Firewall Wizards mailing list archives

Re[2]: Two things about new firewalls etc.


From: dnewman () data com
Date: Tue, 02 Dec 97 19:18:27 -0500


While using programmable silicon (FPGA or CAM) offers large performance 
improvements, there's a fundamental difference between basic 
routing/switching and security analysis.  Routers and switches assume more 
or less correct implementation, which results in fairly hard boundaries for 
the analysis they perform.  Security devices must assume that the protocols
themselves can be used for attacks, so there are *no* bounds to the analysis.

This makes the number of required checks much larger, which makes the 
silicon larger, which makes the cost higher.  The more exceptions, the more 
processing must be done outside the fast path.  Comes a point where it's 
cheaper to use a general purpose processor.

     As a general rule, Ted's comments are right on the mark. But the 
     boundaries are beginning to blur: Look at devices like some of the 
     ASIC-based traffic shapers that copied Packeteer (the one from 
     Integralis springs to mind). And router and switch folks are moving up 
     the stack and doing it in silicon: Look at Alteon's layer-4 stuff, and 
     3Com and Bay aren't far behind.
     
     I'd be very surprised if at least some security vendors *weren't* 
     working to embed at least some analysis in silicon. I don't have any 
     advance knowledge of this. But I've seen ASIC-based products move from 
     L2 to L3 to L4, and I don't see why chipmakers will stop there. No 
     question it's hugely compute-expensive. But there's some cool stuff 
     happening in chip design.
     
     dn
     
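The fast-path/slow-path split that Ted and dn are arguing about, as an added example that is not part of the original thread: a fixed-width rule lookup stands in for the bounded check a CAM or ASIC can do per packet, and every condition that needs protocol knowledge (fragments, IP options, contradictory TCP flags, a payload that has to be parsed) is punted to general-purpose code. The rule table, the exception list and the sample packets are constructed for illustration; the counters show how much of the traffic leaves the fast path once security checks are added.

```python
"""Sketch of a packet classifier with a bounded fast path and an unbounded slow path.

Constructed example: rule table, exception conditions and sample packets are all
made up for illustration and do not describe any real product.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    tcp_flags: FrozenSet[str] = frozenset()
    fragment: bool = False
    ip_options: bool = False
    payload: bytes = b""


# Fast-path table keyed on (proto, dst, dport): an exact-match lookup with
# constant cost per packet, the kind of bounded work that maps onto a CAM.
FAST_RULES = {
    ("tcp", "10.0.0.5", 80): "permit",
    ("tcp", "10.0.0.5", 22): "deny",
    ("udp", "10.0.0.9", 53): "permit",
}


def needs_exception_handling(pkt: Packet) -> Optional[str]:
    """Return why a packet cannot be decided by the table alone, or None."""
    if pkt.fragment:
        return "fragment"          # header fields may be incomplete or overlap
    if pkt.ip_options:
        return "ip-options"        # variable-length header, not fixed-width
    if pkt.proto == "tcp" and {"SYN", "FIN"} <= pkt.tcp_flags:
        return "syn-fin"           # contradictory flags: protocol misuse, not a lookup
    if pkt.proto == "tcp" and pkt.dport == 80 and pkt.payload:
        return "http-inspect"      # payload must be parsed: no fixed bound on work
    return None


def fast_path(pkt: Packet) -> str:
    """Bounded check: one table lookup, default deny."""
    return FAST_RULES.get((pkt.proto, pkt.dst, pkt.dport), "deny")


def slow_path(pkt: Packet, reason: str) -> str:
    """General-purpose processing for everything the table cannot decide."""
    if reason in ("fragment", "ip-options", "syn-fin"):
        return "deny"              # policy choice: drop ambiguous packets rather than guess
    if reason == "http-inspect":
        first_line = pkt.payload.split(b"\r\n", 1)[0]
        method = first_line.split(b" ", 1)[0]
        return "permit" if method in (b"GET", b"HEAD", b"POST") else "deny"
    return "deny"


def classify(pkts: List[Packet]) -> Tuple[dict, List[str]]:
    """Route each packet to the fast or slow path; return path counts and verdicts."""
    stats = {"fast": 0, "slow": 0}
    verdicts = []
    for p in pkts:
        reason = needs_exception_handling(p)
        if reason is None:
            stats["fast"] += 1
            verdicts.append(fast_path(p))
        else:
            stats["slow"] += 1
            verdicts.append(slow_path(p, reason))
    return stats, verdicts


# Constructed sample traffic: four packets the table can decide, three it cannot.
SAMPLE = [
    Packet("tcp", "192.0.2.1", "10.0.0.5", 40000, 80, frozenset({"SYN"})),
    Packet("tcp", "192.0.2.1", "10.0.0.5", 40001, 22),
    Packet("udp", "192.0.2.2", "10.0.0.9", 40002, 53),
    Packet("tcp", "192.0.2.3", "10.0.0.5", 40003, 80, fragment=True),
    Packet("tcp", "192.0.2.4", "10.0.0.5", 40004, 80, payload=b"GET / HTTP/1.0\r\n"),
    Packet("tcp", "192.0.2.5", "10.0.0.5", 40005, 80, frozenset({"SYN", "FIN"})),
    Packet("tcp", "192.0.2.6", "10.0.0.5", 40006, 443),
]


def run_sample() -> Tuple[dict, List[str]]:
    return classify(SAMPLE)


if __name__ == "__main__":
    stats, verdicts = run_sample()
    print(stats, verdicts)
```

On this traffic three of seven packets leave the fast path even though the rule table has only three entries; each additional protocol check adds another exception branch, which is the cost curve the thread describes.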