
Hardware Firewalls

Deepak Jacob
Pratheek Suresh
MACE

6 May 2008 Hardware Firewalls 1


Contents…

• Securing Data.
• Need of firewalls.
• Operation & Role of hardware firewall.
• Filtering techniques.
• Implementing a hardware firewall.
• Conclusion.


Security… Why do we care???
• Destruction of local data, disruption of local service etc.
• Unauthorised access to local data (financial info …)
• Base for high bandwidth attack on other targets (commercial, government ..)
• Gain passwords, keys to attack peer sites
• Illegal use of resources (stolen software, child pornography ..)


Need for a Firewall
You do not need a firewall if:
• You have perfect (bug free) OS & have infallible system administrators and users
• You don’t care if you have security incidents (unauthorised access to resources)


Basic Firewall Operation



Contd…



Hardware Firewall

• Known as Firewall Appliances or Internet Security Appliances.
• External devices that act as a guard post between your network and external networks.
• Very little configuration.
• Very little maintenance.


Features

• Stateful
• Configurable
• Fail-safe
• Access lists, NAT, port-forwarding/blocking

Hardware Firewall on local network


Hardware Firewall Configurations

Everything not specifically permitted is denied!

Everything not specifically denied is permitted!

Techniques

Packet Filtering
Stateful Packet Inspection (SPI)

Packet Filtering

Certain types of data packets are allowed through and others may be blocked.


SPI
• Packet filtering + logical analysis (state of the packet)
• Uses a two step process to determine whether or not packets will be allowed or denied
Variables are
    Packet Filtering:
    • Source IP address
    • Destination IP address
    • Protocol type (TCP/UDP)
    • Source port
    • Destination port
    SPI:
    • Connection state

SPI

• Compares the packets against the rules or filters.
• Checks the dynamic state table to verify that the packets are part of a valid, established connection.

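The two-step SPI check described above, as an added example (not code from the original slides): a packet is allowed if it belongs to a connection already in the dynamic state table; otherwise it must be a connection-opening packet that a rule permits, with everything else denied. The class, the rule layout, the sample addresses and the RST-only teardown are assumptions made for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# flags: TCP flags such as "S", "SA", "A", "R" (empty string for UDP)
Packet = namedtuple("Packet", "src sport dst dport proto flags")
# dport None matches any destination port
Rule = namedtuple("Rule", "action src_net dst_net proto dport")

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()     # dynamic state table: flows opened via a permit rule

    def match_rules(self, p):
        for r in self.rules:   # first matching rule wins
            if (ip_address(p.src) in ip_network(r.src_net)
                    and ip_address(p.dst) in ip_network(r.dst_net)
                    and p.proto == r.proto and r.dport in (None, p.dport)):
                return r.action
        return "deny"          # everything not specifically permitted is denied

    def check(self, p):
        flow = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        known = {flow, reverse} & self.state
        if known:                          # part of a tracked connection
            if "R" in p.flags:             # simplified teardown: RST drops the entry
                self.state -= known
            return "permit"
        opens = p.proto == "udp" or p.flags == "S"   # only a bare SYN may open TCP state
        if opens and self.match_rules(p) == "permit":
            self.state.add(flow)
            return "permit"
        return "deny"

def run_demo():
    # Constructed sample traffic: LAN 192.168.1.0/24 may open HTTPS connections outward.
    fw = StatefulFirewall([Rule("permit", "192.168.1.0/24", "0.0.0.0/0", "tcp", 443)])
    packets = [
        Packet("192.168.1.10", 50000, "203.0.113.5", 443, "tcp", "S"),   # outbound SYN
        Packet("203.0.113.5", 443, "192.168.1.10", 50000, "tcp", "SA"),  # its reply
        Packet("203.0.113.9", 443, "192.168.1.10", 50000, "tcp", "SA"),  # unsolicited reply
        Packet("203.0.113.5", 40000, "192.168.1.10", 22, "tcp", "S"),    # inbound SYN, no rule
        Packet("192.168.1.10", 50000, "203.0.113.5", 443, "tcp", "R"),   # client resets
        Packet("203.0.113.5", 443, "192.168.1.10", 50000, "tcp", "A"),   # late packet after reset
    ]
    return [fw.check(p) for p in packets]
```

The third packet is the case that separates SPI from plain packet filtering: its addresses and ports look like return traffic, but no matching entry exists in the state table, so it is denied.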
How to choose a Hardware Firewall?

• Architecture: Extent of configurability.
• No. of supported sessions.
• Integration with Exchange mail servers or collaboration servers.
• Type of interface: GUI/CLI/web based/remote login.
• Need for centralized management of multiple firewalls.
• High availability (load balancing, failover) features.


Creating a hardware firewall…
Embedded system design.
Field programmable gate array (FPGA).

• Semiconductor device
• Programmable logic components + Programmable Interconnects

SOC-Firewall Layout


Why use FPGAs ???
• Offer large logic capacity.
• Presence of higher-level embedded functions (DSP & PLL Blocks).
• Presence of embedded memories.
• Support full or partial in-system reconfiguration.
• Support a wide range of interconnection standards.
• Shorter time to market.
• In-field debugging.
• Non-recurring engineering costs.


Development Steps

FPGA Design Methodology


How to program FPGA…?

VHDL, or VHSIC Hardware Description Language, is commonly used as a design-entry language for
• FPGAs
• ASICs in electronic design automation


Benefits of Hardware Firewalls

• Cost effective method of internet security for more than one computer.
• Continues protecting without any necessary computer configuration.


Shortcomings…

• Generally slower than their ASIC counterparts
• Draws more power


Conclusion

In this highly evolving and insecure world, preserving one’s private data is a subject of prime concern to an individual.

Hardware firewalls using FPGAs come as a cheap, efficient and reliable way of protecting an individual’s privacy.




Thank You



Queries???


System-On-Chip Internet Firewall
– Core components:
    • Perform payload scanning, Packet classification, and Per-flow queuing
– Extensible modules:
    • Implement new features in reconfigurable hardware
– Implementation platform:
    • Runs on the Field Programmable Port Extender (FPX)
• Integration Server
    – Reads uploaded VHDL/EDIF code
    – Combines modules at user-defined interfaces
    – Runs simplify and backend to implement custom SOC firewall
• Test Server
    – Performs at-speed testing of SOC firewall
    – Injects and records Internet Traffic
    – Graphically displays input and output packets


Strengths & Weakness

Strengths
• very little impact on network performance
• can be implemented transparently
• application independent
• more secure than basic packet filtering firewalls
• provides application layer protocol awareness
• have some logging capabilities.
• provides higher degree of security

Weaknesses
• does not break the client/server model and therefore allows a direct connection to be made between the two endpoints.
• Rules can become complex, hard to manage, prone to error and difficult to test