Security mechanisms in high-speed networks.

Abstract

This thesis attacks an important problem in securing the next-generation Internet. Traditional router-based firewalls are not able to provide the high throughput and low latency required by future high-speed ATM and IP networks. We design a high-performance ATM firewall architecture that addresses this problem. The firewall architecture achieves a high throughput of up to 150 Gbps and has very low latency, without sacrificing security, and encompasses three novel conceptual and engineering techniques. First, a Last Cell Hostage (LCH) scheme is introduced to minimize the latency caused by packet filtering. Second, the throughput of packet filtering is dramatically improved using caching; for this purpose a novel cache architecture is developed. Third, the concept of Quality of Firewalling (QoF) is proposed to optimize the tradeoff between performance and security. Though targeted at ATM in this architecture, these techniques can be readily applied to an IP firewall to make it several orders of magnitude faster. This firewall integrates the IP-level security mechanisms into the hardware components of an ATM switch so that most of the filtering operations are performed in parallel with the normal cell processing and most of its cost is absorbed into the base cost of an ATM switch. Various applications of this firewall in Internet and intranet security are also developed.

The proposed ATM firewall employs caching to dramatically improve its throughput. Since traditional caching approaches are not able to achieve a low and stable miss ratio at reasonable cost, we propose a cache architecture that achieves exactly this goal. Its design is based on our novel cache replacement algorithm, called near-LRU, that best exploits the locality behavior of Internet traffic. To best approximate the fully-associative near-LRU algorithm using set-associative hardware, we invent a dynamic set-associative scheme that reduces the collision miss ratio caused by set-associativity by 75 to 90 percent. The architecture employs a lazy write-back scheme to achieve a high throughput of 150 Gbps. Since the cache architecture is built upon relatively inexpensive DRAM technology, its cost is low (below 2000 dollars) considering the high throughput it is able to support.

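Bibliographic record

  • Author

    Xu, Jun.;

  • Author affiliation

    The Ohio State University.;

  • Degree-granting institution: The Ohio State University.;
  • Discipline: Computer Science.
  • Degree: Ph.D.
  • Year: 2000
  • Pages: 118 p.
  • Total pages: 118
  • Original format: PDF
  • Text language: eng
  • Chinese Library Classification: Automation technology, computer technology;
  • Keywords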
