Kenji Toda (Senior Research Scientist), RT-Synthesis Research Group (Leader: Tetsuo Kotoku), the Intelligent Systems Research Institute (Director: Hirohisa Hirukawa) of the National Institute of Advanced Industrial Science and Technology (AIST; President: Tamotsu Nomakuchi), and Eiichi Takahashi (Leader), Sensor Communications Group, the Information Technology Research Institute (Director: Satoshi Sekiguchi) of AIST, have developed a security device compatible with super-high-speed networks having speeds from tens of Giga (10^9) to several Tera (10^12) bits per second (bps) in collaboration with KDDI R&D Laboratories Inc. (President and CEO: Shigeyuki Akiba) (Fig. 1).
This device is based on an FPGA board (Fig. 2) with a specially developed 60-Gbps optical communication function (10-Gbit Ethernet port × 6). It can be loaded with functions for blocking harmful websites, network intrusions, and computer viruses, and for packet capture. Since this FPGA board is of the peripheral component interconnect express (PCI-Express) type, more than one board can be used in one PC, and the scale of operation can be expanded easily. Security measures can therefore be implemented for communication speeds between tens of Gbps and several Tbps. As an example of the applications of this device, a system has been developed that automatically creates and distributes a filtering list of harmful websites by combining the communication data collected by packet capture with external information on reliability.
Figure 1: Developed network security device

Figure 2: Expandable FPGA board with 60-Gbps optical communication
Today, information communication infrastructure has become an important part of society. However, damage caused by "malicious communications" has become a serious social issue: tampering with websites, leaking of information, phishing sites that use spoofing to deceitfully obtain bank account and credit card information, stopping of services by denial-of-service (DoS) attacks, and computer viruses. In the future, communications are expected to become faster and wider-band, including the distribution of high-definition image and video content, and smartphones and tablet-type devices are expected to come into widespread use. It is also expected that information and communication technology will be used in energy control. Therefore, it is imperative to ensure the safety of communications along with high communication speeds. With the increasing volume of information, personal security measures using software have limitations, since such measures require most of the capability of PCs. To deal with this situation, it is necessary to develop technology for blocking "malicious communications" in the super-high-speed networks of information communications services and data centers before end users receive such communications. Moreover, since harmful websites repeatedly appear and disappear over short periods of time, conventional manual checks cannot cope. Hence, the instantaneous collection and updating of filtering lists has become a challenging task.
AIST has developed devices for blocking network intrusions or computer viruses in order to enhance the security of large-scale networks. This research and development was conducted as part of the "Research and Development of Technology Compatible with Super-High-Speed Networks for Blocking Malicious Communications (072003008)" (FY2007–FY2009) under the Strategic Information and Communications R&D Promotion Programme (SCOPE) of the Ministry of Internal Affairs and Communications.
The hardware of the developed network security device consists of newly developed expandable FPGA boards with a 60-Gbps optical communication function (Fig. 2) and a PC. The developed FPGA board is mainly aimed at applications in high-speed networks for blocking harmful websites, network intrusions, and computer viruses. It is equipped with six 10-Gbit Ethernet ports and two sockets for dynamic random access memory (DRAM) to store processing data such as filtering lists. In addition, it has eight serial advanced technology attachment (SATA) ports to store data on hard disks or other storage devices. The board is connected to a PC via a PCI-Express interface and is used as a built-in card. Figure 1 shows a test of the network security device; the board is attached to the PCI-Express socket of the PC. The network security device can load the respective circuits for blocking harmful websites, intrusions, and computer viruses, and for packet capture. In addition, software for the automatic generation of filtering lists can be installed (Fig. 3).
Figure 3: Outline of network security device
It was demonstrated that the network security device developed in this research is capable of supporting super-high-speed networks operating at Tbps, while remaining compact and energy-saving. Because this device can be easily installed, it is expected to enhance the security of large-scale networks and make great contributions to the realization of a safe and secure IT society. In the future, we will conduct experiments simulating practical conditions and will aim at the commercialization of the device. By rewriting the FPGA circuits of the board, a wide range of high-speed network applications can be expected, such as routers, switches, network cards, and network storage.