Re: LAN access while VPN is up

From: Triffid (triffid_at_nebula.net)
Date: 11/04/05

    Date: Thu, 03 Nov 2005 23:37:28 -0500
    
    

    Somebody. wrote:

    > The 5GT is basically a CPU based box more than a purely ASIC box like the
    > 5XT, 5XP, or any of the bigger boxes . That's why it has AV as well as DI.
    > There is no AV on the bigger boxes, because they don't have the CPU
    > horsepower (or system memory) for it. DI is implemented on bigger boxes,
    > but it seriously, seriously impacts the performance of the box because it's
    > done in the general purpose CPU, which was never scaled for that in the
    > first place since the GPCPU requirements for an ASIC box are laughably small
    > and they were all (except for the new ISG line) designed before DI was ever
    > thought of . So you take a box with 200Mbps of stateful inspection firewall
    > throughput and very nearly that much 3DES throughput cranking through
    > their excellent ASIC, and just strangle it down into low double or perhaps
    > single digits -- nobody at NS will fess up exactly what the number is so far
    > in my experience anyway, and I've never benchmarked it. They basically just
    > say "don't do it" when pressed. And that's just single packet deep
    > inspection, not data re-assembly required for AV or more advanced IPS.
    >
    > That's the major difference between NetScreens and Fortigates, and the
    > reason Ken Xie left NS to start Fortinet. He knew they had to inspect the
    > entire packet in silicon to compete in the next generation, and NS didn't
    > want to invest in it because of the upcoming IPO. So, he left and started
    > his own company. Result: Fortigates do all their content inspection and
    > content reassembly in ASIC and therefore can scale those services much more
    > efficiently than a NS can, while still retaining all the advantages of an
    > ASIC box vs a general purpose computer with an OS and software running on
    > it -- those very advantages are the main reasons that NetScreens had such a
    > solid, low-cost product and gained such market share in the first place.
    >
    > -Russ.

    Many thanks for a lot of very interesting background I wasn't aware of -
    which appears to position the 5GT as an oddball entry in the NS product
    line. Know how it came about?

    Triffid


