Some key problems in the design of firewall (1)

Source: Internet
Author: User
Tags: functions, key, require, firewall, linux

1. Scenario: hardware or software?

Firewall feature sets are becoming ever more elaborate, and many of those features demand that the underlying system have efficient processing capability.

By implementation, firewalls divide into software firewalls and hardware firewalls. The software firewall is represented by Check Point's FireWall-1, which loads its filtering function through the dev_add_pack interface (on Linux; other operating systems are not analysed here, but are presumably similar) and implements the various firewall functions and optimizations by working at the bottom of the operating system. There are some so-called software firewalls in this country, but as far as I know most of them are "personal" firewalls with very limited functionality, and they are outside the scope of this discussion.

Among the firewalls in this country that have passed Ministry of Public Security inspection, hardware firewalls make up the vast majority. One kind of hardware firewall is designed separately from the hardware up through the software; a typical example is the NetScreen firewall, where not only the software is purpose-designed but the hardware as well, using a dedicated ASIC.

The other kind is the so-called hardware firewall built on the PC architecture and running a customized general-purpose operating system. At present the overwhelming majority of domestic firewalls are of this type.

Even among so-called hardware firewalls there is still a huge gap between domestic and foreign vendors. A hardware firewall needs hardware and software to work together. The usual practice of foreign vendors is to have the software drive the hardware: the platform they design or select may not itself be high performance, but the main operation (table lookup, which is the bulk of a firewall's work) is moved into a chip to take load off the host CPU. Domestic vendors' hardware platforms are basically ordinary PC or industrial PC architectures (the direct reason being that this saves hardware development cost), and the only thing they can do to improve hardware performance is to use a faster CPU and add memory. A typical structure of a domestic firewall today is: industrial motherboard + x86 CPU + 128 (or 256) MB memory + DOC/DOM flash + hard disk (or no hard disk, with a separate log server added) + gigabit NIC, in other words an industrial PC.
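The paragraph above says that table lookup is the bulk of a firewall's work and that foreign designs push it into a chip. The following is an added example, not code from the article or from any vendor mentioned in it: a user-space C model of the first-match rule-table lookup a packet filter performs, followed by a small flow-decision cache that lets repeated packets of the same flow skip the linear rule scan, which is the kind of table a hardware design would move into an ASIC. All addresses, rules, packets and the cache size are constructed for illustration.

```c
/* Added example (not any vendor's code): first-match rule lookup and a
 * flow decision cache, modelled in user space. Every address, rule and
 * packet below is constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

#define PROTO_ANY 0
#define PROTO_TCP 6
#define PROTO_UDP 17

/* Host-order IPv4 address from dotted quads; usable in static initializers. */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

enum action { DROP = 0, ACCEPT = 1 };

struct rule {
    uint32_t src, src_mask;      /* address and netmask; mask 0 matches any */
    uint32_t dst, dst_mask;
    uint8_t  proto;              /* PROTO_ANY matches every protocol */
    uint16_t dport_lo, dport_hi; /* inclusive; 0..65535 means any port */
    enum action act;
};

struct pkt {
    uint32_t src, dst;
    uint8_t  proto;
    uint16_t dport;              /* 0 for protocols without ports */
};

/* Ordered policy: first matching rule wins, default deny when none matches. */
static const struct rule policy[] = {
    /* 1: drop everything from a known-bad /24, whatever the protocol */
    { IP4(203,0,113,0), 0xFFFFFF00u, 0, 0, PROTO_ANY, 0, 65535, DROP },
    /* 2, 3: allow TCP 80 and 443 from anywhere to the web server */
    { 0, 0, IP4(192,0,2,10), 0xFFFFFFFFu, PROTO_TCP, 80, 80, ACCEPT },
    { 0, 0, IP4(192,0,2,10), 0xFFFFFFFFu, PROTO_TCP, 443, 443, ACCEPT },
    /* 4: allow DNS over UDP from the internal 10.0.0.0/8 to the resolver */
    { IP4(10,0,0,0), 0xFF000000u, IP4(192,0,2,53), 0xFFFFFFFFu, PROTO_UDP, 53, 53, ACCEPT },
};
#define NRULES (sizeof policy / sizeof policy[0])

static int rule_matches(const struct rule *r, const struct pkt *p) {
    if ((p->src & r->src_mask) != (r->src & r->src_mask)) return 0;
    if ((p->dst & r->dst_mask) != (r->dst & r->dst_mask)) return 0;
    if (r->proto != PROTO_ANY && r->proto != p->proto) return 0;
    if (p->dport < r->dport_lo || p->dport > r->dport_hi) return 0;
    return 1;
}

/* Linear scan over the ordered rule table: every packet costs up to NRULES
 * comparisons, which is why this is the hot path a chip is asked to take over.
 * Returns the 1-based index of the matching rule, 0 if the default applied. */
int lookup(const struct pkt *p, enum action *act) {
    for (size_t i = 0; i < NRULES; i++) {
        if (rule_matches(&policy[i], p)) { *act = policy[i].act; return (int)i + 1; }
    }
    *act = DROP;
    return 0;
}

/* Direct-mapped decision cache keyed on (src, dst, proto, dport). The first
 * packet of a flow pays for the rule scan; later identical packets are
 * answered from the cache. A real one would carry the full 5-tuple and age
 * entries out; the slot count here is an arbitrary choice for the example. */
#define CACHE_SLOTS 256
struct cache_entry { struct pkt key; enum action act; int valid; };
static struct cache_entry cache[CACHE_SLOTS];

static int same_pkt(const struct pkt *a, const struct pkt *b) {
    return a->src == b->src && a->dst == b->dst &&
           a->proto == b->proto && a->dport == b->dport;
}

static unsigned slot_of(const struct pkt *p) {
    uint32_t h = p->src * 2654435761u;
    h ^= p->dst * 2246822519u;
    h ^= ((uint32_t)p->proto << 16) | p->dport;
    h ^= h >> 16;
    return h & (CACHE_SLOTS - 1);
}

/* Returns 1 on a cache hit, 0 when the rule table had to be scanned. */
int lookup_cached(const struct pkt *p, enum action *act) {
    struct cache_entry *e = &cache[slot_of(p)];
    if (e->valid && same_pkt(&e->key, p)) { *act = e->act; return 1; }
    lookup(p, act);
    e->key = *p; e->act = *act; e->valid = 1;
    return 0;
}

int main(void) {
    const struct pkt samples[] = {  /* constructed packets */
        { IP4(203,0,113,7),  IP4(192,0,2,10), PROTO_TCP, 80 },
        { IP4(198,51,100,5), IP4(192,0,2,10), PROTO_TCP, 443 },
        { IP4(10,1,2,3),     IP4(192,0,2,53), PROTO_UDP, 53 },
        { IP4(10,1,2,3),     IP4(192,0,2,53), PROTO_TCP, 53 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum action act;
        int rule = lookup(&samples[i], &act);
        printf("packet %zu: %s (rule %d)\n", i + 1, act == ACCEPT ? "ACCEPT" : "DROP", rule);
    }
    return 0;
}
```

The point to notice is that the cost of `lookup` grows with the number of rules and is paid on every packet, while `lookup_cached` turns the common case into one hash and one compare; putting the rule table, the cache, or both into dedicated hardware is what separates the NetScreen-style design from an industrial PC that can only add CPU and memory.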

In software the gap between domestic and foreign vendors is even larger. Foreign (some well-known) vendors use a dedicated operating system and design their own firewall; every domestic vendor, without exception, builds its system on general-purpose Linux. The differences between vendors come down to how much they change the Linux system itself and the firewall part (ipchains in the 2.2 kernel, netfilter from 2.4 on).

In fact Linux is just a general-purpose operating system that is not optimized for firewall functionality, and its ability to handle large volumes of traffic has never been outstanding, or has even been poor (which is why Linux has always been the darling of low-end servers). In my view it is not as good as the BSD family in this respect; BSD-based firewalls are said to be in use abroad, but I have not yet seen one here. The software work of the vast majority of vendors today, including Topsec, the self-styled largest domestic vendor, amounts to nothing more than a targeted trimming of the system, minor changes to the firewall code (most make no changes at all) and a handful of system patches. When analysing vendors' products we can watch for this: if any vendor had made major changes to the system itself, it would certainly treat that as a key selling point and advertise it loudly. Unfortunately no vendor seems to have anything of the kind to advertise (Check Point seems to have a comparable feature, an open security application interface, Topsec, but how much work that really involves also needs careful study).
