Hardware-Defined Networking by Brian Petersen

Total pages: 16

File type: PDF, size: 1020 KB

HARDWARE-DEFINED NETWORKING
MODERN NETWORKING FROM A HARDWARE PERSPECTIVE
Juniper Networks Books, Distinguished Engineering Series

Hardware-Defined Networking (HDN) explores the patterns that are common to modern networking protocols and provides a framework for understanding the work that networking hardware performs on a packet-by-packet basis billions of times per second. These patterns are not revealed in the command line interfaces that are the daily tools of IT professionals. The architects and protocol designers of the Internet and other large-scale networks understand these patterns, but they are not expressed in the standards documents that form the foundations of the networks that we all depend upon. HDN presents these essential networking patterns and describes their impact on hardware architectures, resulting in a framework through which software developers, dev ops, automation programmers, and all the various networking engineers can understand how modern networks are built.

Most networking books are written from a network administrator’s perspective (how to build and manage a network), while many new networking books are now written from a software perspective (how to implement a network’s management plane in software); HDN’s perspective will benefit both the hardware and the software engineers who need to understand the trade-offs of design choices.

This hardware perspective of networking delivers a common framework for software developers, dev ops, automation programmers, and all the various networking engineers to understand how modern networks are built.

Topics covered: Foundation Principles, Tunnels, Network Virtualization, Terminology, Forwarding Protocols, Load Balancing, Overlay Protocols, Virtual Private Networks, Multicast, Connections, Quality of Service, Time Synchronization, OAM, Security, Searching, Firewall Filters, Routing Protocols, Forwarding System Architecture.

“Today, massive compute problems such as machine learning are being tackled by specialized chips (GPUs, TPUs). So, how will specialized hardware handle the massive bandwidths from IoT devices to Mega-Scale Data Centers and equally massive bandwidths from those MSDCs to hand-helds? Here is just the book to find out: every time I open it I learn something new, something I didn’t know. Brian Petersen has taken a thoroughly modern snapshot of how it all comes together.”
Dr. Kireeti Kompella, SVP and CTO Engineering, Juniper Networks

“Brian Petersen has accomplished something quite remarkable with this book; he has distilled complex and seemingly disparate networking protocols and concepts into an eminently understandable framework. This book serves as both an excellent reference and as a learning tool for individuals from a broad range of networking disciplines.”
Jean-Marc Frailong, Chief Architect, Juniper Networks

ISBN 978-1-941441-51-0

Juniper Networks Books are singularly focused on network productivity and efficiency. Peruse the complete library at www.juniper.net/books.

Hardware-Defined Networking
Modern Networking from a Hardware Perspective
by Brian Petersen

Contents
1. Preface ... 3
2. Introduction ... 5
3. Foundation Principles ... 8
4. Tunnels ... 14
5. Network Virtualization ... 23
6. Terminology ... 31
7. Forwarding Protocols ... 40
8. Load Balancing ... 115
9. Overlay Protocols ... 126
10. Virtual Private Networks ... 140
11. Multicast ... 154
12. Connections ... 167
13. Quality of Service ... 185
14. Time Synchronization ... 209
15. OAM ... 239
16. Security ... 277
17. Searching ... 302
18. Firewall Filters ... 315
19. Routing Protocols ... 321
20. Forwarding System Architecture ... 335
21. Conclusion ... 349

© 2017 by Juniper Networks, Inc. All rights reserved.

Juniper Networks and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo and the Junos logo are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Published by Juniper Networks Books
Written and Illustrated by: Brian Petersen
Editors: Patrick Ames, Nancy Koerbel
ISBN: 978-1-941441-51-0

About the Author
Brian Petersen’s engineering career largely mirrors the growth and progress in networking. After exploring a variety of disciplines, Brian joined 3Com Corporation back when Ethernet’s most formidable competitor was “SneakerNet”— floppy discs. From there, Brian did pioneering work on high-density 100 Mbps Ethernet bridges at Grand Junction Networks and, after its acquisition, at Cisco Systems. The volatile early 2000s led to a series of startups (notably Greenfield Networks and TeraBlaze), culminating in several years at Broadcom Corporation and, since 2010, as a Distinguished Engineer at Juniper Networks. From building Ethernet MACs using discrete logic elements to developing packet processing architectures for multi-terabit packet forwarding engines intended for chassis-scale systems, Brian has developed a