Firewall Wizards mailing list archives

RE: RE: firewall-wizards digest, Vol 1 #79 - 2 msgs appliance firewall


From: "Paul Gerry" <pgerry () netscreen com>
Date: Thu, 12 Oct 2000 18:49:17 -0400

This is a religious argument. Are ASICs better than software? What do I
give up to use ASIC based hardware? ASICs are not as flexible as software,
as Mikael states, and therefore the paranoia:

If too much is done in the ASICs (which are fairly static?),
you won't be able to upgrade those parts.
If there's a lot of software (gets involved with the actual
per-packet processing), it's still "software designed for packet
shuffling".

Having more software is (imho) a good thing, provided
that it is WELL WRITTEN of course. If too much logic is
tied up into the ICs, you won't be able to change it
in the future, right?

Software can be more flexible; however, you have to give up some flexibility
to gain performance. In today's bandwidth intensive environment, where
faster throughput is a requirement, using a software solution can be a
bottleneck. Some software based firewalls are excellent and offer a high
degree of protection. However, they can be slow and difficult to manage
when the underlying OS requires upgrading or patch fixes (maintaining
software is a pain). So, if too much logic is built into the ASIC,
that's the tradeoff for a high performance firewall.

Software flexibility vs. performance? It's your call.

-----Original Message-----
From: Mikael Olsson [mailto:mikael.olsson () enternet se]
Sent: Thursday, October 12, 2000 4:34 PM
To: pgerry () netscreen com
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] RE: firewall-wizards digest, Vol 1 #79 - 2 msgs
appliance firewall


Paul Gerry wrote (off-list; forwarded with permission)

[snip] I certainly wasn't trying to snipe anyone or load up
my response.  In fact I never mentioned NetScreen in my e-mail.

Ah, no, but since you were arguing for ASICs, coupled with your
number-one marketing point being that your products make use
of them, sort of makes it all an argument for your own product ;)

Anyway, to answer your question, NetScreens are flash upgradeable. If a
new attack is discovered we create a firmware file that a user can use to
flash their NetScreen firewall. That's all there is to it. Firewall policy
lookup and data encryption for VPN happens in the ASIC. This is where
NetScreen gains the performance advantage.

All in the interest of learning... not to simply be argumentative
or a pain in the b*tt..

1. There's people that tend to follow the logical(?) chain
   "appliance -> not a computer -> no software ->
    there's nothing that can go wrong -> gotta be a lot better",
   which .. well .. let's just say that I don't really like it ;)

2. A whole bunch of us readers here on this list are
   _very_ paranoid when it comes to

I'd like to argue that it's still not an "appliance" the same way a
hub or repeater is, now is it? Storage medium is a moot point -- Cisco
PIX for instance uses flash storage for its executables and config
files, but it still runs on an x86 processor.

See, my point is that it still doesn't get any more "appliance"
than, for instance, Cisco PIX or the Nokia IP series. At least
not in the way that a hub or toaster does; they're pretty
much bugproof -- unless you got one of those fancy models
with a built-in web server, that is :P

Evidently, ASICs are faster than your run-of-the-mill x86
clone CPU, but, well, can you actually refute that
it's still a "CPU" running "software"?

(Here's where the paranoia part comes in...)

If too much is done in the ASICs (which are fairly static?),
you won't be able to upgrade those parts.
If there's a lot of software (gets involved with the actual
per-packet processing), it's still "software designed for packet
shuffling".

Having more software is (imho) a good thing, provided
that it is WELL WRITTEN of course. If too much logic is
tied up into the ICs, you won't be able to change it
in the future, right?

So... which way is it? :)

Regards,
Mikael Olsson

--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se

On bosses and technology: "There are bosses who don't know, and there
are bosses that don't know that they don't know" /Anonymous techie


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards