Putting it on the NIC: A Case Study on application offloading to a Network Interface Card (NIC)
|
|
- May Pierce
- 8 years ago
- Views:
Transcription
1 This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE CCNC 2006 proceedings. Putting it on the NIC: A Case Study on application offloading to a Network Interface Card (NIC) Yaron Weinsberg, Elan Pavlov, Yossi Amir, Gilad Gat, Sharon Wulff Department of Computer Science The Hebrew University Of Jerusalem {wyaron,elan}@cs.huji.ac.il Abstract We have implemented a firewall application on a Network Interface Card (NIC). We have tested the CPU utilization and the bandwidth in a variety of scenarios. The benefits of offloading code are most pronounced when rejecting packets. Our results suggest significant benefits of offloading applications and in particular firewall logic to a NIC. I. INTRODUCTION There are many communication applications that act on every incoming packet. Offloading such applications to the network interface card (NIC) has many potential advantages. Utilizing the onboard computational power of the NIC can reduce the demands put on the CPU. If the NIC can process incoming information it can avoid costly interrupts to the CPU. In addition, the NIC can serve as a gatekeeper thus avoiding potential threats to the CPU. Furthermore, applications on a NIC can be built such that they are system and OS independent. An application of particular promise for offloading is a firewall application. Since a firewall is an application that filters packets by a user defined security policy, earlier filtering (especially discarding packets) has a potential for significant improvements in performance. A firewall application on a NIC also has the additional advantage that it is harder for an adversary to modify than a software application running at the host. We have designed and implemented a firewall application which we call SCIRON (Secure-Communication IntegRated Over NIC) on a NIC. The system consists of three elements: The firewall logic, a management console and a policy builder. This paper presents SCIRON, and shows that offloading full applications has significant advantages and market potential more so than TCP offload engines [9] (TOEs) or protocol specific offloaded extensions. II. RELATED WORK Numerous firewall applications exist in the market today. The objective of firewall applications is to protect the network from external and internal attacks. Firewall applications range from commercial products developed by leading companies in the industry (such as Checkpoint [2] and Cisco [3]), to lightweight free tools such as Linux IP-Chains [10] and more advanced open source solutions such as Snort [7] and ClamAV [4]. These products share a common philosophy of filtering communication at the network stack layer. The packet filtering module is integrated into the operating system s kernel and intercepts each incoming and outgoing packet. The packet is evaluated against the Firewall s security policy and will be either discarded or allowed access to (or from) the protected computer. Recently, 3COM has independently developed [1] an intrusion detection system (IDS) suit which is a distributed firewall bundle for servers and desktops, priced at around 800$. Our philosophy of offloading firewall logic to the NIC is similar to their product but has significant cost advantages. Furthermore, although there is evidently commercial potential, there has been no research released on the quality of such a solution. III. SYSTEM DESCRIPTION The system is divided into three main parts: The firewall logic is what controls which packets are accepted and which are filtered. For purposes of comparison we implemented the firewall both on the NIC and as a driver. We then compared in section IV the results of the implementation on a NIC vs the results of the implementation as a driver. The second part is a policy builder which creates the policy that regulates the firewall logic. Since the number of rules effects the speed of the system we attempt to find a small set of rules that implements the given policy. As this problem is non-polynomial time complete we utilize several heuristics (detailed in the full paper). In addition we warn of conflicting or redundant rules. Finally, there is a management console which controls the loading of rules to a specific computer in the network as well as logging and other management activities. A. Overview and Motivation Offloading firewall logic to a NIC offers several benefits, as an off the shelf OS independent implementation. It is also harder to tamper with a hardware implementation as opposed to a software implementation. Finally, it allows flexibility in accessing a remote host without jeopardizing the whole segment. Firewall applications are computationally expensive for several reasons: The host s CPU is repeatedly interrupted by the NIC on incoming packets. The processing power required to handle the interrupts is wasted if the packet is doomed to be discarded /05/$ IEEE. 1013
2 An adversary can try to perform a denial of service (DoS) attack by sending packets from many computers, in an attempt to overload the system. The networking stack has significant overhead. The PCI [6] bus is a major bottleneck especially in today s incline towards faster networking fabrics (should be reduced in the future PCI express). Offloading firewall activities to the NIC can evade some of these issues. We have implemented a static, 5-tuple (protocol, IP-source-address, IP-destination-address, source-port, destination-port) firewall, at the NIC. Our motivation was to examine the benefits from such an offload and to measure the expected performance in CPU utilization and overall throughput. B. Environment Our programmable interface card is based on the Tigon chipset. The Tigon programmable Ethernet controller, released in 1997 is used in the family of 3Com s Gigabit NICs. The Tigon controller supports a PCI host interface and a full-duplex Gigabit Ethernet interface. Figure 5 shows a block diagram of the Tigon. The Tigon has two 88 MHz MIPS R4000-based processors which share access to external SRAM. Each processor has a one-line (64-byte) instruction cache to capture spatial locality for instructions from the SRAM. In the Tigon, each processor also has a private on-chip scratch pad memory, which serves as a low-latency softwaremanaged cache. Hardware DMA and MAC controllers enable the firmware to transfer data to and from the system s main memory and the network, respectively. SRAM of 1 MB. This NIC does not provide a CPU interrupt mechanism. Although in our architecture, the NIC s operating system is designed as a non-preemptive kernel, our work does provide the OS specification for interrupt-enabled NIC hardware. C. Programming Model SCIRON [11] is based on a previous project conducted in our lab called STORM [12]. STORM provides a framework on top of the original NIC s firmware which enables a developer to install predefined hooks. Hooks can be installed both at the firmware level and/or at the kernel level (inside the NIC s driver). STORM s framework also enables adding custom events which are triggered by the driver. These triggers can be used as a communication method between the firmware and the network driver. Figure 2 presents the modules and hooks provided by STORM s framework. The Rx and Tx stubs provide the hooks necessary for intercepting traffic on the NIC. These hooks, enable SCIRON s firewall to filter traffic according to a predefined security policy. The firmware s trace module provides development and debugging capabilities of firmware code. We utilize this capability for transmitting packets from within the NIC for remote logging. Fig. 2. STORM s modules Fig. 1. Tigon Controller Block Diagram Scratch Pad CPU A CPU B Scratch Pad Memory Bus Memory Bus Arbiter External RAM Read DMA PCI Interface Write DMA MAC Figure 3 presents a sample hook invocation performed by STORMś framework. The storm pre recv hook is invoked in the receive control flow of the NIC s firmware. PCI Full-Duplex Gigabit Ethernet The Tigon Chipset The Tigon controller uses an event-loop approach instead of an interrupt driven logic. The motivation is to increase the NIC s runtime performance by lowering the overhead imposed by interrupting the host s CPU each time a packet arrives or a DMA request is ready. Furthermore, on a single processor the need for synchronization and its associated overhead is eliminated. Our system is comprised of the Netgear GA620T NIC, which uses Tigon version II chipset, with an external Fig. 3. Installing a Hook /* call the hook and get packet verdict */ BOOL allowed = storm_pre_recv(pkt); if (!allowed) { /* discard packet */ storm_discard(pkt) } /* allow packet */... The storm pre recv hook receives a pointer to the beginning of the communication packet, i.e. the ethernet header, and 1014
3 returns false if the packet is to be discarded or true if it is to be allowed (forwarded to the operating system). SCIRON s firewall is implemented as a set of such firmware hooks that are installed using STORM s API. These hooks are compiled and linked with the firmware image and are installed during NIC initialization. In order to simulate common kernel-based firewalls for performance evaluation, we have also installed hooks at the driver layer (also using STORM s framework). All comparisons shown in Section IV, compare the same firewall code (with the same filtering policy) between the driver based firewall and the NIC based firewall. Currently the firewall code is fully stateless thus state is not saved between successive hook invocations. Fig. 4. SCIRON s Managment Console Architecture D. SCIRON Architecture This section presents the main components of SCIRON runtime. The runtime is comprised of two main components: The SCIRON enforcement module and SCIRON s management console. 1) Enforcement module: The enforcement module is the engine of SCIRON s firewall that actively enforces the security policy upon incoming and outgoing packets. SCIRON s firewall is an ordered 5-tuple firewall. When a packet arrives, a sequential pass over the rules is performed. The action (accept or reject) associated with the first rule that matches the packet header is performed. If there is no match, the default policy action (reject all) is performed 2) Management Console: SCIRON s management console provides remote administration and logging capabilities. Administrators can remotely install security policies at enforcement modules of machines in their domain. This is done by communicating with SCIRON s embedded enforcement module using a proprietary protocol called SRPP (SCIRON Remote Policy Protocol). An administrator can also determine the policy for monitoring and logging events to the management console. This is done by marking specific rules as log-rules. Packets caught by these rules will generate a log packet containing the packet s information. The logged packet is then sent to the management console. Allowing real-time monitoring and tracking of the network activities, enables the administrator to immediately act upon potential attacks. SCIRON management console is comprised of the following modules: (1) Management console GUI - a tool used for defining and managing the security policy. (2) Log viewer - A server application which receives log packets sent by the various enforcement modules and displays them graphically to the administrator. (3) Policy builder - a tool for verifying the correctness of the security policy defined by the administrator, by searching for shadowed and redundancy rules. The verifier implements the algorithm presented in [8] IV. EXPERIMENTAL RESULTS There are many parameters that influence firewall performance. Such issues as, the number of rules, current CPU utilization, packet size, ratio of incoming to outgoing packets, total number of packets, number of packets accepted vs number rejected etc., can all potentially influence performance. Performance is measured using two parameters. The first is the load on the CPU and the second is the throughput. In this section we present and discuss several typical results. In the first scenario we present (Figure 5), the firewall discards all the packets it receives. During this scenario the CPU is only running system processes. The CPU is on the left of the graph and throughput is on the right. Fig. 5. Receiving - Discarding all packets As we expect, in this scenario the CPU utilization when using the firewall implemented on the NIC is approximately zero, whilst for the same firewall on the host it is quite high. The second scenario presented is the complementary scenario in which the firewall accepts all received packets. In this case we see that the CPU utilization and throughput is much higher when the SCIRON firewall is deployed (see Figure 6). The host CPU utilization is very high (98.12%), leaving very little CPU time to the host applications. Most of the CPU cycles are consumed in the networking stack and interrupt handlers. Although the CPU has more computational power than the NIC it has to do less work for each incoming packet (as rule matching is done by the NIC) leading to higher throughput. 1015
4 Fig. 6. Receiving - Accepting all packets Fig. 8. Sending - Accepting all packets The third scenario, given in Figure 7, is probably a more realistic behavior for a typical host machine. Fig. 7. Receiving - 50% acceptance rate It is evident that the NIC based firewall has better performance both in CPU utilization and throughput. Finally, the last scenario is somewhat less typical. In this scenario all user packets are compliant to the firewall rules, hence all packets are forwarded. As we can see in Figure 8, SCIRON firewall performance is inferior to the host s firewall. Since, all outgoing packets have to be processed, the computational power of the firewall becomes a bottleneck as the host CPU speed is faster than the NIC s processor. We expect that this difference will be less outstanding in high end NIC cards. In practice, most machines are driven by incoming bandwidth and not outgoing bandwidth. A. Extensions Offloading code can potentially exacerbate the security problem by adding more opportunities for bugs. Unfortunately, even if an offloaded protocol design can be shown to be secure, this does not imply that all of its implementations would be secure. In fact, many (if not most) security holes are implementation bugs, not specification bugs. Hackers actively find and exploit bugs, and an offloaded code bug could be much more severe than traditional user-level applications bugs, because it might allow unbounded and unchecked access to host memory. An additional minor problem is that in some scenarios implementation of a firewall on a NIC suffers drawbacks compared to standard implementations. These scenarios typically involve a heavy load of outgoing packets. These two problems lead us to consider a mixed paradigm: Utilize a NIC firewall for preliminary filtering of incoming traffic along with a conventional firewall for additional filtering. Any bugs offloaded to the NIC can easily be dealt with via the conventional firewall. Since most of the performance gain is due to faster discarding of unwanted packets this solutions conserves most of the benefits of offloading the firewall logic to the NIC. In addition the conventional firewall can filter outgoing packets thereby eliminating the bottleneck associated with the NIC filtering. In the future we intend to look at a Stateful Packet Inspection (SPI) firewall, in which filtering depends on prior packets received to avoid such attacks as denial of service (DoS). We expect that the advantages of an SPI firewall on a NIC will be substantial although less pronounced than for a stateless packet inspection. We also intend to port this work to the NICOS operating system which was also developed in our lab [5]. V. CONCLUSIONS We learned that offloading firewall logic to a NIC has many advantages. In scenarios with a heavy incoming packet load (especially if packets need to be discarded) a firewall offloaded to a NIC significantly improves both CPU utilization as well as packet throughput. On the less likely scenarios of heavy outgoing packet traffic, offloading firewall logic to a NIC is slower than conventional firewalls. It is important to note that our implementation is based on an obsolete NIC. We expect that the performance gain will be more pronounced when utilizing an advanced NIC. Although current NICs hardware 1016
5 is continuously improving, the host CPU speed will likely continue to be faster than NIC hardware. In order to further improve the sending flow performance, a mixed paradigm can be used. In this model, the processing of outgoing packet is performed at the host while the incoming packets are processed in the NIC. We will further study this kind of solution in future research. REFERENCES [1] 3com embedded firewall. [2] Checkpoint. [3] Cisco systems inc. [4] Clamav. [5] Network Interface Card Operating System (NICOS). Homepage at wyaron/. [6] PCISIG industry organization, PCI specification. [7] Snort. [8] E. S. Al-Shaer and H. H. Hamed. Discovery of policy anomalies in distributed firewalls. In INFOCOM, [9] A. Currid. TCP offload to the rescue. Queue, 2(3):58 65, [10] L. Journal. Building a firewall with ip chains. www2.linuxjournal.com/article/3622. [11] Y. Weinsberg. SCIRON, Secure Communication IntegRated over NIC. Homepage at wyaron/sciron.html/. [12] Y. Weinsberg. STORM, Super-fast Transport Over Replicated Machines. Homepage at wyaron/storm.html/. 1017
Sockets vs. RDMA Interface over 10-Gigabit Networks: An In-depth Analysis of the Memory Traffic Bottleneck
Sockets vs. RDMA Interface over 1-Gigabit Networks: An In-depth Analysis of the Memory Traffic Bottleneck Pavan Balaji Hemal V. Shah D. K. Panda Network Based Computing Lab Computer Science and Engineering
More informationStateful Inspection Technology
Stateful Inspection Technology Security Requirements TECH NOTE In order to provide robust security, a firewall must track and control the flow of communication passing through it. To reach control decisions
More informationTCP Offload Engines. As network interconnect speeds advance to Gigabit. Introduction to
Introduction to TCP Offload Engines By implementing a TCP Offload Engine (TOE) in high-speed computing environments, administrators can help relieve network bottlenecks and improve application performance.
More informationExploiting Task-level Concurrency in a Programmable Network Interface
Exploiting Task-level Concurrency in a Programmable Network Interface Hyong-youb Kim, Vijay S. Pai, and Scott Rixner Rice University hykim, vijaypai, rixner @rice.edu ABSTRACT Programmable network interfaces
More informationD1.2 Network Load Balancing
D1. Network Load Balancing Ronald van der Pol, Freek Dijkstra, Igor Idziejczak, and Mark Meijerink SARA Computing and Networking Services, Science Park 11, 9 XG Amsterdam, The Netherlands June ronald.vanderpol@sara.nl,freek.dijkstra@sara.nl,
More informationInternational Journal of Enterprise Computing and Business Systems ISSN (Online) : 2230-8849
WINDOWS-BASED APPLICATION AWARE NETWORK INTERCEPTOR Ms. Shalvi Dave [1], Mr. Jimit Mahadevia [2], Prof. Bhushan Trivedi [3] [1] Asst.Prof., MCA Department, IITE, Ahmedabad, INDIA [2] Chief Architect, Elitecore
More informationRecon 2011 - Montreal
How to develop a rootkit for Broadcom NetExtreme network cards Guillaume Delugré Sogeti / ESEC R&D guillaume(at)security-labs.org Recon 2011 - Montreal . Delugré How to develop a rootkit for Broadcom NetExtreme
More informationA Research Study on Packet Sniffing Tool TCPDUMP
A Research Study on Packet Sniffing Tool TCPDUMP ANSHUL GUPTA SURESH GYAN VIHAR UNIVERSITY, INDIA ABSTRACT Packet sniffer is a technique of monitoring every packet that crosses the network. By using this
More informationStress-Testing a Gbps Intrusion Prevention Device on DETER
Stress-Testing a Gbps Intrusion Prevention Device on DETER Nicholas Weaver Vern Paxson ICSI Acknowledgements Joint work with Jose Chema Gonzalez Sponsored by NSF/DHS ANI-0335290 (EMIST) DOE DE-F602-04ER25638
More informationPROFESSIONAL SECURITY SYSTEMS
PROFESSIONAL SECURITY SYSTEMS Security policy, active protection against network attacks and management of IDP Introduction Intrusion Detection and Prevention (IDP ) is a new generation of network security
More informationParallel Firewalls on General-Purpose Graphics Processing Units
Parallel Firewalls on General-Purpose Graphics Processing Units Manoj Singh Gaur and Vijay Laxmi Kamal Chandra Reddy, Ankit Tharwani, Ch.Vamshi Krishna, Lakshminarayanan.V Department of Computer Engineering
More informationCisco Integrated Services Routers Performance Overview
Integrated Services Routers Performance Overview What You Will Learn The Integrated Services Routers Generation 2 (ISR G2) provide a robust platform for delivering WAN services, unified communications,
More informationCisco PIX vs. Checkpoint Firewall
Cisco PIX vs. Checkpoint Firewall Introduction Firewall technology ranges from packet filtering to application-layer proxies, to Stateful inspection; each technique gleaning the benefits from its predecessor.
More informationNetwork Security Demonstration - Snort based IDS Integration -
Network Security Demonstration - Snort based IDS Integration - Hyuk Lim (hlim@gist.ac.kr) with TJ Ha, CW Jeong, J Narantuya, JW Kim Wireless Communications and Networking Lab School of Information and
More informationΕΠΛ 674: Εργαστήριο 5 Firewalls
ΕΠΛ 674: Εργαστήριο 5 Firewalls Παύλος Αντωνίου Εαρινό Εξάμηνο 2011 Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized
More informationSecurity Overview of the Integrity Virtual Machines Architecture
Security Overview of the Integrity Virtual Machines Architecture Introduction... 2 Integrity Virtual Machines Architecture... 2 Virtual Machine Host System... 2 Virtual Machine Control... 2 Scheduling
More informationFirewalls and IDS. Sumitha Bhandarkar James Esslinger
Firewalls and IDS Sumitha Bhandarkar James Esslinger Outline Background What are firewalls and IDS? How are they different from each other? Firewalls Problems associated with conventional Firewalls Distributed
More informationGigabit Ethernet Design
Gigabit Ethernet Design Laura Jeanne Knapp Network Consultant 1-919-254-8801 laura@lauraknapp.com www.lauraknapp.com Tom Hadley Network Consultant 1-919-301-3052 tmhadley@us.ibm.com HSEdes_ 010 ed and
More informationIntel DPDK Boosts Server Appliance Performance White Paper
Intel DPDK Boosts Server Appliance Performance Intel DPDK Boosts Server Appliance Performance Introduction As network speeds increase to 40G and above, both in the enterprise and data center, the bottlenecks
More informationHow To Monitor And Test An Ethernet Network On A Computer Or Network Card
3. MONITORING AND TESTING THE ETHERNET NETWORK 3.1 Introduction The following parameters are covered by the Ethernet performance metrics: Latency (delay) the amount of time required for a frame to travel
More informationTechnical Brief. DualNet with Teaming Advanced Networking. October 2006 TB-02499-001_v02
Technical Brief DualNet with Teaming Advanced Networking October 2006 TB-02499-001_v02 Table of Contents DualNet with Teaming...3 What Is DualNet?...3 Teaming...5 TCP/IP Acceleration...7 Home Gateway...9
More informationProtecting and controlling Virtual LANs by Linux router-firewall
Protecting and controlling Virtual LANs by Linux router-firewall Tihomir Katić Mile Šikić Krešimir Šikić Faculty of Electrical Engineering and Computing University of Zagreb Unska 3, HR 10000 Zagreb, Croatia
More informationCS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013
CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access
More informationIncreasing Web Server Throughput with Network Interface Data Caching
Increasing Web Server Throughput with Network Interface Data Caching Hyong-youb Kim, Vijay S. Pai, and Scott Rixner Computer Systems Laboratory Rice University Houston, TX 77005 hykim, vijaypai, rixner
More informationFirewalls Overview and Best Practices. White Paper
Firewalls Overview and Best Practices White Paper Copyright Decipher Information Systems, 2005. All rights reserved. The information in this publication is furnished for information use only, does not
More informationImproving the Database Logging Performance of the Snort Network Intrusion Detection Sensor
-0- Improving the Database Logging Performance of the Snort Network Intrusion Detection Sensor Lambert Schaelicke, Matthew R. Geiger, Curt J. Freeland Department of Computer Science and Engineering University
More informationΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science
ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized Internet users
More informationNetwork Defense Tools
Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds ravikantvanjara@gmail.com What is Firewall? A firewall
More information10 Gbit Hardware Packet Filtering Using Commodity Network Adapters. Luca Deri <deri@ntop.org> Joseph Gasparakis <joseph.gasparakis@intel.
10 Gbit Hardware Packet Filtering Using Commodity Network Adapters Luca Deri Joseph Gasparakis 10 Gbit Monitoring Challenges [1/2] High number of packets to
More information- Introduction to PIX/ASA Firewalls -
1 Cisco Security Appliances - Introduction to PIX/ASA Firewalls - Both Cisco routers and multilayer switches support the IOS firewall set, which provides security functionality. Additionally, Cisco offers
More informationTMOS Secure Development and Implementation
TMOS Secure Development and Implementation Overview TMOS the foundation and architecture for F5 s application delivery controllers running on the BIG-IP platform brings a wealth of security to existing
More informationIntel Ethernet Switch Load Balancing System Design Using Advanced Features in Intel Ethernet Switch Family
Intel Ethernet Switch Load Balancing System Design Using Advanced Features in Intel Ethernet Switch Family White Paper June, 2008 Legal INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL
More informationIntel Data Direct I/O Technology (Intel DDIO): A Primer >
Intel Data Direct I/O Technology (Intel DDIO): A Primer > Technical Brief February 2012 Revision 1.0 Legal Statements INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE,
More informationSemantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0
Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual Document Version 1.0 Table of Contents 1 SWAF... 4 1.1 SWAF Features... 4 2 Operations and User Manual... 7 2.1 SWAF Administrator
More informationMulti-Stage Packet Filtering in Network Smart Cards
Multi-Stage Packet Filtering in Network Smart Cards HongQian Karen Lu Smart Cards Research, Axalto, Inc., 8311 North FM 620 Road, Austin, TX 78726, USA karenlu@axalto.com Abstract: Network smart cards
More informationFirewalls. Ahmad Almulhem March 10, 2012
Firewalls Ahmad Almulhem March 10, 2012 1 Outline Firewalls The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Configurations Firewall Policies and Anomalies 2
More informationChapter 9 Firewalls and Intrusion Prevention Systems
Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish
More informationDesign Issues in a Bare PC Web Server
Design Issues in a Bare PC Web Server Long He, Ramesh K. Karne, Alexander L. Wijesinha, Sandeep Girumala, and Gholam H. Khaksari Department of Computer & Information Sciences, Towson University, 78 York
More informationWireshark in a Multi-Core Environment Using Hardware Acceleration Presenter: Pete Sanders, Napatech Inc. Sharkfest 2009 Stanford University
Wireshark in a Multi-Core Environment Using Hardware Acceleration Presenter: Pete Sanders, Napatech Inc. Sharkfest 2009 Stanford University Napatech - Sharkfest 2009 1 Presentation Overview About Napatech
More informationAccelerate In-Line Packet Processing Using Fast Queue
Accelerate In-Line Packet Processing Using Fast Queue Chun-Ying Huang 1, Chi-Ming Chen 1, Shu-Ping Yu 1, Sheng-Yao Hsu 1, and Chih-Hung Lin 1 Department of Computer Science and Engineering, National Taiwan
More informationIntroduction to MPIO, MCS, Trunking, and LACP
Introduction to MPIO, MCS, Trunking, and LACP Sam Lee Version 1.0 (JAN, 2010) - 1 - QSAN Technology, Inc. http://www.qsantechnology.com White Paper# QWP201002-P210C lntroduction Many users confuse the
More informationHigh-Performance IP Service Node with Layer 4 to 7 Packet Processing Features
UDC 621.395.31:681.3 High-Performance IP Service Node with Layer 4 to 7 Packet Processing Features VTsuneo Katsuyama VAkira Hakata VMasafumi Katoh VAkira Takeyama (Manuscript received February 27, 2001)
More informationChapter 14 Virtual Machines
Operating Systems: Internals and Design Principles Chapter 14 Virtual Machines Eighth Edition By William Stallings Virtual Machines (VM) Virtualization technology enables a single PC or server to simultaneously
More informationExtensible Network Configuration and Communication Framework
Extensible Network Configuration and Communication Framework Todd Sproull and John Lockwood Applied Research Laboratory Department of Computer Science and Engineering: Washington University in Saint Louis
More informationResource Utilization of Middleware Components in Embedded Systems
Resource Utilization of Middleware Components in Embedded Systems 3 Introduction System memory, CPU, and network resources are critical to the operation and performance of any software system. These system
More informationco Characterizing and Tracing Packet Floods Using Cisco R
co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1
More informationChapter 11 Cloud Application Development
Chapter 11 Cloud Application Development Contents Motivation. Connecting clients to instances through firewalls. Chapter 10 2 Motivation Some of the questions of interest to application developers: How
More informationSIDN Server Measurements
SIDN Server Measurements Yuri Schaeffer 1, NLnet Labs NLnet Labs document 2010-003 July 19, 2010 1 Introduction For future capacity planning SIDN would like to have an insight on the required resources
More informationMEASURING WORKLOAD PERFORMANCE IS THE INFRASTRUCTURE A PROBLEM?
MEASURING WORKLOAD PERFORMANCE IS THE INFRASTRUCTURE A PROBLEM? Ashutosh Shinde Performance Architect ashutosh_shinde@hotmail.com Validating if the workload generated by the load generating tools is applied
More informationAccelerating High-Speed Networking with Intel I/O Acceleration Technology
White Paper Intel I/O Acceleration Technology Accelerating High-Speed Networking with Intel I/O Acceleration Technology The emergence of multi-gigabit Ethernet allows data centers to adapt to the increasing
More informationCS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013
CS 356 Lecture 17 and 18 Intrusion Detection Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists
More informationVirtualization: TCP/IP Performance Management in a Virtualized Environment Orlando Share Session 9308
Virtualization: TCP/IP Performance Management in a Virtualized Environment Orlando Share Session 9308 Laura Knapp WW Business Consultant Laurak@aesclever.com Applied Expert Systems, Inc. 2011 1 Background
More informationChapter 1 - Web Server Management and Cluster Topology
Objectives At the end of this chapter, participants will be able to understand: Web server management options provided by Network Deployment Clustered Application Servers Cluster creation and management
More informationI/O Virtualization Using Mellanox InfiniBand And Channel I/O Virtualization (CIOV) Technology
I/O Virtualization Using Mellanox InfiniBand And Channel I/O Virtualization (CIOV) Technology Reduce I/O cost and power by 40 50% Reduce I/O real estate needs in blade servers through consolidation Maintain
More informationA host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.
A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based
More informationInternational Journal of Scientific & Engineering Research, Volume 4, Issue 8, August-2013 1300 ISSN 2229-5518
International Journal of Scientific & Engineering Research, Volume 4, Issue 8, August-2013 1300 Efficient Packet Filtering for Stateful Firewall using the Geometric Efficient Matching Algorithm. Shriya.A.
More informationQuantifying the Performance Degradation of IPv6 for TCP in Windows and Linux Networking
Quantifying the Performance Degradation of IPv6 for TCP in Windows and Linux Networking Burjiz Soorty School of Computing and Mathematical Sciences Auckland University of Technology Auckland, New Zealand
More information10/100/1000Mbps Ethernet MAC with Protocol Acceleration MAC-NET Core with Avalon Interface
1 Introduction Ethernet is available in different speeds (10/100/1000 and 10000Mbps) and provides connectivity to meet a wide range of needs from desktop to switches. MorethanIP IP solutions provide a
More informationPerformance Evaluation of Linux Bridge
Performance Evaluation of Linux Bridge James T. Yu School of Computer Science, Telecommunications, and Information System (CTI) DePaul University ABSTRACT This paper studies a unique network feature, Ethernet
More informationWhere IT perceptions are reality. Test Report. OCe14000 Performance. Featuring Emulex OCe14102 Network Adapters Emulex XE100 Offload Engine
Where IT perceptions are reality Test Report OCe14000 Performance Featuring Emulex OCe14102 Network Adapters Emulex XE100 Offload Engine Document # TEST2014001 v9, October 2014 Copyright 2014 IT Brand
More informationRouter Architectures
Router Architectures An overview of router architectures. Introduction What is a Packet Switch? Basic Architectural Components Some Example Packet Switches The Evolution of IP Routers 2 1 Router Components
More informationWelcome to the Dawn of Open-Source Networking. Linux IP Routers Bob Gilligan gilligan@vyatta.com
Welcome to the Dawn of Open-Source Networking. Linux IP Routers Bob Gilligan gilligan@vyatta.com Outline About Vyatta: Open source project, and software product Areas we re working on or interested in
More informationStream Processing on GPUs Using Distributed Multimedia Middleware
Stream Processing on GPUs Using Distributed Multimedia Middleware Michael Repplinger 1,2, and Philipp Slusallek 1,2 1 Computer Graphics Lab, Saarland University, Saarbrücken, Germany 2 German Research
More informationImplementation and Performance Evaluation of M-VIA on AceNIC Gigabit Ethernet Card
Implementation and Performance Evaluation of M-VIA on AceNIC Gigabit Ethernet Card In-Su Yoon 1, Sang-Hwa Chung 1, Ben Lee 2, and Hyuk-Chul Kwon 1 1 Pusan National University School of Electrical and Computer
More informationBuilding A Secure Microsoft Exchange Continuity Appliance
Building A Secure Microsoft Exchange Continuity Appliance Teneros, Inc. 215 Castro Street, 3rd Floor Mountain View, California 94041-1203 USA p 650.641.7400 f 650.641.7401 ON AVAILABLE ACCESSIBLE Building
More informationThe Lagopus SDN Software Switch. 3.1 SDN and OpenFlow. 3. Cloud Computing Technology
3. The Lagopus SDN Software Switch Here we explain the capabilities of the new Lagopus software switch in detail, starting with the basics of SDN and OpenFlow. 3.1 SDN and OpenFlow Those engaged in network-related
More informationLow-rate TCP-targeted Denial of Service Attack Defense
Low-rate TCP-targeted Denial of Service Attack Defense Johnny Tsao Petros Efstathopoulos University of California, Los Angeles, Computer Science Department Los Angeles, CA E-mail: {johnny5t, pefstath}@cs.ucla.edu
More informationCMPT 471 Networking II
CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access
More informationLeveraging NIC Technology to Improve Network Performance in VMware vsphere
Leveraging NIC Technology to Improve Network Performance in VMware vsphere Performance Study TECHNICAL WHITE PAPER Table of Contents Introduction... 3 Hardware Description... 3 List of Features... 4 NetQueue...
More informationCisco Application Networking for Citrix Presentation Server
Cisco Application Networking for Citrix Presentation Server Faster Site Navigation, Less Bandwidth and Server Processing, and Greater Availability for Global Deployments What You Will Learn To address
More informationWHITE PAPER. Extending Network Monitoring Tool Performance
WHITE PAPER Extending Network Monitoring Tool Performance www.ixiacom.com 915-6915-01 Rev. A, July 2014 2 Table of Contents Benefits... 4 Abstract... 4 Introduction... 4 Understanding Monitoring Tools...
More informationEnhanced Diagnostics Improve Performance, Configurability, and Usability
Application Note Enhanced Diagnostics Improve Performance, Configurability, and Usability Improved Capabilities Available for Dialogic System Release Software Application Note Enhanced Diagnostics Improve
More informationA Low Latency Library in FPGA Hardware for High Frequency Trading (HFT)
A Low Latency Library in FPGA Hardware for High Frequency Trading (HFT) John W. Lockwood, Adwait Gupte, Nishit Mehta (Algo-Logic Systems) Michaela Blott, Tom English, Kees Vissers (Xilinx) August 22, 2012,
More informationSecurity Technology: Firewalls and VPNs
Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up
More informationCollecting Packet Traces at High Speed
Collecting Packet Traces at High Speed Gorka Aguirre Cascallana Universidad Pública de Navarra Depto. de Automatica y Computacion 31006 Pamplona, Spain aguirre.36047@e.unavarra.es Eduardo Magaña Lizarrondo
More informationBest Practices for Deploying SSDs in a Microsoft SQL Server 2008 OLTP Environment with Dell EqualLogic PS-Series Arrays
Best Practices for Deploying SSDs in a Microsoft SQL Server 2008 OLTP Environment with Dell EqualLogic PS-Series Arrays Database Solutions Engineering By Murali Krishnan.K Dell Product Group October 2009
More informationTCP Servers: Offloading TCP Processing in Internet Servers. Design, Implementation, and Performance
TCP Servers: Offloading TCP Processing in Internet Servers. Design, Implementation, and Performance M. Rangarajan, A. Bohra, K. Banerjee, E.V. Carrera, R. Bianchini, L. Iftode, W. Zwaenepoel. Presented
More informationWe will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall
Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,
More informationProxy Server, Network Address Translator, Firewall. Proxy Server
Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What is a proxy server? Acts on behalf of other clients, and presents requests from other clients to a server. Acts as
More informationHow Much Broadcast and Multicast Traffic Should I Allow in My Network?
PowerConnect Application Note #5 November 2003 How Much Broadcast and Multicast Traffic Should I Allow in My Network? This Application Note relates to the following Dell PowerConnect products: PowerConnect
More informationLustre Networking BY PETER J. BRAAM
Lustre Networking BY PETER J. BRAAM A WHITE PAPER FROM CLUSTER FILE SYSTEMS, INC. APRIL 2007 Audience Architects of HPC clusters Abstract This paper provides architects of HPC clusters with information
More informationIMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT
IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT Roopa K. Panduranga Rao MV Dept of CS and Engg., Dept of IS and Engg., J.N.N College of Engineering, J.N.N College of Engineering,
More informationCut Network Security Cost in Half Using the Intel EP80579 Integrated Processor for entry-to mid-level VPN
Cut Network Security Cost in Half Using the Intel EP80579 Integrated Processor for entry-to mid-level VPN By Paul Stevens, Advantech Network security has become a concern not only for large businesses,
More informationFirewall Introduction Several Types of Firewall. Cisco PIX Firewall
Firewall Introduction Several Types of Firewall. Cisco PIX Firewall What is a Firewall? Non-computer industries: a wall that controls the spreading of a fire. Networks: a designed device that controls
More informationFirewalls P+S Linux Router & Firewall 2013
Firewalls P+S Linux Router & Firewall 2013 Firewall Techniques What is a firewall? A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network
More informationChapter 2 TOPOLOGY SELECTION. SYS-ED/ Computer Education Techniques, Inc.
Chapter 2 TOPOLOGY SELECTION SYS-ED/ Computer Education Techniques, Inc. Objectives You will learn: Topology selection criteria. Perform a comparison of topology selection criteria. WebSphere component
More informationHANIC 100G: Hardware accelerator for 100 Gbps network traffic monitoring
CESNET Technical Report 2/2014 HANIC 100G: Hardware accelerator for 100 Gbps network traffic monitoring VIKTOR PUš, LUKÁš KEKELY, MARTIN ŠPINLER, VÁCLAV HUMMEL, JAN PALIČKA Received 3. 10. 2014 Abstract
More informationBroadcom Ethernet Network Controller Enhanced Virtualization Functionality
White Paper Broadcom Ethernet Network Controller Enhanced Virtualization Functionality Advancements in VMware virtualization technology coupled with the increasing processing capability of hardware platforms
More informationPCI Express High Speed Networks. Complete Solution for High Speed Networking
PCI Express High Speed Networks Complete Solution for High Speed Networking Ultra Low Latency Ultra High Throughput Maximizing application performance is a combination of processing, communication, and
More informationOpenFlow with Intel 82599. Voravit Tanyingyong, Markus Hidell, Peter Sjödin
OpenFlow with Intel 82599 Voravit Tanyingyong, Markus Hidell, Peter Sjödin Outline Background Goal Design Experiment and Evaluation Conclusion OpenFlow SW HW Open up commercial network hardware for experiment
More informationWhat is Firewall? A system designed to prevent unauthorized access to or from a private network.
What is Firewall? A system designed to prevent unauthorized access to or from a private network. What is Firewall? (cont d) Firewall is a set of related programs, located at a network gateway server. Firewalls
More informationIP Phone Security: Packet Filtering Protection Against Attacks. Introduction. Abstract. IP Phone Vulnerabliities
W H I T E P A P E R By Atul Verma Engineering Manager, IP Phone Solutions Communications Infrastructure and Voice Group averma@ti.com Introduction The advantages of a converged voice and data network are
More informationEVALUATING THE NETWORKING PERFORMANCE OF LINUX-BASED HOME ROUTER PLATFORMS FOR MULTIMEDIA SERVICES. Ingo Kofler, Robert Kuschnig, Hermann Hellwagner
EVALUATING THE NETWORKING PERFORMANCE OF LINUX-BASED HOME ROUTER PLATFORMS FOR MULTIMEDIA SERVICES Ingo Kofler, Robert Kuschnig, Hermann Hellwagner Institute of Information Technology (ITEC) Alpen-Adria-Universität
More informationTechnical White Paper BlackBerry Enterprise Server
Technical White Paper BlackBerry Enterprise Server BlackBerry Enterprise Edition for Microsoft Exchange For GPRS Networks Research In Motion 1999-2001, Research In Motion Limited. All Rights Reserved Table
More informationVMWARE WHITE PAPER 1
1 VMWARE WHITE PAPER Introduction This paper outlines the considerations that affect network throughput. The paper examines the applications deployed on top of a virtual infrastructure and discusses the
More informationLast Class: OS and Computer Architecture. Last Class: OS and Computer Architecture
Last Class: OS and Computer Architecture System bus Network card CPU, memory, I/O devices, network card, system bus Lecture 3, page 1 Last Class: OS and Computer Architecture OS Service Protection Interrupts
More informationClassification of Firewalls and Proxies
Classification of Firewalls and Proxies By Dhiraj Bhagchandka Advisor: Mohamed G. Gouda (gouda@cs.utexas.edu) Department of Computer Sciences The University of Texas at Austin Computer Science Research
More informationNetwork Access Security. Lesson 10
Network Access Security Lesson 10 Objectives Exam Objective Matrix Technology Skill Covered Exam Objective Exam Objective Number Firewalls Given a scenario, install and configure routers and switches.
More informationCisco Application Networking for IBM WebSphere
Cisco Application Networking for IBM WebSphere Faster Downloads and Site Navigation, Less Bandwidth and Server Processing, and Greater Availability for Global Deployments What You Will Learn To address
More information