Re: [fw-wiz] Proverbial appliance "Its software, Jim!"

• Previous message: Mark McCreary: "[fw-wiz] PIX Firewall IP Addresses"
• In reply to: Anton Aylward: "Re: [fw-wiz] Proverbial appliance "Its software, Jim!""
• Next in thread: Stephen D. B. Wolthusen: "Re: [fw-wiz] Proverbial appliance "Its software, Jim!""
• Next in thread: Mikael Olsson: "Re: [fw-wiz] Proverbial appliance vs software based firewall"
• Reply: Stephen D. B. Wolthusen: "Re: [fw-wiz] Proverbial appliance "Its software, Jim!""
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> > Inside every "appliance" is an operating system. Inside
> > every ASIC or "embedded processor" is software. There's
> > really no difference other than the packaging. 
> Wake up and smell the caffine!
> Its all software.  
> THAT'S IT!  End of Story.
> All the heritage of s/w applies to "appliances".
>  - Keep it small and simple
>  - Test, test and test.
>  - Limit the complexity.
> If we can't learn that and apply it rigorously, what have we learnt?

Sigh.  Packet filtering, even stateful packet filtering is pretty easy
to do in hardware.  Unless you're a big fish, you'd probabley do it in
an FPGA as opposed to an ASIC.  Drop a CAM table off it to keep state
pointers and a few SRAMS to keep the actual state.  IIRC ISI even has
premade boards called OSIRIS with a 6M FPGA (which is HUGE) and it has a
PMC slot to drop the interfaces off of.  Or you could plug the
interfaces into the PCI bus off the other 1M FPGA.  Now it's been a
year, but IIRC the parts cost was about a grand.  You'd still probabley
drop an embedded micro off the PCI bus if you want to reassemble
fragments.


There are two applicable difference between a hardware firewall and a
software firewall.  In hardware, everything happens in parrallel (well,
every stage, you'll latch between stages to produce a sequential
pipeline).  And the other difference, is that hardware testing standards
are orders of magnitude better than software testing standards.

The first person who tells me VHDL or Verilog is software gets labeled
a dumbass.
 
> It
> doesn't matter if you're design tool is back-of-the-envelope or the best
> that Rational has to offer.  You're still human and fallible.

You'll find very few software people who acknowledge the fallibility.
But almost all hardware people not only acknowledge it, but they accept
it and plan for it.  The ideological difference creates a big
improvement in quality.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Next message: Stephen D. B. Wolthusen: "Re: [fw-wiz] Proverbial appliance "Its software, Jim!""
• Previous message: Mark McCreary: "[fw-wiz] PIX Firewall IP Addresses"
• In reply to: Anton Aylward: "Re: [fw-wiz] Proverbial appliance "Its software, Jim!""
• Next in thread: Stephen D. B. Wolthusen: "Re: [fw-wiz] Proverbial appliance "Its software, Jim!""
• Next in thread: Mikael Olsson: "Re: [fw-wiz] Proverbial appliance vs software based firewall"
• Reply: Stephen D. B. Wolthusen: "Re: [fw-wiz] Proverbial appliance "Its software, Jim!""
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 10:08:02 PDT