Product Leaders: Firewalls
Putting A Firewall in Firmware
With its Firewall Accelerator Agent module, Berkeley Networks casts a firewall on an ASIC
Speed or security: pick one. Berkeley Networks Inc. says that's a choice net managers no longer face. A module for the company's gigabit Ethernet switches casts Check Point's market-leading Firewall-1 in custom silicon. And that neat little trick, the vendor claims, lets its Firewall Accelerator Agent (FAA) blow through traffic at up to 40 Gbit/s, compared with the 50-Mbit/s max of most conventional firewalls. What's more, since the firewall is inside the switch, net managers won't need to shell out for standalone devices on every link, a huge cost savings.
But net managers will have to wait a bit to see whether the performance claim stands up. Although the vendor has released test results clocking the FAA at 1-Gbit/s rates, neither Berkeley's Exponent switches nor its FAA module are shipping.
The Hard Way
Berkeley's FAA module is microcode that runs on ASICs (application-specific integrated circuits) in the vendor's Exponent e4 and e8 switches.
[Figure: Swifter Security]
Here's how it works. Net managers configure firewall policies (for example, allowing videoconferencing traffic) using the same grid-style graphical interface available on standalone versions of Firewall-1 from Check Point Software Technologies Inc. (Redwood City, Calif.). Once each policy is configured, it's passed down through the Exponent's customized version of Windows NT and sent to the ASICs on line cards (see the Figure).
Berkeley (Milpitas, Calif.) says its hardware-based approach will prove to be up to 1,000 times faster than software schemes. With the latter, every packet a firewall receives must be passed up through an adapter driver and protocol stack, inspected by an application, and then sent back down to the wire.
That results in some serious delay. Data Comm lab tests show top speeds on full-duplex fast Ethernet segments of roughly 90 Mbit/s, far less than the theoretical maximum of 200 Mbit/s (see "NT Firewalls: Tough Enough," April 1998; data.com).
Steady State
While it remains to be seen whether the FAA will scale all the way up to 40 Gbit/s, there are good reasons to believe it will. The module is capable of sustaining aggregate rates of at least 1 Gbit/s, according to tests commissioned by the vendor and conducted by LANquest Labs (Fremont, Calif.). "We saw only a couple of hundred kbit/s difference between tests with no switch and tests with the FAA," says LANquest network test engineer Paul Anderson.
Besides running parts of the firewall code in silicon, the Exponent switches use ASICs to maintain state information about key applications. And this information can be used to prioritize key apps when congestion occurs. "In our experience, the applications of greatest interest are stateful," says Donal Byrne, Berkeley's vice president of marketing and product management. Apps that don't maintain state information, like Web surfing, generally don't involve mission-critical traffic, he adds.
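As an added illustration of the stateful inspection the article refers to (this is not Berkeley's or Check Point's code; the packet tuples, the two policy rows, the internal-network prefix and the priority tag are all constructed for the demo), the following Python sketch keeps a state table of connections that inside hosts open, admits only packets belonging to those flows or their replies, and carries each rule's priority with the flow so that a congestion handler can consult it. The stateless_verdict function shows what a filter with no state table has to accept in order to let the same replies back in.

```python
"""Toy stateful packet filter (added example, not vendor code).
Packets, rules, addresses and priorities below are constructed for the demo."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

INTERNAL_NET = "10.0.0."   # constructed: addresses with this prefix are "inside"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN: first packet of a new connection
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    """One row of a grid-style policy: inside hosts may open this service."""
    name: str
    dport: int
    priority: int       # higher value wins bandwidth when the switch is congested


FlowKey = Tuple[str, int, str, int]   # (src, sport, dst, dport)


class StatefulFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = {r.dport: r for r in rules}
        # Established flows, keyed by the outbound 4-tuple that opened them.
        self.state: Dict[FlowKey, Rule] = {}

    @staticmethod
    def is_internal(addr: str) -> bool:
        return addr.startswith(INTERNAL_NET)

    def inspect(self, p: Packet) -> Tuple[str, int]:
        """Return (verdict, priority) for one packet, updating the state table."""
        key = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if key in self.state:          # later packet of a known outbound flow
            return "allow", self.state[key].priority
        if rev in self.state:          # reply belonging to a known flow
            return "allow", self.state[rev].priority
        # A new flow is admitted only when an inside host opens a listed service.
        if (self.is_internal(p.src) and not self.is_internal(p.dst)
                and p.syn and not p.ack):
            rule = self.rules.get(p.dport)
            if rule is not None:
                self.state[key] = rule
                return "allow", rule.priority
        return "drop", 0


def stateless_verdict(p: Packet, reply_ports=(80, 5004)) -> str:
    """Without a state table, the only way to pass replies is to trust the
    source port, so any inbound packet from a listed port gets through."""
    if StatefulFilter.is_internal(p.src):
        return "allow"
    return "allow" if p.sport in reply_ports else "drop"


def run_demo() -> Dict[str, Tuple[str, int]]:
    """Feed a constructed packet sequence through a fresh filter."""
    policy = [Rule("web", 80, 1), Rule("videoconf", 5004, 10)]
    fw = StatefulFilter(policy)
    inside, outside, other = "10.0.0.5", "203.0.113.7", "198.51.100.9"
    results = {}
    results["vc_open"] = fw.inspect(Packet(inside, 40001, outside, 5004, syn=True))
    results["vc_reply"] = fw.inspect(Packet(outside, 5004, inside, 40001, syn=True, ack=True))
    results["web_open"] = fw.inspect(Packet(inside, 40002, outside, 80, syn=True))
    results["web_reply"] = fw.inspect(Packet(outside, 80, inside, 40002, ack=True))
    # Inbound packet from port 80 that no inside host asked for.
    results["unsolicited"] = fw.inspect(Packet(other, 80, inside, 40003, syn=True))
    # Inside host opening a service the policy grid does not list.
    results["unlisted"] = fw.inspect(Packet(inside, 40004, outside, 23, syn=True))
    return results


if __name__ == "__main__":
    for name, (verdict, prio) in run_demo().items():
        print(f"{name:12s} {verdict:5s} priority={prio}")
```

Each flow carries the priority of the rule that admitted it, which is the sort of per-application state the article says the switch consults under congestion; the unsolicited packet is dropped by the stateful filter but passed by the stateless one, which is the classic reason state tracking is worth the extra work.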
What's more, Berkeley says its approach also allows load-balancing among multiple switch/firewalls. And Byrne notes that the FAA can protect internal LANs. That's beyond the reach of most firewalls, which sit between the LAN and the Internet. Recent studies have shown that some 80 percent of all security breaches occur on internal networks.
On the flip side, Berkeley's switches are built on Windows NT, which some Unix experts deride as slower and less scalable than the stripped-down OSs running on most firewalls, routers, and switches. Berkeley's answer? It's licensed NT source code from Microsoft Corp. (Redmond, Wash.) and removed all services but those needed to operate its switch.
Berkeley has plenty of company in the high-speed firewall market. Bay Networks Inc. (Santa Clara, Calif.), Nokia Silicon Valley (formerly Ipsilon Networks Inc., Sunnyvale, Calif.), and Xylan Corp. (Calabasas, Calif.) all sell routers or multilayer switches that implement Firewall-1. But none of these vendors runs firewall code in an ASIC.
Berkeley's biggest competition could come from Neo Networks Inc. (Minnetonka, Minn.). The vendor has plans to add stateful inspection this year, and says that it will ensure wire-speed performance by distributing the function across multiple CPUs in its gigabit routing platform (see "The Softer Side of Routing," January 1998; data.com).
The Firewall Accelerator Agent is slated to ship in July. One line card (6 gigabit Ethernet or 48 10/100 ports) will cost $9,995; additional line cards will go for $4,995. Berkeley plans to ship the Exponent e4 and e8 switches this month. An e4 starts at $30,000 and an e8 at $40,000. Each has 48 10/100 ports.