Brief introduction of soft and hard firewall difference
Most pure-software firewalls are based on the PC architecture and run on a general-purpose or optimized operating system. Their strengths are good scalability, strong adaptability, easy upgrades, and a cost much lower than that of a hardware firewall.
Most hardware firewalls are built around ASICs and need no general-purpose operating system. They are fast and stable and have a high safety factor, but they are expensive, and their scalability and ease of upgrade are not as good as a software firewall's.
ASIC stands for Application Specific Integrated Circuit, a dedicated integrated circuit that acts as an accelerator for logical processing; put simply, an ASIC implements in hardware logic what would otherwise be done in software. Network products adopt ASIC technology to offload recurring work from the CPU to specialized hardware and thereby achieve a breakthrough in performance. ASIC technology is now widely used in switches, routers, firewalls, and smart IC cards such as ID cards.
CPU chips and ASIC chips each have their own advantages and disadvantages. The greatest advantage of the CPU is flexibility: it uses an instruction set and software to perform a wide variety of work, but its actual processing capacity is often limited by the PC and the general-purpose operating system it runs on. The ASIC is a single-function integrated circuit that completes a fixed processing task; it sacrifices flexibility in exchange for high reliability and strong processing power, and belongs to the category of "dedicated hardware" processing.
Because the ASIC and the CPU each have their own characteristics, each is suited to particular applications. Where a device must adapt to many kinds of applications, people choose a CPU; in a relatively narrow domain, people expect an ASIC to deliver higher operational efficiency. Since CPUs and ASICs serve different applications, the two cannot be compared in simple terms; they must be judged in their specific application fields. In the early days of a technology, to save development costs, people tend to implement applications on CPU-based general-purpose PCs. As the technology matures and demand grows, people begin to consider ASICs to achieve more demanding, more efficient performance. The typical example of this trend is the evolution of the router: PC routing software -> dedicated router -> ASIC-based routing switch (switch router). In the security field, the firewall has gone through a similar process. Its development can be summarized in three stages: the pure software firewall, the soft-hard combined firewall, and the ASIC hardware firewall.
A pure software firewall is based on a PC and runs on a general-purpose operating system such as UNIX or Windows. Such an operating system is not customized for networking, so vulnerabilities and bugs inevitably exist in it. As a result, even a packet that the firewall's filter judges to be normal may be a "bomb" aimed at the operating system itself, and once the operating system is compromised the firewall has lost its value. In addition, this type of firewall has no dedicated resources: all of its work must share the same CPU, RAM, PCI bus, and so on with other task processes, so its performance naturally suffers.
A soft-hard combined firewall no longer uses a general-purpose operating system but a dedicated or independently developed (optimized) one. Such operating systems are customized for network security, which fundamentally resolves the hidden security risks of the software firewall and greatly improves overall processing performance compared with software firewalls. However, the basic encryption and decryption of such a firewall still rely on software, so it still belongs to the PC-structure class of firewall.
The ASIC hardware firewall is the most recent development. As network construction has improved and broadband networks have spread, people have found that the soft-hard combined firewall is still unsatisfactory in speed, functionality, and stability, and this has become the driving force behind the ASIC hardware firewall. The ASIC hardware firewall uses an ASIC chip together with a multi-bus, parallel-processing architecture, so that work which formerly required thousands or even tens of thousands of instructions can be completed in a few cycles, almost instantly. The multi-bus structure guarantees that while data is being transmitted on the ports, efficient data processing can still go on simultaneously inside the firewall, no longer constrained by the traditional "interrupt" model. The ASIC hardware firewall runs a dedicated, highly secure operating system. In fact the CPU in such a firewall is usually only a mid-range part, but this does not prevent the independently operating ASIC from delivering ultra-high-speed processing, because the firewall's operating system and CPU serve only to start the ASIC hardware driver and the management interface; they are responsible for overall coordination and take no part in the firewall's basic packet processing. While the ASIC chip is fully occupied with data processing, the CPU remains lightly loaded, so the responsiveness of device management is unaffected. The ASIC hardware firewall can therefore make full use of its own speed and processing power regardless of the number of sessions, and it has completely escaped the limitations of the PC structure. Below we compare the PC-structure firewall with the ASIC-structure firewall.
If a PC-structure firewall is given a single task (for example, a single policy, or address translation for a single session state), it can reach or approach the processing capability of an ASIC firewall. But in a typical broadband environment, tens of thousands or even hundreds of thousands of parallel sessions not only generate far more interrupts for the PC-structure firewall but also cause its throughput to drop sharply; this problem does not exist in the ASIC structure, where the number of sessions has little effect on processing power. As for encryption and decryption, a PC-structure firewall needs an expensive encryption card to reach a given processing speed, whereas the ASIC chip integrates the firewall's basic operations, so even under high-strength encryption and decryption its performance does not fall much. In terms of short-term and long-term cost, although the purchase price of an ASIC firewall is higher than that of a software firewall, when future upgrades of the enterprise network are taken into account the ASIC firewall effectively protects the company's existing investment and saves on daily maintenance costs.
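The comparison above names the points at which a PC-structure firewall starts to fail under load: interrupt pressure from many parallel sessions and a session-state table that grows with them. As an added example, not from the original article, the following defender's check assumes a Linux-based software firewall and parses a constructed snapshot of the kernel's per-CPU softirq counters (/proc/net/softnet_stat) and the connection-tracking fill level, flagging exactly those conditions; the thresholds are assumed values.

```python
# Added example: health check for the PC-structure limits described in the text,
# assuming a Linux software firewall. All input below is constructed sample data.
from dataclasses import dataclass
from typing import List

# Constructed /proc/net/softnet_stat snapshot: one line per CPU, hex fields.
# Column 0 = packets processed, 1 = dropped (input backlog full),
# 2 = time_squeeze (softirq budget ran out while packets were still waiting).
SOFTNET_STAT = """\
0007a120 00000000 00000003 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
000f2a3b 000001c8 00000fa0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
"""

# Constructed session-state (conntrack) table fill level: current entries vs. limit.
CONNTRACK_COUNT = 61850
CONNTRACK_MAX = 65536


@dataclass
class CpuStat:
    cpu: int
    processed: int
    dropped: int
    time_squeeze: int


def parse_softnet_stat(text: str) -> List[CpuStat]:
    """Parse the hex columns of softnet_stat into one CpuStat per CPU line."""
    stats = []
    for cpu, line in enumerate(l for l in text.splitlines() if l.strip()):
        fields = [int(f, 16) for f in line.split()]
        stats.append(CpuStat(cpu, fields[0], fields[1], fields[2]))
    return stats


def assess(stats: List[CpuStat], count: int, maximum: int,
           squeeze_ratio: float = 1e-3, table_ratio: float = 0.9) -> List[str]:
    """Return one finding per symptom of a PC-structure firewall shedding load."""
    findings = []
    for s in stats:
        if s.dropped:  # backlog overflow: packets lost before filtering ran
            findings.append(f"cpu{s.cpu}: {s.dropped} packets dropped (input backlog full)")
        if s.processed and s.time_squeeze / s.processed > squeeze_ratio:
            findings.append(f"cpu{s.cpu}: softirq budget exhausted {s.time_squeeze} times")
    if count / maximum >= table_ratio:  # session table nearly full: new flows will be refused
        findings.append(f"session table {count}/{maximum} ({count / maximum:.0%} full)")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_softnet_stat(SOFTNET_STAT), CONNTRACK_COUNT, CONNTRACK_MAX):
        print(finding)
```

On a live host the same functions can be fed the real file contents and the values of nf_conntrack_count and nf_conntrack_max under /proc/sys/net/netfilter.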