Global Sources
EE Times-Asia
Stay in touch with EE Times Asia
EE Times-Asia > Networks

Gigabit nets slowed by security

Posted: 16 Dec 2002 ?? ?Print Version ?Bookmark and Share

Keywords:gigabit network? lan? gigabit ethernet? network security? gigabit security?

Gigabit networks require gigabit security. The idea is simple enough, but at present, no solutions are available to fully protect a gigabit-speed network at wire-speed under all loading conditions. This has caused security to become a bottleneck in the gigabit networking environment.

LANs have been using GbE as a backbone technology for nearly four years. In the past, because most LAN traffic was both sourced and terminated inside the LAN, enterprises could get by with DSL - up to 1.5Mbps - or a simple T1/T3 connection - 1.544Mbps and 45Mbps, respectively - to access the outside world.

But times have changed. Now, instead of 80 percent of network traffic internal and 20 percent external, the model is heading towards 20 percent internal and 80 percent external. Because of this, ISPs recently started offering GbE (and fractions thereof; e.g. 100Mbps) as an access alternative to DSL, T1, and T3 for outward-bound data traffic.

These trends - massive amounts of outward-bound LAN traffic and gigabit interfaces to the service provider or Internet - are wreaking havoc on network managers responsible for network security. Legacy firewalls, whose architectures were designed around an old model of network traffic dynamics, have become the bottleneck in the interface between the private and public network.

Four years ago, the mantra for network architects was "switch where you can; route where you must." The new generation of ASIC-based Layer 3 switches changed that by making Layer 3 routing as fast as switching--that is to say, "wire-speed" for all packet sizes. Security is now in a similar position as routing was four years ago.

Firewall evolution

To understand why this is the case, it is helpful to examine the evolution of the firewall. In the late 1980s and early 1990s, software-based firewalls dominated the landscape. While flexible and effective for simple security deployments, they were difficult to manage and generally lacked the speed and scalability to keep up with growth in bandwidth requirements.

In the late 1990s, ASICs were deployed for both stateful packet inspection and encryption/decryption tasks. The result was an order-of-magnitude performance gain over existing solutions, which allowed security to keep up with newly available public network bandwidth increases. Modern requirements for gigabit security are now putting a tremendous strain on both the software and ASIC-based solutions.

Even the devices that claim to be gigabit-ready, generally are not. Just because a firewall has gigabit ports or a gigabit specification does not guarantee it is a true gigabit firewall. A meaningful throughput calculation will consider the average packet size.

The network processor, now offered by a score of vendors, is a flexible, programmable device that can deliver performance rivaling hard-coded ASIC pipelines while maintaining flexibility and the possibility for designers to step onto a platform that will accelerate in clock speed, much like the Pentium processors have done during the past four years.

The network processor originally was targeted at routing and packet classification, but also lends itself to network security. It has the ability to scale in the same manner as a CPU (such as a Pentium), but differs dramatically in its approach to manipulating data. While a CPU architecture is optimized for classic data processing, the network processor architecture is optimized for processing streams of packet data and the typical operations performed on packets.

Key attack detection and protection routines are implemented with C code and run in the microengines of the network processor. New attacks are effectively handled by adding code to the network processor, rather than having to spin the ASICs. Management functions, such as writing event logs, adding new policies, and passing along session state information to other systems, are conducted by the management processor, which can run an industry-standard OS, such as Linux, especially hardened and secured.

- Dave Buchanan

VP Marketing

ServGate Technologies

- Scott Lukes

Senior Director - Marketing

ServGate Technologies

Article Comments - Gigabit nets slowed by security
*? You can enter [0] more charecters.
*Verify code:


Visit Asia Webinars to learn about the latest in technology and get practical design tips.

Back to Top