In recent years, with the large-scale deployment of gigabit networks in China, users' requirements for gigabit firewalls have steadily increased. In many network environments, traditional firewalls based on the x86 architecture cannot meet the high-throughput and low-latency requirements of a gigabit firewall. Two newer technologies, network processors and ASICs, have therefore become the main choices for domestic manufacturers implementing gigabit firewalls. It can be said that firewall hardware architecture is facing a revolution.
Limitations of the megabit firewall
In the megabit firewall era, firewall vendors in China generally adopted a general-purpose CPU plus software design. Although many manufacturers call these hardware firewalls, they are servers or industrial PCs based on the x86 architecture. Such firewalls generally run a cut-down operating system (usually Linux or BSD), and all packet parsing and inspection is done in software. Although this design was very successful in the megabit firewall market, it is constrained by CPU processing capacity and PCI bus speed: in practice, and especially with small packets, a gigabit firewall of this structure falls far short of gigabit forwarding speed (at a 64-byte packet length the bidirectional forwarding rate is generally below 20% of line rate), which makes it hard to meet the requirements of a gigabit backbone network.
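The small-packet problem described above follows directly from the per-packet time budget at gigabit line rate. The following Python is an added example, not code from the article or from any vendor mentioned in it: it computes the frame rate and per-frame budget for a given on-wire frame size (including the 20 bytes of Ethernet preamble and inter-frame gap) and then shows what fraction of line rate a single software forwarding engine sustains if every frame costs a fixed number of nanoseconds. The 2000 ns per-packet cost is a hypothetical figure chosen for illustration, and the model assumes bidirectional traffic shares one engine; the 64-byte result of roughly 17% is in the same range as the under-20% figure quoted above.

```python
# Added example (not from the article): per-packet time budget at gigabit line rate.
# Shows why 64-byte frames are the worst case for a software firewall and how a fixed
# per-packet software cost turns into a fraction of line rate across frame sizes.

PREAMBLE_AND_IFG_BYTES = 20   # 8-byte preamble/SFD + 12-byte inter-frame gap on Ethernet
BITS_PER_BYTE = 8


def line_rate_pps(frame_bytes: int, link_bps: int = 1_000_000_000) -> float:
    """Maximum frames per second one direction of the link can carry.
    frame_bytes is the on-wire frame size (dst MAC .. FCS), e.g. 64 or 1518."""
    bits_per_frame = (frame_bytes + PREAMBLE_AND_IFG_BYTES) * BITS_PER_BYTE
    return link_bps / bits_per_frame


def per_packet_budget_ns(frame_bytes: int, link_bps: int = 1_000_000_000) -> float:
    """Nanoseconds the forwarding path may spend per frame and still keep line rate."""
    return 1e9 / line_rate_pps(frame_bytes, link_bps)


def achieved_fraction(frame_bytes: int, cost_ns: float, bidirectional: bool = True,
                      link_bps: int = 1_000_000_000) -> float:
    """Fraction of line rate a single forwarding engine sustains if every frame costs
    cost_ns of processing. Bidirectional traffic shares that one engine, so the
    budget per frame is halved (assumption: no parallelism across directions)."""
    budget = per_packet_budget_ns(frame_bytes, link_bps)
    if bidirectional:
        budget /= 2
    return min(1.0, budget / cost_ns)


def profile(cost_ns: float, sizes=(64, 128, 256, 512, 1024, 1518)) -> dict:
    """Achieved bidirectional fraction of line rate for several frame sizes."""
    return {s: round(achieved_fraction(s, cost_ns), 3) for s in sizes}


if __name__ == "__main__":
    # Hypothetical per-packet software cost; real figures depend on CPU, bus and code.
    COST_NS = 2000.0
    for size in (64, 1518):
        print(f"{size:5d}-byte frames: {line_rate_pps(size):12,.0f} pps, "
              f"budget {per_packet_budget_ns(size):8.0f} ns/frame")
    print("bidirectional fraction of line rate at 2000 ns/pkt:", profile(COST_NS))
```

At 64 bytes the budget is 672 ns per frame (about 1.49 million frames per second per direction), so a 2000 ns software path sustains only 16.8% of bidirectional line rate, while at 1518 bytes the 12,304 ns budget leaves the same software comfortably at line rate. That asymmetry is why vendors quote gigabit figures at large packet sizes and why a 64-byte test exposes a general-purpose CPU design.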
Two technologies for gigabit firewalls
To implement a true gigabit firewall there are basically two technical approaches: network processors and ASICs. Next we analyze the characteristics of these two architectures.
A network processor is a programmable processor specially designed to process data packets. It features multiple data-processing engines that work concurrently, which gives it an obvious advantage over general-purpose processors in processing Layer 2 to Layer 4 packet data. The network processor optimizes the common tasks of packet processing, such as TCP/IP data validation and calculation, packet classification, and route lookup. At the same time, most such hardware architectures are designed with high-speed interface technology and bus specifications, giving them high I/O capability. In this way, the packet-processing capability of network devices based on network processors is greatly improved. Its features are: fully programmable, a simple programming model, maximum system flexibility, high processing capability, high functional integration, open programming interfaces, and third-party support. Compared with a general-purpose CPU firewall, a network-processor firewall can greatly improve performance. Network processors make up for the performance deficiency of the general-purpose CPU architecture without requiring the large funding and technical accumulation needed to develop an ASIC-based firewall. Recently they have received much attention from information security vendors in China and have become a popular choice for domestic manufacturers implementing high-end gigabit firewalls.
The second solution is an ASIC-based architecture, of which Netscreen is a representative manufacturer. ASIC technology can be used to design a dedicated packet-processing pipeline for firewall applications and to optimize the use of memory and other resources. It is recognized as the technical solution that lets a firewall reach a gigabit line rate and meet the needs of gigabit environments, and Netscreen has achieved remarkable success with it. However, ASIC development costs are high, the development cycle is long, and ordinary firewall vendors rarely have the corresponding technical and financial strength.
Which solution is better suited to user applications?
Which of the two, network processor or ASIC, is better suited to gigabit firewall applications is currently a hot topic. Users can compare them on performance, flexibility, functional completeness, cost, development difficulty, and technical maturity. In terms of performance, network-processor firewalls are essentially software solutions and depend heavily on the quality of the software design, whereas an ASIC has an obvious performance advantage because its algorithms are fixed in hardware.
At present, the first ASIC-based firewall in China has four gigabit network ports capable of full-line-rate packet forwarding, whereas network-processor firewalls generally cannot forward at full gigabit speed even on two network ports. On the other hand, the software character of the network processor makes it more flexible and gives it a great advantage in upgrades and maintenance. A purely hardware ASIC firewall lacks programmability, which makes it less flexible and unable to keep up with the rapid development of firewall functions.
Modern ASIC technology increases the programmability of ASIC chips so that they work better with software, meeting both flexibility and performance requirements. In terms of implemented functions, ASIC technology can readily integrate IDS, VPN, and other functions, and some products have already implemented content filtering and anti-virus; the network processor, however, is limited by its computing power, and these functions can only be implemented with a coprocessor. From the cost perspective of future products, the price of a network processor is about three or four hundred US dollars, and if a coprocessor is required its cost is added on top. If a Field Programmable Gate Array (FPGA) is used in the early stage of ASIC development, the prices are roughly the same, but after mass production the price of an ASIC can be reduced by a full level, so ASIC technology has more potential in the long run.
Network processor technology has obvious advantages in development difficulty, development cost, and development cycle. After all, one main reason network processors came into being was to lower the entry threshold, which is why many firewall companies in China have chosen them. From the perspective of technical maturity, however, compared with ASIC technology, which has been proven in practice, network processors for firewalls appeared only a little more than a year ago. Before that, network processors were not doing well in the market and were generally used only in data communication products such as low-end routers and switches. The main reason is that the programming required for network processor development is more complex and difficult than expected, and performance in real applications is often unsatisfactory, far below the vendor's nominal figures. Whether this technology can reach its expected performance on a device as complex as a firewall without sacrificing functions remains to be tested.
At present the firewall architecture is on the threshold of an upgrade, and the future trend basically follows two roads: network processors and ASICs. In terms of performance, functions, and technical maturity the ASIC solution is better, while the network processor leads in entry threshold, R&D cost, and flexibility.
At present, most high-end firewalls abroad use ASIC technology, while most domestic vendors use network processors. In the future, high-end firewall technology will see ASIC and network processor technologies coexist; both will continue to develop, and there is still much room for progress in speed and functionality. Who the final winner will be can only be tested by time. When selecting a gigabit firewall product, users should also consider vendor strength, actual application requirements, procurement cost, and the maturity of the firewall technology and product, among other factors.
Related material: three major development trends of firewalls
In the future, firewalls will develop towards high speed, multi-functionality, and greater security.
1. High speed. At present a major limitation of firewalls is insufficient speed; few firewalls actually reach line rate. Preventing DoS is a very important firewall task, and since firewalls are usually placed at the network egress, a firewall that blocks the network is useless however secure it is. ASICs, FPGAs, and network processors are the main ways to implement high-speed firewalls, and network processors are the best of these: because they are programmed in microcode they can be upgraded at any time as needed, even to support IPv6, whereas the other methods are not that flexible. Algorithms are also key to a high-speed firewall. Because network processors integrate many hardware coprocessor units, high speed is easier to achieve; a firewall that uses a pure CPU must rely on algorithmic support, such as ACL algorithms.
2. Multi-functionality. Multiple functions are another development direction of firewalls. Given the high price of routers and firewalls and increasingly complex networking environments, users generally want a firewall to support more functions so as to meet networking needs and save investment. For example, if a firewall supports wide-area network ports without affecting security, in some cases it can save a router and support some router protocols, such as routing and dial-up, to better meet networking needs. Support for IPSec VPN lets the Internet be used to form a secure dedicated channel, which provides security and saves leased-line investment. According to IDC statistics, 90% of encrypted VPNs outside China are implemented through firewalls.
3. Security. In the future, the firewall operating system will be more secure. With advances in algorithms and chip technology, firewalls will go deeper into application-layer analysis to provide more protection for applications. In the ongoing development of and confrontation in information security, firewall technologies will be constantly updated and will continue to play a role in the information security defense system.
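The "High speed" item above names ACL algorithms as the thing a pure-CPU firewall must lean on, and the network processor section earlier names packet classification as one of the tasks such hardware accelerates. The following Python is an added example that is not part of the article: a first-match ACL classifier over protocol, source and destination prefixes and a destination port range, which is the basic packet-classification step a software firewall performs for every packet. The rule set and the packets are constructed for the example, and the classifier also returns how many rules it examined, so the linear growth of per-packet cost with rule count is visible in the result rather than left implicit.

```python
# Added example (not from the article): a first-match ACL classifier of the kind a
# pure-CPU firewall runs per packet. Rules use CIDR prefixes and port ranges; the
# classifier returns the action of the first matching rule, so rule order matters.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: Optional[str]             # "tcp", "udp", "icmp" or None for any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Tuple[int, int]          # inclusive destination port range; (0, 65535) = any


def parse_rule(line: str) -> Rule:
    """Parse one text rule, e.g. 'permit tcp 10.0.0.0/8 192.0.2.10/32 80-80'.
    The text format is invented for this example, not a real vendor syntax."""
    action, proto, src, dst, ports = line.split()
    lo, hi = (int(p) for p in ports.split("-"))
    return Rule(action, None if proto == "any" else proto,
                ipaddress.ip_network(src), ipaddress.ip_network(dst), (lo, hi))


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field of the rule must match; a None protocol is a wildcard."""
    return ((rule.proto is None or rule.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.dports[0] <= pkt.dport <= rule.dports[1])


def classify(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, int]:
    """Linear first-match scan. Returns (action, rules_examined) so the per-packet
    cost of a growing rule set is visible: O(n) rule comparisons per packet, which
    is why large ACLs need better algorithms, or hardware, at gigabit packet rates."""
    for i, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, i
    return default, len(rules)


# Constructed sample ACL (not from any real deployment); first match wins.
ACL_TEXT = """\
deny   any 10.0.0.0/8      192.0.2.0/24    0-65535
permit tcp 0.0.0.0/0       192.0.2.10/32   80-80
permit tcp 0.0.0.0/0       192.0.2.10/32   443-443
permit udp 0.0.0.0/0       192.0.2.53/32   53-53
"""
RULES = [parse_rule(line) for line in ACL_TEXT.splitlines() if line.strip()]


if __name__ == "__main__":
    for pkt in (Packet("tcp", "203.0.113.5", "192.0.2.10", 80),   # permit at rule 2
                Packet("tcp", "10.1.2.3", "192.0.2.10", 80),      # deny at rule 1
                Packet("tcp", "203.0.113.5", "192.0.2.10", 22)):  # no match: default deny
        print(pkt, "->", classify(RULES, pkt))
```

Two things are worth noticing. First, the deny rule for 10.0.0.0/8 only takes effect because it is listed before the permit rules; the same four rules in a different order give a different policy. Second, a packet that matches nothing costs a full pass over the rule set, and at the 64-byte line-rate budget of 672 ns per frame even a few hundred rules in a linear scan are far more than a general-purpose CPU can afford, which is the practical meaning of the article's point that a pure-CPU firewall needs algorithmic support for ACLs.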