Building firewalls with intelligent network interface cards

The primary method for protecting networks today is to use a rewall: a boundary separating the protected network from the untrusted Internet. However, these rewalls o er no protection from internal attacks, scale poorly due to limited rewall processing capacity, and do not support mobile computing. Distributing a rewall to each network host avoids many of these problems, but weakens the security guarantees of the network since it places the rewall under the control of the host OS. Leveraging the increasing capability of embedded-VLSI, including network-speci c processors, we propose a Network Interface Card (NIC) based distributed rewall. Supporting the same (and more) functions as a centralized rewall, NIC-based rewalls provide signi cant bene ts including: scalability, easier client customization, sharing application/OS state to enable application-level ltering, and the ability to block misbehaving hosts at the source, the host itself. We describe the architecture of a Network Interface Card-based distributed rewall and our implementation, which uses an i960-based NIC and IPsec for management and policy distribution. The rewall currently supports basic packet ltering and some application policies as well as secure policy distribution. This research is supported by the member companies of the Parallel Data Consortium. At the time of this writing, these companies include EMC Corporation, Hewlett-Packard Labs, Hitachi, IBM corporation, Intel Corporation, LSI Logic, Lucent Technologies, Network Appliance, PANASAS, L.L.C., Platys Communications, Seagate Technology, Snap Appliances, Sun Microsystems and Veritas Software Corporation.