Some key problems in the design of network firewall

1. Scenario: Hardware? Or the software?

Now the function of the firewall is more and more fancy, so many functions must require the system to have an efficient processing ability.

Firewall from implementation can be divided into software firewalls and hardware firewalls. The software firewall is represented by the firewall-i of checkpoint company, whose implementation is to load the filter function by Dev_add_pack method (Linux, the other operating system does not make analysis, estimate is similar), Implement the various functions and optimizations of the firewall by doing work at the bottom of the operating system. There are some so-called software firewalls in the country, but it is understood that most of the so-called "personal" firewall, and the function and its limited, it is not discussed in this scope.

In the country has passed the Ministry of Public Security inspection of the firewall, hardware firewall accounted for the vast majority. Hardware firewall one is from hardware to software are designed separately, typical such as NetScreen firewall not only software part of the design, hardware part also uses specialized ASIC integrated circuit.

Another is the so-called hardware firewall based on the PC architecture that uses a customized general-purpose operating system. At present, most of the firewall in China belongs to this type.

Although the so-called hardware firewall, domestic manufacturers and foreign manufacturers still exist a huge difference. Hardware firewalls require both hardware and software to work at the same time, the common practice of foreign manufacturers is software operation Hardware, its design or selection of the operating platform itself may not be high performance, but it will be the main operational program (look-up table operation is the main work of the firewall) into a chip to reduce the CPU operating pressure of the host. The domestic manufacturer's firewall hardware platform basically adopts the common PC system or the Industrial PC architecture (the direct reason is can save the hardware development cost), in enhances the hardware performance aspect to be able to do the work only to enhance the system CPU processing ability, increases the memory capacity. Now a typical structure of the domestic firewall is: Industrial motherboard +x86+128 (256) m memory +doc/dom+ hard disk (or do not have a hard drive and add a log server) + gigabit network card Such an industrial PC structure.

In terms of software performance, the difference between domestic and foreign manufacturers is even greater, foreign (some well-known) manufacturers are using a dedicated operating system, the design of their own firewalls. and all domestic manufacturers operating system systems are based on general Linux, without exception. The difference between the manufacturers is simply the amount of changes made to the Linux system itself and the firewall section (the kernel is netfilter after the 2.2 kernel is ipchains,2.4).