
Re: pf vs ASIC firewalls



* Jim Fron <[email protected]> [2005-03-17 08:46]:
> On Mar 14, 2005, at 2:26 PM, Mike Frantzen wrote:
> >>Could someone please tell me the advantages of PF against firewalls
> >>using the ASIC technology in terms of security and performance??
> >Many (most? all?) vendors shipping what they call ASIC firewalls are
> >actually running software on a network processor (NPU). The benefit is
> >that most NPUs will process packets in real-time so if they claim to
> >support X gigabit per second then they can probably sustain that even
> >with minimum sized 64byte ethernet frames;
> You think?  I've been a bit curious about this, especially in the 
> low-end ("cheap") consumer-grade hardware.
Mike was obviously not talking about low-end stuff.
well, this entire thread is not about low-end shitz
> I have no idea if the BSD's--or any general-purpose host OS, for that 
> matter--will, for example, prevent logging to disk during bursts of 
> traffic.  Perhaps there's a kernel option for priority of servicing 
> i/o.
(almost all of the) logging happens in userland
> All of that said, I wonder if there isn't some way to implement 
> something vaguely PF-ish in an FPGA that would allow more control over 
> the rulesets than an off-the-shelf ASIC.
there likely is...
I mean, state table and state table lookups in hardware, hand off 
ruleset processing to the main CPU, that would rock. If done right.
-- 
Henning Brauer, BS Web Services, http://bsws.de
[email protected] - [email protected]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
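As an added illustration of the split Henning sketches (state table lookups on dedicated hardware, ruleset evaluation left to the main CPU), here is a small C model of a stateful filter. It is example code written for this page, not pf's own code and not anything the thread's participants posted. The 5-tuple key, the 4-way hash buckets, the three-rule last-match ruleset and the sample flows are all constructed for the example. The point it makes: once a connection has a state entry, every further packet is decided by one hash lookup and never touches the ruleset, so the per-packet cost the hardware would need to sustain at line rate is the lookup, while the rule walk runs only on a state-table miss.

```c
/*
 * Toy fast-path/slow-path stateful filter (added example, not pf code).
 * Fast path: state table lookup keyed on the 5-tuple (the part an
 * FPGA/NPU could do).  Slow path: last-match ruleset evaluation,
 * run only when no state exists (the part left to the main CPU).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATE_BUCKETS 1024
#define BUCKET_WAYS   4

enum action { ACT_BLOCK = 0, ACT_PASS = 1 };

struct flow {                       /* IPv4 5-tuple, constructed for the example */
    uint32_t src, dst;
    uint16_t sport, dport;
    uint8_t  proto;
};

struct state {
    struct flow f;
    int used;
    uint64_t packets;               /* packets matched on the fast path */
};

struct rule {                       /* 0 in a field means "any" */
    enum action act;
    uint8_t  proto;
    uint32_t dst;
    uint16_t dport;
    int      keep_state;
};

static struct state state_tab[STATE_BUCKETS][BUCKET_WAYS];
static uint64_t fast_path_hits, slow_path_hits;

/* Hypothetical ruleset, pf-style last match wins: block all, then pass two services. */
static const struct rule ruleset[] = {
    { ACT_BLOCK, 0, 0,           0,   0 },
    { ACT_PASS,  6, 0x0a000005u, 22,  1 },   /* pass tcp to 10.0.0.5 port 22 keep state */
    { ACT_PASS,  6, 0x0a000005u, 443, 1 },   /* pass tcp to 10.0.0.5 port 443 keep state */
};

/* FNV-1a over the key fields only (never over struct padding). */
static uint32_t flow_hash(const struct flow *f)
{
    uint8_t buf[13];
    memcpy(buf, &f->src, 4);   memcpy(buf + 4, &f->dst, 4);
    memcpy(buf + 8, &f->sport, 2); memcpy(buf + 10, &f->dport, 2);
    buf[12] = f->proto;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof buf; i++) { h ^= buf[i]; h *= 16777619u; }
    return h % STATE_BUCKETS;
}

static int flow_eq(const struct flow *a, const struct flow *b)
{
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}

/* Fast path: one bucket probe, bounded work per packet. */
static struct state *state_lookup(const struct flow *f)
{
    struct state *b = state_tab[flow_hash(f)];
    for (int i = 0; i < BUCKET_WAYS; i++)
        if (b[i].used && flow_eq(&b[i].f, f)) return &b[i];
    return NULL;
}

static void state_insert(const struct flow *f)
{
    struct state *b = state_tab[flow_hash(f)];
    for (int i = 0; i < BUCKET_WAYS; i++)
        if (!b[i].used) { b[i].used = 1; b[i].f = *f; b[i].packets = 0; return; }
    /* bucket full: no state kept, later packets keep taking the slow path */
}

/* Slow path: walk the whole ruleset, last matching rule decides. */
static enum action eval_ruleset(const struct flow *f, int *keep)
{
    enum action act = ACT_BLOCK; *keep = 0;
    for (size_t i = 0; i < sizeof ruleset / sizeof ruleset[0]; i++) {
        const struct rule *r = &ruleset[i];
        if ((r->proto && r->proto != f->proto) || (r->dst && r->dst != f->dst) ||
            (r->dport && r->dport != f->dport)) continue;
        act = r->act; *keep = r->keep_state;
    }
    return act;
}

/* Per-packet decision: established state passes without touching the rules. */
enum action filter_packet(const struct flow *f)
{
    struct state *s = state_lookup(f);
    if (s) { s->packets++; fast_path_hits++; return ACT_PASS; }
    slow_path_hits++;
    int keep;
    enum action act = eval_ruleset(f, &keep);
    if (act == ACT_PASS && keep) {          /* keep state in both directions */
        struct flow rev = { f->dst, f->src, f->dport, f->sport, f->proto };
        state_insert(f); state_insert(&rev);
    }
    return act;
}

uint64_t get_fast_path_hits(void) { return fast_path_hits; }
uint64_t get_slow_path_hits(void) { return slow_path_hits; }

int main(void)
{
    struct flow c2s = { 0xc0a80110u, 0x0a000005u, 40000, 22, 6 };  /* 192.168.1.16 -> 10.0.0.5:22 */
    struct flow s2c = { 0x0a000005u, 0xc0a80110u, 22, 40000, 6 };  /* the reply direction */
    filter_packet(&c2s);
    filter_packet(&s2c);
    for (int i = 0; i < 1000; i++) filter_packet(&c2s);
    printf("slow path (ruleset walks): %llu, fast path (state hits): %llu\n",
           (unsigned long long)get_slow_path_hits(), (unsigned long long)get_fast_path_hits());
    return 0;
}
```

Blocked flows never enter the state table, so a probe that is denied by the ruleset is walked through the rules on every packet; that is the slow path an attacker can force, and it is why the ruleset evaluation, not the state lookup, is where a general-purpose CPU spends its time under a flood of new connections.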