• DocumentCode
    2137385
  • Title

    Internet Firewalls in the DECOS System-on-a-Chip Architecture

  • Author

    Wasicek, Armin ; Elmenreich, Wilfried

  • Author_Institution
    Vienna Univ. of Technol., Vienna
  • Volume
    2
  • fYear
    2007
  • fDate
    23-27 June 2007
  • Firstpage
    983
  • Lastpage
    988
  • Abstract
    A big part of requests in today's Internet are malicious connection attempts aimed at compromising hosts in order to gain illegal access. Intrusion tools perform automatic scans to seek out promising targets, probe for vulnerabilities, and even mount autonomous attacks. Starting from this scenario, this paper discusses approaches to govern access to a network of System-on-a-Chip (SoC) components that provides an Ethernet interface to the Internet for maintenance purposes. Security measures are needed to protect the SoC from unauthorized access to internal information such as diagnostic interfaces or bus communication. Since the SoC should be realized as a compact embedded system, the implementation of security mechanisms has to fit the available processing and memory resources. In order to be able to cope with changing security requirements and different deployment environments, a multi-level security architecture is proposed. The architecture partitions the system into intrusion containment regions and provides corresponding access privileges. As part of the architecture, the implementation of an Internet Firewall providing low-level authentication to a network of SoCs is shown.
  • Keywords
    Internet; authorisation; embedded systems; local area networks; message authentication; system buses; system-on-chip; DECOS system-on-a-chip architecture; Ethernet interface; Internet firewall; bus communication; embedded system; illegal access; intrusion detection; malicious connection; multi level security architecture; unauthorized access; Authentication; Communication system security; Embedded system; Ethernet networks; IP networks; Information security; Internet; Probes; Protection; System-on-a-chip; DECOS SOC architecture; Embedded systems security; Time-Triggered Ethernet; firewall;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Industrial Informatics, 2007 5th IEEE International Conference on
  • Conference_Location
    Vienna
  • ISSN
    1935-4576
  • Print_ISBN
    978-1-4244-0851-1
  • Electronic_ISBN
    1935-4576
  • Type

    conf

  • DOI
    10.1109/INDIN.2007.4384908
  • Filename
    4384908