In recent years, enterprise edge routers have evolved along two trends:
broadband access and more intelligence. Broadband access implies that
packet processing must be accelerated. This can be accomplished by software
acceleration, i.e. algorithm improvement, or by hardware acceleration, i.e.
add-on independent hardware equipment. Intelligence, on the other hand, is
mainly categorized into security and quality of service (QoS). Security
functions include firewall, virtual private network (VPN), intrusion
detection system (IDS), anti-virus, content filtering, etc. For QoS, the
management of bandwidth allocation is the most essential function.
We built two integrated systems on a Linux/open-source platform with a
Pentium CPU: a security gateway, which includes VPN, firewall, IDS,
routing, etc., and a bandwidth manager (TCP masq). In the first stage of
this project, we integrated these two systems into one embedded system
using the techniques of embedding, packaging, downsizing and cost
reduction. After that, black-box and white-box benchmarking will be done to
compare the integrated system with existing commercial products and to
identify its bottlenecks. The next two stages are software acceleration by
algorithm improvement and development of new content-networking functions.
The major targets include (1) the matching process for the intrusion type
in the IDS, (2) the packet filter, (3) the content filter and anti-virus,
(4) per-flow processing in the bandwidth manager, and (5)
encryption/decryption for IPsec. Targets (1)-(4) can be accelerated by
software, while (5) and parts of (1)-(4) can be accelerated by hardware.
All of the researched methods will be implemented in the real system, along
with analysis and benchmarking.
We have completed integration and embedding in the first year. The 7-in-1
(routing, NAT, firewall, VPN, IDS, content filtering, bandwidth management)
gateway has operated on Pentium-based, StrongARM-based, and MIPS-based
platforms with 8 MB flash and 64 MB RAM. The achievements are listed
below:
(1) "Building an Integrated Security Gateway: Mechanisms, Performance,
Evaluation, Implementation, and Research Issues," to appear in IEEE
Communications Surveys and Tutorials.
(2) Excellence Award in MOE Competition on Communications Projects (bonus:
200,000 NT)
(3) Championship in Advantech TIC 100 Competition on Technology Innovation
(bonus: 500,000 NT)
(4) Cooperation with ZyXel to develop ZyWall 500
In the second year, we will go on to complete software acceleration and
research on new functions, including (1) content filtering and
classification, which classifies and filters packet content, (2)
anti-virus, which scans and blocks packets with computer viruses, and (3)
P2P, which covers connectivity, scalability, and filtering. In the third
year, we will implement, integrate, and test these new functions.