Firewall Wizards mailing list archives

Re: Two things about new firewalls etc.


From: Ted Doty <ted () iss net>
Date: Mon, 01 Dec 1997 10:32:42 -0500

At 10:34 AM 11/30/97 -0500, dnewman () data com wrote:

One thing that's happening in other networking devices like switches is
putting almost everything in ASICs, which makes the devices really fast.
Today there are routers with latency of less than 100 microseconds for
short frames. And the latest ASICs have entire CPUs embedded in them,
which allows them to do multiple subnets per interface, run filters, and
other sorts of tasks that require rule lookups.

Are any security vendors looking to embed firewall code in silicon?

While using programmable silicon (FPGA or CAM) offers large performance
improvements, there's a fundamental difference between basic
routing/switching and security analysis.  Routers and switches assume more
or less correct implementation, which results in fairly hard boundaries for
the analysis they perform.  Security devices must assume that the protocols
themselves can be used for attacks, so there are *no* bounds to the analysis.

This makes the number of required checks much larger, which makes the
silicon larger, which makes the cost higher.  The more exceptions, the more
processing must be done outside the fast path.  There comes a point where
it's cheaper to use a general purpose processor.

The only case I see for general hardware assist is where the data rates are
so humongous that nothing else is possible (e.g. OC-12).

- Ted

--------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East            | Fax:   +1 770 395 1972
Atlanta, GA 30346  USA              | Web: http://www.iss.net
--------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689  FD0F E625 D525 E1BE