Title :
Field Upgradeable, Dynamically Reconfigurable Accelerated Firewall for Networks
Author :
Ashfaq, Osama ; Mairaj, Junaid ; Raza, Adnan ; Anis, Haris
Author_Institution :
College of E&ME, National University of Sciences & Technology, Rawalpindi, Pakistan. osamabuttar@yahoo.com
Abstract :
A conventional firewall cannot detect someone trying to break into a system or a network, and it can itself be broken into. An Intrusion Detection System (IDS), on the other hand, does recognize attacks against the network that firewalls are unable to detect. An IDS is designed to be a passive entity, that is, it is invisible to others on the network, but this same property is a handicap when it comes to blocking malicious packets at runtime, which is an essential feature of a firewall, because blocking compromises the IDS's passive nature. In this paper, a firewall architecture is discussed which uses an IDS as the core engine for detecting threats and yet retains the ability to block any packet. The architecture employs hardware/software co-simulation in order to process packets in real time. The IDS core is mapped onto an FPGA, which is responsible for threat perception, while the software implements the pass/block mechanism based on the IDS decision. Inside the FPGA, all the rules are applied in parallel to each packet, achieving a speedup not possible in software. Using the dynamic reconfigurability of the FPGA, the rule set of the firewall can be changed without stopping it.
Keywords :
Acceleration; Computer architecture; Computer networks; Educational institutions; Field programmable gate arrays; Hardware design languages; Information filtering; Information filters; Intrusion detection; Runtime;
Conference_Title :
Engineering, Sciences and Technology, Student Conference On
Print_ISBN :
0-7803-8871-2
DOI :
10.1109/SCONES.2004.1564786