Firewall acceleration over ATM

Firewalls are not new; but high-performance firewalls are. Historically, firewalls used software to examine every packet and then make the decision to forward or drop the packet. This made them slow.

When administrators placed them in line with low-speed WAN access links, firewalls introduced no bottlenecks. But the trust boundary where a firewall is needed doesn't always lie at a WAN link. A finance department's network needs protection from disruption by other departments in the building.

Also, the speed of WAN links is increasing as the use of the Internet grows. Multigigabit links to metropolitan-area networks will become commonplace over the next few years. At these speeds, the performance bottleneck of older firewalls will be exposed.

But a new generation of firewall accelerators uses flow recognition to eliminate performance bottlenecks and to let administrators deploy firewalls wherever they are needed.

A flow is a series of packets with the same values in particular IP fields - for example, source IP address, destination IP address and TCP port numbers. Firewall accelerators examine these fields in hardware.

The first packet of a flow is diverted to a traditional software firewall where security policies are stored; the accelerator then learns to recognize and act on (forward, drop or monitor) subsequent packets independently. This provides firewall security at line-rate speeds.

Firewall accelerators appeared two years ago offering 10/100M bit/sec and Gigabit Ethernet interfaces.

However, many network administrators with the most demanding security concerns select ATM as their network transport. They do so for a number of reasons:

  • ATM's connection-oriented architecture makes it resistant to denial-of-service attacks.
  • Assigning a bandwidth profile to a connection guarantees its performance.
  • The fixed length of ATM cells makes high-speed bulk encryption practical and affordable.

Although ATM is often used in highly secure networks and commonly used at the WAN access trust boundary, early firewall accelerators supported only Ethernet, because IP packets split into 53-byte cells could not be examined at line rate.

Expedient solution

The National Security Agency has solved that problem with technology that tracks ATM packet framing to extract a copy of each packet's IP header, with no time-consuming reassembly of cells into packets. Through selected commercial partners, this technology is giving birth to a new generation of IP/ATM firewall accelerators.

With an IP/ATM firewall accelerator, cells of the first packet are forwarded to the firewall control processor (FCP), which consults its filtering policies to determine whether to forward, drop or monitor the packet.

Forwarded packets are re-injected into the cell stream, and the FCP informs the firewall inline processor of the action to take on subsequent traffic for this flow. One firewall accelerator using this technology offers a choice of OC-3c or OC-12c interfaces, performing line-rate firewalling at either speed.
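The two mechanisms described above, flow learning (first packet to the FCP, cached action for the rest of the flow) and reading the IP header straight out of the first ATM cell without reassembling the packet, as an added Python model that is not code from the article or from any vendor's product. It assumes RFC 2684 LLC/SNAP encapsulation of IPv4 over AAL5 (so the IP header and TCP ports of an option-free packet fit in the first 48-byte cell payload) and uses a simplified "end of PDU" flag in place of the real PTI bit and AAL5 trailer; all packets and policy rules are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

CELL = 48  # bytes of payload per ATM cell
LLC_SNAP = bytes.fromhex("aaaa030000000800")  # RFC 2684 LLC/SNAP header for IPv4 over AAL5

def ipv4_tcp_packet(src, dst, sport, dport, payload=b""):
    # constructed IPv4/TCP packet; checksums left zero, which is fine for header parsing
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload

def segment(packet):
    # AAL5 SAR: LLC/SNAP + packet into 48-byte cells; last cell flagged like the PTI end-of-PDU bit
    data = LLC_SNAP + packet
    chunks = [data[i:i + CELL].ljust(CELL, b"\0") for i in range(0, len(data), CELL)]
    return [(i == len(chunks) - 1, c) for i, c in enumerate(chunks)]

def five_tuple(first_cell):
    # 5-tuple from the first cell alone (no reassembly); None if headers spill past one cell (IP options)
    ports_at = 8 + (first_cell[8] & 0x0F) * 4          # LLC/SNAP (8) + IP header length
    if first_cell[8] >> 4 != 4 or ports_at + 4 > CELL:
        return None
    src, dst = IPv4Address(first_cell[20:24]), IPv4Address(first_cell[24:28])
    sport, dport = struct.unpack("!HH", first_cell[ports_at:ports_at + 4])
    return (str(src), str(dst), first_cell[17], sport, dport)  # byte 17 = IP protocol

class Accelerator:
    # inline processor: the first packet of a flow consults the FCP, later ones hit the cache
    def __init__(self, fcp_policy):
        self.policy = fcp_policy  # FCP rules: ordered (predicate on 5-tuple, action) pairs
        self.flows = {}           # learned 5-tuple -> "forward" | "drop" | "monitor"
        self.fcp_lookups = 0
        self.current = None       # action applied to the remaining cells of the PDU in flight

    def consult_fcp(self, key):
        self.fcp_lookups += 1
        return next((act for ok, act in self.policy if ok(key)), "drop")  # default deny

    def process(self, cells):
        out = []
        for last, payload in cells:
            if self.current is None:  # first cell of a new PDU: classify from it alone
                key = five_tuple(payload)
                if key is not None and key not in self.flows:
                    self.flows[key] = self.consult_fcp(key)
                self.current = "drop" if key is None else self.flows[key]  # no reassembly here
            out.append(self.current)
            self.current = None if last else self.current
        return out
```

A packet whose options push the TCP ports beyond the first cell is the case the per-cell fast path cannot classify; the model simply drops it, where a real accelerator would have to divert the whole PDU to the FCP.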

Ladam is director of strategic marketing for Marconi Corp.'s Enterprise business. He can be reached at Michael.Ladam@Marconi.com.
