Re: LAN access while VPN is up
From: Somebody. (somebody._at_spamout.russdoucet.com)
Date: 11/05/05
- Next message: Triffid: "Re: LAN access while VPN is up"
- Previous message: Duane Arnold: "Re: Web Server behind ZoneAlarm?"
- In reply to: Triffid: "Re: LAN access while VPN is up"
- Next in thread: Triffid: "Re: LAN access while VPN is up"
- Reply: Triffid: "Re: LAN access while VPN is up"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 4 Nov 2005 21:14:32 -0500
"Triffid" <triffid@nebula.net> wrote in message
news:9ABaf.6687$J14.483267@news20.bellglobal.com...
>
>
> Somebody. wrote:
>
>> The 5GT is basically a CPU based box more than a purely ASIC box like the
>> 5XT, 5XP, or any of the bigger boxes. That's why it has AV as well as
>> DI. There is no AV on the bigger boxes, because they don't have the CPU
>> horsepower (or system memory) for it. DI is implemented on bigger
>> boxes, but it seriously, seriously impacts the performance of the box
>> because it's done in the general purpose CPU, which was never scaled for
>> that in the first place since the GPCPU requirements for an ASIC box are
>> laughably small and they were all (except for the new ISG line) designed
>> before DI was ever thought of. So you take a box with 200Mbps of
>> stateful inspection firewall throughput and very nearly that much 3DES
>> throughput cranking through their excellent ASIC, and just strangle it
>> down into low double or perhaps single digits -- nobody at NS will fess
>> up exactly what the number is so far in my experience anyway, and I've
>> never benchmarked it. They basically just say "don't do it" when
>> pressed. And that's just single packet deep inspection, not data
>> re-assembly required for AV or more advanced IPS.
>>
>> That's the major difference between NetScreens and Fortigates, and the
>> reason Ken Xie left NS to start Fortinet. He knew they had to inspect
>> the entire packet in silicon to compete in the next generation, and NS
>> didn't want to invest in it because of the upcoming IPO. So, he left and
>> started his own company. Result: Fortigates do all their content
>> inspection and content reassembly in ASIC and therefore can scale those
>> services much more efficiently than a NS can, while still retaining all
>> the advantages of an ASIC box vs a general purpose computer with an OS
>> and software running on it -- those very advantages are the main reasons
>> that NetScreens had such a solid, low-cost product and gained such market
>> share in the first place.
>>
>> -Russ.
>
> Many thanks for a lot of very interesting background I wasn't aware of -
> which appears to position the 5GT as an oddball entry in the NS product
> line. Know how it came about?
>
> Triffid
Sure, the old ASIC boxes couldn't do AV and they needed a competitive entry
to combat the SonicWalls and Fortigates, so they built the GT. Pretty
simple.
It's definitely an oddball and took them a while to sort it out. In fact,
from projects I'm involved in that are deeply exploring feature sets of the
GT, they still have problems to sort out, the sort of problems you just
never saw in the ASIC based 5XT.
-Russ.