
FPGAs offer real-time monitoring

Axel Tillmann, Chairman, Chief Executive Officer, Novilit Inc., Marlborough, Mass.

10/14/2002 10:24 AM EDT

Network security has been compromised by virus attacks, denial-of-service attacks and intruders. Our firewalls are still open to attack, and our information is prone to espionage as it is being sent across the Internet. Wouldn't it be great if it were possible to inspect network traffic for potential security problems at wire speed in real time, from Layer 2 all the way to Layer 7? This would spawn a host of interesting applications, including centralized virus eradication at the network gateway, automatic detection and defeat of denial-of-service attacks, and real-time intrusion detection and interdiction.

All the products available today for these applications suffer from lack of performance, excessively high prices or both. This is because they are implemented using software running on general-purpose CPU platforms.

We know that dedicated silicon implementations would be far superior in terms of price/performance, but no one has yet understood how to design chips that could implement these functions, or how to engineer a solution with the adaptability necessary to meet ever-changing security threats.

Today, virus protection is largely an individual responsibility, and people use intelligent desktop software written by companies such as McAfee or Norton to avoid viral attacks. Rather than make individuals enforce our Internet security, a better approach would be to create new devices such as centralized firewalls that could prevent viral attacks in corporate or governmental networks.

Nice idea. But there is a major obstacle to this. These software applications only use 5 to 10 percent of the processor resources of the individual machines, but if this protection is to be put into place in the outside pipe, such as the outside port of a router, it will require algorithms and technology that can deal with speeds as high as those found with OC-192.

Today, virus detection in e-mail and other data is based on software implementations. We need to move these software implementations into hardware, such as a field-programmable gate array (FPGA). Only then can intensive parsing of each individual packet be done, and the spread of viruses be prevented at the corporate entry point. Once we solve this, it can be taken one step further.

We can envision methodologies for stopping the propagation of viruses even in the backbone of the Internet. Whatever hardware-based device is deployed on the individual firewall or end-router point can also be scaled up for deployment on the Internet backbones.

Of course, this would require a new communication method that might be called something like a "Virus Protection Protocol" (VPP). With a new protocol and modern devices for virus protection, central agencies could quickly communicate that a new virus has been found which needs to be immediately blocked from further propagation. If this VPP were to operate like the BGP-4 Border Gateway Protocol, the damage could be limited very quickly.

Detecting viruses requires full protocol parsing and understanding of Layer 7. This cannot be achieved in software on a general-purpose processor if it needs to run at OC-192 speeds and faster. One possible way of addressing this is to do all the parsing in FPGAs. Because FPGAs are inherently parallel, they would make it possible to extract a great deal of field information in the brief amount of time available before a new frame arrives.

Complex protocols

Currently, since these protocols are relatively complex constructions, it is very difficult to detect just one known attack. It is infeasible to write such a program in VHDL or Verilog, because it would take too long. New virus elements could, however, be communicated as part of a methodology language, and a device could generate the binary tables for an FPGA on the fly and download them into the device. This new information would prevent the propagation of that particular virus.

Denial-of-service attacks represent an increasing threat to government, e-business and critical national network infrastructures. Recent attacks such as Code Red and NIMDA are estimated to have had an economic impact in excess of $2 billion. Threats that range from vandalism to terrorism make it urgent to implement solutions that not only monitor and analyze network traffic, but also filter malicious packets.

Using detailed attack profiles obtained through sophisticated traffic analysis, modern software could filter a wide class of denial-of-service attacks while minimizing disruption to legitimate traffic and to other components of the network infrastructure.

In the denial-of-service arena, we face a similar need to identify and drop these attacks at wire speed in the backbones of the network. Here again, similar to the e-mail virus spread, a hardware-based approach with algorithm-based FPGAs or processors would work.

Last but not least, how do we actually protect ourselves against network intrusions? On the old IBM System/34, three wrong-password attempts on a single user ID locked that user ID out. To break into a Unix computer at the U.S. government, a password-hacking algorithm would have to be run up to 200,000 times.

To address password hacking, most of the detection methods would require the fast processing of detailed bit-stream information, for which we are not equipped today. We would suggest the implementation of a protocol processor, which deals with the particular function of signing on. It should be capable of quickly identifying erroneous behavior and shutting down these attempts immediately.
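As an added illustration (not the author's protocol processor or any product's code), here is a software model of the lockout rule described above, applied to a constructed stream of sign-on events; the user names and the event list are made up.

```python
# Added illustration: models the sign-on lockout rule the article describes
# (three wrong-password attempts on one user ID lock that ID) and replays it
# over a constructed event stream. Not the author's protocol processor.
from dataclasses import dataclass, field

MAX_FAILURES = 3  # the System/34 threshold quoted in the article


@dataclass
class SignOnMonitor:
    """Tracks consecutive failed sign-ons per user ID and locks the ID out."""
    max_failures: int = MAX_FAILURES
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def observe(self, user: str, password_ok: bool) -> str:
        """Process one sign-on attempt and return the decision for it."""
        if user in self.locked:
            # A locked ID is refused even with the right password: the aim is
            # to stop the guessing loop, not to reward the guess that lands.
            return "rejected-locked"
        if password_ok:
            self.failures[user] = 0  # a good sign-on resets the counter
            return "accepted"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)  # bounds guesses per ID to max_failures
            return "rejected-locked"
        return "rejected"


def replay(events):
    """Run a list of (user, password_ok) events; return decisions and state."""
    mon = SignOnMonitor()
    return [mon.observe(u, ok) for u, ok in events], mon


# Constructed sample: a guessing run against "alice" interleaved with
# legitimate activity from "bob".
SAMPLE_EVENTS = [
    ("alice", False), ("bob", True), ("alice", False),
    ("alice", False), ("alice", True), ("bob", False), ("bob", True),
]

if __name__ == "__main__":
    decisions, state = replay(SAMPLE_EVENTS)
    for (user, _), decision in zip(SAMPLE_EVENTS, decisions):
        print(f"{user:6s} -> {decision}")
    print("locked IDs:", sorted(state.locked))
```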

A blue-sky concept we haven't proven yet, but believe is possible, would avoid the complexity of security keys that must be exchanged between two disparate entities, such as between the traveler and the airport access point. It would actually be a new protocol structure, based on a modification of the 802.11a/b (Wi-Fi) protocol: a self-morphing wireless encryption protocol.

Devices containing a self-morphing protocol can change their protocol structure and behavior, based on a piece of the protocol that gets sent by one side before the transmission direction is reversed. This is only possible if a technology is deployed which understands what we would call the "logic dispatch trees" or "jump trees" of the protocols, rather than hard-coded protocol information.

The new communications protocol compiler technologies now available enable precisely this form of communication by reducing the entire protocol to a minimum of four hardware building blocks for the jump trees, including stack and state behavior.

Under this scenario, only a tiny element would be randomly selected by one of the stations being addressed and sent to the other station to specify a change of the protocol's behavior. On the next communication round, the new sender would behave precisely as it was just told seconds before. At the end of its communication, it in turn would randomly pick something else to change. This would ensure that an intruder could not decode the data that is currently being transmitted.
