Development framework for firewall processors

High-performance firewalls can benefit from the increasing size, speed and flexibility of advanced reconfigurable hardware. However, direct translation of conventional firewall rules in a router-based rule set often leads to inefficient hardware implementation. Moreover, such lowlevel description of firewall rules tends to be difficult to manage and to extend. We describe a framework, based on the high-level policy specification language Ponder, for capturing firewall rules as authorization policies with userdefinable constraints. Our framework supports optimisations to achieve efficient utilisation of hardware resources. A pipelined firewall implementation developed using this approach running at 10MHz is capable of processing 2.5 million packets per second, which provides similar performance to a version without optimisation and is about 50 times faster than a software implementation running on a 700MHz PIII processor.