Information Security News mailing list archives
Hardware firewall runs on NSA technology
From: William Knowles <wk () C4I ORG>
Date: Tue, 10 Oct 2000 19:02:51 -0500
http://www.eetimes.com/story/OEG20001009S0056

By Craig Matsumoto
EE Times (10/09/00, 4:14 p.m. EST)

SAN MATEO, Calif. -- A relationship with the National Security Agency has netted Marconi Communications the technology to produce a firewall that is said to run at OC-12 speeds (622 Mbits/second) and to be undetectable to potential intruders.

The technology, licensed from the NSA and sold back to the agency in product form, is part of a longstanding relationship between government agencies and Fore Systems Inc., which Marconi (Pittsburgh) acquired last year. Marconi showed the SA-400 at the Networld + Interop show in Atlanta last month.

Unlike typical firewalls, which reside in software on a workstation, the SA-400 is a standalone appliance that sits on the incoming line and passes traffic through at wire speed, eliminating the telltale delay and routing of a workstation firewall.

In part, the box achieves that speed because it can handle asynchronous transfer mode (ATM) traffic natively. "Most firewalls are done at the IP [Internet Protocol] layer and higher, because most people's security policy is at the IP layer," said Matthew Jones, program manager for enterprise ATM at Marconi.

The SA-400 operates by inspecting the IP header and payload inside the ATM cell, without having to extract the IP information explicitly. Jones likened the process to a glass bottle: "You can read the label and know what's in it without having to taste it," he said. "It's a pretty neat technology, to actually figure out the IP layer without going up there."

The SA-400 takes in traffic through two queues able to process two ATM cells apiece, then uses information at the ATM layer to determine how a particular frame has been encapsulated. From there, it searches for specific bits of IP-layer information (source address, destination address, TCP port and UDP port), implementing policies programmed onto FPGAs inside the box.

These shortcuts let the SA-400 hit higher speeds than conventional firewalls, Jones said. "Even with the most sophisticated and high-performance workstations out there, running a firewall, you're lucky to get DS-3 [45-Mbit/s] rates," he said.

Plugging the hole

Reading ATM also lets the SA-400 process voice-over-IP packets. With a software firewall, there isn't time to route voice signals through the workstation, so a path is created that bypasses the firewall entirely, essentially creating a hole in the firewall. Because the SA-400 can operate at wire speed, it averts that problem, Jones said.

Hardware-based firewalls didn't become common earlier because silicon hadn't caught up, Jones said, noting that FPGAs only now are large enough to handle the processing of IP data streams. In addition, line rates have now gotten high enough (many corporations now have high-speed access lines to the Internet) so that the delays of software-based firewalls are becoming a hassle, he said.

The SA-400 was developed at the NSA's Laboratory of Technology and Science. But the agency wanted to be able to buy the product commercially, to keep the price down, Jones said. So, the NSA licensed the technology to Marconi and acted as consultant in the development of the SA-400, which Marconi now sells back to the agency.

"Part of their charter is to make the technology commercially available for use internally," Jones said. "The economics of scale for federal production just aren't there. We can mass-produce the item and drive costs down."

The relationship stems from Fore Systems' origins as a government contractor. In fact, Fore was created through a Navy grant and has since remained close to the Pentagon and the intelligence community. Marconi holds unconditional licenses to the NSA's patents on the traffic-inspection methods used in the SA-400.

The company is "kicking around" ideas for using that technology in other products, including such possibilities as a firewall integrated into an ATM switch or a device to sort and prioritize IP-level information in much the same way as Multi-Protocol Label Switching does, Jones said.

The SA-400 is priced at $15,000 for an OC-3 (155-Mbit/s) version, or $25,000 for OC-12.
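The first-cell classification the article describes (learn the encapsulation at the ATM layer, then read addresses and ports out of the cell without reassembling the frame), worked through as an added example; this is not Marconi's or the NSA's code and makes no claim about how the SA-400 itself is built. It assumes RFC 2684 encapsulation of IPv4 over AAL5, either LLC/SNAP or VC-multiplexed, and that the IPv4 header plus transport ports fit in the first 48-byte cell payload, which holds for any option-free IPv4 header; the packets and the rule table are constructed test data.

```python
import struct
LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")  # RFC 2684 LLC/SNAP header, IPv4 payload
CELL_PAYLOAD = 48  # bytes of payload in one ATM cell

def ipv4_packet(src, dst, proto, sport, dport):
    """Constructed minimal IPv4 packet with a TCP/UDP port pair (checksums zeroed)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0,
                     64, proto, 0, addr(src), addr(dst))
    return ip + l4

def first_cell(pdu, llc_snap):
    """Payload of the first ATM cell carrying an AAL5 frame (LLC/SNAP or VC-mux)."""
    frame = (LLC_SNAP_IPV4 if llc_snap else b"") + pdu
    return frame[:CELL_PAYLOAD].ljust(CELL_PAYLOAD, b"\x00")

def classify_first_cell(cell, llc_snap):
    """Read (src, dst, proto, sport, dport) straight out of the first cell; llc_snap is
    the per-VC encapsulation known at the ATM layer. None = not a parsable IPv4 frame."""
    off = 8 if llc_snap else 0
    if llc_snap and cell[:8] != LLC_SNAP_IPV4:
        return None
    if cell[off] >> 4 != 4:
        return None
    ihl = (cell[off] & 0x0F) * 4
    proto = cell[off + 9]
    src = ".".join(map(str, cell[off + 12:off + 16]))
    dst = ".".join(map(str, cell[off + 16:off + 20]))
    if proto not in (6, 17) or off + ihl + 4 > CELL_PAYLOAD:
        return (src, dst, proto, None, None)  # ports not present in this cell
    sport, dport = struct.unpack("!HH", cell[off + ihl:off + ihl + 4])
    return (src, dst, proto, sport, dport)

# Constructed rules (dst prefix, proto, dst port, action); first match wins, else drop.
POLICY = [
    ("10.0.0.", 6, 443, "permit"),   # TCP/443 into the protected subnet
    ("10.0.0.", 17, 53, "permit"),   # UDP/53 into the protected subnet
]

def decide(cell, llc_snap):
    """Policy verdict for a whole frame, taken from its first cell alone (default deny)."""
    fields = classify_first_cell(cell, llc_snap)
    if fields is None:
        return "drop"
    _, dst, proto, _, dport = fields
    for prefix, p, port, action in POLICY:
        if dst.startswith(prefix) and proto == p and dport == port:
            return action
    return "drop"
```

Cells after the first on the same VC carry no IP header, so a wire-speed design carries the verdict forward on that VC until the AAL5 end-of-frame cell; a first cell that cannot be parsed must therefore fail closed, as `decide` does.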