ABSTRACT
Department of Electrical and Computer Engineering, University of Massachusetts, Amherst, MA, USA
13.1 Introduction
13.2 Background
13.2.1 Reconfigurable Network Security
13.2.2 Network Router Security
13.2.3 FPGA-Based Network Routers
13.3 Monitoring System Overview
13.4 Monitoring Architectures
13.4.1 Logic-Centric Implementation
13.4.1.1 Architecture
13.4.1.2 Generation of a Logic-Centric Monitor
13.4.1.3 Experimentation and Results
13.4.2 Memory-Centric Implementation
13.4.2.1 Architecture
13.4.2.2 Experimentation and Results
13.5 Monitoring of FPGA-Based Finite State Machines
13.6 Conclusion
Bibliography
The availability of the Internet affects our lives in numerous beneficial ways on a daily basis, making the security of network resources a critical need. Network routers serve as the backbone of this infrastructure, providing reliable and efficient data transfer for an ever-increasing workload. Although a broad spectrum of network security approaches has been implemented, most of them focus on reducing the ability of attackers to deliver malicious payloads to targeted end-systems. Network routers, through the use of packet classification and intrusion detection, often serve as a first line of defense against these attacks. However, recent trends in router architecture that promote programmability have exposed the routers themselves to potential attacks, creating a need for new defense mechanisms. This need is especially acute for routers that include reconfigurable logic in the form of FPGA hardware. These platforms often include either software-programmable network processors (NPs) fashioned from reconfigurable logic or state machines that control the packet processing data plane.