Case Study: ASIC vs Standard Processing Chips
The foundation engine is the underlying architecture of the security protection engine. When designing a protection engine, scalability, performance, throughput, extensibility, and modularity must be built in from the beginning. Adding more features to the foundation engine becomes more difficult to make significant changes to the foundation, as changes cause major impacts throughout the entire design. By starting with a weak foundation engine, it becomes very painful to address serious architectural and foundational flaws and even more painful to replace the entire underlying architecture. Many large software projects have failed because the design foundation was not solid, and as complexity grew, the foundation and the architecture could not scale or be extended in new directions.
If the foundation engine starts with an ASIC-based firewall appliance, it becomes very difficult to integrate the IDS (also known as IPS or IDP) appliance for many reasons.
Because most ASIC-based firewall companies have developed their own custom Operating System (OS), it becomes problematic to port new applications like IDS to a custom OS. If there are any dependencies that the IDS engine had on the standard OS, like Linux or Windows libraries, then they must be rewritten to work with the custom OS. This may require rewriting major portions of the source code to eliminate dependencies, which is most often a time consuming, costly, and non-trivial task.
The nature of Deep Traffic Protection engines is to continually evolve and grow in complexity to address the dynamic threat. Trying to implement the DTP engine into the ASIC component will simply not work.
It can be misleading to claim that a firewall and IDS technology will converge under an ASIC hardware design. Some ASIC hardware companies are integrating their IDS as a separate hardware blade, rather than as an integrated protection appliance. The ASIC expertise provides no additional protection value to the customer. Their current value is with VPN performance enhancements, but even that component is becoming a commodity as Intel designs the VPN algorithms into standard chips. As long as the firewall and IDP engine are separated as hardware blades, they will not have unified protection approach and will lack significant protection capabilities. As the industry moves toward Smart Firewalls ™, the software-based foundation engines built with solid architecture will become increasingly important to ensure they perform and are scalable and extensible.
Both ASIC hardware and software designs can contain security flaws. Vulnerabilities in an ASIC design may be problematic to rapidly change and address. The customers will need to replace their ASIC hardware components (not a trivial process) or replace the entire appliance. This can be an expensive and time consuming process to correct a serious security issue. Software-based engines can use software-based updates to correct the security flaw with minimal down time and cost.
ASIC-based designs are good in two major areas:
1) increasing the performance of a specific algorithm by hardware design and,
2) producing the hardware chips at low cost.
Typically, the best algorithms that can be burnt into ASIC hardware should be static and do not change frequently. Mathematical encryption algorithms for VPN and SSL fall into this category.
Hardware companies like NetScreen and Fortinet are touting that their appliance is ASIC-based, but only portions of their product's functionality are actually using the ASIC component. Primarily, the ASIC increases the performance speed in specific areas like the encryption algorithm and the firewall policy lookup.
The advantages of the ASIC-based encryption are becoming less significant as intel builds these algorithms into their standard generic chips. This makes the encryption algorithm performance a commodity, and any software-based security company can take advantage of it without having to build their own ASIC. Long term, Intel has the resources to increase the performance of their hardware algorithm designs and will supersede any custom ASIC encryption algorithm.
Long term, custom ASIC hardware advantages become commoditized by companies like Intel. It will be difficult for legacy firewall companies to gain the performance and design advantage of an integrated Smart Firewall protection solution since it will require changing the entire foundation of the architecture.
ASIC-based designs provide no advantage to Deep Traffic Protection due to the size and complexity of the protection algorithms. Therefore, ASIC-based technologies become a disadvantage in the long term. Software-based security blades and software-based designs will have the flexibility and cost advantage over ASIC in the long term. As the industry moves to security platforms, software-based designs have the needed agility needed to adapt with both the changing threat and environment that can be leveraged across the network and host infrastructure. ASIC-based hardware appliances can only be applied at the network layer.