On Tue, 15 Oct 2002, Ryan M. Ferris wrote:

> I agree "Appliance" is a meaningless term - I've worked on three
> different appliances each with a different version of a different
> customized monolithic kernel OS (W2K SAK, RH Linux 7.0, OpenBSD).
> Someone could ship you embedded NT in a toaster oven and call it secure.

To me personally an appliance is something that would be developed using real-time techniques. My experience with real time comes from being involved with some industrial controls projects a few years ago. For those guys there's a clear life-and-death correlation to getting it right. Failsafes are built in. Testing was impressively thorough. I doubt any firewall vendors look at things as if their reliability is of life-and-death importance, so I personally don't think the 'appliance' label applies to any firewall or security product in existence.

> What is not meaningless to security and function is kernel size,

The size of the code of the whole firewall is important. People can easily make a tiny kernel (ding, a microkernel) and push all of the functionality out into modules. So, realistically you have to look at the entire code size to determine if they've made it adequately simple. Somebody should do a study of how simpler firewalls are less likely to break, but the vendors would be reticent to admit to their code size and it'd be hard to verify their answers if they were 'willing'.

> Gigabit throughput is still best achieved by a switched bus architecture
> and custom ASICs or other real-time micro-kernel OS. The shared bus
> architecture of even the fastest PCs and gigabit NICs will never be a
> match for dedicated hardware in processing traffic.

Bull. I heard the same things about 10M and 100M. PCs will catch up.

> You are an NSA Analyst, monitoring traffic from multiple backbones that
> has been "muxed" or results from the parallel mirroring, spanning of many
> WDM optical switches - i.e. terabit amounts of information flow. The
> distributed systems needed to process such traffic on PC-based systems
> would be immense in number. You would probably opt for hardware-based
> solutions as they would be more easily centralized.

Bah. Look at all the Linux-based supercomputers based on Myrinet and such. If you're doing communications analysis your biggest need is GOBS of CPU power. If you're starting with a fixed number of dollars, you're going to get more CPU sooner with the latest off-the-shelf hardware than playing with ASICs. Of course if you're the NSA you might augment those systems with custom cards that do specialized processing, but that card is still more likely to be a PCI card going into a PC motherboard than a custom bus on a custom computer.

> Obviously, the question becomes more confusing when you start putting
> $16K NICs with their own OS and memory into a PC.

Don't you think if there's a market for $16k NICs that someone will realize there's a much bigger market for $10k NICs? And so on. ASICs are beautiful, but for most people they're beyond affordability. Commodity hardware will show up to fill the need for the rest of us before long.

-- 
</chris>
The truth is rarely pure, and never simple. -Oscar Wilde, writer (1854-1900)

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 05:34:34 PDT