Architecture analysis of firewall and UTM product hardware platform

Source: Internet
Author: User
Tags: cpu usage, firewall

Firewall and UTM products currently on the market can be divided by architecture into roughly three major categories.

The first category is based on the x86 platform. It typically uses one or more general-purpose CPUs to process all business traffic, and the network interface chips exchange data with the CPU over the PCI bus.

Since the traditional 32-bit PCI bus runs at 33 MHz, its theoretical transfer rate is 132 MB/s, i.e. 1056 Mbit/s. Judged by that rate alone, PCI could meet the needs of a gigabit firewall. In practice, however, the PCI bus in an x86 system is shared: if two network cards transmit at the same time, each card gets only half of that bandwidth, i.e. 528 Mbit/s, and with four ports transmitting at once each card's share drops further, to 128 Mbit/s.

Judged by bus speed, then, an x86 platform with a 32-bit PCI bus is adequate as a 100-megabit firewall. But on the x86 platform, data is moved from the network card to the CPU by an interrupt mechanism. When a large number of small packets must be handled (packets of a small byte size, hereinafter referred to as small packets), that interrupt mechanism keeps the throughput of an x86 firewall low, around 30%, while CPU usage becomes very high. This is a problem shared by all firewalls based on the x86 platform.

Therefore an x86 platform based on the 32-bit PCI bus cannot serve as a gigabit firewall, because the communication rate of the 32-bit PCI bus does not meet gigabit requirements. To address this, Intel proposed upgrading the 32-bit PCI bus to PCI-E (PCI Express). A PCI-E 4X bus can reach 2000 MB/s, i.e. 16 Gbit/s, and on PCI-E each device is independent rather than sharing bus bandwidth, so every PCI-E network card has 2000 MB/s (16 Gbit/s) available to it. In terms of system bandwidth, then, an x86 platform with PCI-E 4X is fine as a gigabit firewall. However, a PCI-E firewall still uses the same interrupt mechanism to move data from the network card to the CPU, so the pass rate for small packets remains 30-40%.
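To make the bus-sharing arithmetic and the interrupt argument of the preceding paragraphs concrete, here is a small Python model. It is an added example, not code from the article or from any firewall vendor. The bus figures are the article's own (32-bit PCI at 33 MHz shared between active cards; independent PCI-E links); the 64-byte "small packet" frame size, the 20-byte Ethernet wire overhead per frame, and the per-packet and per-interrupt CPU costs of 0.5 µs and 1.5 µs are assumptions chosen only to illustrate the effect. It also goes one step beyond the text by letting several packets share one interrupt (`packets_per_interrupt`), which shows why taking the per-packet work away from the main CPU, as the ASIC section below describes, changes the picture.

```python
"""Bus-bandwidth and interrupt-load model for an x86 (PCI / PCI-E) firewall.

Added illustration, not code from the article.  Bus figures follow the text
(32-bit PCI at 33 MHz, PCI-E devices with dedicated bandwidth); the frame
size and the microsecond CPU costs below are ASSUMED round numbers.
"""

# Per-frame wire overhead on Ethernet: 8-byte preamble/SFD + 12-byte inter-frame gap.
ETHERNET_WIRE_OVERHEAD_BYTES = 20


def bus_bandwidth_bps(width_bits: int, clock_hz: float) -> float:
    """Theoretical peak of a parallel bus in bit/s: width multiplied by clock."""
    return width_bits * clock_hz


def per_port_bandwidth_bps(bus_bps: float, active_ports: int, shared: bool) -> float:
    """Bandwidth one network card can get.

    Conventional PCI is a shared bus, so every simultaneously active card
    gets an equal slice.  PCI-E gives each device its own link, so the
    figure does not shrink as more ports become active.
    """
    if active_ports < 1:
        raise ValueError("active_ports must be >= 1")
    return bus_bps / active_ports if shared else bus_bps


def line_rate_pps(link_bps: float, frame_bytes: int) -> float:
    """Frames per second a link carries at line rate for one frame size."""
    bits_on_wire = (frame_bytes + ETHERNET_WIRE_OVERHEAD_BYTES) * 8
    return link_bps / bits_on_wire


def cpu_seconds_per_packet(per_packet_us: float, per_interrupt_us: float,
                           packets_per_interrupt: int = 1) -> float:
    """CPU time per packet when one interrupt is taken every N packets.

    packets_per_interrupt=1 is the 'one interrupt per packet' design the
    article describes; larger values model interrupt batching (a step beyond
    the text).  The microsecond costs are assumed, not measured.
    """
    if packets_per_interrupt < 1:
        raise ValueError("packets_per_interrupt must be >= 1")
    return (per_packet_us + per_interrupt_us / packets_per_interrupt) * 1e-6


def attainable_fraction(offered_pps: float, cost_s_per_packet: float) -> float:
    """Share of the offered load a single, fully busy CPU can actually forward.

    If the CPU needs less than 100% to keep up, everything passes (1.0);
    otherwise the pass rate is capped at 1/load while the CPU stays pegged.
    """
    load = offered_pps * cost_s_per_packet
    return 1.0 if load <= 1.0 else 1.0 / load


def x86_small_packet_report(link_bps: float = 1e9) -> dict:
    """Combine the pieces for the article's gigabit, small-packet case."""
    pci_bps = bus_bandwidth_bps(32, 33e6)             # 1056 Mbit/s, as in the text
    small = line_rate_pps(link_bps, 64)               # ASSUMED 64-byte 'small packet'
    large = line_rate_pps(link_bps, 1518)             # full-size Ethernet frame
    cost_irq_each = cpu_seconds_per_packet(0.5, 1.5, 1)    # assumed 2 us per packet
    cost_batched = cpu_seconds_per_packet(0.5, 1.5, 16)    # assumed, 16 packets per interrupt
    return {
        "pci_two_ports_mbps": per_port_bandwidth_bps(pci_bps, 2, shared=True) / 1e6,
        "pcie_two_ports_mbps": per_port_bandwidth_bps(16e9, 2, shared=False) / 1e6,
        "small_frames_per_second": small,
        "small_pass_irq_per_packet": attainable_fraction(small, cost_irq_each),
        "small_pass_batched": attainable_fraction(small, cost_batched),
        "large_pass_irq_per_packet": attainable_fraction(large, cost_irq_each),
    }


if __name__ == "__main__":
    for key, value in x86_small_packet_report().items():
        print(f"{key:28s} {value:,.3f}")
```

Run stand-alone, the report shows that a gigabit link full of 64-byte frames offers about 1.49 million frames per second; with the assumed 2 µs of CPU per interrupt-driven packet, one CPU forwards only about a third of them while running at 100%, which is in the same range as the 30-40% the article cites. Full-size frames pass completely under the same costs, and so do small frames once sixteen of them share one interrupt, which is the effect the ASIC design achieves more radically by keeping the per-packet work off the main CPU altogether.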

The second category: firewall and UTM products based on the ASIC architecture.

From the analysis of the x86 architecture above, we saw that the biggest drawback of an x86 firewall is its low small-packet pass rate of only 30%-40%. The main causes are the x86 interrupt mechanism and the fact that all data on an x86 firewall must be processed by the main CPU. A firewall based on the ASIC architecture improves on the interrupt mechanism structurally: data received from the network card is not processed by the main CPU but directly by dedicated chips integrated into the system, and those chips perform the traditional firewall functions such as routing, NAT and firewall rule matching. Because this data neither passes through the main CPU nor relies on the interrupt mechanism, an ASIC is naturally the best choice for a firewall with simple functionality.

The problem, however, is that an ASIC firewall is chip-level: every firewall action is handled in the chip. These chips have a single fixed function, and the development cycle for upgrades and maintenance is relatively long. In particular, a multi-function integrated UTM gateway cannot implement more complex features such as anti-virus, spam filtering and network monitoring at the chip level. So the ASIC architecture is fully suitable for a simple firewall, where small packets can reach line speed, but it is not an ideal choice for a UTM, because functions such as gateway antivirus, spam filtering and network monitoring cannot be done at chip level.
