Architecture analysis of firewall and UTM hardware platforms

Source: Internet
Author: User
Tags: cpu usage, firewall

Firewall and UTM products on the market today can be divided, by hardware architecture, into roughly three categories.

The first category is based on the x86 platform. It typically uses one or more general-purpose CPUs to process business traffic, and the network interface chips exchange data with the CPU over the PCI bus.

Conventional 32-bit PCI runs at 33 MHz, so its theoretical transfer rate is 132 MB/s, i.e. 1056 Mbit/s. Judged by that figure alone, PCI could carry a gigabit firewall's traffic. In practice, however, PCI on an x86 system is a shared bus: if two network cards transmit at the same time, each gets only 66 MB/s (528 Mbit/s), and with four ports transmitting at once each card gets only 33 MB/s (264 Mbit/s).

Going by bus speed, then, an x86 platform with a 32-bit PCI bus is perfectly adequate for a 100 Mbit/s firewall. But on the x86 platform, packets move from the network card to the CPU by means of interrupts. When a large number of small packets must be handled (minimum-size packets, hereafter "small packets"), this per-packet interrupt cost keeps small-packet throughput low, around 30% of line rate, while CPU usage climbs very high. This is a problem common to all x86-based firewalls.

Therefore an x86 platform on a 32-bit PCI bus cannot serve as a gigabit firewall: once several ports are active, the shared bus no longer delivers gigabit bandwidth to each of them. To address this, Intel proposed upgrading the 32-bit PCI bus to PCI-E (PCI Express). A PCI-E 4x link reaches 2000 MB/s, i.e. 16 Gbit/s (for a first-generation x4 link this is the two directions added together, 1 GB/s each way), and each PCI-E device has its own point-to-point link rather than sharing bus bandwidth, so every PCI-E network card can use the full 2000 MB/s (16 Gbit/s). From the standpoint of system bandwidth, an x86 platform with PCI-E 4x is therefore fine as a gigabit firewall. However, PCI-E firewalls still move data from the network card to the CPU with the same interrupt mechanism, so small-packet throughput remains at only 30-40%. These figures assume one interrupt per packet; interrupt coalescing and polling-mode drivers lower that overhead.
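The two arguments above (bus bandwidth divided among active ports, and per-packet interrupt load at small frame sizes) are easy to get wrong by hand, so here is a small calculator that carries them through. It is an added worked example, not code from the original article. The bus figures are the ones quoted in the text; the Ethernet framing constants are the IEEE 802.3 values; the per-interrupt CPU cost and CPU clock used in the demonstration are assumed illustrative numbers, not measurements.

```python
"""Bus-bandwidth and packet-rate calculator for the x86 firewall
architectures discussed above.  Added worked example, not code from the
original article.  Bus figures are those quoted in the text; Ethernet
framing constants are the IEEE 802.3 values."""

# Per-frame overhead on the wire: 7-byte preamble + 1-byte SFD, plus a
# 12-byte inter-frame gap.  The 4-byte FCS is already counted inside the
# frame length (the 64-byte minimum frame includes it).
PREAMBLE_SFD_BYTES = 8
IFG_BYTES = 12
MIN_FRAME_BYTES = 64
MAX_FRAME_BYTES = 1518


def parallel_bus_mbps(width_bits: int, clock_mhz: float) -> float:
    """Theoretical throughput of a parallel bus such as conventional PCI:
    one transfer of `width_bits` per clock, no protocol overhead."""
    return width_bits * clock_mhz  # bits * MHz == Mbit/s


def per_port_mbps(bus_mbps: float, active_ports: int, shared: bool) -> float:
    """Bandwidth each NIC can get.  Conventional PCI is a shared bus, so
    active ports divide it; PCI Express gives every device its own link."""
    if active_ports < 1:
        raise ValueError("need at least one active port")
    return bus_mbps / active_ports if shared else bus_mbps


def frames_per_second(link_mbps: float, frame_bytes: int) -> float:
    """Maximum frame rate of an Ethernet link for a given frame size,
    counting preamble/SFD and inter-frame gap as wire time."""
    wire_bits = (frame_bytes + PREAMBLE_SFD_BYTES + IFG_BYTES) * 8
    return link_mbps * 1_000_000 / wire_bits


def meets_line_rate(port_mbps: float, link_mbps: float) -> bool:
    """True if the bus share a port gets is at least the link speed.  This
    is a necessary, not sufficient, condition: it ignores PCI arbitration
    and DMA descriptor overhead."""
    return port_mbps >= link_mbps


def interrupt_budget_fraction(fps: float, cpu_cycles_per_interrupt: int,
                              cpu_hz: float) -> float:
    """Fraction of wire-rate frames a CPU can service if every frame raises
    one interrupt costing `cpu_cycles_per_interrupt` cycles.  The cost is an
    assumed, illustrative value; real figures depend on driver and CPU."""
    serviceable_fps = cpu_hz / cpu_cycles_per_interrupt
    return min(1.0, serviceable_fps / fps)


if __name__ == "__main__":
    pci = parallel_bus_mbps(32, 33)  # 1056 Mbit/s, i.e. 132 MB/s
    for ports in (1, 2, 4):
        share = per_port_mbps(pci, ports, shared=True)
        print(f"PCI 32-bit/33 MHz, {ports} active port(s): {share:.0f} Mbit/s "
              f"each, gigabit ok: {meets_line_rate(share, 1000)}")
    # PCI-E 4x as quoted in the article: 2000 MB/s, a dedicated link per slot
    pcie_x4 = 2000 * 8
    print(f"PCI-E 4x, 4 ports: {per_port_mbps(pcie_x4, 4, shared=False):.0f} "
          f"Mbit/s each")
    # Why small packets hurt: frame rate at 1 Gbit/s, and the share of it a
    # CPU could service at an assumed 4000 cycles per interrupt on a 2 GHz core
    for size in (MIN_FRAME_BYTES, MAX_FRAME_BYTES):
        fps = frames_per_second(1000, size)
        print(f"{size}-byte frames at 1 Gbit/s: {fps:,.0f} frames/s, "
              f"serviceable: {interrupt_budget_fraction(fps, 4000, 2e9):.0%}")
```

Running it reproduces the bus arithmetic of the text (1056 Mbit/s total, 528 Mbit/s for two active ports, 264 Mbit/s for four) and shows why the interrupt argument is really a small-packet argument: a gigabit link carries about 1.49 million 64-byte frames per second but only about 81 thousand 1518-byte frames, an 18x difference in interrupt rate for the same bit rate.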


