
ABSTRACT

Computer worms such as Sapphire use the Internet to spread rapidly, infecting a large fraction of the vulnerable hosts within minutes and causing billions of dollars in losses to organizations. With the increase in Internet bandwidth, the problem is even more acute today. We have implemented an SDN-based, hardware-accelerated firewall that can mitigate the effects of such aggressively spreading worms. The firewall design has hardware engines that support Deep Packet Inspection (DPI) and allow dynamic updates from a remote controller using special packets. The firewall has a very low update latency compared to a traditional OpenFlow switch on NetFPGA and can maintain high throughput while performing DPI.

PROJECT OVERVIEW

Our firewall design consists of a dual-core, dual-threaded RISC processor with Lookup and Reroute hardware accelerators. The firewall scans packets at line rate (DPI), looking for malicious signatures. When a packet carrying a malicious signature arrives at the firewall it is rerouted to the controller. The controller then decides whether to allow or deny further packets with the same pattern from that source, and updates the hardware IP Access Control List (ACL) in the firewall using a special packet known as the "instruction packet". When the hardware firewall receives an instruction packet it updates its ACL accordingly. Our design can support 10 million updates per second from a remote controller, which is 163.93 times what an OpenFlow switch on NetFPGA can support.
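The control loop above (DPI hit, reroute to the controller, controller decision, ACL update by instruction packet), modelled in software as an added example; it is not the project's hardware or controller code. The instruction-packet format, the control port 9999, the opcodes and the rule that an Allow-listed source bypasses DPI are assumptions, since the page does not specify them:

```python
"""Software model of the firewall/controller loop described above.

Added example, not the project's code. Assumed (not specified on the page):
an instruction packet is a UDP datagram from the controller to port 9999
whose payload is one opcode byte (0x01 allow, 0x02 deny) followed by a
4-byte IPv4 address; signatures are plain byte strings matched anywhere
in the payload; a source on the Allow list bypasses DPI.
"""
import ipaddress
from dataclasses import dataclass, field

INSTRUCTION_PORT = 9999          # assumed control-channel port
OP_ALLOW, OP_DENY = 0x01, 0x02   # assumed opcodes
PROTO_UDP = 17


@dataclass
class Packet:
    src: str        # IPv4 source, dotted quad
    dst: str        # IPv4 destination
    proto: int      # IP protocol number
    dport: int      # transport destination port
    payload: bytes


@dataclass
class Firewall:
    controller_ip: str
    signatures: list = field(default_factory=list)   # reconfigurable DPI patterns
    allow: set = field(default_factory=set)          # IP Allow list
    deny: set = field(default_factory=set)           # IP Deny list

    def is_instruction(self, pkt: Packet) -> bool:
        """Packet classifier: only datagrams from the controller on the
        control port are treated as instruction packets."""
        return (pkt.src == self.controller_ip
                and pkt.proto == PROTO_UDP
                and pkt.dport == INSTRUCTION_PORT)

    def matches_signature(self, pkt: Packet) -> bool:
        """Pattern matcher (DPI): any configured signature in the payload."""
        return any(sig in pkt.payload for sig in self.signatures)

    def apply_instruction(self, pkt: Packet) -> None:
        """ACL update: move the carried IP onto the Allow or Deny list."""
        if len(pkt.payload) != 5:
            raise ValueError("malformed instruction packet")
        op = pkt.payload[0]
        ip = str(ipaddress.IPv4Address(pkt.payload[1:5]))
        if op == OP_DENY:
            self.deny.add(ip)
            self.allow.discard(ip)
        elif op == OP_ALLOW:
            self.allow.add(ip)
            self.deny.discard(ip)
        else:
            raise ValueError("unknown opcode %#x" % op)

    def process(self, pkt: Packet) -> str:
        """Per-packet pipeline: classify, consult the ACL, then DPI."""
        if self.is_instruction(pkt):
            self.apply_instruction(pkt)
            return "UPDATED"
        if pkt.src in self.deny:
            return "DROP"
        if pkt.src in self.allow:
            return "FORWARD"
        if self.matches_signature(pkt):
            return "TO_CONTROLLER"   # reroute for a controller decision
        return "FORWARD"


def make_instruction(controller_ip: str, fw_ip: str, op: int, target_ip: str) -> Packet:
    """Build an instruction packet in the assumed format."""
    payload = bytes([op]) + ipaddress.IPv4Address(target_ip).packed
    return Packet(controller_ip, fw_ip, PROTO_UDP, INSTRUCTION_PORT, payload)


def controller_decide(pkt: Packet) -> int:
    """Toy controller policy: deny the source of any signature hit."""
    return OP_DENY


def demo() -> list:
    """Run the loop on constructed traffic and return the verdict sequence."""
    controller, fw_ip = "10.0.0.1", "10.0.0.2"
    fw = Firewall(controller, signatures=[b"EVIL-SIG"])   # constructed sample pattern
    worm = Packet("192.0.2.10", "198.51.100.5", PROTO_UDP, 5000, b"xx EVIL-SIG yy")
    benign = Packet("192.0.2.20", "198.51.100.5", PROTO_UDP, 53, b"benign query")
    verdicts = [fw.process(worm)]                       # first hit goes to the controller
    instr = make_instruction(controller, fw_ip, controller_decide(worm), worm.src)
    verdicts.append(fw.process(instr))                  # ACL updated by instruction packet
    verdicts.append(fw.process(worm))                   # same source now dropped in hardware
    verdicts.append(fw.process(benign))                 # unrelated traffic still forwarded
    return verdicts


def spoofed_instruction_rejected() -> bool:
    """An instruction packet not sourced from the controller must not touch the ACL."""
    fw = Firewall("10.0.0.1")
    spoof = make_instruction("192.0.2.99", "10.0.0.2", OP_ALLOW, "192.0.2.99")
    fw.process(spoof)
    return "192.0.2.99" not in fw.allow


if __name__ == "__main__":
    print(demo(), spoofed_instruction_rejected())
```

The classifier keys instruction packets on the controller's source address and the control port. A classifier that accepted instruction packets from any source would let any host on the network rewrite the ACL, so that source check (or stronger authentication of the control channel, which the page does not describe) is the security-critical part of the design.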


The specifications of our processor are
1) Dual core Dual Threaded
2) 64 bit Data and 32 bit Instruction
3) 4 stage Pipelined with custom ISA
4) Convertible FIFO (SRAM) Data memory
5) Memory Mapped I/O for hardware accelerators (part of Data memory)

Specification of Lookup Hardware Accelerator

1) Pattern matcher - performs Deep Packet Inspection on packet payloads. The patterns can be reconfigured through software registers on NetFPGA.
2) Packet classifier - embedded within the pattern matcher; it distinguishes normal data packets from instruction packets sent by the controller.
3) Access control list - an IP access control list in which each IP address is on either an Allow list or a Deny list. The entries can be configured and dynamically updated by a remote controller using an instruction packet.

Specification of Reroute Hardware Accelerator

1) IP checksum updater - computes the new IP header checksum; it is activated only when a packet has to be rerouted to the controller.
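What the checksum updater has to do when a packet is rerouted, as an added example in Python rather than the project's hardware design: the destination address is rewritten to the controller and the header checksum is patched incrementally (RFC 1624) over only the two changed 16-bit words, which is the cheap operation a hardware updater would perform, then checked against a full recompute (RFC 1071). The header field values and addresses are constructed for the example:

```python
"""IPv4 header checksum handling for the reroute step.

Added example, not the project's code. Builds a constructed header,
rewrites the destination to the controller and fixes the checksum with
the RFC 1624 incremental update, verifying it against an RFC 1071 full
recompute.
"""
import ipaddress
import struct

HDR_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options


def ones_complement_fold(total: int) -> int:
    """Fold carries back in until the value fits in 16 bits."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 checksum over the header with its checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    words = struct.unpack("!%dH" % (len(zeroed) // 2), zeroed)
    return (~ones_complement_fold(sum(words))) & 0xFFFF


def stored_checksum(header: bytes) -> int:
    """Checksum field as carried in the header (bytes 10-11)."""
    return struct.unpack("!H", header[10:12])[0]


def checksum_ok(header: bytes) -> bool:
    """True when the carried checksum matches a full recompute."""
    return ipv4_checksum(header) == stored_checksum(header)


def build_ipv4_header(src: str, dst: str, total_length: int = 40,
                      proto: int = 17, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Constructed header (version 4, IHL 5) with a correct checksum."""
    hdr = struct.pack(HDR_FMT, 0x45, 0, total_length, ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def incremental_checksum(hc: int, old_word: int, new_word: int) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m') in one's-complement arithmetic,
    where m is the old 16-bit word and m' the new one."""
    total = (~hc & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    return (~ones_complement_fold(total)) & 0xFFFF


def reroute_to_controller(header: bytes, controller_ip: str) -> bytes:
    """Rewrite the destination and patch only the two changed 16-bit words,
    leaving every other header byte untouched."""
    old_dst = header[16:20]
    new_dst = ipaddress.IPv4Address(controller_ip).packed
    hc = stored_checksum(header)
    for i in (0, 2):
        old_w = struct.unpack("!H", old_dst[i:i + 2])[0]
        new_w = struct.unpack("!H", new_dst[i:i + 2])[0]
        hc = incremental_checksum(hc, old_w, new_w)
    return header[:10] + struct.pack("!H", hc) + header[12:16] + new_dst


if __name__ == "__main__":
    h = build_ipv4_header("192.0.2.10", "198.51.100.5")
    r = reroute_to_controller(h, "10.0.0.1")
    print(hex(stored_checksum(h)), hex(stored_checksum(r)), checksum_ok(r))
```

The incremental form matters in hardware because it needs only the old checksum and the words that changed, not a pass over the whole header; the full recompute is kept here as the reference the incremental result must agree with.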
