In recent years, as gigabit networks have come into wide use in China, demand for gigabit firewalls has gradually grown. In many network environments the traditional firewall based on the X86 architecture cannot meet the high-throughput, low-latency requirements of a gigabit firewall, so two newer technologies, the network processor (NP) and the application-specific integrated circuit (ASIC), have become the main choices for domestic manufacturers building gigabit firewalls. It is fair to say that firewall hardware architecture is facing a change.
Shortcomings of 100-Mbps firewalls
In the 100-Mbps firewall era, domestic firewall manufacturers commonly used a general-purpose CPU plus software. Although many vendors call this a hardware firewall, such products are in fact servers or industrial PCs based on the X86 architecture. They typically run a stripped-down operating system (usually Linux or BSD), and all packet parsing and inspection is done in software. This approach was very successful in the 100-Mbps firewall market, but because of limits on CPU processing capacity and PCI bus speed, in practice, and especially with small packets, a gigabit firewall built this way falls far short of gigabit forwarding speed: at a 64-byte packet length the bidirectional forwarding rate is generally below 20% of gigabit speed, which is hard to reconcile with the requirements of gigabit backbone networks.
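The arithmetic behind that small-packet figure, as an added worked example that is not part of the article: it computes the packets-per-second a gigabit link carries at a given frame size, the resulting per-packet time and CPU-cycle budget for a two-port firewall forwarding in both directions, and the theoretical ceiling of the PCI bus such a box sits on. The framing overhead is standard Ethernet; the 32-bit/33 MHz PCI bus and the 1 GHz CPU are my assumed example platform, not figures from the article.

```python
# Added worked example (not from the article): line-rate arithmetic behind the
# "64-byte packets, below 20% of gigabit" observation for X86 software firewalls.
# Assumptions (mine, not the article's): standard Ethernet framing overhead,
# a 32-bit/33 MHz PCI bus and a 1 GHz CPU as the example platform.

PREAMBLE_SFD_BYTES = 8   # preamble + start-frame delimiter sent before each frame
IFG_BYTES = 12           # minimum inter-frame gap, expressed in byte times
MIN_FRAME_BYTES = 64     # smallest legal Ethernet frame, FCS included


def line_rate_pps(link_bps, frame_bytes=MIN_FRAME_BYTES):
    """Maximum frames per second one link direction can carry at this frame size."""
    wire_bits = (frame_bytes + PREAMBLE_SFD_BYTES + IFG_BYTES) * 8
    return link_bps / wire_bits


def forwarding_load_pps(link_bps, frame_bytes=MIN_FRAME_BYTES, directions=2):
    """Packets/s a two-port firewall must handle to forward at line rate both ways."""
    return directions * line_rate_pps(link_bps, frame_bytes)


def per_packet_budget_ns(load_pps):
    """Time available per packet (ns) if the box is to keep up with load_pps."""
    return 1e9 / load_pps


def cpu_cycles_per_packet(cpu_hz, load_pps):
    """Cycles a single CPU core can spend on each packet at that load."""
    return cpu_hz / load_pps


def percent_of_line_rate(measured_pps, link_bps, frame_bytes=MIN_FRAME_BYTES, directions=2):
    """How an RFC 2544-style measured forwarding rate compares with line rate."""
    return 100.0 * measured_pps / forwarding_load_pps(link_bps, frame_bytes, directions)


def pci_peak_bps(bus_width_bits=32, bus_clock_hz=33.33e6):
    """Theoretical peak of a PCI bus. Each forwarded packet crosses the bus twice
    (NIC to memory, memory to NIC), so the usable forwarding ceiling is roughly
    half of this even before bus arbitration and other overhead."""
    return bus_width_bits * bus_clock_hz


if __name__ == "__main__":
    gig = 1e9
    load = forwarding_load_pps(gig)   # about 2.98 Mpps for 64-byte frames
    print(f"64B line rate per direction: {line_rate_pps(gig):,.0f} pps")
    print(f"bidirectional load: {load:,.0f} pps, budget {per_packet_budget_ns(load):.0f} ns/pkt")
    print(f"1 GHz CPU gets {cpu_cycles_per_packet(1e9, load):.0f} cycles per packet")
    print(f"PCI 32/33 peak {pci_peak_bps()/1e6:.0f} Mbit/s, ~{pci_peak_bps()/2e6:.0f} Mbit/s usable")
    print(f"600 kpps of 64B frames is {percent_of_line_rate(600_000, gig):.1f}% of line rate")
```

The 336 ns (336 cycles at 1 GHz) per packet is the whole budget for interrupt handling, two bus crossings, parsing and rule lookup, which is why a software firewall of that era stalled well below line rate on minimum-size frames while comfortably handling 1518-byte ones.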
Two ways of implementing a gigabit firewall
To achieve a true gigabit firewall there are at present essentially two technical approaches: one uses network processors, the other uses ASICs. Let us analyse the characteristics of these two architectures.
A network processor is a programmable processor designed specifically for processing packets. It is characterised by a number of data-processing engines that work concurrently, which gives it a distinct advantage over general-purpose processors when handling layer 2 to layer 4 packet data. The network processor optimises the common tasks of packet processing, such as TCP/IP checksum verification and calculation, packet classification and routing lookup. Its hardware design also mostly adopts high-speed interface technologies and bus specifications and so has high I/O capability, which greatly improves the packet-processing ability of network devices built on it. Its characteristics are: full programmability, a simple programming model, maximum system flexibility, high processing capability, a high degree of functional integration, an open programming interface and third-party support. Firewalls based on a network-processor architecture can therefore perform far better than firewalls based on a common CPU architecture. Since the network processor makes up for the performance shortfall of the general-purpose CPU architecture without the large investment of funds and technical accumulation that developing an ASIC-based firewall requires, it has recently attracted much attention among domestic information-security manufacturers and has become a popular choice for domestic vendors building high-end gigabit firewalls.
The second option is an architecture based on ASIC technology, of which NetScreen is the representative manufacturer. ASIC technology allows a packet-processing pipeline to be designed specifically for the firewall application and optimises the use of storage resources; it is recognised as the technical solution by which a firewall achieves gigabit line speed and meets the needs of gigabit backbone environments, and NetScreen has achieved remarkable success with it. But ASIC development is costly, the development cycle is long and difficult, and the ordinary firewall manufacturer rarely has the corresponding technical and financial strength.
Which scheme better suits user applications
Which of the two, network processor or ASIC, is more suitable for gigabit firewalls is currently a hot issue. Users can compare them on performance, flexibility, completeness of functions, cost, development difficulty, technology maturity and so on. The performance of a network-processor firewall follows from its being essentially a software solution and relies heavily on the quality of the software design, whereas in an ASIC the algorithm is fixed in hardware, so its performance advantage is more pronounced.
At present the leading ASIC-based firewalls can reach 4 Gbps line-speed packet forwarding, while firewalls based on network processors generally cannot forward fully at 2 Gbps with small packets. On the other hand, the software character of the network processor makes it more flexible and gives it a great advantage in upgrades and maintenance. The lack of programmability in a pure-hardware ASIC firewall makes it less able to keep pace with the rapid development of firewall functions.
Modern ASIC technology can better combine the ASIC with software by increasing its programmability, satisfying both the flexibility and the performance requirements. In terms of functions, ASIC technology can easily integrate IDS, VPN and other features, and some products have already implemented content filtering and anti-virus, while the network processor, limited by its computing power, can only provide these functions with the help of a coprocessor. In terms of future product cost, a network processor is priced at roughly 300 to 400 dollars, plus the cost of a coprocessor if one is needed. In the early ASIC stage, if an FPGA (Field Programmable Gate Array) is used, the price is roughly the same; but once the chip is in volume production the ASIC price can drop by a whole tier, so in the long run ASIC technology has more potential.
In development difficulty, cost and cycle, network processor technology has the clearer advantage; lowering this threshold is after all a major reason the network processor exists, and it is why many domestic firewall companies chose it. But from the standpoint of technical maturity, compared with the ASIC, which has been proven in practice, network processors for firewalls appeared only a little over a year ago. Before that, network processors performed unimpressively in the market and were generally used only in low-end routers, switches and other data-communication products. The main reason is that network-processor development requires programming skills that proved more complex than expected, and performance in actual applications was often disappointing, far below the figures the manufacturers quoted. It remains to be seen whether the technology can deliver the expected performance in complex network devices such as firewalls without compromising function.
At present, firewall architecture is at the threshold of renewal, and the future development trend basically follows the two paths of the network processor and the ASIC. Considering performance, function and technical maturity, the ASIC scheme is better; considering the entry threshold, research cost and flexibility, the network processor is superior.
At present most foreign high-end firewalls use ASIC technology, while the majority of domestic manufacturers are choosing the network processor. In future high-end firewall technology the two mainstream technologies will coexist and keep moving forward, with much room for development in both speed and function. Who the final winner will be, only time will tell. Users choosing a gigabit firewall product should also weigh the strength of the manufacturer, actual application needs, procurement cost, the maturity of the firewall technology and product, and many other factors to find the most suitable overall fit.
Related material: three major development trends of firewalls
The future firewall will develop in the direction of higher speed, more functions and greater security.
1. High speed. At present a major limitation of firewalls is insufficient speed; very few firewalls truly reach line speed. Preventing DoS (denial of service) is an important task of a firewall, and firewalls are usually deployed at the network egress; if the firewall itself becomes a point of congestion, its security functions cannot be applied. ASICs, FPGAs and network processors are the main ways of building a high-speed firewall, and the network processor is the best choice, because it is programmed in microcode and can be upgraded whenever needed, even to support IPv6, whereas the other methods are not as flexible. The algorithm is also key to a high-speed firewall: the network processor integrates many hardware coprocessor units and so achieves high speed more easily, while a pure-CPU firewall must rely on algorithmic support, such as an ACL algorithm.
2. Multi-function. Multi-function is another direction of firewall development. Given that routers and firewalls are both relatively expensive and networking environments are increasingly complex, users generally hope that the firewall can support more functions to meet their networking needs and save investment. For example, a firewall with a WAN port does not compromise security but can in some cases save the user a router; support for some router protocols, such as routing and dial-up, better meets networking needs; and IPSec VPN can be used to build a secure dedicated channel, which is both safe and saves the investment in a leased line. According to IDC statistics, 90% of foreign encrypted VPNs are implemented through the firewall.
3. Security. The operating system of the future firewall will be more secure. With the development of algorithms and chip technology, the firewall will be more involved in application-layer analysis and provide more protection for applications. In the ongoing development of, and confrontation in, information security, firewall technology will keep being updated, and the firewall will play the role of a fortress in the information-security defence system.