24-09-2014, 09:51 AM
SWIFT: A Secure Web Domain Filter in Hardware
Attachment: A Secure Web Domain.pdf
Abstract
The risk of falling victim to spam and phishing attacks keeps increasing in today's Internet, and various Web sites host violent or illegal content. Unfortunately, many users are not able to protect themselves or their networks. Some countries already deploy systems to filter Web content, but the existing solutions suffer from high latency or overblocking. This paper therefore presents a novel Web filtering concept that protects users at the Internet service provider (ISP) level. The proposed system detects and blocks illegal and threatening Web sites. The scalable, hardware-based approach examines Internet domain names at wire speed without overblocking. The Web filter serves as a security measure for all connected users, in particular those with limited IT expertise. The system is fully transparent to all network devices; setup and maintenance can be performed only by the ISP administrator. Consequently, the filter itself is protected from attacks originating from subscribers as well as from the network side.
THE HARDWARE WEB FILTER
Each subscriber is connected to the Internet through the access network. Access networks comprise access nodes (ANs) such as Digital Subscriber Line Access Multiplexers (DSLAMs). Because the Web filter is located on an AN, it must sustain a bandwidth of at least 1 Gbit/s. The Web filter was therefore designed and implemented as a hardware solution, since a software implementation cannot achieve the necessary throughput at this point in the network.
Web Filtering
To protect ordinary Internet users, e.g. against malicious Web content, there are three general options: IP addresses, URLs, or domain names can be controlled.
Filtering by IP address can lead to severe overblocking, since different Web sites may share the same Web server (and thus the same address). Moreover, a Web site can move to a new Web server while it remains reachable under its old domain name, so an address-based entry becomes stale. For these reasons, only URL and domain name filtering are considered here.
The domain name is part of every URL. A domain name identifies the server, whereas the URL identifies a specific resource on that server. URL filtering can lead to underblocking: the path to a requested resource (e.g. an image on the Web site) can be newly generated on every access, so a URL blacklist is quickly evaded. URL filtering is therefore not effective against malicious content. Domain names, in contrast, are the fixed part of the URL and cannot be changed as easily. From the hardware point of view, URLs are also disadvantageous because their maximum length is not defined [15], and URL characters can be encoded in several different ways. Since every encoding variant would have to be handled in hardware, the hardware complexity grows enormously. The tree-like (label-by-label) structure of domain names, on the other hand, is hardware-friendly [16]. A domain name has a defined structure and may be up to 255 characters long. The characters are ASCII encoded, and only letters (a-z), digits (0-9), the period (".") and the hyphen ("-") are allowed (internationalized names appear on the wire in their ASCII Punycode form, so this restriction holds for the traffic the filter sees; matching must be case-insensitive, since domain names are). Since the focus of this paper is to protect inexperienced users against malicious content with a high-speed hardware architecture, it is advantageous to check domain names rather than URLs.
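The comparison above (IP filtering overblocks, URL filtering underblocks, domain names have a bounded, hardware-friendly label structure) is easier to see in code. The following is an added example written for this page, not code from the SWIFT paper or its authors: it extracts the target domain from a raw HTTP/1.x request, validates it against the length and character constraints quoted above, and looks it up in a blacklist stored as a tree keyed by labels from the TLD downwards, so one lookup walks at most one node per label regardless of the size of the list. The blacklist entries, the sample requests and all helper names (normalize_domain, DomainTrie, extract_host, filter_decision) are assumptions made for the example.

```python
"""Domain-name blacklist lookup over a label tree (constructed example).

Not the SWIFT implementation: a software sketch of the matching logic the
text argues for.  Blacklist entries, requests and names are assumptions.
"""
import re
from typing import Optional

# RFC 1035 limits quoted in the text: whole name <= 255 octets, label <= 63.
MAX_NAME_LEN = 255
MAX_LABEL_LEN = 63
# Allowed label alphabet: letters, digits, hyphen (not leading/trailing).
# IDNs arrive as Punycode ("xn--..."), which fits this alphabet.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_domain(host: str) -> Optional[str]:
    """Lower-case, strip ":port" and trailing dot, validate; None if invalid."""
    host = host.strip().lower()
    if host.startswith("["):           # IPv6 literal, not a domain name
        return None
    host = host.split(":", 1)[0].rstrip(".")
    if not host or len(host) > MAX_NAME_LEN:
        return None
    labels = host.split(".")
    if any(len(l) > MAX_LABEL_LEN or not LABEL_RE.match(l) for l in labels):
        return None
    return host


class DomainTrie:
    """Blacklist as a tree: root -> TLD -> second-level label -> ...

    Each node is a dict of child labels; the key "$" marks a listed name and
    stores whether its subdomains are blocked too.  Lookup cost is bounded by
    the number of labels in the queried name, not by the list size.
    """

    def __init__(self) -> None:
        self.root: dict = {}

    def add(self, domain: str, block_subdomains: bool = True) -> None:
        node = self.root
        for label in reversed(domain.lower().strip(".").split(".")):
            node = node.setdefault(label, {})
        node["$"] = block_subdomains

    def is_blocked(self, domain: str) -> bool:
        node = self.root
        labels = list(reversed(domain.split(".")))
        for i, label in enumerate(labels):
            node = node.get(label)
            if node is None:
                return False            # no listed name on this path
            if "$" in node and (node["$"] or i == len(labels) - 1):
                return True             # subtree entry, or exact hit
        return False


def extract_host(request: bytes) -> Optional[str]:
    """Target domain of a raw HTTP/1.x request.

    Uses the Host header; for a proxy-style absolute request-URI
    ("GET http://x.example/p HTTP/1.0") falls back to the URI's authority.
    """
    head = request.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None                     # not a request line
    target = parts[1]
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return normalize_domain(value)
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/]+)", target, re.I)
    return normalize_domain(m.group(1)) if m else None


def filter_decision(blacklist: DomainTrie, request: bytes) -> str:
    """'block' if the request's domain is listed, otherwise 'pass'."""
    host = extract_host(request)
    if host is None:
        return "pass"                   # nothing well-formed to match on
    return "block" if blacklist.is_blocked(host) else "pass"


if __name__ == "__main__":
    bl = DomainTrie()
    bl.add("bad.example")                          # assumed blacklist entry
    # Constructed request: the path is random on every access, which defeats
    # a URL blacklist, but the Host label sequence still walks to a hit.
    req = b"GET /k3j2/7f1a.png HTTP/1.1\r\nHost: CDN.Bad.Example\r\n\r\n"
    print(extract_host(req), filter_decision(bl, req))   # bad.example block
```

The trie stores labels in reverse order so that a single list entry covers every host under it; this is the property the text calls hardware-friendly, because the walk terminates after at most as many steps as the name has labels (at most 127 for a 255-octet name). Whether a match should also cover subdomains is a policy choice, which is why `add` takes a flag rather than assuming it.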
CONCLUSION AND OUTLOOK
In this paper, a working prototype of the hardware Web filter was presented. As a hardware solution, it offers advantages in security and robustness over a software solution. SWIFT can control HTTP traffic at wire speed without packet loss; on the test platform, a throughput of 1 Gbit/s is achieved. The throughput is limited only by the FPGA type and can be increased further with an ASIC implementation. As a high-speed Web filter, it can be deployed in the access networks of ISPs. In this way, the proposed solution can protect users without IT expertise from illegal, aggressive, or threatening Web content such as child pornography or phishing. SWIFT blocks only blacklisted domains and thus produces no false positives. The blacklist can be configured only by the network administrator, and since SWIFT is fully transparent to all network participants, it is protected from attacks. In future work, the functionality of the Web filter can be extended to URL filtering, allowing specific resources, e.g. a single image on a server, to be blocked.