.

We observe that in many environments much of the traffic comprising a high-volume stream can, after some initial analysis, be qualified as "likely uninteresting." Thus, we would like a means by which we can couple a general-purpose CPU with a specialized hardware element such that only the hardware element processes the bulk of the bytes in a network stream, while the CPU can still inspect those elements of network flows deemed germane for security analysis.

To this end, we have developed an in-line, FPGA-based IPS accelerator, the Shunt, using the NetFPGA2 platform. The Shunt maintains several large state tables indexed by packet header fields, including IP/TCP flags, source and destination IP addresses, and connection tuples. The tables yield the decision the element makes for each packet: forward the packet, drop it, or divert it through the IPS. By manipulating table entries, the IPS can specify the traffic it wishes to examine, directly block malicious traffic, and "cut through" traffic streams once it has had an opportunity to vet them, all on a fine-grained basis. We base our design on a novel series of caches with a "fail safe" miss policy, coupled to a host PC that handles both cache management and higher-level IPS analysis. The design requires only 2 MB of SRAM for its extensive caches, and can support four gigabit Ethernet ports on a single Virtex 2 Pro 30.
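To make the per-packet decision logic concrete, here is a small software model of a Shunt-style classifier. It is added here as an illustration and is not code from the paper or the NetFPGA implementation. The four table names, the per-entry priorities, the rule that every packet carrying a SYN, FIN or RST flag is diverted, and the constructed packet sequence are all assumptions; what the model takes from the text is the set of tables (flags, addresses, connection tuples), the three decisions (forward, drop, divert), the IPS-driven cut-through and block operations, and the fail-safe miss policy, under which a packet that hits no table entry is diverted to the IPS rather than forwarded.

```python
"""Software model of a Shunt-style packet classifier.

Added example, not code from the paper. Assumptions not taken from the text:
the four table names, the per-entry priorities, the flag-matching rule and
the demo packets are illustrative. The property taken from the text is the
fail-safe miss policy: a packet matching no table entry is diverted to the IPS.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Action(Enum):
    FORWARD = "forward"   # pass in hardware; the CPU never sees these bytes
    DROP = "drop"         # discard in hardware
    DIVERT = "divert"     # hand the packet to the IPS software on the host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    flags: str = ""       # TCP flag letters, e.g. "S", "SA", "FA", "R"; "" = pure data


ConnKey = Tuple[str, str, int, int, str]
Entry = Tuple[int, Action]   # (priority, action); the highest priority hit wins


def conn_key(p: Packet) -> ConnKey:
    """Direction-independent 5-tuple so both halves of a flow share one entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    lo, hi = sorted([a, b])
    return (lo[0], hi[0], lo[1], hi[1], p.proto)


class Shunt:
    def __init__(self) -> None:
        self.flag_table: Dict[str, Entry] = {}      # keyed by a single TCP flag letter
        self.conn_table: Dict[ConnKey, Entry] = {}  # keyed by connection tuple
        self.src_table: Dict[str, Entry] = {}       # keyed by source IP
        self.dst_table: Dict[str, Entry] = {}       # keyed by destination IP

    def classify(self, p: Packet) -> Action:
        """Per-packet decision: highest-priority table hit, DIVERT on a total miss."""
        hits: List[Entry] = [self.flag_table[f] for f in p.flags if f in self.flag_table]
        for table, key in ((self.conn_table, conn_key(p)),
                           (self.src_table, p.src),
                           (self.dst_table, p.dst)):
            if key in table:
                hits.append(table[key])
        if not hits:
            return Action.DIVERT          # fail-safe miss policy: never forward unseen traffic
        return max(hits, key=lambda e: e[0])[1]


# --- host-side table management, the part the IPS software performs ---

def install_default_policy(s: Shunt) -> None:
    """Assumed policy: connection-control flags always reach the IPS for state tracking."""
    for f in "SFR":
        s.flag_table[f] = (10, Action.DIVERT)


def cut_through(s: Shunt, p: Packet) -> None:
    """The IPS has vetted this connection: forward its remaining data in hardware."""
    s.conn_table[conn_key(p)] = (5, Action.FORWARD)


def block_source(s: Shunt, ip: str) -> None:
    """The IPS has judged a host hostile: drop all it sends, overriding cut-throughs."""
    s.src_table[ip] = (20, Action.DROP)


def demo() -> List[Action]:
    """Constructed packet sequence (not from the paper); returns the decisions in order."""
    s = Shunt()
    syn = Packet("10.0.0.5", "192.0.2.10", 40000, 80, flags="S")
    data = Packet("10.0.0.5", "192.0.2.10", 40000, 80)
    reply = Packet("192.0.2.10", "10.0.0.5", 80, 40000)
    fin = Packet("10.0.0.5", "192.0.2.10", 40000, 80, flags="FA")
    out = [s.classify(data)]            # empty tables: DIVERT (fail safe)
    install_default_policy(s)
    out.append(s.classify(syn))         # S flag entry: DIVERT
    out.append(s.classify(data))        # no entry for this flow yet: DIVERT
    cut_through(s, syn)                 # IPS vets the connection after seeing the SYN
    out.append(s.classify(data))        # connection entry: FORWARD
    out.append(s.classify(reply))       # reverse direction hits the same entry: FORWARD
    out.append(s.classify(fin))         # F flag (prio 10) beats the conn entry (5): DIVERT
    block_source(s, "10.0.0.5")
    out.append(s.classify(data))        # source DROP (20) beats conn FORWARD (5): DROP
    return out


if __name__ == "__main__":
    for a in demo():
        print(a.value)
```

The priority ordering is what lets the IPS keep seeing connection setup and teardown even after it has cut a flow through, and what lets a block entry override an earlier cut-through without the IPS having to find and delete every affected connection entry.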

 
Copyright © 2005 International Computer Science Institute. All Rights Reserved.