Firewall Wizards mailing list archives
Re: RE: firewall-wizards digest, Vol 1 #79 - 2 msgs appliance firewall
From: Mikael Olsson <mikael.olsson () enternet se>
Date: Thu, 12 Oct 2000 22:33:41 +0200
Paul Gerry wrote (off-list; forwarded with permission):
[snip] I certainly wasn't trying to snipe anyone or load up my response. In fact I never mentioned NetScreen in my e-mail.
Ah, no, but since you were arguing for ASICs, coupled with your number-one marketing point being that your products make use of them, sort of makes it all an argument for your own product ;)
Anyway, to answer your question: NetScreens are flash upgradeable. If a new attack is discovered we create a firmware file that a user can use to flash their NetScreen firewall. That's all there is to it. Firewall policy look-up and data encryption for VPN happen in the ASIC. This is where NetScreen gains the performance advantage.
All in the interest of learning... not to simply be argumentative or a pain in the b*tt..

1. There's people that tend to follow the logical(?) chain "appliance -> not a computer -> no software -> there's nothing that can go wrong -> gotta be a lot better", which .. well .. let's just say that I don't really like it ;)

2. A whole bunch of us readers here on this list are _very_ paranoid when it comes to

I'd like to argue that it's still not an "appliance" the same way a hub or repeater is, now is it? Storage medium is a moot point -- Cisco PIX for instance uses flash storage for its executables and config files, but it still runs on an x86 processor.

See, my point is that it still doesn't get any more "appliance" than, for instance, Cisco PIX or the Nokia IP series. At least not in the way that a hub or toaster does; they're pretty much bugproof -- unless you got one of those fancy models with a built-in web server, that is :P

Evidently, ASICs are faster than your run-of-the-mill x86 clone CPU, but, well, can you actually refute that it's still a "CPU" running "software"?

(Here's where the paranoia part comes in...) If too much is done in the ASICs (which are fairly static?), you won't be able to upgrade those parts. If there's a lot of software (gets involved with the actual per-packet processing), it's still "software designed for packet shuffling". Having more software is (imho) a good thing, provided that it is WELL WRITTEN of course. If too much logic is tied up into the ICs, you won't be able to change it in the future, right?

So... which way is it? :)

Regards,
Mikael Olsson

--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00 Fax: +46-(0)660-122 50 Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se E-mail: mikael.olsson () enternet se
On bosses and technology: "There are bosses who don't know, and there are bosses that don't know that they don't know" /Anonymous techie

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards