10G stateless filter defined in Bluespec and implemented on FPGA
Faglioni Junior, Marcos Augusto
One of the pillars of cybersecurity is the principle of isolation, and one of the main ways to apply this principle to networks with globally routable addresses is packet filtering. With the increasing bandwidth consumed by network applications, the growing number of connected devices, and the rising incidence of lateral movement attacks, it is important to build customizable, low-cost, high-performance filters. This work proposes the development of a stateless filter on an FPGA. Stateless filters are programs that, given an input (a sequence of bits), return a decision based on whether or not it matches previously defined criteria. An FPGA is a device that can be programmed at the hardware level, which makes it possible to achieve better performance than general-purpose processors. The work begins with a study of some traditional network protocols, such as IPv4 and IPv6, identifying fields of interest. Next, it proposes a method to filter these packets, initially using default-blocking logic: any packet outside the filter pattern is dropped, and only some source and destination IPs and MACs are explicitly allowed. The importance of packet filtering is justified mainly by its potential to protect computer systems from intrusion: remote attacks occur over the network, so the more efficient the filter, the better it can detect and block malicious packets. This proposal, even as an initial prototype filter, uses reconfigurable devices with faster connection interfaces and superior performance at a lower cost than commercial devices currently available.
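A software reference model of the default-deny stateless decision described in the abstract, added here as an illustration and not code from the thesis (which targets Bluespec on an FPGA). The allowlist values, the rule that both source and destination must be listed, and the names `decide` and `build_frame` are assumptions.

```python
import ipaddress
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD

# Constructed allowlists (assumed values; documentation address ranges).
ALLOWED_MACS = {bytes.fromhex("020000000001"), bytes.fromhex("020000000002")}
ALLOWED_IPS = {ipaddress.ip_address(a) for a in
               ("192.0.2.10", "192.0.2.20", "2001:db8::10", "2001:db8::20")}

def decide(frame: bytes) -> bool:
    """True = forward, False = drop. Stateless: uses only this frame's bits."""
    if len(frame) < 14:                      # shorter than an Ethernet header
        return False
    dst_mac, src_mac = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if src_mac not in ALLOWED_MACS or dst_mac not in ALLOWED_MACS:
        return False
    l3 = frame[14:]
    if ethertype == ETH_IPV4:
        if len(l3) < 20 or l3[0] >> 4 != 4:  # truncated or wrong version
            return False
        src, dst = l3[12:16], l3[16:20]
    elif ethertype == ETH_IPV6:
        if len(l3) < 40 or l3[0] >> 4 != 6:
            return False
        src, dst = l3[8:24], l3[24:40]
    else:
        return False                         # default deny: ARP, VLAN tags, ...
    return (ipaddress.ip_address(src) in ALLOWED_IPS
            and ipaddress.ip_address(dst) in ALLOWED_IPS)

def build_frame(dst_mac, src_mac, src_ip, dst_ip, ethertype=None):
    """Build a minimal constructed test frame (header fields only, no payload)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version == 4:
        l3, etype = bytes([0x45]) + bytes(11) + src.packed + dst.packed, ETH_IPV4
    else:
        l3, etype = bytes([0x60]) + bytes(7) + src.packed + dst.packed, ETH_IPV6
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    return eth + struct.pack("!H", ethertype or etype) + l3

if __name__ == "__main__":
    ok = build_frame("020000000002", "020000000001", "192.0.2.10", "192.0.2.20")
    bad = build_frame("020000000002", "020000000001", "198.51.100.7", "192.0.2.20")
    print(decide(ok), decide(bad), decide(ok[:30]))
```

A model like this is commonly used as the golden reference that a hardware testbench compares its per-frame decisions against.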