以Linux為基礎的網路安全與頻寬管理閘道器之實作與研究 (II)
(Implementation and study of Linux-based security gateway and bandwidth manager (II))


Principal Investigator

Ying-Dar Lin

Sponsor

National Science Council (NSC)

Keywords

security gateway, bandwidth management, router, VPN, firewall, speedup

Abstract

In recent years, the evolution of enterprise edge routers has followed two trends: broadband access and more intelligence. Broadband access implies that packet processing must be accelerated, which can be accomplished either by software acceleration, i.e. algorithm improvement, or by hardware acceleration, i.e. add-on dedicated hardware. The intelligence, on the other hand, falls mainly into two categories: security and quality of service (QoS). Security functions include the firewall, virtual private network (VPN), intrusion detection system (IDS), anti-virus, content filtering, etc. For QoS, the management of bandwidth allocation is the most essential function.

We built two integrated systems on a Linux/Open Source platform with a Pentium CPU: a security gateway, which includes VPN, firewall, IDS, routing, etc., and a bandwidth manager (TCP masq). In the first stage of this project, we integrated these two systems into a single embedded system through embedding, packaging, downsizing and cost reduction. After that, black-box and white-box benchmarking will be done to compare the integrated system with existing commercial products and to identify its bottlenecks. The next two stages are software acceleration through algorithm improvement and the development of new content-networking functions. The major targets are (1) the matching process for intrusion types in the IDS, (2) the packet filter, (3) content filtering and anti-virus, (4) per-flow processing in the bandwidth manager, and (5) IPsec encryption/decryption. Targets (1)-(4) can be accelerated in software, while (5) and parts of (1)-(4) can be accelerated in hardware. All of the researched methods will be implemented in the real system, along with analysis and benchmarking.

We completed integration and embedding in the first year. The 7-in-1 gateway (routing, NAT, firewall, VPN, IDS, content filtering, bandwidth management) has been run on Pentium-based, StrongARM-based, and MIPS-based platforms with 8 MB flash and 64 MB RAM. The achievements are listed below:
(1) "Building an Integrated Security Gateway: Mechanisms, Performance, Evaluation, Implementation, and Research Issues," to appear in IEEE Communications Surveys and Tutorials.
(2) Excellence Award in the MOE Competition on Communications Projects (bonus: 200,000 NT)
(3) Championship in the Advantech TIC 100 Competition on Technology Innovation (bonus: 500,000 NT)
(4) Cooperation with ZyXel to develop the ZyWall 500

In the second year, we will go on to complete the software acceleration and to research new functions, including (1) content filtering and classification, which classifies and filters packet content, (2) anti-virus, which scans for and blocks packets carrying computer viruses, and (3) P2P, which covers connectivity, scalability, and filtering. In the third year, we will implement, integrate, and test these new functions.