Analyze the security firewall built in the gigabit network switch

Analyzes the security firewall built in the gigabit network switch, and implements the Gigabit line rate switching by using the proxy plug-in of the gigabit network switch application service. The built-in security firewall will also be a highlight of gigabit network switches. I hope you will have a clear understanding after reading the following articles.

Application/service agent

The basic structure integration of network applications and services is supported by application proxy and Service proxy plug-in. These plug-ins are network middleware, such as directory service, authentication service, Firewall Service, Address Allocation service, and location service. These services are directly integrated into the wire speed implementation programmable gigabit network switch hardware.

An example of the Service proxy plug-in is the firewall switching technology proxy. When the firewall switching agent is combined with the firewall software, the performance can be improved, and the firewall's throughput can be increased by 1000 times. With the development of exchange technology, Gigabit network switches will also integrate more application proxies, such as video conferencing, IP voice calls, and ERP applications.

Gigabit wire speed switching

Generally, the data transmission speed on the transmission line is very fast. After the data reaches the gigabit network switch, the transmission rate is slowed down due to the speed limit of the gigabit network switch. After the advent of the gigabit network switch, the data exchange speed of the gigabit network switch is greatly improved, basically reaching the line rate switching capability.

Line rate switching is to make the switching speed of a gigabit network switch reach the data transmission speed on the transmission line and eliminate the switching bottleneck. The core of line rate switching is dedicated Integrated Circuit ASIC Technology, which uses hardware to implement Protocol Resolution and packet forwarding, rather than traditional software processing. The current ASIC Technology is proprietary to various companies and there is no unified standard.

However, basically, the implementation of line rate switching relies on distributed processing technology, that is, multiple ports simultaneously process data streams. For example, Fore's new ESX series Gigabit network switch this year, the 4800 vswitch has 48 Gigabit Ethernet full duplex ports, 384 10/100 Ethernet ports, 16 Load Balancing ATMOC-12 uplinks.

Therefore, the total data exchange volume in the 2nd, 3, and 4 layers reaches the processing speed of 38Mpps, which is also one of the highest-performance and highest-density Ethernet router gigabit network switch platforms in the industry, the 2400 gigabit network switch has 24 Gigabit Ethernet ports, and each performance indicator is halved.

Built-in security firewall

Network security is very important to enterprises. However, after network security firewall products are loaded, the network data exchange speed is significantly affected. In this regard, Fore cooperates with the CheckPoint Software technology company to develop a high-speed firewall Exchange Proxy FSA). By using a firewall-specific integrated circuit, the firewall's data throughput speed is increased to 20 Gbps.

This speed is much higher than the traditional independent firewall 50 Mbps ~ 80 Mbps speed. Fore integrates this technology into its ESX series Gigabit network switches. Because the firewall chip is built into the gigabit network switch, the Network Administrator does not need to install an independent firewall for each gigabit network switch connected to the Internet.

The FSA module is actually a microcode running on the dedicated IC of the ESX series Gigabit network switch. Network administrators can configure FSA filtering policies by running CheckPointFirewall-1 software on an independent computer, such as allowing or disabling video conferencing data through a firewall. After a filter policy is configured, the system runs on a gigabit network switch.

The Firewall-1 delivers policy data to a dedicated integrated circuit that runs the FSA. In the high-speed firewall market, there are also some companies with Firewall-1 software bound routers or multi-protocol gigabit network switches, but they do not run the Firewall code in the dedicated integrated circuit.