Improving IPS by network processors

The Journal of Supercomputing

Abstract

Many current applications require high communication throughput. Multiprocessor nodes and multicore architectures, as well as programmable NICs (Network Interface Cards), provide new opportunities to take advantage of the available multigigabit-per-second link bandwidths. Nevertheless, to achieve adequate communication performance, efficient parallel processing of network tasks and interfaces should be considered. In this paper, we leverage network processors, heterogeneous microarchitectures with several multithreaded cores suited to packet processing, to investigate the use of parallel processing to accelerate the network interface and thus the network applications built on top of it. More specifically, we have implemented an intrusion prevention system (IPS) on such a network processor. We describe this IPS, whose offloaded implementation allows faster processing of both normal and corrupted traffic. Placing the IPS close to the network, by using specialized network processors, gives many times lower latency and higher bandwidth available to legitimate traffic.

Author information

Corresponding author

Correspondence to Pablo Cascón.

About this article

Cite this article

Cascón, P., Ortega, J., Luo, Y. et al. Improving IPS by network processors. J Supercomput 57, 99–108 (2011). https://doi.org/10.1007/s11227-011-0558-8

  • DOI: https://doi.org/10.1007/s11227-011-0558-8
