Testbed for Reconfigurable Network Security Research and Experimentation

The testbed integrates FPGA co-processing nodes to test and analyze network-based defenses against information attacks.

A novel, reconfigurable network testbed has been developed, suitable for the implementation, testing, and analysis of new and existing network-based defenses against various information attacks. The system is based on a cluster of reconfigurable networking nodes that can be configured to emulate an arbitrary network infrastructure.

Architecture of the Reconfigurable Network Testbed.
This testbed is the first of its kind to incorporate hardware reconfigurability at multiple network layers, integrating FPGA co-processing elements in both the network interface and the routing infrastructure. The system supports emulation of combined hardware/software network-based defense mechanisms and was constructed to support experimentation and testing at gigabit rates and beyond. As modern networks become faster and more feature-laden, attacks against them become increasingly sophisticated and prevalent. Software-based defense mechanisms embedded in routers and end-hosts are widely expected to be overwhelmed by the traffic rates they will be required to process, whereas more sophisticated hardware-based defense mechanisms can be embedded within the network infrastructure to secure it at line rate.

Limited reconfiguration of networking components is possible in some instances through device hacking and firmware modification, but this approach is insufficient for practical analysis. The developed reconfigurable network testbed is based on a cluster of networking components that can be quickly reconfigured to emulate a wide range of network configurations. These components are reconfigurable in both hardware and software, allowing accurate, high-speed network emulation.

At the heart of the testbed are 11 reconfigurable networking nodes. Each node is based on an augmented XD2000 Development System from XtremeData. The development system consists of a Linux PC tower with a dual Intel Xeon motherboard. One Xeon socket is populated with XtremeData's XD2000 FPGA Co-processor module, based on an Altera Stratix II device. This co-processor provides FPGA co-processing at the system processor level, which supports hardware acceleration of network processing at network layers 3 and above. The processor and co-processor each have 4 GB of DDR SDRAM.

XtremeData's development system has been augmented with a NetFPGA development board. The NetFPGA is an open-platform, reconfigurable development board used to build advanced network flow processing systems. On the board are a programmable Virtex II FPGA (with two PowerPC processors), SRAM, DRAM, and four 1-Gbps Ethernet ports. The FPGA can be used to perform low-level packet processing acceleration functions within the NIC. Aside from the core reconfigurable networking nodes, there are 8 Dell 2950 servers that are also connected through the PowerConnect 6248 and 5510-48T switches. These servers not only generate the background traffic for the network security experiments but also play various roles in the emulated network architecture. When necessary, they can also be used as computing resources for computationally expensive operations.
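The split the two paragraphs above describe, stateless per-packet work in the NIC-resident FPGA and stateful layer-3/4 work at the host co-processor, can be modelled in software before committing a design to hardware. The following is an added example written for this page, not code from the testbed or its authors: tier 1 performs the header checks a NIC FPGA would apply to every frame, tier 2 keeps per-source half-open TCP state of the kind the host-level co-processor would accelerate. The blocklist, threshold, addresses and all traffic are constructed for the example.

```python
"""Two-tier packet pipeline modelling a NIC-level filter feeding a host-level flow monitor.
Added illustration, not the testbed's software; all policy values and traffic are constructed."""
import socket
import struct
from collections import defaultdict

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10

NIC_BLOCKLIST = {"198.51.100.99"}   # constructed tier-1 policy: sources dropped in the NIC
HALF_OPEN_THRESHOLD = 5             # constructed tier-2 policy: half-open flows per source


def build_frame(src_ip, dst_ip, sport, dport, flags, ethertype=ETH_P_IP):
    """Construct a minimal Ethernet/IPv4/TCP frame. Checksums are left zero;
    the tier-1 checks below deliberately do not verify them."""
    eth = bytes(12) + struct.pack("!H", ethertype)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def nic_filter(frame):
    """Tier 1: stateless per-frame checks of the kind a NIC-resident FPGA would apply.
    Returns (None, reason) to drop, or (parsed_header_dict, None) to pass the packet up."""
    if len(frame) < 14:
        return None, "runt"
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None, "non-ip"
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None, "bad-ip-version"
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    # Declared length must fit the bytes actually received and leave room for a TCP header.
    if ihl < 20 or total_len > len(ip) or total_len < ihl + 20:
        return None, "bad-length"
    src = socket.inet_ntoa(ip[12:16])
    dst = socket.inet_ntoa(ip[16:20])
    if src in NIC_BLOCKLIST:
        return None, "blocklisted"
    if ip[9] != IPPROTO_TCP:
        return None, "non-tcp"
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": tcp[13]}, None


class FlowMonitor:
    """Tier 2: stateful layer-3/4 analysis of the kind the host-level co-processor would
    accelerate. Tracks half-open handshakes per source and flags a source that leaves
    more than HALF_OPEN_THRESHOLD of them outstanding (a SYN-flood signature)."""

    def __init__(self, threshold=HALF_OPEN_THRESHOLD):
        self.threshold = threshold
        self.half_open = defaultdict(set)   # src -> {(sport, dst, dport)}
        self.alerts = []

    def process(self, pkt):
        key = (pkt["sport"], pkt["dst"], pkt["dport"])
        flags = pkt["flags"]
        if flags & TCP_SYN and not flags & TCP_ACK:
            self.half_open[pkt["src"]].add(key)
        elif flags & TCP_ACK:
            self.half_open[pkt["src"]].discard(key)   # handshake completed on this flow
        if len(self.half_open[pkt["src"]]) > self.threshold and pkt["src"] not in self.alerts:
            self.alerts.append(pkt["src"])


def run_pipeline(frames):
    """Push each frame through tier 1 then tier 2; return per-stage statistics."""
    dropped = defaultdict(int)
    monitor = FlowMonitor()
    passed = 0
    for frame in frames:
        pkt, reason = nic_filter(frame)
        if pkt is None:
            dropped[reason] += 1
            continue
        passed += 1
        monitor.process(pkt)
    return {"passed": passed, "dropped": dict(dropped), "alerts": monitor.alerts}


def constructed_traffic():
    """Constructed sample traffic: complete handshakes from background-traffic hosts,
    a SYN flood from one source, and three frames tier 1 should drop."""
    server = "10.0.0.10"
    frames = []
    for i, client in enumerate(["10.0.0.21", "10.0.0.22", "10.0.0.23"]):
        for n in range(4):
            sport = 40000 + i * 10 + n
            frames.append(build_frame(client, server, sport, 80, TCP_SYN))
            frames.append(build_frame(client, server, sport, 80, TCP_ACK))
    for n in range(8):   # attacker never completes the handshake
        frames.append(build_frame("203.0.113.7", server, 50000 + n, 80, TCP_SYN))
    frames.append(build_frame("198.51.100.99", server, 1234, 80, TCP_SYN))          # blocklisted
    frames.append(build_frame("10.0.0.21", server, 1, 80, TCP_SYN, ethertype=ETH_P_ARP))  # non-IP
    frames.append(build_frame("10.0.0.22", server, 2, 80, TCP_SYN)[:40])              # truncated
    return frames


if __name__ == "__main__":
    print(run_pipeline(constructed_traffic()))
```

The point of keeping tier 1 stateless is that it maps onto per-packet FPGA logic with no memory beyond the current frame, while the per-source table in tier 2 is the kind of state that lives in the co-processor's SDRAM; the dropped frames never reach tier 2, so its state cannot be polluted by malformed input.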

The 48 network interfaces of the reconfigurable networking nodes are interconnected by the testbed's programmable backplane, a Nortel 5510-48T switch. The control network (a Dell PowerConnect 6248 managed switch) provides control access to, and status monitoring of, each test node. The remaining servers form the basic support infrastructure for the reconfigurable network testbed, handling user access, node configuration, and the other administrative functions required.

This work was done by Douglas H. Summerville and Yu Chen of SUNY Binghamton University for the Air Force Office of Scientific Research. AFRL-0189



This Brief includes a Technical Support Package (TSP). A Testbed for Reconfigurable Network Security Research and Experimentation (reference AFRL-0189) is currently available for download from the TSP library.