Abstract

Packet classification is a core function of a firewall, which is widely used in various applications of network infrastructure for security purposes. Data transfer speeds are now in the Gbps range, so processing packets at the same speed to achieve high throughput is a very challenging task. In this paper, a field-programmable gate array (FPGA)-based reconfigurable firewall, namely the DRGO firewall, is proposed that accepts only unique rules and processes packets in parallel. The DRGO firewall resolves rule ambiguity in the rule set so that a deterministic action is performed for an incoming packet, and it minimizes the cardinality of the rule set to achieve better space efficiency and higher throughput. This type of firewall is applicable in any network to classify unknown incoming packets. The storage cost per rule of the DRGO firewall is 14 bytes. The proposed approach is implemented on a Virtex-6 FPGA, and it achieves a throughput of 142 Gbps at a clock rate of 442.6 MHz for a minimum packet size of 40 bytes.
