4798345 posted on 2017-10-2 08:35:20

Software as Basis for Updatability and Agility

Using network firewalls and testing sandboxes as representative categories of the network security solutions market, the majority of these solutions are software-based and utilize virtual machines and environments. This is for agility, portability, and economical reasons—very little initial capital is typically needed for software-based products. Most important is the ability to update and patch products as new vulnerabilities and threat vectors are discovered.

Even more of the network and packet processing functionality is moving into software and virtual machine structures as a result of research and early product development in software defined networks by a variety of large original equipment manufacturers (OEMs).

Reconfigurable Hardware as Alternative

Reconfigurable hardware such as FPGAs can offer significant advantages to network security appliances, plus offer all of the updatability and agility advantages of software through FPGA system on a chip (SoC) products, new design entry models such as Open Computing Language (OpenCL™), and virtualization support in both the ARM® Cortex®-A9 and ARM Cortex-A53 hard processor subsystems. This virtualization capability is leveraged for software-defined networking (SDN) capabilities on FPGAs and programmable logic SoCs as well.

The data bandwidths and speeds of reconfigurable hardware are a key security advantage. Hardware can enable the network to monitor all activity, while processor and software solutions may enable only partial monitoring until the parallelization model becomes too encumbering. By using reconfigurable hardware instead of dedicated fixed circuits, the necessary ability to update and patch products as new vulnerabilities are detected is maintained. Additionally, because the data processing path is reconfigurable, older hardware can be updated to support new and better security standards.

Brief History of Research into Programmable Hardware for Network Security

In a thesis on reconfigurable hardware for network security, Sascha Muhlbach summarizes previous work, study, and demonstrations of security elements on various FPGAs. He breaks these research efforts into the categories of packet classification, pattern matching, anomaly detection, and applications and communication support.

Packet classification is typically used for filtering in network firewalls, and is accelerated in FPGAs in systems today using ternary content addressable memory (TCAM) architectures. Pattern matching includes the rule-based IDS applications, most recently demonstrated on Altera FPGAs. Anomaly detection includes statistical implementations of IDS systems. Applications and communication support refer to a variety of acceleration functions for protocol operations requiring security, including domain name system (DNS), Secure Shell (SSH), and so on.

In edge-of-network, Internet of Things (IoT) applications, hardware security is being recognized as the preferred approach as well. As summarized in the Electronicsofthings.com blog:

“A hardware-first approach with respect to security and implementation of necessary functionality on the SoC level is vital for fully securing devices and platforms such as FPGAs, wearables, smartphones, tablets, and other intelligent appliances.”

Overview of Network Security Products and Capabilities Page 5
Shifting from Software to Hardware for Network Security February 2016 Altera, now part of Intel

In each of the applications described above, FPGA hardware has several distinct security advantages above and beyond just performance acceleration goals.

Hardware Advantage: Fewer Data Vulnerabilities

When designed correctly, FPGAs cannot be altered without detection. Tampering with hardware circuits and hardware anti-tamper features requires physical access to the hardware. This is enabled through authenticated partial reconfiguration as well as the OpenCL and high-level synthesis programming models described hereafter. In addition, a key feature not available for software security solutions is fail-safe operation. Correctly implemented, fail-safe designs ensure the operating parameters of the security product are within its operational boundaries. If the security product has a logical or physical error, such as failure of a component, a power supply surge, or an unknown glitch, the product will fail to a safe state. This ensures the product does not continue operating in a defective state.

Also, FPGA-based network products cannot be altered via a network connection or front door attack. If there is an attempt to alter the design, either the anti-tamper mechanisms or the fail-safe design feature will detect and shut down the product.
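A software emulation of the TCAM-style packet classification the post mentions, added here as an example (it is not code from the Altera white paper or from the forum poster). Each table entry carries a value and a care-mask per header field, the lowest-index match wins as a hardware priority encoder would select it, unmatched traffic falls to a deny default (the software analogue of the fail-safe state the post describes), and a helper flags entries that an earlier, broader entry shadows so they can never fire. The rule set and addresses are constructed for the demonstration.

```python
"""TCAM-style ternary packet classifier, emulated in software.

Added example; not code from the white paper or the forum post. Models a
TCAM-backed firewall table: every field of an entry is a (value, mask)
pair where mask bit 1 means 'care' and 0 means 'don't care' (the TCAM X
state), entries are searched in priority order, and no match falls to a
default-deny action.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

Field = tuple[int, int]  # (value, mask)


@dataclass(frozen=True)
class TcamEntry:
    src: Field    # 32-bit source address
    dst: Field    # 32-bit destination address
    proto: Field  # 8-bit IP protocol number
    dport: Field  # 16-bit destination port
    action: str

    def fields(self) -> tuple[Field, ...]:
        return (self.src, self.dst, self.proto, self.dport)


def prefix(cidr: str) -> Field:
    """CIDR prefix -> (network, netmask); host bits become don't-care."""
    net = ip_network(cidr, strict=False)
    return int(net.network_address), int(net.netmask)


def exact(value: int, width: int) -> Field:
    """Exact-match field: every bit is 'care'."""
    return value, (1 << width) - 1


ANY: Field = (0, 0)  # all bits don't-care


def ternary_match(key: int, field: Field) -> bool:
    value, mask = field
    return (key & mask) == (value & mask)


def classify(table, src: str, dst: str, proto: int, dport: int, default: str = "DROP"):
    """Return (index, action) of the highest-priority matching entry.

    Hardware compares all entries in parallel and a priority encoder picks
    the lowest matching index; the sequential scan here gives the same result.
    A packet matching nothing gets the default (deny-by-default).
    """
    key = (int(ip_address(src)), int(ip_address(dst)), proto, dport)
    for idx, entry in enumerate(table):
        if all(ternary_match(k, f) for k, f in zip(key, entry.fields())):
            return idx, entry.action
    return None, default


def field_covers(a: Field, b: Field) -> bool:
    """True if every key matching b also matches a (a's care bits are a subset of b's and agree)."""
    va, ma = a
    vb, mb = b
    return (ma & ~mb) == 0 and (va & ma) == (vb & ma)


def shadowed_entries(table):
    """(j, i) pairs where entry j can never match because earlier entry i covers it entirely."""
    out = []
    for j, later in enumerate(table):
        for i in range(j):
            if all(field_covers(a, b) for a, b in zip(table[i].fields(), later.fields())):
                out.append((j, i))
                break
    return out


# Constructed sample rule sets (addresses from documentation ranges).
TCP, UDP = 6, 17
RULES = [
    TcamEntry(prefix("10.0.0.0/8"), prefix("192.0.2.10/32"), exact(TCP, 8), exact(443, 16), "PERMIT"),
    TcamEntry(ANY, prefix("192.0.2.0/24"), exact(TCP, 8), exact(23, 16), "DROP"),
    TcamEntry(prefix("10.0.0.0/8"), prefix("192.0.2.0/24"), ANY, ANY, "PERMIT"),
]
# Mis-ordered table: the narrow DROP sits behind a broad PERMIT and is dead.
MISORDERED = [
    TcamEntry(prefix("10.0.0.0/8"), ANY, ANY, ANY, "PERMIT"),
    TcamEntry(prefix("10.1.0.0/16"), ANY, exact(TCP, 8), exact(23, 16), "DROP"),
]

if __name__ == "__main__":
    print(classify(RULES, "10.1.2.3", "192.0.2.10", TCP, 443))
    print(classify(RULES, "198.51.100.7", "192.0.2.10", TCP, 443))
    print("shadowed:", shadowed_entries(MISORDERED))
```

The shadow check is the part a reviewer of a TCAM rule table actually needs: because priority is positional, a deny entry placed below a broader permit is silently unreachable, and an audit of the table catches that before it reaches the device.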

4798345 posted on 2017-10-2 08:35:31

Read a little English every day to improve your reading skills.