RE: ASIC-based vs. Software-based Security Platform

[Pankaj Parekh <psparekh () yahoo com>]

Ron, 

Thank you for the commendation but a slight correction. iPolicy's ipEnforcer is
a purpose built hardware platform which uses a combination of Network
Processors (14 to be precise), multiple General purpose processors, Multiple
programmable encryption/decryption and IKE processors, and multiple FPGAs. It
does not use ASICs. It can support Fast/Gig Ethernet to OC48 (5 Gbps)
interfaces in full duplex mode to run up to seven different security
applications (IDS, IPS/DDoS blocking, Firewall, VPN, URL Screening,
Surveillance etc) simultaneously at wire speed. 

Although the current debate ASIC-based vs. Software based is a very valid
debate in the industry, technology has evolved to a degree that you can get the
best of both worlds i.e. software flexibility and performance by going the
network processor route without using an ASIC. In fact, we believe that using 
ASICs can  seriously limit  extensibility of applications and performance.
Further, given the increasing tooling cost and elapsed time to achieve reliable
ASICs in production volume, our experience would suggest avoiding ASICs
whenever possible. There are multiple key technology providers in the
networking space that eliminates the need for ASIC even if one needs highest
performance. These chip vendors have built purpose built chips to accelerate
networking functions while keeping software programmability and flexibility. 

Pankaj Parekh
Founder, CTO
iPolicy Networks

-----Original Message-----
From: Ron Gula [mailto:rgula () tenablesecurity com]
Sent: Wednesday, August 27, 2003 5:33 AM
To: focus-ids () securityfocus com
Subject: Re: ASIC-based vs. Software-based Security Platform


Of course,

Look at companies like IPolicy. They make extensive use of ASICs and FPGAs,
but have a completely flexible underlying architecture for updating how they
do network flow reconstruction, IDS, firewall, etc.

Ron Gula

At 01:49 AM 8/27/2003 -0700, Shaiful wrote:
> Hi guys,
>
> Can we have the best of both worlds?
>
> With the emergence of network processors and the FPGA
> like devices that you can buy off-the-shelf, I think
> it is a very promising direction.
>
> Pls refer to the following links:
>
> Intel's Network Processor IXP family:
> http://www.intel.com/design/network/products/npfamily/
>
> Altera's Nios development kit
> http://www.altera.com/products/devkits/altera/kit-nios.html
>
> Tarari's content inspections processor
> http://www.tarari.com/index2.html
>
> Regards,
> Shaiful


---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world’s premier 
technical IT security event.  Modeled after the famous Black Hat event in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symanetc is the Diamond sponsor.  Early-bird registration ends September 6
Visit: www.blackhat.com
---------------------------------------------------------------------------


__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

---------------------------------------------------------------------------
Captus Networks IPS 4000
Intrusion Prevention and Traffic Shaping Technology to: 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Precisely Define and Implement Network Security & Performance Policies
FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo 
http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
---------------------------------------------------------------------------