Design and implementation of firewall supporting IPv6 protocol based on S3C2440 processor

Publisher: WhisperingWinds. Latest update time: 2023-01-30. Source: elecfans. Keywords: S3C2440.

1 Introduction

Among the many network security facilities, the firewall is an important and effective network security device. It filters and screens network communication to prevent unauthorized access into and out of a computer network. A firewall is a security barrier between a trusted network and an untrusted network; its core task is to manage and control the traffic entering and leaving the network. It intercepts the packets passing through it, compares them against the predefined security policy rules, and decides whether each packet is forwarded or dropped. Traditional firewalls sit at the boundary of a network. They filter external users' access to the internal network well, but they can do nothing about attacks that originate inside the network. In response to this problem, new firewall architectures such as distributed firewalls and embedded firewalls have been studied in recent years. Their purpose is to extend the firewall boundary so that it reaches every terminal device on the network and builds a comprehensive protective net.


Most existing firewall systems were developed for IPv4. Because the IPv4 address space is exhausted and the protocol has no built-in security mechanism, upgrading existing networks to IPv6 is the general trend. IPv6, the foundation of the next-generation network, has been widely recognized for its enormous address space and for building IPsec support into the protocol suite (authentication and encryption through the AH and ESP extension headers). Firewalls that support the IPv6 protocol therefore need to be studied.


An embedded IPv6 firewall built around the Intel XScale IXP425 network processor can perform dynamic packet filtering well. However, its cost is relatively high, and the strong network-processing capability of the IXP425 cannot be fully exploited in a network terminal application.


The embedded firewall based on a USB flash drive is easy to use and novel in design, but it depends on an x86 PC hardware platform, and the USB flash drive itself has poor reliability and is not suited to long-term use.


General-purpose ARM processors offer better price/performance and wider software support, and they are widely used in many areas of production and daily life. Based on an analysis of the IPv6 protocol, IPv6 security mechanisms and firewall technology, and drawing on the characteristics of existing firewalls, this paper designs and implements an embedded IPv6 firewall system based on the S3C2440. The following sections introduce it from the aspects of hardware design, software design and core module design.


2 Hardware design of embedded IPv6 firewall

The hardware design of the embedded IPv6 firewall is shown in Figure 1. The main control chip is Samsung's 32-bit embedded processor S3C2440, which is built around an ARM920T RISC core, runs at a standard clock of 400 MHz (maximum 533 MHz) and delivers about 450 MIPS, ample processing power for this application.

Figure 1 Embedded IPv6 firewall hardware block diagram


The storage unit of the system consists of SDRAM and Flash memory. SDRAM provides the working memory for the system software; this system uses two HY57V561620FTP-H (32 MB) devices in parallel for a total capacity of 64 MB. Flash stores the programs. Flash comes in two types, NOR and NAND. NOR Flash has a complex process and high cost; its advantage is that code can be executed in place, so it is mostly used to hold the bootloader. NAND Flash has very high storage density, fast write and erase speeds and low cost, and is suited to storing large volumes of data and files. Since the S3C2440 supports booting from NAND Flash, this system selects a K9F1208U0M-YCB0 (64 MB) NAND Flash as the system's Flash memory.


The Ethernet interface unit of the system uses two DM9000A 10/100 Mbit/s auto-negotiating Ethernet controllers, one for the trusted side and one for the untrusted side of the firewall. The DM9000A is a low-power, highly integrated, low-cost single-chip Fast Ethernet controller from Davicom that is widely used in embedded systems. It integrates the physical-layer interface (PHY), the Ethernet media access controller (MAC) and the bus interface to the host processor. Its 3.3 V operating voltage reduces the power consumption of the system, and its high level of integration simplifies the Ethernet circuit design, which makes it particularly suitable as the network interface of an embedded IPv6 firewall.


3 Software design of embedded IPv6 firewall

The software of the embedded IPv6 firewall system is written in a modular style. Modular programming makes it easy to divide the programming work and makes the program easier to write, debug, inspect and maintain.


The system implements the startup code (Bootloader), the Linux operating system (network card driver, protocol stack), the firewall module (intelligent packet filtering, state tracking, etc.) and the WEB management module (Boa server) as independent modules.

The system software hierarchy is shown in Figure 2.

Figure 2 Embedded IPv6 firewall software hierarchy diagram.

The first layer: startup code (Bootloader). This is the code executed after the chip is reset and before the operating system starts. It provides the basic operating environment for booting the operating system, such as initializing the CPU and the memory system. This system uses U-Boot as its Bootloader.

The second layer: the Linux operating system, which hides the details of the underlying hardware and provides rich support for upper-layer applications, including the low-level device drivers, the network card driver and the network protocol stack. Under Linux, developers only need to concentrate on application programming, which greatly reduces system development time.

The third layer: the firewall module (intelligent packet filtering, state tracking, etc.). This module is the core of the embedded firewall system and consists of three parts. The dynamic NAT module is responsible for address translation of packets entering and leaving the firewall. The state tracking module maintains the session (connection) information of the network; it helps the intelligent packet filtering module track connection state and is the key module for implementing stateful (dynamic) packet filtering. The intelligent packet filtering module filters packets entering and leaving the network according to the access control list (ACL); it collects statistics on rule matches, remembers them, makes decisions on that basis and dynamically re-prioritizes the filtering rules to achieve fast and efficient packet filtering.
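The rule re-prioritization that the intelligent packet filtering module performs is easy to get wrong: moving a frequently hit rule ahead of another rule changes the result of first-match evaluation whenever the two rules overlap and have different actions. The following added example (written for this page, not code from the paper) shows a first-match rule evaluator with per-rule hit counters and a promotion step that only reorders rules when the swap provably cannot change any decision. The rule fields, the sample rule set and the lookup keys are assumptions made for this example.

```c
/* Added example, not code from the paper: first-match rule evaluation with
 * per-rule hit statistics and a priority optimisation that reorders rules only
 * when the reordering cannot change any decision. The rule fields, the sample
 * rule set and the lookup keys are assumptions made for this example. */
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>   /* IPPROTO_* values */

typedef struct { uint8_t src[16]; uint8_t proto; uint16_t dport; } flow_key_t;
typedef struct { uint8_t prefix[16], plen, proto; uint16_t dport; int accept; unsigned hits; } rule_t;

/* Ordered rule set, first match wins; 0 in plen, proto or dport means "any". */
#define DB8 0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,0      /* 2001:db8::/32 */
static rule_t rules[] = {
    {{DB8}, 32, IPPROTO_TCP, 23, 0, 0},   /* deny telnet from 2001:db8::/32 */
    {{DB8}, 32, IPPROTO_TCP, 80, 1, 0},   /* allow http from 2001:db8::/32 */
    {{DB8}, 32, 0, 0, 0, 0},              /* deny everything else from 2001:db8::/32 */
    {{0}, 0, IPPROTO_UDP, 53, 1, 0},      /* allow dns from anywhere */
};
#define NRULES ((int)(sizeof rules / sizeof rules[0]))

static int prefix_match(const uint8_t *a, const uint8_t *p, uint8_t plen)
{
    uint8_t full = plen / 8, rem = plen % 8;
    if (memcmp(a, p, full) != 0) return 0;
    return rem == 0 || ((a[full] ^ p[full]) >> (8 - rem)) == 0;
}

static int rule_matches(const rule_t *r, const flow_key_t *k)
{
    if (r->proto && r->proto != k->proto) return 0;
    if (r->dport && r->dport != k->dport) return 0;
    return prefix_match(k->src, r->prefix, r->plen);
}

/* Two rules are disjoint when no packet can match both: different fixed
 * protocols, different fixed ports, or prefixes that do not overlap. */
static int rules_disjoint(const rule_t *a, const rule_t *b)
{
    if (a->proto && b->proto && a->proto != b->proto) return 1;
    if (a->dport && b->dport && a->dport != b->dport) return 1;
    return !prefix_match(a->prefix, b->prefix, a->plen < b->plen ? a->plen : b->plen);
}

/* Move a hotter rule one slot forward only if first-match semantics survive:
 * the neighbour has the same action or a disjoint match space. Returns 1 if moved. */
static int rule_promote(int i)
{
    if (i == 0 || rules[i].hits <= rules[i - 1].hits) return 0;
    if (rules[i].accept != rules[i - 1].accept && !rules_disjoint(&rules[i], &rules[i - 1])) return 0;
    rule_t tmp = rules[i - 1]; rules[i - 1] = rules[i]; rules[i] = tmp;
    return 1;
}

/* 1 = accept, 0 = deny; nothing matched means deny. */
int rules_decide(const flow_key_t *k)
{
    for (int i = 0; i < NRULES; i++) {
        if (!rule_matches(&rules[i], k)) continue;
        int accept = rules[i].accept;     /* decide before the slot may change */
        rules[i].hits++;
        rule_promote(i);
        return accept;
    }
    return 0;
}

/* Constructed lookup keys (not captured traffic). */
#define DB8_HOST 0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,0x01   /* 2001:db8::1 */
#define DB9_HOST 0x20,0x01,0x0d,0xb9,0,0,0,0,0,0,0,0,0,0,0,0x01   /* 2001:db9::1 */
const flow_key_t key_http_in   = {{DB8_HOST}, IPPROTO_TCP, 80};
const flow_key_t key_telnet_in = {{DB8_HOST}, IPPROTO_TCP, 23};
const flow_key_t key_dns_in    = {{DB8_HOST}, IPPROTO_UDP, 53};
const flow_key_t key_dns_out   = {{DB9_HOST}, IPPROTO_UDP, 53};
```

With this rule set, a hit on the http rule moves it ahead of the telnet rule (different fixed ports, so no packet can match both), while a hit on the dns rule leaves it where it is, because the "deny everything else from 2001:db8::/32" rule above it overlaps it and has the opposite action; moving the dns rule up would silently allow DNS from the denied prefix.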

The fourth layer: the WEB management module, built from CGI programs running under the Boa web server. Through this module users can conveniently view the firewall logs, add or modify filtering rules, adjust the priority of filtering rules and monitor the firewall's network status. Since this interface can change the rule set, access to it must be authenticated and should be reachable only from the internal network.
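A CGI program that accepts new filtering rules is the part of the firewall most exposed to hostile input, so the request must be parsed into typed fields rather than forwarded to a shell or a rule-loading command line. The following added example (written for this page, not code from the paper) shows the validation half of such a CGI handler; Boa passes the request parameters in the QUERY_STRING environment variable, and the field names and the rule structure are assumptions made for this example.

```c
/* Added example, not code from the paper: the input-validation half of a CGI
 * program that the Boa server runs when the web management page submits a new
 * filtering rule. Boa passes the request parameters in the QUERY_STRING
 * environment variable; the field names and the rule structure are assumptions
 * made for this example. Everything is parsed into typed fields and nothing
 * from the request is ever handed to a shell or a command line. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { struct in6_addr prefix; int plen, proto, dport, accept; } web_rule_t;
web_rule_t last_rule;   /* rule most recently accepted by the parser */

/* Decimal digits only, whole string consumed, value within [lo, hi]. */
static int parse_num(const char *s, long lo, long hi, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno || end == s || *end != '\0' || v < lo || v > hi) return -1;
    *out = (int)v;
    return 0;
}

/* Parse "prefix=2001:db8::/32&proto=tcp&dport=80&verdict=deny" into *r.
 * Returns 0 on success, -1 on any unknown, repeated, missing or malformed
 * field. No URL decoding is done: the accepted grammar needs none, so an
 * encoded or stray character simply fails validation. */
int parse_rule_query(const char *qs, web_rule_t *r)
{
    char buf[256];
    int seen = 0;
    if (strlen(qs) >= sizeof buf) return -1;
    strcpy(buf, qs);
    memset(r, 0, sizeof *r);
    for (char *kv = buf; kv && *kv; ) {
        char *next = strchr(kv, '&');
        if (next) *next++ = '\0';
        char *val = strchr(kv, '=');
        if (!val) return -1;
        *val++ = '\0';
        int bit = !strcmp(kv, "prefix") ? 1 : !strcmp(kv, "proto") ? 2
                : !strcmp(kv, "dport")  ? 4 : !strcmp(kv, "verdict") ? 8 : 0;
        if (!bit || (seen & bit)) return -1;        /* unknown or repeated field */
        seen |= bit;
        if (bit == 1) {
            char *slash = strchr(val, '/');
            if (!slash) return -1;
            *slash = '\0';
            if (inet_pton(AF_INET6, val, &r->prefix) != 1) return -1;
            if (parse_num(slash + 1, 0, 128, &r->plen) != 0) return -1;
        } else if (bit == 2) {
            if (!strcmp(val, "tcp")) r->proto = IPPROTO_TCP;
            else if (!strcmp(val, "udp")) r->proto = IPPROTO_UDP;
            else return -1;
        } else if (bit == 4) {
            if (parse_num(val, 1, 65535, &r->dport) != 0) return -1;
        } else {
            if (!strcmp(val, "accept")) r->accept = 1;
            else if (!strcmp(val, "deny")) r->accept = 0;
            else return -1;
        }
        kv = next;
    }
    return seen == 15 ? 0 : -1;                     /* all four fields required */
}

/* CGI entry point: Boa supplies QUERY_STRING and reads the response from stdout. */
int main(void)
{
    const char *qs = getenv("QUERY_STRING");
    printf("Content-Type: text/plain\r\n\r\n");
    if (!qs || parse_rule_query(qs, &last_rule) != 0) {
        printf("rejected\r\n");              /* reject without echoing the request back */
        return 0;
    }
    printf("queued: proto=%d dport=%d plen=%d accept=%d\r\n",
           last_rule.proto, last_rule.dport, last_rule.plen, last_rule.accept);
    return 0;
}
```

The parser rejects anything outside the exact grammar it expects (a `;reboot` appended to the port, a prefix length of 129, a repeated or unknown field), and the response never echoes the submitted string, so a malformed request cannot be turned into script injection on the management page. Validation of this kind is no substitute for authenticating the management interface; that has to be enforced separately.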


4 Firewall core module design

The key to whether a firewall can achieve a good filtering effect lies in the design of the firewall's core filtering module. The overall workflow of the core filtering module of this firewall is shown in Figure 3.

Figure 3 Embedded IPv6 firewall workflow diagram.

Workflow of embedded IPv6 firewall:

(1) When an IPv6 packet enters the firewall through a network interface, it first passes through the dynamic NAT module for network address translation, whose purpose is to map external public addresses and internal private addresses to each other. With the IPv6 address space such translation is usually unnecessary; where prefix translation is required, the stateless NPTv6 scheme of RFC 6296 is the usual choice.

(2) After NAT, the firewall searches the connection state tracking table to determine whether the packet belongs to an existing connection. This table records, for each existing connection, the source IP address, destination IP address, transport-layer source port, destination port and TCP sequence number. With this information the firewall can quickly and efficiently identify whether a packet belongs to an existing connection. To read the ports, the firewall must first walk the IPv6 extension-header chain (Hop-by-Hop Options, Routing, Destination Options, Fragment) to reach the transport header; a non-first fragment carries no transport header at all and cannot be classified by port.

(3) If the packet does not belong to an existing connection, the system invokes the intelligent packet filtering rule set and traverses it rule by rule. At the same time the firewall dynamically creates and updates a filtering-rule match information table. Based on this table, the system uses statistics, memory, probability and decision-making to identify the traffic and dynamically re-prioritize the filtering rules, so that frequently matched rules are reached early and the cost of a full match against every rule is avoided. Such a reordering is only safe when it cannot change the result of first-match evaluation: two rules whose match fields overlap and whose actions differ must keep their relative order. Because these methods are mostly drawn from the field of artificial intelligence, they are also called intelligent access control technologies.

(4) If the packet passes the filtering rule set, or belongs to an existing connection, the firewall checks whether the packet contains specific content. Only the key fields of the packet are inspected at this point, which greatly increases the speed and efficiency of the check.

(5) If the packet fails the state tracking security policy or the intelligent packet filtering rule set, the firewall rejects or silently discards it and records the event in the log.

(6) After the packet passes all of the above checks, the firewall forwards it to its final destination address and creates or updates the entry for this session in the connection state tracking table. The firewall uses this entry to filter the returning packets of the session.
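Steps 2 to 6 of the workflow above, carried through for one IPv6 packet, as an added example written for this page (not code from the paper). The NAT step is left out. The extension-header chain is walked to reach the transport header, the connection table is consulted in both directions so that replies ride on the entry created by the initiating packet, and only a packet that belongs to no session reaches the rule set, which is reduced here to a short allow-list of services that inside hosts may open. The inside prefix, the allow-list and the sample packets are assumptions made for this example.

```c
/* Added example, not code from the paper: steps 2 to 6 of the workflow above
 * applied to one IPv6 packet (the NAT step is left out). Extension headers are
 * walked to reach the transport header, the connection table is consulted in
 * both directions, and only a packet that belongs to no session reaches the
 * rule set. The inside prefix, the service allow-list and the sample packets
 * are assumptions made for this example. */
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>   /* IPPROTO_* values */

typedef struct { uint8_t src[16], dst[16]; uint16_t sport, dport; uint8_t proto; } tuple_t;

/* Walk the extension-header chain to the transport header. Returns 0 and fills
 * *t, or -1 for anything malformed or unclassifiable, which the caller drops. */
int ipv6_extract_tuple(const uint8_t *pkt, size_t len, tuple_t *t)
{
    if (len < 40 || (pkt[0] >> 4) != 6) return -1;
    if (40 + (size_t)((pkt[4] << 8) | pkt[5]) > len) return -1;    /* truncated payload */
    memcpy(t->src, pkt + 8, 16);
    memcpy(t->dst, pkt + 24, 16);
    uint8_t nh = pkt[6];
    for (size_t off = 40;;) {
        if (off + 8 > len) return -1;        /* every header handled below needs 8 bytes */
        switch (nh) {
        case IPPROTO_HOPOPTS: case IPPROTO_ROUTING: case IPPROTO_DSTOPTS:
            nh = pkt[off]; off += (size_t)(pkt[off + 1] + 1) * 8; break;
        case IPPROTO_FRAGMENT:               /* non-first fragment carries no ports */
            if (((pkt[off + 2] << 8) | pkt[off + 3]) & 0xfff8) return -1;
            nh = pkt[off]; off += 8; break;
        case IPPROTO_TCP: case IPPROTO_UDP:
            t->proto = nh;
            t->sport = (uint16_t)((pkt[off] << 8) | pkt[off + 1]);
            t->dport = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
            return 0;
        default: return -1;                  /* AH, ESP, unknown: fail closed */
        }
    }
}

/* Connection state table. A real firewall ages entries out; this one only fills. */
#define MAX_CONNS 64
static tuple_t conns[MAX_CONNS];
static int nconns;

static int same_flow(const tuple_t *a, const tuple_t *b)
{
    return a->proto == b->proto && a->sport == b->sport && a->dport == b->dport &&
           !memcmp(a->src, b->src, 16) && !memcmp(a->dst, b->dst, 16);
}

/* Step 2: the packet belongs to a recorded session in either direction. */
static int conn_exists(const tuple_t *t)
{
    tuple_t rev = { .proto = t->proto, .sport = t->dport, .dport = t->sport };
    memcpy(rev.src, t->dst, 16);
    memcpy(rev.dst, t->src, 16);
    for (int i = 0; i < nconns; i++)
        if (same_flow(&conns[i], t) || same_flow(&conns[i], &rev)) return 1;
    return 0;
}

/* Step 3: the rule set, reduced here to "inside hosts may open these services". */
static const uint8_t inside_prefix[8] = { 0x20,0x01,0x0d,0xb8,0,0x01,0,0 };   /* 2001:db8:1::/64 */
static const struct { uint8_t proto; uint16_t dport; } allow[] = {
    { IPPROTO_TCP, 80 }, { IPPROTO_TCP, 443 }, { IPPROTO_UDP, 53 } };

static int rules_allow(const tuple_t *t)
{
    if (memcmp(t->src, inside_prefix, 8) != 0) return 0;         /* only inside-initiated */
    for (size_t i = 0; i < sizeof allow / sizeof allow[0]; i++)
        if (allow[i].proto == t->proto && allow[i].dport == t->dport) return 1;
    return 0;                                                    /* default deny */
}

/* Steps 2 to 6 for one packet: 1 = forward, 0 = drop (the caller logs drops). */
int firewall_decide(const uint8_t *pkt, size_t len)
{
    tuple_t t;
    if (ipv6_extract_tuple(pkt, len, &t) != 0) return 0;  /* malformed: drop and log */
    if (conn_exists(&t)) return 1;                         /* step 2: known session */
    if (!rules_allow(&t)) return 0;                        /* steps 3 and 5 */
    if (nconns == MAX_CONNS) return 0;                     /* no state slot: never forward untracked */
    conns[nconns++] = t;                                   /* step 6: remember the session */
    return 1;
}

/* Constructed sample packets (not captures): IPv6 header, optional extension
 * header, then a 20-byte TCP header. */
#define IN_HOST  0x20,0x01,0x0d,0xb8,0,0x01,0,0,0,0,0,0,0,0,0,0x10   /* 2001:db8:1::10 */
#define OUT_HOST 0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,0x01     /* 2001:db8::1 */
#define TCP20(sp,dp,flags) (sp)>>8,(sp)&0xff,(dp)>>8,(dp)&0xff, 0,0,0,1, 0,0,0,0, 0x50,(flags), 0xff,0xff, 0,0, 0,0
/* inside -> outside: Hop-by-Hop (one PadN option) then TCP SYN to port 80 */
static const uint8_t pkt_syn[] = { 0x60,0,0,0, 0,28, IPPROTO_HOPOPTS, 64, IN_HOST, OUT_HOST,
                                   IPPROTO_TCP,0, 1,4,0,0,0,0, TCP20(49152,80,0x02) };
/* the SYN/ACK coming back, no extension headers */
static const uint8_t pkt_synack[] = { 0x60,0,0,0, 0,20, IPPROTO_TCP, 64, OUT_HOST, IN_HOST,
                                      TCP20(80,49152,0x12) };
/* outside -> inside SYN to port 80 that no session explains */
static const uint8_t pkt_unsolicited[] = { 0x60,0,0,0, 0,20, IPPROTO_TCP, 64, OUT_HOST, IN_HOST,
                                           TCP20(40000,80,0x02) };
/* non-first fragment (offset 1) of a TCP segment: the ports are not in this packet */
static const uint8_t pkt_frag[] = { 0x60,0,0,0, 0,16, IPPROTO_FRAGMENT, 64, IN_HOST, OUT_HOST,
                                    IPPROTO_TCP,0, 0,0x08, 0,0,0,1, 0,0,0,0,0,0,0,0 };
```

The outbound SYN creates the table entry, the SYN/ACK is forwarded on the strength of that entry without ever touching the rule set, and an outside-initiated SYN to the same inside port is dropped because no session explains it. Every path that cannot classify the packet (truncated header, unknown next header, non-first fragment, full state table) drops rather than forwards, which is the behaviour a practitioner should expect of the default branch in a filter.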


5 Conclusion

This article conducts in-depth research on firewall technology and designs an embedded IPv6 firewall based on the S3C2440 processor. The firewall implements dynamic packet filtering that combines IPv6 connection state tracking with intelligent packet filtering, and a remote WEB management platform was built so that filtering rules, firewall logs and network status can be managed conveniently. As IPv6 networks are rolled out, support for IPv6 will become unavoidable for network equipment, firewalls included, so the application prospects of ARM-based embedded IPv6 firewalls will become increasingly broad.
