IDS mailing list archives

RE: ASIC Based IPS


From: "Brian Smith" <bsmith () tippingpoint com>
Date: Mon, 4 Apr 2005 11:55:39 -0500

Network Processors (NPs) are chips that are programmed much like CPUs.
NPUs differ from CPUs in several ways:

1) Many offer hardware level parallelism -- much like the coming
generation of multi-core CPUs.
2) Most offer tight control over memory layout and cache control.  This
leads to more predictable performance than CPUs (at the cost of added
complexity in programming them).
3) Most offer specialized instructions and/or programming models for
parsing packet headers (L2-L4 processing).

In my experience, NPs are generally good for fixed header processing,
but not so good at processing the application layer.  You have to
reassemble the stream before you can decode it at the application layer.
The complexities associated with IP defragmentation, TCP reassembly,
application-layer fragmentation, plus the zillion different types of
application layer-processing, are beyond most NPUs (at least, if you
want to get the advertised throughput :-)

FPGAs are completely programmable -- you can program in an almost
arbitrary amount of parallelism (you're limited by the physical
characteristics of the chip, memory access, and so on).  An FPGA is
functionally identical to a custom ASIC. In fact, implementing a design
in an FPGA is almost always the first step in developing a fixed
function ASIC.  The nice thing about an FPGA is that it can be
reprogrammed in the field.  So their function can evolve as required;
this is really important for a new product, like IPS.

If FPGAs are so great, why would anyone develop an ASIC?  The answer is
cost.  FPGAs are expensive, ASICs are cheap.  However, transforming an
FPGA into an ASIC costs about $1M and 9-18 mos.  After that, though, you
can get the ASICs comparatively cheaply (it all depends on the volume
ordered).  But if you ever want the ASIC to do something else, you need
to go back to the drawing board, pay another $1M and 9-18 mos, and then
any customers will have to do a forklift upgrade to get the new
features.

        Brian Smith
        TippingPoint, a division of 3com
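The point above about application-layer processing needing TCP reassembly first can be shown in a few lines. This is an added example, not code from Brian's post or from TippingPoint: the `Segment` class, the `reassemble` function, the sample segments and the match pattern are all constructed here to illustrate the idea. A per-packet matcher (the kind of fixed-header work that is cheap to do in a network processor) misses a byte pattern that straddles segment boundaries, while a matcher that runs on the reassembled stream finds it.

```python
"""Added example (not from the original post): application-layer
matching on per-packet payloads versus on the reassembled TCP stream.

Constructed input: one HTTP request line split across TCP segments that
arrive out of order, plus a duplicate (retransmitted) segment. Sequence
numbers are relative to the start of the stream.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # relative TCP sequence number (constructed)
    payload: bytes  # segment payload


# Constructed sample: "GET /cgi/../etc/passwd HTTP/1.1\r\n" delivered as
# three segments, out of order, with one overlapping retransmission.
SAMPLE_SEGMENTS = [
    Segment(seq=13, payload=b"tc/passwd HTTP/1.1\r\n"),  # arrives first
    Segment(seq=0, payload=b"GET /cgi/../e"),            # 13 bytes
    Segment(seq=8, payload=b"/../e"),                    # duplicate of bytes 8..13
]

# Constructed detection pattern; it straddles the seq=13 boundary above.
PATTERN = b"/../etc/passwd"


def per_packet_match(segments, pattern):
    """Match the pattern against each segment payload in isolation.

    This is all a fixed-header pipeline can do without keeping per-flow
    state; anything split across segments is invisible to it.
    """
    return any(pattern in s.payload for s in segments)


def reassemble(segments):
    """Rebuild the byte stream from segments ordered by sequence number.

    Overlapping bytes already seen are dropped (first-seen wins, a policy
    choice that real stacks differ on). If a hole remains, return None:
    the application layer cannot be decoded safely until it is filled.
    """
    stream = bytearray()
    for seg in sorted(segments, key=lambda s: s.seq):
        have = len(stream)
        if seg.seq > have:
            return None                  # missing segment: hole in the stream
        stream.extend(seg.payload[have - seg.seq:])  # only the new bytes
    return bytes(stream)


def stream_match(segments, pattern):
    """Match the pattern on the reassembled stream (None if incomplete)."""
    stream = reassemble(segments)
    return stream is not None and pattern in stream


if __name__ == "__main__":
    print("per-packet:", per_packet_match(SAMPLE_SEGMENTS, PATTERN))
    print("reassembled:", stream_match(SAMPLE_SEGMENTS, PATTERN))
    print(reassemble(SAMPLE_SEGMENTS))
```

The reassembler is deliberately minimal (one direction, no window or timeout handling); it is enough to show that the state it has to keep per flow is exactly what a header-only pipeline avoids, which is the cost being traded against throughput in the post.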

-----Original Message-----
From: Richard Bejtlich [mailto:taosecurity () gmail com] 
Sent: Monday, April 04, 2005 11:24 AM
To: Brian Smith
Cc: THolman () toplayer com; siddharth.phadnis () impetus co in;
focus-ids () securityfocus com
Subject: Re: ASIC Based IPS

On Apr 1, 2005 7:39 PM, Brian Smith <bsmith () tippingpoint com> wrote:
Hi Tim!  Good post; let me add my 2 cents.

The key to performance is parallelism, and processing network data is
an inherently (and extremely) parallel problem.
...
FPGAs are the way to go, for now.

Hi Brian,

You briefly mentioned network processors in your post, but prefer
FPGAs.  Would you (and anyone else) care to comment on NPs vs FPGAs?

Also, do you or anyone else have experience developing on Cloudshield?
Any idea what Cloudshield uses under the hood?  I see they are
working with Arbor.

Thank you,

Richard
http://www.taosecurity.com
