Embedded IPv6 firewall system design for building a comprehensive security protection network
1 Introduction
Among the many network security facilities, firewalls are effective and important network security devices. They screen and shield network communications to prevent unauthorized access to and from computer networks. A firewall is a security barrier between a trusted network and an untrusted network. Its core task is to manage and control the traffic entering and leaving the network: it intercepts data packets in transit, compares them with previously defined security policy rules, and then decides whether to forward or drop each packet. The traditional firewall is usually located at the boundary of a network segment. It filters external users' access to the internal network well, but it is powerless against attacks that originate inside the internal network. In response to this problem, there has been much research on new kinds of firewall in recent years, such as distributed firewall systems and embedded firewall systems. The purpose of these systems is to extend the boundary of the firewall so that it reaches every terminal device on the network and builds a comprehensive security protection network.
Most existing firewall systems were developed for IPv4. Because of IPv4's insufficient address space and poor security, upgrading existing networks to IPv6 is the general trend. As the foundation of the next-generation network, IPv6 is widely recognized for its massive address space and strong security features, so it is necessary to study firewalls that support the IPv6 protocol.
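The forward-or-drop decision described above, applied to an IPv6 packet, as an added example that is not code from the system this article describes. The rule layout, the `ANY_PROTO` wildcard, the function names and the sample policy are assumptions made for illustration, and extension headers are not parsed.

```c
#include <stdint.h>
#include <string.h>

enum verdict { DROP = 0, FORWARD = 1 };
#define ANY_PROTO 255            /* reserved Next Header value, used as a wildcard */
struct rule {                    /* hypothetical rule layout for this example */
    uint8_t  src[16], src_bits;  /* source prefix and its length; 0 bits = any source */
    uint8_t  proto;              /* Next Header: 6 = TCP, 17 = UDP, or ANY_PROTO */
    uint16_t dport;              /* destination port, 0 = any */
    enum verdict action;
};

/* Compare the leading `bits` bits of a 128-bit address with a prefix. */
static int prefix_match(const uint8_t *a, const uint8_t *p, unsigned bits)
{
    unsigned full = bits / 8, rem = bits % 8;
    if (bits > 128 || memcmp(a, p, full) != 0) return 0;
    return rem == 0 || ((a[full] ^ p[full]) >> (8 - rem)) == 0;
}

/* Validate the fixed 40-byte header, then apply the first matching rule. */
enum verdict filter_ipv6(const uint8_t *pkt, size_t len, const struct rule *rules, size_t n)
{
    if (len < 40 || (pkt[0] >> 4) != 6) return DROP;    /* truncated or not IPv6 */
    size_t payload = ((size_t)pkt[4] << 8) | pkt[5];
    if (payload > len - 40) return DROP;                /* Payload Length exceeds the data */
    uint8_t proto = pkt[6];                             /* Next Header */
    int l4 = (proto == 6 || proto == 17);               /* extension headers are not walked */
    if (l4 && payload < 4) return DROP;                 /* no room for the port fields */
    uint16_t dport = l4 ? (uint16_t)((pkt[42] << 8) | pkt[43]) : 0;
    for (const struct rule *r = rules; r < rules + n; r++) {
        if (r->src_bits && !prefix_match(pkt + 8, r->src, r->src_bits)) continue;
        if (r->proto != ANY_PROTO && r->proto != proto) continue;
        if (r->dport && r->dport != dport) continue;
        return r->action;
    }
    return DROP;                                        /* default deny */
}

/* Constructed sample: 8-byte payload from 2001:db8::1 against a two-rule policy. */
enum verdict sample_verdict(uint8_t next_header, uint16_t dport, size_t len)
{
    static const struct rule policy[] = {
        { {0x20, 0x01, 0x0d, 0xb8}, 32, 6, 22, DROP },            /* no SSH from 2001:db8::/32 */
        { {0x20, 0x01, 0x0d, 0xb8}, 32, ANY_PROTO, 0, FORWARD } };/* anything else from it */
    uint8_t pkt[48] = { 0x60, 0, 0, 0, 0, 8, next_header, 64, 0x20, 0x01, 0x0d, 0xb8 };
    pkt[23] = 1; pkt[42] = (uint8_t)(dport >> 8); pkt[43] = (uint8_t)dport;
    return filter_ipv6(pkt, len, policy, 2);
}
```

Rule order matters because the first match wins, and a packet that matches no rule, is truncated, or carries a Payload Length larger than the bytes actually received is dropped.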
The embedded IPv6 firewall designed with the Intel XScale IXP425 as its core processor achieves dynamic filtering of data packets in the network. However, its cost is relatively high, and the strong network processing performance of the IXP425 cannot be fully utilized in network terminal applications.
The embedded firewall based on a USB flash drive is easy to use and novel in design, but it must be attached to an x86 computer hardware platform, and the reliability of the USB flash drive is poor, so it is not suitable for long-term use.
The general-purpose ARM processor offers a better cost-performance ratio and more software support, and has been widely used in various fields of production and daily life. By analyzing and researching the IPv6 protocol, the IPv6 security mechanism and firewall technology, and by combining the characteristics of existing firewalls, this paper designs and implements an embedded IPv6 firewall system based on the S3C2440. The S3C2440-based embedded IPv6 firewall is introduced in terms of its hardware design, software design and core module design.
2 Hardware design of embedded IPv6 firewall
The hardware design of the embedded IPv6 firewall is shown in Figure 1. The main control chip is Samsung's 32-bit embedded processor, the S3C2440. The processor uses the ARM920T RISC core; its standard operating frequency is 400 MHz (maximum operating frequency: 533 MHz) and its computing power is 450 MIPS, giving it strong processing capability.
Figure 1 Embedded IPv6 firewall hardware block diagram
The S3C2440 processor has a complex internal structure and powerful functions, and many hardware resources are integrated on-chip, such as an external storage controller, a USB interface, UART interfaces, internal timers, 130 general-purpose I/O interfaces and 24 external interrupt sources. Such rich interface resources make it easy to expand the hardware circuits. In addition, the S3C2440 supports the ARM920T's powerful instruction set, has an independent memory management unit (MMU) and supports booting from NAND Flash, so a bootloader and an embedded operating system can be ported to it easily.
The storage unit of the system mainly consists of SDRAM memory and Flash memory. SDRAM provides the memory space in which system programs run. This system uses two HY57V561620FTP-H chips (32 MB each) in parallel, for a capacity of 64 MB. Flash is used to store programs and is divided into NOR and NAND types. The NOR Flash manufacturing process is complex and costly; its advantage is that it can execute application programs on-chip, and it is mostly used to store the system's bootloader. NAND Flash has extremely high storage density, fast write and erase speeds and low cost, and is suitable for storing large volumes of data and files. Considering that the S3C2440 supports NAND Flash booting, this system uses the K9F1208U0M-YCB0 (64 MB) NAND Flash as the system's Flash memory.
The system's Ethernet interface unit uses two DM9000A 10M/100M adaptive Ethernet controllers. The DM9000A is a widely used, low-power, highly integrated, low-cost single-chip Fast Ethernet controller developed by DAVICOM. It integrates the physical layer interface (PHY), the Ethernet media access controller (MAC) and an external processor bus interface. Its 3.3 V working voltage reduces the power consumption of the system. The high integration of the DM9000A simplifies the hardware design of the system's Ethernet circuit, making it particularly suitable as a network interface for the embedded IPv6 firewall.