Firewall Wizards mailing list archives
Re[2]: Two things about new firewalls etc.
From: dnewman () data com
Date: Tue, 02 Dec 97 19:18:27 -0500
While using programmable silicon (FPGA or CAM) offers large performance improvements, there's a fundamental difference between basic routing/switching and security analysis. Routers and switches assume more or less correct implementation, which results in fairly hard boundaries for the analysis they perform. Security devices must assume that the protocols themselves can be used for attacks, so there are *no* bounds to the analysis. This makes the number of required checks much larger, which makes the silicon larger, which makes the cost higher. The more exceptions, the more processing must be done outside the fast path. Comes a point where it's cheaper to use a general-purpose processor.

As a general rule, Ted's comments are right on the mark. But the boundaries are beginning to blur: look at devices like some of the ASIC-based traffic shapers that copied Packeteer (the one from Integralis springs to mind). And router and switch folks are moving up the stack and doing it in silicon: look at Alteon's layer-4 stuff, and 3Com and Bay aren't far behind.

I'd be very surprised if at least some security vendors *weren't* working to embed at least some analysis in silicon. I don't have any advance knowledge of this. But I've seen ASIC-based products move from L2 to L3 to L4, and I don't see why chipmakers will stop there.

No question it's hugely compute-expensive. But there's some cool stuff happening in chip design.

dn
Current thread:
- Re: Two things about new firewalls etc. Ted Doty (Dec 01)
- <Possible follow-ups>
- RE: Two things about new firewalls etc. Joseph Judge (Dec 03)
- Re: Two things about new firewalls etc. Jason Keimig (Dec 03)
- Re[2]: Two things about new firewalls etc. dnewman (Dec 03)
- Re: Two things about new firewalls etc. Vern Paxson (Dec 03)
- Re: Two things about new firewalls etc. Jyri Kaljundi (Dec 04)
- Re: Two things about new firewalls etc. -= ArkanoiD =- (Dec 05)
- Re[2]: Two things about new firewalls etc. dnewman (Dec 04)