# **Delay Time Analysis of Reconfigurable Firewall Unit**

Tomoaki SATO C&C Systems Center, Hirosaki University Hirosaki 036-8561 Japan

Phichet MOUNGNOUL Faculty of Engineering, King Mongkut's Institute of Technology Ladkrabang Bangkok 10520 Thailand

and

Masa-aki FUKASE Graduate School of Science and Technology, Hirosaki University Hirosaki 036-8561 Japan

#### ABSTRACT

A firewall function is indispensable for mobile devices, and it demands low-power operation. To meet this demand, the authors have developed a firewall unit with a reconfigurable device. The firewall unit needs a large number of registers for the timing adjustment of packets, and these registers are a cause of power consumption. In this paper, to solve the problem of power consumption, the firewall unit is developed by using the wave-pipelining technique, and the delay time for the technique is analyzed in detail.

**Keywords**: Firewall, Mobile Devices, Wave-Pipelining, Delay Time Analysis.

### **1. INTRODUCTION**

A firewall is indispensable for preventing unauthorized access to computers connected to computer networks. It is needed not only in server computers but also in mobile devices such as PDAs and smartphones. Mobile devices are characterized by operating on a small battery. Therefore, a firewall that can be used without sacrificing this feature is required. As a firewall that meets these demands, logic-based firewall circuits on FPGA have been developed [1].

Additionally, the authors have developed H-HIPS (Hardware- and Host-based Intrusion Prevention System) [2]. It has been implemented on an FPGA (field-programmable gate array), and its detection units are realized by logic circuits that can be reconfigured.

H-HIDS has an IDL (Intrusion Detection Logic). The IDL of the NIC, which performs part of the function of a network-based IDS, should process packet analysis across more than three layers of the OSI (Open Systems Interconnection) layer model. Because the hardware of a custom-designed VLSI processor cannot be changed after manufacturing, a restriction to a specific protocol or a new function cannot be added to it. Therefore, it cannot be used for the IDL. By using an FPGA for the IDS, hardware execution of processing that was possible only in software becomes possible. The TCP/IP Flow Monitor circuits were realized with FPGA for such reasons [3].

The firewall contributes not only to the prevention of illegal access but also to the reduction of unauthorized detection circuits. Moreover, the firewall enables power control aimed at reducing the power of the detection circuits of H-HIPS and of networks and mobile communications systems.

The novelty of the circuits is that they can achieve wave-pipelined operations without changing the composition of the circuits. Because wave-pipelined circuits execute pipeline operations without using registers, they lead to low-power and high-speed operation. However, the firewall circuits are only the circuits for the judgment of an illegal port and do not have the shift register necessary to operate as the firewall.

A conventional shift register necessary to operate as the firewall is not mounted. Building a conventional shift register into the circuits affects their operation speed. In addition, using many registers increases the power consumption. Therefore, a wave-pipelined shift register has been developed. It must be built into the firewall unit, and a delay time analysis of the whole circuit is needed.

This paper is organized as follows. Section 2 presents wave-pipelining. Then, Section 3 describes reconfigurable firewall units using wave-pipelining. The results of the delay time analysis are presented in Section 4. Section 5 gives the conclusions.

### 2. WAVE-PIPELINING

Not only a high clock frequency but also low power dissipation can be obtained at the same time by wave-pipelining [4]-[6]. It exploits high-throughput combinational logic blocks into which as many data as possible are launched unless they conflict. Although wave-pipelining was attempted for the entire region of a processor, it was viewed pessimistically because it requires removing general registers as well as pipeline registers from processors. It seems hard to eliminate general registers, which play fundamental roles in sequential circuits. The insufficient power of the CAD tools developed so far is another reason why wave-pipelines have been applied outside processors.

Accordingly, design and evaluation methods for wave-pipelines have not yet been established well compared with those for conventional pipelines. Wave-pipelines have so far mostly been applied to simple unifunctional circuits such as adders, multipliers, counters, and DRAM. Regarding multifunctional wave-pipelines, a wave-pipelined ALU has recently appeared [7]-[10]. Then, a microprocessor developed by using wave-pipelines in part appeared [10]. It is the 14-segment ULTRASPARC-III, whose second and third instruction fetch segments have been wave-pipelined. Another example is an asynchronous wave-pipeline, though it is not compatible with conventional processors. A wave-pipelined CRC, which is a sequential circuit, has been developed by us [11].

The signal paths of a combinational circuit have uneven delay times. The fastest signal of the group launched in one clock may collide with a slow signal launched in the preceding clock. This problem is solved in the wave-pipelined combinational circuit shown in Figure 1 (a) by bringing the delay times of all signal paths close to the delay time of the critical path.

The relation between the clock cycle and delays is obtained as follows [6].

$$T_{CK} > (D_{MAX} - D_{MIN}) + T_{OV} \tag{1}$$

Here,

- $T_{CK}$: Clock cycle time
- $T_{OV}$: Overhead time



Figure 1. Synchronization of pipelines. (a) Wave-pipeline. (b) Conventional pipeline.

From Eq. (1), $D_{MAX} - D_{MIN}$ should be as close to 0 as possible in order to obtain the minimum $T_{CK}$. One solution that satisfies this requirement can be conceived from Figure 2, which shows the relation between time and logical depth.



Figure 2. Wave model of Figure 1 (a).

### 3. RECONFIGURABLE FIREWALL

Figure 3 shows the outline of the firewall for H-HIPS. As in the previous work [12], the controlled ports are those used for mobile computing, and they are the minimum needed. Table I lists the controlled ports. Because the firewall unit is developed on an FPGA, changing the ports is very easy. H-HIPS is shown in Figure 4.

TABLE I. CONTROLLED PORTS

| Function | Port Number | Binary            |
|----------|-------------|-------------------|
| NOP      | 0           | 00000000000000000 |
| SMTP     | 25          | 000000000011001   |
| DNS      | 53          | 000000000110101   |
| HTTP     | 80          | 000000001010000   |
| POP3     | 110         | 000000001101110   |
| HTTPS    | 443         | 0000000110111011  |



Figure 3. Firewall of H-HIPS.



Figure 4. H-HIPS.

TABLE II. DEVELOPMENT ENVIRONMENT

| Item            | Specification                        |
|-----------------|--------------------------------------|
| CPU             | Intel Core 2 Duo E6600 (2.4GHz)      |
| Memory          | 2G Bytes                             |
| OS              | Microsoft Windows XP Pro. SP3        |
| Logic synthesis | Altera Quartus II V8.0               |
| Simulator       | Mentor Graphics ModelSim Altera 6.1g |
| FPGA Device     | Altera Cyclone EP1C20F400C7          |

Figure 5 shows the circuits synthesized by using the development environment of Table II. The maximum delay time of the circuits is 17.9 ns. The circuits can operate at 50 MHz by conventional operations. The minimum delay time is 12.3 ns. According to Eq. (1), they can operate at 100 MHz by wave-pipelined operations. Gate-level simulations are executed to confirm the wave-pipelined operations. Figure 6 shows conventional operations and Figure 7 shows wave-pipelined operations. According to the results of Figure 7, 100 MHz operation is confirmed.

#### A. Shift Register for the Firewall Circuits

The firewall circuits are only the circuits for the judgment of an illegal port number. They are needed for observing both the source port number and the destination port number. Therefore, the authors develop the firewall unit shown in Figure 7.

The detection results for the source port number and the destination port number obtained by the firewall circuits are input to an OR gate. Then, the output of the OR gate is input to a flag register. When the flag register indicates that an illegal port number has been detected, the packet including the illegal port number must be destroyed. Accordingly, a shift register is needed for the packet.

However, the firewall circuits operate by wave-pipelined operations. Because a conventional shift register is slower than the firewall circuits, it cannot be used. Therefore, a wave-pipelined shift register composed of buffers is developed and built in.
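A behavioural model of the reason the packet has to be delayed, added here as an example and not taken from the authors' circuit: if the shift register is shallower than the time the flag needs to become valid, the leading words of a flagged packet reach the output. Assumptions: one 16-bit word per clock with the source port in word 0 and the destination port in word 1, a detection output that is raised when a port field matches a Table I entry, and the hypothetical names `run_unit`, `min_safe_depth` and `judge_latency`.

```python
from collections import deque

# Ports from Table I (NOP = 0 omitted). Assumption: a port field that matches
# one of these raises the detection output; the page does not state polarity.
CONTROLLED_PORTS = {25, 53, 80, 110, 443}

def run_unit(words, depth, judge_latency, flagged=lambda p: p in CONTROLLED_PORTS):
    """Clock one packet through the unit and return the words that reach the output.

    words         -- 16-bit words, one per clock; word 0 = source port,
                     word 1 = destination port (assumed layout)
    depth         -- stages in the shift register that delays the packet
    judge_latency -- clocks between a port field arriving and its detection
                     result reaching the flag register (hypothetical parameter)
    """
    line = deque([None] * depth)              # shift register contents
    results = deque([False] * judge_latency)  # detection results still in flight
    flag = False                              # flag register, fed by the OR gate
    out = []
    for cycle, word in enumerate(list(words) + [None] * depth):  # extra clocks flush
        hit = cycle < 2 and word is not None and flagged(word)
        results.append(hit)
        flag = flag or results.popleft()      # OR of source and destination results
        line.append(word)
        leaving = line.popleft()
        if leaving is not None and not flag:  # a set flag destroys the packet
            out.append(leaving)
    return out

def min_safe_depth(words, judge_latency, limit=16):
    """Smallest depth at which no word of a flagged packet escapes."""
    return next(d for d in range(limit) if not run_unit(words, d, judge_latency))

# Constructed sample packets (not from the page).
BAD = [49152, 25, 0x1111, 0x2222]     # destination port 25 is in Table I
GOOD = [49152, 8080, 0x1111, 0x2222]  # neither port is in Table I

if __name__ == "__main__":
    print(run_unit(BAD, depth=2, judge_latency=2))   # first word escapes
    print(run_unit(BAD, depth=3, judge_latency=2))   # whole packet destroyed
    print(run_unit(GOOD, depth=3, judge_latency=2))  # delayed but intact
    print(min_safe_depth(BAD, judge_latency=2))
```

The model handles a single packet and never clears the flag; a per-packet reset would be needed for a stream.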

#### B. Operation Speed

The delay time of the firewall unit shown in Figure 7 is analyzed. The development environment of Table II is used for the analysis. As a result, the maximum delay time is 8.80 ns and the minimum delay time is 3.33 ns. In the development of the firewall unit, buffer insertion and logic synthesis are executed; as a result, a maximum delay time different from the results of Sec. III is obtained. From Eq. (1), the firewall unit operates at 180 MHz.



Figure 5. Firewall Circuits.



Figure 6. Conventional Operations (50MHz).



Figure 7. Wave-Pipelined Operations (100MHz).



Figure 8. Firewall Unit.

### 4. DELAY TIME ANALYSIS

In this section, the optimal number of buffers for delay time adjustment is found by delay time analysis. Figure 9 shows the relation between the number of buffers and delay time. It was obtained as follows.

- The circuit of Figure 8 is divided into the Firewall Circuits with the OR gate and the Waved Shift Registers.
- The buffer numbers of the Waved Shift Registers are adjusted.
- The maximum delay time and the minimum delay time of each circuit are obtained by using the CAD tools.

According to Eq. (1), the operating speed is governed by the point at which the difference between the maximum delay time and the minimum delay time is smallest. In Figure 9, the minimum, 6.3 ns, is obtained when the number of buffers is 8. On the other hand, the delay time with 6 buffers is 6.4 ns. In this case, 6 buffers are selected from the viewpoint of area.



Figure 9. Relation between the Number of Buffers and Delay Time.
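Eq. (1) applied to the delay values reported in Section 3, together with the buffer choice of Section 4, as an added example that is not the authors' code. It rearranges Eq. (1) to show how much overhead time $T_{OV}$ each stated clock frequency leaves; the function names and the 100 ps tolerance used to prefer the smaller buffer count are assumptions.

```python
# Delays are kept in integer picoseconds to avoid floating-point rounding.

def period_ps(freq_mhz):
    """Clock cycle time T_CK in picoseconds."""
    return 1_000_000 / freq_mhz

def conventional_ok(d_max_ps, freq_mhz):
    """Register-to-register pipeline: the period must cover the longest path."""
    return period_ps(freq_mhz) >= d_max_ps

def overhead_budget_ps(d_max_ps, d_min_ps, freq_mhz):
    """Eq. (1) rearranged: T_OV must stay below T_CK - (D_MAX - D_MIN).

    A result <= 0 means the clock violates Eq. (1) even with zero overhead.
    """
    return period_ps(freq_mhz) - (d_max_ps - d_min_ps)

def pick_buffers(reported_ps, tolerance_ps):
    """Smallest buffer count whose reported value is within tolerance of the best.

    tolerance_ps is an assumed knob standing in for the area argument.
    """
    best = min(reported_ps.values())
    return min(n for n, v in reported_ps.items() if v - best <= tolerance_ps)

FIREWALL_CIRCUITS = (17_900, 12_300)  # Section 3: 17.9 ns max, 12.3 ns min
FIREWALL_UNIT = (8_800, 3_330)        # Section 3.B: 8.80 ns max, 3.33 ns min
SECTION_4 = {8: 6_300, 6: 6_400}      # 6.3 ns at 8 buffers, 6.4 ns at 6 buffers

if __name__ == "__main__":
    print("conventional 50 MHz ok:", conventional_ok(FIREWALL_CIRCUITS[0], 50))
    print("conventional 100 MHz ok:", conventional_ok(FIREWALL_CIRCUITS[0], 100))
    print("T_OV budget, circuits @100 MHz (ps):",
          overhead_budget_ps(*FIREWALL_CIRCUITS, 100))
    print("T_OV budget, unit @180 MHz (ps):",
          round(overhead_budget_ps(*FIREWALL_UNIT, 180), 1))
    print("buffers chosen with 100 ps tolerance:", pick_buffers(SECTION_4, 100))
    print("buffers chosen with no tolerance:", pick_buffers(SECTION_4, 0))
```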

### 5. CONCLUDING REMARKS

In this paper, the authors analyzed the optimal number of buffers for wave-pipelined operation of the Reconfigurable Firewall Unit. The results of the analysis show that the maximum operating speed is obtained with 8 buffers. However, 6 buffers were selected from the viewpoint of area. Future work includes detailed evaluations using packet data.

### ACKNOWLEDGMENT

This work has been supported in part by Grant-in-Aid for Young Scientists (B) (23700068) from Japan Society for the Promotion of Science (JSPS), Japan.

#### REFERENCES

- [1] Tomoaki Sato, Syuya Imaruoka, and Masa-aki Fukase, "Reconfigurable Firewall Unit by Wave-Pipelined Operations," Proc. of ISPACS 2008, pp. 449-452, 2009.
- [2] Tomoaki Sato, Kazuhira Kikuchi, Syuya Imaruoka, and Masa-aki Fukase, "DoS Attack Analysis for H-HIPS," Proc. of IMETI, Vol. II, pp. 110-115, 2008.

- [3] David V. Schuehler and John W. Lockwood, "TCP Splitter: A TCP/IP Flow Monitor in Reconfigurable Hardware," IEEE Micro, Vol. 23, No. 1, pp. 54-59, 2003.
- [4] L. Cotton, "Maximum rate pipelining systems," Proc. AFIPS Spring Joint Computer Conference, pp. 581-586, 1969.
- [5] F. Klass and M. J. Flynn, "COMPARATIVE STUDIES OF PIPELINED CIRCUITS," Stanford University Technical Report, No. CSL-TR-93-579, July 1993.
- [6] W. P. Burleson, M. Ciesielski, F. Klass, and W. Liu, "Wave-Pipelining: A Tutorial and Research Survey," IEEE Trans. on Very Large Scale Integration (VLSI) Systems, Vol. 6, No. 3, pp. 464-474, Sept. 1998.
- [7] T. Sato, M. Fukase, and T. Nakamura, "Performance analysis of a wave-pipelined ALU," Technical Report of IEICE, CPSY 2000, Vol. 100, No. 20, pp. 1-6, 2000.
- [8] M. Fukase, T. Sato, R. Egawa, and T. Nakamura, "Scaling up of Wave Pipelines," THE FOURTEENTH INTERNATIONAL CONFERENCE ON VLSI DESIGN, Jun. 2000.
- [9] M. Fukase, T. Sato, R. Egawa, and T. Nakamura, "Breakthrough of Superscalar Processors by Multifunctional Wave-Pipelines," Proc. of 9th NASA Symposium on VLSI Design, pp. 6.3.1-6.3.17, Nov. 2000.
- [10] M. Fukase, T. Sato, R. Egawa, and T. Nakamura, "Designing a Wave-Pipelined Vector Processor," Proc. of the Tenth Workshop on Synthesis and System Integration of Mixed Technologies, pp. 351-356, Oct. 2001.
- [11] Tomoaki Sato, Phichet Moungnoul, Keisuke Saito, Masa-aki Fukase, "Wave-Pipelined CRC Circuits for Wireless Broadband Systems Based on W-CDMA," Proc. of ICESIT2010, pp. 100.1-100.4, 2010.
- [12] Tomoaki Sato, Kei Ito, Keisuke Saito, Phichet Moungnoul and Masa-aki Fukase, "Development of a shift register for Firewall Circuits by Wave-Pipelined Operations," Proc. of 2010 International Workshop on Information Communication Technology, pp. w4c-1-1-w4c-1-4, 2010.