Comparison of NP-based and ASIC-based firewall architectures

Source: Internet
Author: User
Tags: comparison, advantage, firewall

Of the three firewall hardware architectures, x86, NP (network processor) and ASIC, which will become the mainstream of firewall product development, and how should users choose? With these questions, the reporter interviewed Chia, the company's firewall product manager.

He said that after years of development, firewall products have moved from software firewalls to hardware firewalls. At present, domestic users generally accept the hardware firewalls that are widely sold on the market. However, as the homogenization of firewall products becomes increasingly obvious, manufacturers and users have shifted their attention to the technical architecture, and the increasingly fierce competition among hardware architectures over the past two years has left users with a great deal of confusion when choosing a firewall product.

Firewall hardware architecture faces change

Chia believes that the hardware architecture of the firewall is facing a change. The contention among hardware architectures has heated up with the development of gigabit networks in China in recent years. In most network environments, the traditional firewall based on the x86 architecture cannot meet the high-throughput, low-latency requirements of a gigabit firewall. Therefore, two newer technologies, the network processor (NP) and the application-specific integrated circuit (ASIC), have become the main choices for many domestic manufacturers implementing gigabit firewalls.

It can be said that firewall hardware architecture is facing a change in which a variety of architectures will coexist and interact, but no single technology will become mainstream and replace the others. In the end, the technology that survives the change is the one that serves users' actual needs.

Which scheme, network processor or ASIC, is more suitable for gigabit firewalls is a hot topic in the current debate. Users can compare the two on performance, flexibility, completeness of functions, cost, development difficulty, technology maturity and so on. Because a firewall based on a network processor is essentially a software solution, its performance depends heavily on the quality of the software design; with ASIC the algorithm is fixed in hardware, so its performance advantage is more obvious.

The potential of a multifunctional ASIC architecture

At present, ASIC-based firewalls sold domestically have reached line-speed packet forwarding on four gigabit network ports, whereas firewalls based on network processors generally cannot achieve full gigabit line-speed forwarding on two ports when forwarding packets.

On the other hand, the software nature of the network processor makes it more flexible and gives it a great advantage in upgrades and maintenance. The lack of programmability in a pure hardware ASIC firewall makes it less able to keep up with the rapid development of firewall functions.

Modern ASIC technology can combine the ASIC more closely with software by increasing its programmability, satisfying both the flexibility and the performance requirements. In terms of functionality, ASIC technology can more easily integrate IDS, VPN and other functions, and products have already achieved content filtering and anti-virus. The network processor is limited by its computing power, so these functions can only be achieved through a coprocessor.

In terms of the cost of future products, a network processor is priced at about 300 to 400 dollars, plus the cost of a coprocessor if one is needed. In the early stage of ASIC development, if an FPGA (Field Programmable Gate Array) is used, the price is roughly equal. However, once the chip goes into volume production, the ASIC price can drop by a whole tier, so in the long run ASIC technology has more potential.

Flexibility: NP takes the lead

In terms of development difficulty, development cost and development cycle, network processor technology has a more obvious advantage; after all, lowering this threshold is a major reason the network processor exists, and it is also why many domestic firewall companies have chosen it.

But in terms of technical maturity, compared with ASIC, which has been proven in practice, the network processor only appeared in firewalls a little more than a year ago. Before that, the network processor's performance in the market was not ideal, and it was generally used only in low-end routers, switches and other data communication products. The main reason is that the programming technology needed for network processor development turned out to be more complex and difficult than expected, and performance in actual applications was often not ideal, far below the nominal performance claimed by its manufacturers. Whether this technology, applied to a device as complex as a firewall, can achieve the expected performance without affecting functionality remains to be tested.

At present, firewall architecture is on the threshold of renewal, and the future development trend is basically two paths: network processor and ASIC. Considering performance, functionality and technology maturity, the ASIC scheme is better; the network processor is superior when considering entry threshold, research cost and flexibility.

From the current situation, most foreign high-end firewalls use ASIC technology, while the majority of domestic manufacturers are choosing network processors. In the future of high-end firewall technology, ASIC and network processor will coexist as two mainstream technologies; both will continue to move forward, with much room for development in speed and functionality. When choosing gigabit firewall products, users should take into account the strength of the manufacturer, actual application needs, procurement cost, the maturity of the firewall technology and product, and other factors, and make an overall judgement.

The different characteristics of the three major architectures

In the era of 100-megabit firewalls, the approach commonly used by domestic firewall manufacturers was a general-purpose CPU with software. Although many manufacturers also call this a hardware firewall, it is in fact a server or industrial computer based on the x86 architecture. Such firewalls typically run on a cut-down operating system (usually Linux or BSD), and all packet parsing and inspection is done by software.

Although this approach has achieved great success in the 100-megabit firewall market, due to the constraints of CPU processing capacity and PCI bus speed, in practical applications, especially with small packets, a gigabit firewall of this structure falls far short of gigabit forwarding speed (at a 64-byte packet length, the bidirectional forwarding rate is generally below 20%), making it difficult to meet the requirements of gigabit backbone network applications.
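The arithmetic behind that small-packet figure, as an added example that is not part of the article: it computes the frame rate, per-frame time budget and per-frame CPU cycle budget at gigabit line rate for several frame sizes, and what the article's "below 20% bidirectional at 64 bytes" amounts to in frames per second (the 2 GHz clock is an assumed value).

```python
# Added example, not from the article: the arithmetic behind the article's
# "64-byte packets, bidirectional forwarding below 20%" figure for x86 boxes.
# Ethernet puts an 8-byte preamble/SFD and a 12-byte inter-frame gap around
# every frame, so the 64-byte minimum frame occupies 84 bytes of wire time.
WIRE_OVERHEAD_BYTES = 8 + 12
GIGABIT = 1_000_000_000


def wire_bits(frame_bytes: int) -> int:
    """Bits a frame occupies on the wire, framing overhead included."""
    return (frame_bytes + WIRE_OVERHEAD_BYTES) * 8


def line_rate_fps(frame_bytes: int, link_bps: int = GIGABIT) -> int:
    """Frames per second one direction of the link carries at line rate."""
    return link_bps // wire_bits(frame_bytes)


def time_budget_ns(frame_bytes: int, link_bps: int = GIGABIT) -> float:
    """Nanoseconds available to handle one frame before the next arrives."""
    return wire_bits(frame_bytes) * 1e9 / link_bps


def cycles_per_frame(frame_bytes: int, cpu_hz: int, link_bps: int = GIGABIT) -> int:
    """Cycles a single core gets per frame if it must keep up on its own."""
    return int(time_budget_ns(frame_bytes, link_bps) * cpu_hz / 1e9)


def sustained_fps(frame_bytes: int, fraction: float, directions: int = 2,
                  link_bps: int = GIGABIT) -> int:
    """Frames/s a device sustains at a fraction of multi-direction line rate."""
    return round(line_rate_fps(frame_bytes, link_bps) * directions * fraction)


if __name__ == "__main__":
    # A 2 GHz core is an assumed figure, not one the article gives.
    print(f"{'frame':>6} {'fps/dir':>10} {'ns/frame':>9} {'cycles@2GHz':>12}")
    for size in (64, 128, 512, 1518):
        print(f"{size:>6} {line_rate_fps(size):>10} {time_budget_ns(size):>9.0f} "
              f"{cycles_per_frame(size, 2_000_000_000):>12}")
    # The article's x86 figure: under 20% of bidirectional gigabit at 64 bytes.
    print("x86 at 20% bidirectional, 64B:", sustained_fps(64, 0.2), "fps")
```

At 64 bytes a single core gets only about 1,300 cycles per frame per direction, which is why software-only x86 designs stall long before line rate while larger frames leave an order of magnitude more headroom.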

The network processor is a programmable processor designed specifically for processing packets, characterized by the inclusion of multiple data processing engines. These engines can work concurrently on data processing and have a distinct advantage over general-purpose processors in processing layer 2 to layer 4 packet data.

The network processor optimizes the common tasks of packet processing, such as TCP/IP data verification and computation, packet classification and routing lookup. At the same time, its hardware architecture mostly adopts high-speed interface technology and bus specifications, giving it high I/O capability. Consequently the packet processing capability of network devices based on network processors is greatly improved.
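The per-packet tasks named above, written out in plain Python as an added example that is not the article's or any vendor's code: IPv4 header checksum verification stands in for "verification", followed by a first-match policy classification and a longest-prefix routing lookup. The packet, rule set and routing table are constructed samples.

```python
import ipaddress
import struct
# Added example, not from the article: the per-packet tasks the text names
# (TCP/IP verification, classification, routing lookup) in plain Python.
# Checksum verification stands in for "verification"; the packet, rule set
# and routing table below are constructed samples.

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header; 0 means it verifies."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(packet: bytes) -> dict:
    """Pull out the 5-tuple that classification keys on."""
    ihl = (packet[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {"proto": packet[9], "src": ipaddress.IPv4Address(packet[12:16]),
            "dst": ipaddress.IPv4Address(packet[16:20]), "sport": sport, "dport": dport}

def classify(flow: dict, rules: list) -> str:
    """First-match policy lookup over (proto, dst_net, dport or 0 for any, action)."""
    for proto, dst_net, dport, action in rules:
        if proto == flow["proto"] and flow["dst"] in dst_net and dport in (0, flow["dport"]):
            return action
    return "deny"

def route_lookup(dst: ipaddress.IPv4Address, table: list) -> str:
    """Longest-prefix match over (network, next_hop) entries; 'drop' if no route."""
    return max(((n.prefixlen, h) for n, h in table if dst in n), default=(0, "drop"))[1]

def process(packet: bytes, rules: list, table: list) -> tuple:
    """The per-packet pipeline: verify the header, classify, then route."""
    if ipv4_checksum(packet[:(packet[0] & 0x0F) * 4]) != 0:
        return ("drop", "bad-checksum")
    flow = parse_ipv4(packet)
    if classify(flow, rules) != "permit":
        return ("drop", "policy")
    return ("forward", route_lookup(flow["dst"], table))

def build_sample(proto=6, src="10.0.0.5", dst="192.168.1.10", sport=40000, dport=443) -> bytes:
    """Constructed 20-byte IPv4 header plus ports, with a correct checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                                ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + struct.pack("!HH", sport, dport)

RULES = [(6, ipaddress.ip_network("192.168.1.0/24"), 443, "permit"),
         (17, ipaddress.ip_network("0.0.0.0/0"), 53, "permit")]
TABLE = [(ipaddress.ip_network("0.0.0.0/0"), "wan0"),
         (ipaddress.ip_network("192.168.1.0/24"), "lan0")]
```

Every stage here touches only a few header bytes and a small table, which is exactly the kind of fixed, repetitive work that an NP's parallel engines or an ASIC pipeline take off the general-purpose CPU.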

Its characteristics are: complete programmability, a simple programming model, maximum system flexibility, high processing capability, a high degree of functional integration, an open programming interface, and third-party support.

Firewalls based on the network processor architecture offer a great performance improvement over firewalls based on general-purpose CPUs. The network processor can make up for the performance shortcomings of the general-purpose CPU architecture without the large investment of funds and accumulated technology that developing an ASIC-based firewall requires. It has recently attracted much attention from domestic information security manufacturers and has become a popular choice for domestic manufacturers building high-end gigabit firewalls.

ASIC technology allows a specialized packet processing pipeline to be designed for the firewall application and optimizes the use of storage resources; it is recognized as the technical solution for achieving gigabit line speed in a firewall and meeting the application needs of a gigabit backbone environment.

Three development trends of firewall products

Judging from the existing network environment and the changing trend of user security requirements, firewall products will move toward higher speed, more functions and greater security.

1. High speed. At present, a big limitation of the firewall is insufficient speed; very few firewalls actually achieve full speed. Preventing DoS (denial of service) is a very important task of the firewall, and since firewalls are usually deployed at the network exit, a firewall that becomes the point of congestion cannot provide security. Applying ASIC, FPGA and network processors is the main method of realizing a high-speed firewall, but the network processor is the best choice, because it uses microcode programming and can be upgraded at any time as needed, even to support IPv6, while the other methods are not so flexible. For a high-speed firewall the algorithm is also key; because the network processor integrates many hardware coprocessor units, it is easier to achieve high speed.

2. Multi-function. Multi-function is also a direction of firewall development. Given that router and firewall prices are currently relatively high and networking environments are increasingly complex, users generally hope that firewalls can support more functions to meet networking needs and save investment. For example, a firewall that supports a WAN port does not compromise security but in some cases can save the user a router; supporting some router protocols, such as routing and dial-up, better meets networking needs; IPSec VPN can be used to build a secure dedicated channel, which is safe and saves the investment in a leased line. According to IDC statistics, 90% of encrypted VPNs abroad are implemented through the firewall.

3. Security. The operating system of the future firewall will be more secure. With the development of algorithms and chip technology, firewalls will be more involved in application-layer analysis and provide more security for applications. In the process of information security development and confrontation, firewall technology will be constantly updated and changing, playing the role of a fortress in the information security defense system.
