Some key problems in the design of network firewalls

Source: Internet
Author: User

1. Approach: hardware or software?

Firewalls now carry more and more features, and so many features require the system to have efficient processing capability.

By implementation, firewalls can be divided into software firewalls and hardware firewalls. The software firewall is represented by Check Point's FireWall-1, which is implemented by loading its filter function through the dev_add_pack method (on Linux; other operating systems were not analyzed, but are presumably similar) and realizes the firewall's functions and optimizations by working at the bottom layer of the operating system. There are some so-called software firewalls in the country, but as far as is known most of them are so-called "personal" firewalls with extremely limited functionality, so they are outside the scope of this discussion.

Among the firewalls in the country that have passed Ministry of Public Security inspection, hardware firewalls account for the vast majority. One kind of hardware firewall is designed separately from hardware through to software; a typical example is the NetScreen firewall, where not only the software is purpose-designed but the hardware also uses specialized ASIC integrated circuits.

The other kind is the so-called hardware firewall based on the PC architecture, which runs a customized general-purpose operating system. At present, most firewalls in China belong to this type.

Even among so-called hardware firewalls, there is still a huge difference between domestic and foreign manufacturers. A hardware firewall requires hardware and software to work together. The common practice of foreign manufacturers is to move software computation into hardware: the operating platform they design or select may not itself be high-performance, but they put the main computation (table lookup is the firewall's main work) into a chip to reduce the load on the host CPU. The hardware platforms of domestic manufacturers' firewalls basically adopt an ordinary PC or industrial PC architecture (the direct reason being that it saves hardware development cost), so the only things that can be done to improve hardware performance are raising the CPU's processing power and adding memory. A typical structure for a domestic firewall today is an industrial PC of this kind: industrial motherboard + x86 + 128 (256) MB of memory + DOC/DOM + hard disk (or no hard disk, with a log server added) + gigabit network card.
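The paragraph above calls table lookup the firewall's main work. The following is an added example, not code from the article or from any vendor it names, of a first-match rule lookup in C that reports how many rules the CPU had to examine for each packet. The rule layout, the sample policy and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
enum { FW_DROP = 0, FW_ACCEPT = 1, TCP = 6, UDP = 17 };

/* One filter rule: masked IPv4 source/destination, protocol, destination port range. */
struct rule {
    uint32_t src, src_mask, dst, dst_mask;  /* host byte order */
    uint8_t  proto;                         /* 0 matches any protocol */
    uint16_t dport_lo, dport_hi;
    int      verdict;
};

/* Constructed sample policy (documentation address ranges), evaluated top to bottom. */
static const struct rule policy[] = {
    { 0, 0,                          IP(203,0,113,10), 0xFFFFFFFFu, TCP, 80,  80,  FW_ACCEPT },
    { 0, 0,                          IP(203,0,113,10), 0xFFFFFFFFu, TCP, 443, 443, FW_ACCEPT },
    { IP(198,51,100,0), 0xFFFFFF00u, IP(203,0,113,0),  0xFFFFFF00u, TCP, 22,  22,  FW_ACCEPT },
    { 0, 0,                          IP(203,0,113,0),  0xFFFFFF00u, UDP, 53,  53,  FW_ACCEPT },
};
#define POLICY_LEN (sizeof policy / sizeof policy[0])

/* First-match lookup: index of the first rule that matches, or -1 if none does. */
int fw_match(uint32_t src, uint32_t dst, uint8_t proto, uint16_t dport)
{
    for (size_t i = 0; i < POLICY_LEN; i++) {
        const struct rule *r = &policy[i];
        if ((src & r->src_mask) != r->src) continue;
        if ((dst & r->dst_mask) != r->dst) continue;
        if (r->proto && r->proto != proto) continue;
        if (dport < r->dport_lo || dport > r->dport_hi) continue;
        return (int)i;
    }
    return -1;
}

/* Verdict for a match index; a packet that matched nothing is dropped (default deny). */
int fw_verdict(int idx) { return idx < 0 ? FW_DROP : policy[idx].verdict; }
/* Rules examined for that packet: the per-packet CPU cost of a linear table. */
unsigned fw_cost(int idx) { return idx < 0 ? (unsigned)POLICY_LEN : (unsigned)idx + 1; }

int main(void)
{
    int hit  = fw_match(IP(192,0,2,7), IP(203,0,113,10), TCP, 443);
    int miss = fw_match(IP(192,0,2,7), IP(203,0,113,10), TCP, 22);
    printf("443/tcp: rule %d, verdict %d, %u rules examined\n", hit, fw_verdict(hit), fw_cost(hit));
    printf("22/tcp:  rule %d, verdict %d, %u rules examined\n", miss, fw_verdict(miss), fw_cost(miss));
    return 0;
}
```

A packet that matches nothing walks the whole table before the default drop, so with a linear table the per-packet cost grows with the size of the policy; this is the work the article says foreign vendors move into a chip.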

In terms of software performance, the difference between domestic and foreign manufacturers is even greater. Foreign (some well-known) manufacturers use a dedicated operating system and design their firewalls themselves, while the operating systems of all domestic manufacturers are based on general-purpose Linux, without exception. The difference between manufacturers is simply the amount of change made to the Linux system itself and to the firewall portion (ipchains in the 2.2 kernel, netfilter from the 2.4 kernel on).


