Firewall Wizards mailing list archives
Re: Two things about new firewalls etc.
From: Ted Doty <ted () iss net>
Date: Mon, 01 Dec 1997 10:32:42 -0500
At 10:34 AM 11/30/97 -0500, dnewman () data com wrote:
> One thing that's happening in other networking devices like switches is
> putting almost everything in ASICs, which makes the devices really fast.
> Today there are routers with latency of less than 100 microseconds for
> short frames. And the latest ASICs have entire CPUs embedded in them,
> which allows them to do multiple subnets per interface, run filters, and
> other sorts of tasks that require rule lookups. Are any security vendors
> looking to embed firewall code in silicon?
While using programmable silicon (FPGA or CAM) offers large performance improvements, there's a fundamental difference between basic routing/switching and security analysis. Routers and switches assume more or less correct implementation, which results in fairly hard boundaries for the analysis they perform. Security devices must assume that the protocols themselves can be used for attacks, so there are *no* bounds to the analysis.

This makes the number of required checks much larger, which makes the silicon larger, which makes the cost higher. The more exceptions, the more processing must be done outside the fast path. Comes a point where it's cheaper to use a general purpose processor.

The only case I see for general hardware assist is where the data rates are so humongous that nothing else is possible (e.g. OC-12).

- Ted
--------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East            | Fax:   +1 770 395 1972
Atlanta, GA 30346 USA               | Web:   http://www.iss.net
--------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE