To meet users' growing requirements, firewall architecture has evolved from low-performance x86 and PPC software firewalls to high-performance hardware firewalls, and is gradually moving toward not only meeting high-performance needs but also supporting a wider range of services.
After several years of rapid growth, firewalls have developed into a variety of system architectures, with devices of several architectures coexisting, complementing one another, and continuing to evolve and upgrade.
Firewall Architecture "bring together"
Firewalls developed from the first generation of software running on a PC, through the IPC and PC-Box forms, to MIPS architectures; then to the second generation of NP and ASIC architectures; and then to the third generation, built on dedicated security processor chips with a switched backplane, as well as the "All In One" integrated security architecture.
To support broader and higher-performance service requirements, every manufacturer plays to its own strengths, driving the development of the technology and the market as a whole.
At present the three generations of firewall architecture are mainly:
First-generation architecture: a single CPU serves as the core for both service processing and management; the CPU may be x86, PowerPC, MIPS or another type, and products mainly take the form of a PC, IPC, PC-Box or RISC-Box;
Second-generation architecture: an NP or ASIC serves as the core for service processing and accelerates general security services, with an embedded CPU as the management core; products mainly take the Box form;
Third-generation architecture: the ISS (Integrated Security System) integrated security architecture, in which a high-speed security processor chip is the core for service processing and a high-performance CPU runs the variety of higher-layer security service applications; products mainly take the form of carrier-grade, highly reliable, switched-backplane rack-mount equipment with large capacity and high performance, where every unit and the system as a whole are more flexible.
Changes in the FDT-based indicator system
The indicators used to measure firewall performance include throughput, packet forwarding rate, maximum number of concurrent connections, new connections per second, and so on.
Throughput and packet forwarding rate are the main indicators relevant to firewall applications, and they are commonly measured by FDT (Full Duplex Throughput), meaning the full-duplex throughput with 64-byte packets; this single indicator covers both the throughput and the packet forwarding rate.
The difference between FDT and port capacity: port capacity is the sum of the capacities of the physical ports. If a firewall has two Gigabit ports, its port capacity is 2GB, but its FDT may be only 200MB.
The difference between FDT and HDT: HDT means half-duplex throughput (Half Duplex Throughput). A Gigabit port can receive and send at 1GB simultaneously; counted as FDT, that is 1GB, while counted as HDT it is 2GB. The throughput figure some firewall vendors quote is often HDT.
In general, even when a firewall has multiple network interfaces, the core processing is usually completed by a single processor, whether a CPU, a security processing chip, an NP, an ASIC, or similar.
For firewall applications, the full-duplex 64-byte throughput of the whole machine should be the figure emphasized; this indicator is determined by the processing capability of the core processing unit (CPU, security processing chip, NP or ASIC) together with the firewall architecture.
Different architectures suit different FDT ranges: the first-generation single-CPU architecture is, in theory, suited to Fast Ethernet-level FDT, while high-end firewall applications must use the second-generation architecture or the third-generation ISS (Integrated Security System) architecture.
The third-generation security architecture based on ISS fully inherits the architectural features of high-capacity GSR routers and switches, and can support multiple security services on the basis of full high throughput and high packet forwarding rate.
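As an added illustration of the relationships between port capacity, HDT, FDT and the 64-byte packet forwarding rate described above (example code written for this page, not from the article or from any vendor), the following Python helpers convert between the figures and normalise vendor-quoted numbers to FDT so products can be compared. It assumes all rates are in bits per second, that HDT sums both directions of a full-duplex load so HDT = 2 x FDT, and the standard Ethernet wire overhead of an 8-byte preamble and 12-byte inter-frame gap per frame; the sample data sheets and vendor names are constructed.

```python
"""Added example (not from the article): helpers relating firewall throughput
figures. Assumptions: all rates are bits per second; HDT counts both directions
of a full-duplex load while FDT counts one, so HDT = 2 * FDT; and a 64-byte
Ethernet frame occupies 64 + 8 (preamble) + 12 (inter-frame gap) = 84 bytes on
the wire, which is why 1 Gbps carries at most 1,488,095 such frames per second."""

PREAMBLE_BYTES = 8
IFG_BYTES = 12
MIN_FRAME_BYTES = 64


def wire_bits_per_frame(frame_bytes=MIN_FRAME_BYTES):
    """Bits one frame occupies on the wire, including preamble and inter-frame gap."""
    return (frame_bytes + PREAMBLE_BYTES + IFG_BYTES) * 8


def max_pps(rate_bps, frame_bytes=MIN_FRAME_BYTES):
    """Packet forwarding rate (frames per second) implied by a throughput at a
    given frame size. The smallest frames give the highest packet rate, which
    is why FDT is specified at 64 bytes: it is the worst case for the engine."""
    return rate_bps // wire_bits_per_frame(frame_bytes)


def port_capacity(port_rates_bps):
    """Port capacity as the article defines it: the sum of the physical port rates."""
    return sum(port_rates_bps)


def fdt_from_hdt(hdt_bps):
    """Convert a half-duplex (both directions summed) figure to full-duplex."""
    return hdt_bps // 2


def hdt_from_fdt(fdt_bps):
    """Convert a full-duplex figure to the larger half-duplex number."""
    return fdt_bps * 2


def to_fdt(value_bps, basis):
    """Normalise a vendor-quoted throughput to FDT so products can be compared.
    basis is "FDT" or "HDT"; anything else is rejected rather than guessed."""
    if basis == "FDT":
        return value_bps
    if basis == "HDT":
        return fdt_from_hdt(value_bps)
    raise ValueError("unknown throughput basis: %r" % (basis,))


def fdt_utilisation(fdt_bps, port_rates_bps):
    """Fraction of the physical port capacity the device can actually sustain
    with 64-byte packets in both directions (the article's 2G ports vs 200M FDT)."""
    return fdt_bps / port_capacity(port_rates_bps)


# Constructed sample data sheets (hypothetical vendors, not real products).
SAMPLE_CLAIMS = [
    {"vendor": "vendor-A", "ports_bps": [1_000_000_000] * 2,
     "throughput_bps": 200_000_000, "basis": "FDT"},
    {"vendor": "vendor-B", "ports_bps": [1_000_000_000] * 2,
     "throughput_bps": 400_000_000, "basis": "HDT"},
]


def compare_claims(claims=SAMPLE_CLAIMS):
    """Return, per claim, the FDT, the 64-byte forwarding rate and port utilisation."""
    rows = []
    for claim in claims:
        fdt = to_fdt(claim["throughput_bps"], claim["basis"])
        rows.append({
            "vendor": claim["vendor"],
            "fdt_bps": fdt,
            "pps_64": max_pps(fdt),
            "utilisation": fdt_utilisation(fdt, claim["ports_bps"]),
        })
    return rows


if __name__ == "__main__":
    for row in compare_claims():
        print("%-9s FDT=%4d Mbps  64-byte pps=%9d  port utilisation=%.0f%%"
              % (row["vendor"], row["fdt_bps"] // 1_000_000,
                 row["pps_64"], 100 * row["utilisation"]))
```

Running the block shows that vendor-B's headline 400M figure, once identified as HDT, is the same 200M FDT as vendor-A, forwarding about 297,619 64-byte frames per second in each direction and using only 10% of the 2G port capacity; this is the comparison a buyer should make before reading a vendor's "throughput" at face value.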
ISS Integrated Security System
As a third-generation firewall architecture, ISS is designed for the future high-performance, multi-service security requirements of enterprises; it is an integrated security architecture that absorbs the advantages of the different hardware architectures.
Heng Yang launched an integrated security system architecture based on ISS, built on its self-developed SempSec and SempCrypt security chip technology, a P4-M CPU, and its own proprietary operating system SempOS. It improves performance in packet-filtering firewalling, state detection, attack detection, encryption, NAT and VPN features, and allows security operations to be extended in every respect. China Micro-Communications also launched the GCS3000 series firewall, based on the ISS security architecture.
The ISS structure is a flexible, modular structure that brings together comprehensive packet filtering, state detection, data encryption and decryption, VPN services, NAT operations, traffic control, attack prevention, security audit, user management and authentication, and other security functions; it can be customized according to the service functions required and upgraded with rapid service response.
The main features of the ISS architecture:
1. A special security chip with a structured design serves as the processing core for security services, significantly improving throughput, forwarding rate and encryption capability; the structured chip's programmable, customizable wire-speed processing modules quickly meet customer requirements;
2. A high-performance general-purpose CPU serves as the device management center and the upper-layer service development platform, supporting smooth migration and upgrade of upper-layer security applications and expanding the system's application service capacity;
3. A high-capacity switching backplane bus carries a large number of service and management channels; the Gigabit SerDes service bus and the PCI management channel are physically separated, so service levels are clearly divided, management is easy, and performance is not mutually constrained;
4. A carrier-grade rack-mount design: the security processing unit (SPU), the main processing unit (MPU), other boards, power supplies, chassis and other modules are all designed with extensibility, hot-plugging, radiation resistance, anti-interference and redundant backup fully considered, truly achieving carrier-grade reliability and availability for security equipment;
5. Security services are not only delivered at high performance and "All in One"; from the customer's point of view, multi-service and multi-device integration is solved, avoiding single points of equipment failure and security failure and greatly reducing management complexity;
6. Through the backplane and line interface units (LIU), services are extended to provide high-density interfaces.