The shortcomings of a hundred-megabit firewall
In the era of 100-megabit firewalls, domestic firewall manufacturers generally adopted a general-purpose CPU plus software design. Although many manufacturers call these products "hardware firewalls", they are in fact servers or industrial PCs based on the x86 architecture. A firewall of this type runs a stripped-down operating system (usually Linux or BSD), and all packet parsing and inspection is done in software. This approach was very successful in the 100-megabit firewall market, but because of the limits of CPU processing power and PCI bus speed, in practice, and especially with small packets, a gigabit firewall of this design falls far short of gigabit forwarding speed (with 64-byte packets the bidirectional forwarding rate is generally below 20% of line rate), and it is difficult for it to meet the requirements of gigabit backbone networks.
Two technologies for gigabit firewall implementation
To build a true gigabit firewall there are currently two basic technical routes: one uses a network processor, the other uses an ASIC. Let us analyse the characteristics of each.
A network processor is a programmable processor designed specifically for packet processing. Its defining feature is a set of multiple data processing engines that handle packets concurrently, which gives it a clear advantage over a general-purpose processor for layer 2 to layer 4 packet work. The network processor optimises the common tasks of packet processing, such as TCP/IP checksum calculation, packet classification and route lookup, and its hardware architecture mostly adopts high-speed interface technology and bus specifications, giving it high I/O capacity. As a result, the packet processing capability of network devices built on network processors is greatly improved. Its characteristics are: full programmability, a simple programming model, maximum system flexibility, high processing capability, high functional integration, open programming interfaces and third-party support. Compared with a firewall built on a general-purpose CPU, a firewall built on a network processor can deliver much higher performance. Network processors make up for the performance shortcomings of the general-purpose CPU architecture without requiring the large investment and technical accumulation needed to develop an ASIC-based firewall. They have recently attracted much attention among domestic information security manufacturers and have become a popular choice for domestic manufacturers building high-end gigabit firewalls.
The second route is an architecture based on ASIC technology; Netscreen is the representative manufacturer. With an ASIC, dedicated packet processing pipelines can be designed for firewall applications, and the use of memory and other resources can be optimised. It is the recognised way to bring a firewall to gigabit line rate and to serve gigabit backbone deployments, and Netscreen has achieved remarkable success with it. However, ASIC development is expensive, the development cycle is long and difficult, and an ordinary firewall manufacturer rarely has the technical and financial strength it requires.
Which solution is more suitable for user applications
Whether the network processor or the ASIC route is more suitable for gigabit firewalls is a hot topic of debate. Users can compare them on performance, flexibility, functional completeness, cost, development difficulty and technology maturity. In terms of performance, a network-processor-based firewall is essentially still a software solution, so its speed depends to a large extent on the quality of the software design, whereas an ASIC, which fixes the algorithms in hardware, has a clear performance advantage.
At present the most advanced ASIC-based firewall in China can forward packets at line rate on four gigabit ports, while a firewall based on a network processor generally cannot sustain gigabit line-rate forwarding on even two ports under small-packet conditions. Conversely, the software nature of the network processor makes it more flexible and gives it great advantages in upgrades and maintenance. A pure-hardware ASIC firewall lacks programmability, so it lacks flexibility and cannot keep up with the rapid development of firewall functions.
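As an added worked example (not part of the original article), the following Python computes the packet rates behind the figures quoted above: the "below 20% with 64-byte packets" result for a general-purpose CPU firewall, and the claim of line-rate forwarding on four gigabit ports for the ASIC design. It assumes standard Ethernet framing overhead of 20 bytes per frame (8 bytes preamble/SFD plus a 12-byte inter-frame gap); the per-packet and per-rule CPU costs used for the ACL illustration are made-up figures, not measurements from the page.

```python
# Added example, not from the original article: line-rate packet budgets for a
# gigabit firewall. Assumption: every Ethernet frame carries 20 extra bytes on
# the wire (8 bytes preamble/SFD + 12-byte inter-frame gap). The CPU costs used
# in max_linear_acl_rules() below are illustrative assumptions only.

ETHERNET_WIRE_OVERHEAD_BYTES = 20   # preamble + SFD (8) + inter-frame gap (12)
GIGABIT = 1_000_000_000             # bit/s


def line_rate_pps(link_bps: int, frame_bytes: int) -> float:
    """Packets per second one port carries in one direction at full line rate."""
    wire_bits = (frame_bytes + ETHERNET_WIRE_OVERHEAD_BYTES) * 8
    return link_bps / wire_bits


def aggregate_pps(link_bps: int, frame_bytes: int, ports: int,
                  bidirectional: bool = True) -> float:
    """Total packet rate the firewall must sustain to run every port at line rate."""
    directions = 2 if bidirectional else 1
    return line_rate_pps(link_bps, frame_bytes) * ports * directions


def per_packet_budget_ns(link_bps: int, frame_bytes: int, ports: int = 1,
                         bidirectional: bool = True) -> float:
    """Nanoseconds available per packet if one engine serves all ports at line rate."""
    return 1e9 / aggregate_pps(link_bps, frame_bytes, ports, bidirectional)


def max_linear_acl_rules(budget_ns: float, ns_per_rule: float,
                         fixed_cost_ns: float) -> int:
    """Rules a naive sequential ACL scan can compare within the per-packet budget."""
    remaining = budget_ns - fixed_cost_ns
    return max(0, int(remaining // ns_per_rule))


if __name__ == "__main__":
    for size in (64, 128, 512, 1518):
        print(f"{size:5d}-byte frames: {line_rate_pps(GIGABIT, size):>12,.0f} pps per direction")
    # The article's CPU figure: under 20% of bidirectional 64-byte line rate on one port.
    achieved = 0.20 * aggregate_pps(GIGABIT, 64, ports=1)
    print(f"20% of bidirectional 64-byte line rate on one port: {achieved:,.0f} pps")
    # The article's ASIC figure: four gigabit ports at line rate, small packets.
    print(f"4 ports, both directions, 64-byte frames: {aggregate_pps(GIGABIT, 64, ports=4):,.0f} pps")
    for ports in (1, 4):
        budget = per_packet_budget_ns(GIGABIT, 64, ports=ports)
        # Assumed costs: 200 ns fixed work per packet, 10 ns per ACL rule compared.
        rules = max_linear_acl_rules(budget, ns_per_rule=10, fixed_cost_ns=200)
        print(f"{ports} port(s): {budget:.1f} ns per packet, "
              f"room for {rules} sequential ACL rules")
```

The point the numbers make is the one the article argues: a single gigabit port full duplex with 64-byte frames is close to 3 million packets per second, leaving roughly 336 ns per packet, and four such ports leave 84 ns, which is why a sequential rule scan on a general-purpose CPU cannot keep up and why both network processors and ASICs rely on parallel engines and hardware classification.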
Modern ASIC technology has increased the programmability of ASIC chips and improved how they cooperate with software, so that flexibility and processing performance can be met at the same time. In terms of functions, ASIC technology can readily integrate IDS and VPN, and some products have implemented content filtering and antivirus, whereas network processors are limited by their computing capability and generally need coprocessors for such functions. In terms of future product cost, a network processor costs around 300 to 400 US dollars, plus the cost of any coprocessor it needs. If the ASIC design is first implemented in an FPGA (Field Programmable Gate Array), the two cost roughly the same; but if mass production reduces the price of the ASIC by an order of magnitude, ASIC technology has more potential in the long run.
Network processor technology has obvious advantages in development difficulty, development cost and development cycle. After all, one of the main reasons network processors appeared was to lower the entry threshold in exactly these respects, which is also why many domestic firewall companies chose them. In terms of technological maturity, however, compared with ASICs, which have been proven in practice, network processors have only appeared in firewalls within the past year. Before that, network processors did not do well in the market and were generally used only in low-end routers, switches and similar data communication products. The main reason is that the programming required for network processor development is more complex and difficult than expected, and performance in real deployments is often disappointing, far below the figures claimed by the manufacturers. Whether this technology can deliver the expected performance without compromising the functions of a complex network device such as a firewall remains to be tested.
At present the firewall architecture is at the threshold of renewal, and the future development trend follows two paths: the network processor and the ASIC. In performance, functions and technical maturity the ASIC solution is better, while the network processor has the advantage in entry threshold, R&D cost and flexibility.
Judging from the current situation, most high-end firewalls abroad use ASIC technology, while most domestic manufacturers use network processors. In the future the two mainstream technologies, ASIC and network processor, will coexist in high-end firewalls; each will continue to develop, and both still have much room to grow in speed and functions. Only time will tell which one wins. When choosing a gigabit firewall product, users should also weigh factors such as the manufacturer's strength, actual application needs, procurement cost, the firewall technology used and product maturity.
Related information: Three major development trends of firewalls
Firewalls are developing in three directions: higher speed, more functions and greater security.
1. High speed. One of the major limitations of current firewalls is that they are not fast enough; very few truly achieve line rate. Withstanding DoS (Denial of Service) attacks is an important task for a firewall, and since firewalls usually sit at the network exit, a firewall that causes congestion is unusable however secure it is. ASICs, FPGAs and network processors are the main means of building high-speed firewalls, and network processors are particularly attractive because they are programmed in microcode, which can be upgraded whenever needed and can even add IPv6 support, while the other approaches are not as flexible. Algorithms are also key to a high-speed firewall: a network processor integrates many hardware coprocessing units, which makes high speed easier to achieve, whereas a firewall running on a pure CPU must rely on efficient algorithms, for example for ACL lookup.
2. Multiple functions. Multifunctionality is another direction of firewall development. Since routers and firewalls are still relatively expensive and networking environments are becoming more complex, ordinary users hope the firewall can support more functions, both to meet networking needs and to save investment. For example, a firewall that supports wide-area network ports does not compromise security but can in some cases save the user a router, and support for router functions such as routing and dial-up better meets networking needs; support for IPSec VPN uses the Internet to form a secure dedicated channel, which is both secure and saves the cost of a leased line. According to IDC statistics, 90% of encrypted VPNs abroad are implemented on firewalls.
3. Security. The firewall operating system will become more secure in the future. As algorithms and chip technology advance, firewalls will take a greater part in application-level analysis and so provide stronger guarantees for applications. In the ongoing contest between attack and defence in information security, firewall technology will keep being updated and will continue to serve as a fortress in the information security defence system.