HyPaFilter - A versatile hybrid FPGA packet filter

With network traffic rates continuously growing, security systems like firewalls are facing increasing challenges to process incoming packets at line speed without sacrificing protection. Accordingly, specialized hardware firewalls are increasingly used in high-speed environments. Hardware solutions, though, are inherently limited in terms of the complexity of the policies they can implement, often forcing users to choose between throughput and comprehensive analysis. On the contrary, complex rules typically constitute only a small fraction of the rule set. This motivates the combination of massively parallel, yet complexity-limited specialized circuitry with a slower, but semantically powerful software firewall. The key challenge in such a design arises from the dependencies between classification rules due to their relative priorities within the rule set: complex rules requiring software-based processing may be interleaved at arbitrary positions between those where hardware processing is feasible. We therefore discuss approaches for partitioning and transforming rule sets for hybrid packet processing, and propose HyPaFilter, a hybrid classification system based on tailored circuitry on an FPGA as an accelerator for a Linux netfilter firewall. Our evaluation demonstrates 30-fold performance gains in comparison to software-only processing.Horizon 2020 (Grant ID: SSICLOPS project, 644866)This is the author accepted manuscript. The final version is available from the Association for Computing Machinery via http://dx.doi.org/10.1145/2881025.288103

HyPaFilter+: Enhanced Hybrid Packet Filtering using Hardware Assisted Classification and Header Space Analysis

Firewalls, key components for secured network in- frastructures, are faced with two different kinds of challenges: first, they must be fast enough to classify network packets at line speed, second, their packet processing capabilities should be versatile in order to support complex filtering policies. Unfortu- nately, most existing classification systems do not qualify equally well for both requirements: systems built on special-purpose hardware are fast, but limited in their filtering functionality. In contrast, software filters provide powerful matching semantics, but struggle to meet line speed. This motivates the combination of parallel, yet complexity-limited specialized circuitry with a slower, but versatile software firewall. The key challenge in such a design arises from the dependencies between classification rules due to their relative priorities within the rule set: complex rules requiring software-based processing may be interleaved at arbitrary positions between those where hardware processing is feasible. We therefore discuss approaches for partitioning and transforming rule sets for hybrid packet processing. As a result we propose HyPaFilter+, a hybrid classification system consisting of an FPGA-based hardware matcher and a Linux netfilter firewall, which provides a simple, yet effective hardware/software packet shunting algorithm. Our evaluation shows up to 30-fold throughput gains over software packet processing.We would like to acknowledge the support of the German Federal Ministry for Economic Affairs and Energy and the German Federal Ministry of Education and Research. This work was, in part, supported by the EU Horizon 2020 SSICLOPS project (grant agreement 644866)

Entwicklung von Regeln zur Kombination stochastischer Lasten fuer die Tragwerksbemessung

SIGLETIB: RN 2979 (68) / FIZ - Fachinformationszzentrum Karlsruhe / TIB - Technische InformationsbibliothekDEGerman

Shedding Light on the Shade: How Nurseries Protect Their Children from Ultraviolet Radiation

Minimizing exposure to ultraviolet radiation (UVR) is strongly recommended as the most important primary prevention measure regarding skin cancer. The responsibility for adequate sun protection of young children lies with their parents and external caregivers. Since a high proportion of 3- to 6-year-old children in Germany attend nurseries, the practice of sun protection in this setting was assessed. A survey was conducted in 246 nurseries in southern Germany during spring and summer of 2014 and 2015. Shade coverage in the outdoor area of the nursery was assessed by study team members and UVR protective behavior of staff was assessed by an interview with the directors. On average, 52% of the entire outdoor area and 65% of the children’s outdoor play area were covered by shade, with a significant difference between nurseries of different sizes, pointing to a better shade coverage in larger nurseries. The daily outdoor stay was not regularly scheduled before or after peak sun intensity hours around noon to avoid intense UVR exposure. General sun protection rules were present in the majority of the nurseries and addressed predominantly wearing sunhats and applying sunscreen. Our findings show that current sun protection recommendations for children are only partially met in nurseries and indicate a lower level of sun protection in small institutions. Especially, avoidance of excessive exposure to UVR around noon and the importance of shade provision over play structures needs to be emphasized in future information campaigns