The Secure Access Node Project: A Hardware-Based Large-Scale Security Solution for Access Networks

Rohrbeck, Jens; Altmann, Vlado; Pfeiffer, Stefan; Danielis, Peter; Skodzik, Jan; Timmermann, Dirk; Ninnemann, Matthias; Rönnau, Maik

Home // International Journal On Advances in Security, volume 4, numbers 3 and 4, 2011 // View article

The Secure Access Node Project: A Hardware-Based Large-Scale Security Solution for Access Networks

Authors:
Jens Rohrbeck
Vlado Altmann
Stefan Pfeiffer
Peter Danielis
Jan Skodzik
Dirk Timmermann
Matthias Ninnemann
Maik Rönnau

Keywords: Internet Security; Access Network; Hardware Firewall; Hardware Web Filter; Hardware Intrusion Detection.

Abstract:
Providing network security is one of the most important tasks in today’s Internet. Unfortunately, many users are not able to protect themselves and their networks. Therefore, a novel security concept is presented to protect users by providing security measures at the Internet Service Provider level. Already now, Internet Service Providers are using different security measures, e.g., Virtual Local Area Network tags, MAC limitation, or MAC address translation. The presented approach extends these security measures by three hardware-based security subsystems. A firewall engine controls the header of Ethernet frames, Internet packets, and the next following protocols. Furthermore, a Web filter module disables access to violent and child pornography Web content. The third subsystem is a Bloom filter-based deep packet inspection engine to observe the payload after the protocol header. Based on deep packet inspection, it is possible to detect network intruder. A firewall, a Web filter as well as a network intrusion detection system, at the ingress of the network, offer security measures to all connected users, especially to users with limited IT expert knowledge. Each of the mentioned systems has a powerful packet classification engine and a high speed rule set engine used by the firewall to find specific rules for each frame. The rule set engine does not need expensive content addressable memory. All described filter modules as well as the packet classification engine and the rule set engine are developed in reconfigurable hardware. Thus, rule updates and adjustments to the hardware are easy to realize. Adjustments can be made only by the Internet Service Provider administrator. Consequently, the security system itself is secured against attacks from users and from the network side. This novel security approach allows for the protection of up to 32,000 Internet users in wire speed. Furthermore, the prototype system is able to process network traffic at wire speed.

Pages: 234 to 244

Publication date: April 30, 2012

Published in: journal

ISSN: 1942-2636